The NHS is selling your private data – here's the price list [pdf] (hscic.gov.uk)
252 points by ghswa on Jan 29, 2014 | 114 comments



I'm not worried, there's absolutely no way anyone could identify you with only your NHS number, your date of birth, your postcode, your gender and ethnicity, your medical diagnoses (including cancer and mental health) and any complications, your referrals to specialists, your prescriptions, your family history, your vaccinations and screening tests, your blood test results, your body mass index (height/weight) and your smoking/alcohol habits....

Oh... wait....


A comment on one of the Guardian articles:

J_smudger 24 January 2014 3:00pm

I think there is confusion amongst some commenters here. This comes from reading a large amount of literature from the relevant pages on the NHS / Health and Social Care Information Centre (HSCIC). The HSCIC are basically a repository in Leeds, where all this information will be stored.

Your GP records are going to the HSCIC as pseudoanonymised information, which as has been said does indeed include your NHS number, date of birth and postcode. The HSCIC will then build up a database of this information. They can indeed pass on certain of this information to certain external interested parties, although when they do this the data becomes truly anonymised as opposed to pseudoanonymised. You can read about this in the NHS published guidelines (although not in the rather patronising leaflet), as well as from the documentation of the HSCIC and the government itself.

To quote the HSCIC:

    we take out details that could identify you before we make any information available
At the NHS:

    there are no personal details such as your date of birth and postcode included... We would never publish this type of information because there is a risk that you might be identified.
The HSCIC can only release identifiable information when (1) you specifically ask them to, or (2) hypothetically, when there is a national emergency such as a highly virulent pandemic. This would require a legal process.

http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pa...

http://www.hscic.gov.uk/article/3399/Rules-for-sharing-infor...

Or if you have a hour to spend read this:

http://www.hscic.gov.uk/media/12931/Privacy-Impact-Assessmen...

... or perhaps just sections 3.3.4. and 3.3.5.


Well, not necessarily a national emergency. Identifiable data can be released if it is approved by the Confidentiality Advisory Group (these people: http://www.hra.nhs.uk/about-the-hra/our-committees/section-2...). You can see a list of approved studies here http://www.hra.nhs.uk/about-the-hra/our-committees/section-2... , it seems they approve about 30 applications per year.


Regulation 5b allows the Secretary of State for Health to disclose confidential patient information for any medical purpose. No need for a national emergency.

http://www.legislation.gov.uk/uksi/2002/1438/regulation/5/ma...

:edit: gohrt pointed out that I'd overlooked the restriction to medical purposes in regulation 5, thanks.


Not "for any reason".

Please edit your comment for correctness:

""" General

"confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule" """


Bespoke extract – containing personal confidential data

Annual Service Charge: £300
Per data set per year: £262
Per additional year (per data set): £64

Either that's an incredibly bad title for that particular service, or they're selling data containing 'personal confidential data'. I'd like to know a little bit more about what that actually is.


This conversation is muddied by a failure to distinguish confidential information ("I have disease X") from identifying information (my name/address).


It seems that in this case we are talking about "personal confidential data", which includes both.

Their main page, http://www.hscic.gov.uk/dlesaac , states

> Personal confidential data is data in which individuals are clearly identified, or there is a high risk of individuals being identified. This includes patient identifiable data, such as: NHS number, Name, Address, [...] Personal confidential data also includes sensitive data which may include items such as: Racial or ethnic origin, Political opinions, Physical or mental health condition, [...]


What kind of shitty low-rent person thinks it's ok to work on this stuff?


Imagine a researcher working on suicide prevention. We have good suicide statistics in the UK. The publicly released data contains some gaps. Where less than 5 people die by suicide in an area you only get the numbers of people that died and not any ages or genders. That's because it is possible to identify an individual if the age and gender is released.

But for our researcher these bits of information are important, so they apply and are assessed and they get access. And now their stats will include the age ranges and genders for the towns with less than 5 deaths.

Note that names or postcodes or etc are not included. Just the number of people dying by completed suicide; their age range; and their gender.

Medically identifying is interpreted broadly because we know about the risks of deanonymizing data, and so small details can be identifying and are not released without cautious assessment.
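The suppression rule described in this comment, worked through as an added example (not HSCIC or ONS code, and the counts are constructed): an area with fewer than 5 deaths publishes its total only. The example also adds the check a practitioner wants, which is that blanking a single small cell while still publishing the row total is not enough, because the blank is recovered by subtraction, so a second cell has to be suppressed with it.

```python
"""Statistical disclosure control for a small-area table.

Added illustration, not code from the HSCIC or ONS. It applies the rule
described above (an area with fewer than 5 deaths publishes its total only)
and adds complementary suppression: a small cell inside an otherwise
publishable row is blanked together with a second cell, because the row
total would otherwise give the blank away by subtraction.
"""

THRESHOLD = 5  # counts below this are treated as disclosive

# Constructed counts per area, keyed by (age_band, gender). Not real data.
TABLE = {
    "A": {"total": 3, "cells": {("20-39", "M"): 2, ("60+", "F"): 1}},
    "B": {"total": 7, "cells": {("20-39", "M"): 6, ("60+", "F"): 1}},
    "C": {"total": 10, "cells": {("20-39", "M"): 5, ("40-59", "F"): 5}},
}


def naive_release(table, threshold=THRESHOLD):
    """The mistake: blank only the small cells and keep every total.

    None marks a blanked cell.
    """
    out = {}
    for area, entry in table.items():
        cells = {k: (v if v >= threshold else None) for k, v in entry["cells"].items()}
        out[area] = {"total": entry["total"], "cells": cells}
    return out


def release(table, threshold=THRESHOLD):
    """Primary suppression of small rows and cells, plus complementary suppression."""
    out = {}
    for area, entry in table.items():
        if entry["total"] < threshold:
            # Whole breakdown withheld; only the area total is published.
            out[area] = {"total": entry["total"], "cells": None}
            continue
        cells = {k: (v if v >= threshold else None) for k, v in entry["cells"].items()}
        blanks = [k for k, v in cells.items() if v is None]
        if len(blanks) == 1:
            # A lone blank next to a published total is recoverable, so blank
            # the smallest remaining cell as well; subtraction no longer works.
            smallest = min((k for k, v in cells.items() if v is not None), key=cells.get)
            cells[smallest] = None
        out[area] = {"total": entry["total"], "cells": cells}
    return out


def recover_by_subtraction(published):
    """Attacker's step: total minus the published cells reveals a lone blank."""
    recovered = {}
    for area, entry in published.items():
        cells = entry["cells"] or {}
        blanks = [k for k, v in cells.items() if v is None]
        if len(blanks) == 1:
            known = sum(v for v in cells.values() if v is not None)
            recovered[area] = {blanks[0]: entry["total"] - known}
    return recovered


if __name__ == "__main__":
    print("naive release leaks :", recover_by_subtraction(naive_release(TABLE)))
    print("proper release leaks:", recover_by_subtraction(release(TABLE)))
```

Area B is the instructive case: its total of 7 clears the threshold, but the single death in the ("60+", "F") cell does not, and with only that cell blanked the published total hands it straight back. Real disclosure control also has to consider the same cells published in other tables (the same area broken down a different way), which is why cell suppression is normally done across a whole release rather than table by table.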


If you read the PDF: "Bespoke extract – containing personal confidential data: A one-off extract tailored to the customer’s requirements of specified data fields containing patient identifiable data, sensitive data items or both."


Because pseudonymous data is really hard to turn back into real data, right? </s>

Just ask the victims of the AOL leak.


The NHS has a lot more experience of anonymising data. They employ real scientists and statisticians. When they take pseudoanonymous data and anonymise it I am confident that it is going to be hard to turn it into identifying data. They release it to approved researchers. And someone who deanonymises that data risks criminal prosecution - depending what they do with it.


Postcode, gender and birthdate are enough; not to mention NHS number and full medical history...


You seem to think that the NHS is releasing all this information.

It is not.

GPs send this "pseudo-anonymous" information to HSCIC. The HSCIC needs the extra information to create statistically useful cohorts. The HSCIC control access to that data. The HSCIC do some of their own statistics work and they release the results (but not the data sets!) which are often reported in UK news. Researchers, after being assessed, get access to anonymised sets of data. Researchers do not get all the information, but get an anonymised version of the pseudo anonymous data.

Note that reports released are also carefully anonymised.

You also seem to think that your GP holds your full medical history which is laughably wrong.

Start here: http://www.hscic.gov.uk/patientconf


> Researchers do not get all the information, but get an anonymised version of the pseudo anonymous data.

Where are you getting this information from? Because the price list seems to say that there's identifiable data. Do you have some evidence to the contrary? Just saying "It is not" isn't really enough to go on.

> You also seem to think that your GP holds your full medical history which is laughably wrong.

It isn't laughably wrong at all. They do have your full medical history, either in paper form and/or on a practice management system like Emis. Sometimes you may have moved from one GP to another, and the old GP would print the record to paper and the new one would scan it in, therefore losing the Read clinical-coding (Yeah, for real!). Worst case, you move GPs and your record gets lost. In those cases the next time you go to your GP he/she will ask for your significant medical history, drug history, allergies, family history etc.

So even without storing everything your GP has all the pertinent facts about you. Those facts when in the wrong hands ...

Disclosure: I develop a practice management system used in the NHS and private sector in the UK.


...and it is now going to be available for sale to anyone who cares.

You're laughably wrong.

http://medconfidential.org/whats-the-story/

http://www.theregister.co.uk/2013/11/21/what_does_nhs_it_wan...

Did you even look at the price list? I guess not.

"Bespoke extract – containing personal confidential data"


But there are various safeguards in place for who can get database extracts containing personal data. The typical case is that all patients affected first need to sign a consent agreement. They charge a fee to cover the cost of processing the application.

In general, I'm kind of annoyed with whoever submitted this URL to hacker news. I guess there are various complaints one can make about this system, but showing the price list in isolation seems calculated to just cause outrage without understanding...


I thought that your GP did hold your full medical history. I did some work doing data entry for a GP, and most patients had their full medical history on file at the surgery - in both physical and digitised form for the majority.


I would just like to point out that even if they "anonymize" the records it's generally not that hard to de-anonymize data.

During the Netflix prize, randomly generated IDs were eventually matched to people based simply on movie ratings and matching public information in other public sources:

http://www.wired.com/politics/security/commentary/securityma...

With medical data, it will probably be trivial (maybe easier or more appealing to insurance companies?).

We're a lot more unique than we think. Reminds me of this EFF project:

https://panopticlick.eff.org/

Some companies will probably resell this information to potential employers, banks (there goes your loan), etc.

Well, that's going to suck for people in the UK.


Companies are TERRIBLE at this. We used a company to do an employee feedback survey. They promised us that the data would be delivered in a 100%, completely anonymized format. We sit down to go over the results and slide number one is "Men were a 100% approval while women were 73%". I'm the only male on my team. How in the world is this anonymous?


I know in my C.S. courses most of us guys/girls won't put down our gender on surveys so the 4 or 5 females in the room can maintain anonymity.


No company is going to resell medical data. We have laws to protect personal information and they are very strict for medical information.

http://www.connectingforhealth.nhs.uk/systemsandservices/inf...

Have a look at some UK medical information and see if you can de-anonymise it.

http://www.ons.gov.uk/ons/rel/subnational-health4/suicides-i...

Here's some data for suicide.

There are problems with confidentiality in the NHS - people leave patient records on monitors or send letters to the wrong address. But this kind of project is very different.


And .. suppose a company does sell it. Or an attacker breaks into their system and steals it. Or someone abroad takes it and is out of the UK's jurisdiction.

Medical data can't be got back.


There are criminal offences covering selling of that data, or storing it in such a way that it is released, or moving the data out of the UK.

There are problems with confidentiality of data in the NHS, but this isn't one of those examples. Have a look at any of the very many examples of anonymised information released by the NHS and see if it's possible to deanonymise it.

It's important to note that this story is only about the new development of information held by GPs. A similar scheme has been running for a while now covering information held by hospitals.


This would be straight up illegal in the US due to HIPAA, which guarantees a patient's right to privacy.

HIPAA = http://en.wikipedia.org/wiki/Health_Insurance_Portability_an...


The irony. It's illegal in the US where EU countries cannot send data because of the weak data protection laws and the UK with 'strong' laws is the one selling off all your private medical records (including identification details) for a paltry sum.

The price list looks so cheap that Russian or Nigerian scammers can afford these extracts and it would save them a hell of a lot of time setting up ID scams and instantly make them much more profitable.

No longer any need to mass mail in the hope of finding someone likely to buy V!agr4, the NHS will give you a list of likely marks to direct market to and save all the useless pitches to women !


There was an interesting Businessweek article[1] on the sale of pseudoanonymised data to private companies in the US. One Harvard researcher acquired one such database and was able to identify some individuals:

>Latanya Sweeney, the director of Harvard University’s Data Privacy Lab, identified 35 patients from a Washington database by buying state medical data and creating a simple software program to cross-reference that information with news reports and other public records. “All I have to know is a little bit about a person and when they went to a hospital, and I can find their medical record in this kind of data,” Sweeney says. She says data in 25 other states are just as vulnerable.

The whole article is an interesting read. Apparently the data is sold pseudoanonymised in some states, leaving it up to the purchaser to truly anonymise the data.

[1]http://mobile.businessweek.com/articles/2013-08-08/your-medi...


Police and researchers have provisions to request access to the database under HIPAA

The Harvard researcher probably fell under research for public health. I'd hope private researchers can access public health data. The goal for "ICD" global standardized diagnoses codes is to help research.

There are rules for distribution and compliance that should carry over to each handler of the data sets.

Given all that, I still have anxiety of bad actors handling the private information.


It's not as cut and dry as that, apparently. From that BusinessWeek article:

>Washington State’s health agency sold its database 95 times that year, collecting a mere $15,950. Donn Moyer, a spokesman for the state’s health department, says it chose to release extra identifying information such as patients’ Zip Codes to make its data more useful.

The Harvard researcher's point is that it's possible to identify individuals in the datasets being sold in some scenarios.


No it isn't. U.S. health data can be sold if it is de-identified or with a patient's permission.


Does

"Your NHS number
Your date of birth
Your postcode
Your gender and ethnicity
Your medical diagnoses (including cancer and mental health) and any complications
Your referrals to specialists
Your prescriptions
Your family history
Your vaccinations and screening tests
Your blood test results
Your body mass index (height/weight)
Your smoking/alcohol habits"

seem 'de-identified'?


That sort of data can be included in de-identified health data in the U.S. if it can be shown statistically that the individual cannot be re-identified.


> if it can be shown statistically that the individual cannot be re-identified.

A full UK postcode is very specific - not just which street, but which side and end of the street. "date of birth plus postcode" will in almost all cases identify one and only one person. This data is not actually anonymous at all.
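The linkage attack behind this point, as an added example (not HSCIC code, and both tables are constructed): an extract whose NHS number has been replaced by a token but which keeps full postcode, date of birth and gender is joined to a register that carries names alongside the same three fields. The k-anonymity check shows how many records sit alone in their (postcode, DOB, gender) class, and how generalising those fields to outward postcode and birth year changes the result.

```python
"""Why full postcode + date of birth + gender is identifying.

Added illustration, not the HSCIC's code or data. A "pseudonymised" extract
is joined to a constructed public register on the quasi-identifiers it still
carries. k_anonymity() reports the smallest equivalence class; link() performs
the attacker's join and counts only unambiguous (single-candidate) matches.
"""
from collections import Counter

# Constructed extract: pseudonym, postcode, dob, gender, diagnosis. Not real.
EXTRACT = [
    ("p001", "LS1 4AP", "1971-03-09", "F", "E11 type 2 diabetes"),
    ("p002", "LS1 4AP", "1985-11-30", "M", "F32 depressive episode"),
    ("p003", "LS1 4AQ", "1971-08-21", "F", "C50 breast cancer"),
    ("p004", "LS1 4AQ", "1985-02-02", "M", "J45 asthma"),
    ("p005", "LS2 9JT", "1992-07-14", "M", "I10 hypertension"),
    ("p006", "LS2 9JT", "1992-07-14", "M", "K21 reflux"),
]

# Constructed register with names (electoral roll, marketing list, ...). Not real.
REGISTER = [
    ("Alice Example", "LS1 4AP", "1971-03-09", "F"),
    ("Bob Example", "LS1 4AP", "1985-11-30", "M"),
    ("Carol Example", "LS1 4AQ", "1971-08-21", "F"),
    ("Dan Example", "LS1 4AQ", "1985-02-02", "M"),
    ("Ed Example", "LS2 9JT", "1992-07-14", "M"),
    ("Frank Example", "LS2 9JT", "1992-07-14", "M"),
]

QI = slice(1, 4)  # columns holding postcode, dob, gender in both tables


def identity(row):
    """Quasi-identifiers as released: full postcode, full DOB, gender."""
    return tuple(row[QI])


def generalised(row):
    """Coarsened quasi-identifiers: outward postcode (e.g. LS1), birth year, gender."""
    postcode, dob, gender = row[QI]
    return (postcode.split()[0], dob[:4], gender)


def k_anonymity(rows, key=identity):
    """Size of the smallest equivalence class (the k of k-anonymity)."""
    return min(Counter(key(r) for r in rows).values())


def link(extract, register, key=identity):
    """Join extract to register on the quasi-identifiers.

    Returns {pseudonym: name} for rows matching exactly one register entry;
    rows with two or more candidates are not counted as re-identified.
    """
    by_qi = {}
    for reg in register:
        by_qi.setdefault(key(reg), []).append(reg[0])
    hits = {}
    for row in extract:
        candidates = by_qi.get(key(row), [])
        if len(candidates) == 1:
            hits[row[0]] = candidates[0]
    return hits


if __name__ == "__main__":
    print("k (full QI)       :", k_anonymity(EXTRACT))
    print("k (generalised QI):", k_anonymity(EXTRACT, generalised))
    print("re-identified (full QI):", link(EXTRACT, REGISTER))
    print("re-identified (generalised):", link(EXTRACT, REGISTER, generalised))
```

With the fields as released, four of six records are unique and are named by the join; only the two men sharing a postcode and birth date survive. Generalising to outward postcode and birth year lifts k to 2 and defeats the join in this toy register, but k=2 is still weak, and a small k says nothing about the sensitive column: if everyone in a class shared a diagnosis the attacker would learn it without naming anyone.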


How exactly would you 'de-identify' a NHS number?


The data available won't include those personal identifiers. At time of extraction, the patient record in the database is assigned a new unique identifier which has nothing to do with the NHS number.
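How such a replacement identifier is derived matters, so here is an added example (not HSCIC code; the NHS numbers are constructed test values) contrasting the two usual approaches. An unkeyed hash of the NHS number is reversible by hashing every candidate, since the valid 10-digit space is about 10^9 values and the modulus 11 check digit prunes it further; an HMAC under a secret key held by the data controller, or a random token kept in an access-controlled lookup table, is not.

```python
"""Pseudonymising an NHS number: why the mapping must be keyed or random.

Added illustration, not HSCIC code. nhs_check_digit() implements the
standard modulus 11 check; the NHS numbers used are constructed test values.
"""
import hashlib
import hmac
import secrets


def nhs_check_digit(first_nine):
    """Modulus 11 check digit for a 10-digit NHS number.

    Weights 10..2 over the first nine digits; returns None for prefixes that
    cannot form a valid number (remainder giving a check value of 10).
    """
    total = sum(int(d) * w for d, w in zip(first_nine, range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        return 0
    if check == 10:
        return None
    return check


def is_valid_nhs_number(number):
    return (len(number) == 10 and number.isdigit()
            and nhs_check_digit(number[:9]) == int(number[9]))


def unkeyed_pseudonym(nhs_number):
    """Weak: deterministic and key-less, so anyone can rebuild the mapping."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def keyed_pseudonym(nhs_number, key):
    """Better: HMAC-SHA256 under a secret only the data controller holds."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def reverse_unkeyed(target, prefixes):
    """Dictionary attack: hash every valid NHS number built from the given
    9-digit prefixes and return the one matching the target pseudonym."""
    for prefix in prefixes:
        cd = nhs_check_digit(prefix)
        if cd is None:
            continue  # skip prefixes that cannot be valid NHS numbers
        candidate = prefix + str(cd)
        if unkeyed_pseudonym(candidate) == target:
            return candidate
    return None


def demo_prefixes():
    """A 1000-prefix slice of the search space containing the test number.
    The full attack simply iterates range(0, 10**9) instead."""
    return (f"{n:09d}" for n in range(943476000, 943477000))


if __name__ == "__main__":
    nhs = "9434765919"  # constructed test value, valid under the check digit
    print("valid:", is_valid_nhs_number(nhs))
    weak = unkeyed_pseudonym(nhs)
    print("unkeyed pseudonym reversed to:", reverse_unkeyed(weak, demo_prefixes()))
    key = secrets.token_bytes(32)  # kept by the controller, never shipped with data
    strong = keyed_pseudonym(nhs, key)
    print("keyed pseudonym reversed to:", reverse_unkeyed(strong, demo_prefixes()))
```

Two caveats follow from the code. A keyed pseudonym is stable for as long as the key is, so every extract made under the same key links to every other one; a fresh random token per extract, which is what the comment above describes, avoids that cross-extract linkage but needs the lookup table guarded as carefully as the key. And neither protects the rest of the row: replacing the number does nothing about the postcode, date of birth or diagnoses that travel with it.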


Since that number is meaningless in the U.S., I guess you wouldn't care.


My New Zealand address is meaningless in the US unless you want to find my house. I see patient numbers on things displayed from time to time and wince - interesting case studies etc. I most certainly could find out who the person is. A distinct pathology is probably enough to identify someone in New Zealand if you tried hard enough.


But this data is not de-identified. They explicitly list prices for data with confidential, patient-identifying information.


The main page, http://www.hscic.gov.uk/dles , states

> The data we supply is normally pseudonymised. We only provide identifiable data when there is a lawful basis to do so i.e. with patient consent, approval under section 251 of the NHS Act 2006 which enables The Health Service (Control of Patient Information) Regulations 2002, or where appropriate statutory regulation is in place.

This "About Section 251" page, http://webarchive.nationalarchives.gov.uk/20130513181011/htt... , states

> Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required use of identifiable patient information but because patient consent had not been obtained to use people's personal and confidential information for these other purposes, there was no secure basis in law for these uses. [NB. There are a few exceptions where there is a legal basis for disclosure e.g. reporting of notifiable diseases]. Section 251 was established to provide a secure legal basis for disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practicable, having regard to the cost and technology available.


>"and where seeking consent was not practicable," //

As they have your contact details and next of kin details then seeking consent must be quite practicable.

I expect they mean "commercially financially viable". Those people the NHS can't simply look up a phone number for (from doctor's surgery records) and ask (or ask their guardian/parent) must be in the few hundreds [of those they have sufficient medical information for to be used in a scientific study].


I guess that's what it says, practicable with regard to cost.

To look at one random example, the first study on the list of approvals in 2013 was the "ETPOS: European Transfusion Practice and Outcome Survey". Apparently they took data from 10,000 patients who had blood transfusions and tried to see if there was any correlations between practices such as "ratio of red blood cells to other blood component therapy, such as plasma and platelets" and health outcomes. I guess it was deemed that phoning each of the patients was impractical.


Robot Dialer: The NHS wish to sell your medical data for use in a study of people who had blood transfusions. Press 1 to accept, 2 to refuse, 3 to speak to an agent.

Robot Dialer: You pressed 1 to accept; can we use your data for future studies? Press 1 to accept, 2 to refuse, 3 to speak to an agent.

Robot Dialer: You pressed 2, can we contact you to ask about using your data in specific studies in the future? Press 1 to accept, 2 to refuse, 3 to speak to an agent.

Umpteen marketing companies appear to be able to afford to do this sort of calling (yes even though it's against the law for them to contact me as I'm on the no-call database [which wouldn't apply to the NHS]).

If it's too costly then the studies can hardly be worthwhile? Remember the NHS wasted £10 Billion on a single IT project over the last 10 years. What would this auto-dialer have cost? £10k in "management", couple of thousand in IT staff and set-up (join study NHS numbers with main database ID table and contact info tables, select phone numbers; set-up dialer script, test, initiate) maybe £500 in direct call costs. They most likely already have systems in place to do auto-dialed calls for disease outbreaks [UK Environment Agency use one for flood warnings].


"... or where appropriate statutory regulation is in place"

You do know that means civil servants have written a statutory order, it has been signed by the minister (might have to be Secretary of State) and it has been placed in Parliament for a week (no vote required). [Exact details may be wrong but that is the overall concept of statutory orders].

My comment is based on a general understanding of statutory orders/secondary legislation and there may be specific reasons why it doesn't apply in this case but it appears to me to be a significant hole in the text you quote that you may not have noticed.


I think "statutory regulation" just means there has to be a law allowing it ("statute" meaning law). From reading their website the other day, I got the impression that the case they had in mind was certain laws about containing contagious diseases, which could override privacy laws.

Reading on Wikipedia, "Statutory orders" and "statutory instruments" seem to be particular ways of delegating law-making power from parliament. I don't think they are directly relevant here (since there has to be some enabling legislation)? But the section 251 thing already allows the Secretary of State for Health to disclose data, so if you are worried about ministers operating without parliamentary oversight, that is indeed possible....


"This would be straight up illegal in the US due to HIPAA, which guarantees a patient's right to privacy."

That is a blanket statement which is false. Some of what NHS is providing would be illegal in the U.S. Some of it is actually legal. I am mostly responding to the blanket statement.


You're assuming that NHS is selling it without the consent of patients. More likely this is for things like patients on drug trials etc. who sign a waiver to allow sharing of their health information. The UK takes confidentiality of public records pretty seriously and has done for years - I seriously doubt you can just pull any given person's health records without their agreement.



Clearly we have differing interpretations of that document. I don't think everyone can get the sec. 251 exemption, just for a start. It is certainly possible to de-anonymize individuals if you know enough details to get a correlation, but how many people do you know sufficiently well to work backwards through that process? If your goal is to sell more shampoo by working out who has dandruff, for example, the marginal cost of de-anonymizing your potential customers is likely to drastically exceed the marginal benefit of each additional sale. Fishing expeditions by Fleet street or private detectives targeted on a particular individual are likely to either raise red flags if too obvious or be wildly expensive if sufficiently stealthy (multiple pull requests followed by client-side correlation) - cheaper to go the traditional route of bribing the nanny or suchlike.

On the other hand, the increased risks of malicious de-anonymization (risk, not certainty) have to be weighed against the obvious benefit of having a portable health record and reducing duplication and administrative overhead if you are taken ill and have to visit a hospital or a doctor who's not your GP.


>On the other hand, the increased risks of malicious de-anonymization (risk, not certainty) have to be weighed against the obvious benefit of having a portable health record and reducing duplication and administrative overhead if you are taken ill and have to visit a hospital or a doctor who's not your GP.

That's not the system that's being discussed, though.


All other systems are pendant to that. If this data wasn't available in any way we'd have a story saying 'NHS won't release data, obstructing drug development which could save lives.'


I fully expected to read the details and see that the headline was some sort of hyperbole, as these things nearly always are. I'm still hoping someone will tell me this isn't real.

This seems downright evil. Disgusting. There is no justifiable reason for this data to be available in any sort of unanonymized form. Everything that is justifiable that can be achieved with it in anonymous form can be achieved with it anonymized.

The terrible part is that there is a good reason for a program like this. There are real reasons to collect and know this kind of data - it can make a huge difference to human health and well being. And that is why this is so bad. It's going to set back participation in any sort of electronic health record all around the world, if people see such a high profile program manifest as a privacy disaster.


>I fully expected to read the details and see that the headline was some sort of hyperbole

It really is, see the source page for more details:

http://www.hscic.gov.uk/dlesaac

The misunderstanding going on in the comments seems to be stemming from a failure to distinguish between personal identifiable data and personal confidential data.

The former: "This includes patient identifiable data, such as:

NHS number
Name
Address
Postcode
Date of Birth
Date of Death"

and the latter: "Personal confidential data also includes sensitive data which may include items such as:

Racial or ethnic origin
Political opinions
Religious or other similar beliefs
Physical or mental health condition
Sexual life
Criminal record"

The patient identifiable needs explicit permission from the patient in order to obtain, patient confidential needs a good legal reason + reviewed application.


The patient identifiable needs explicit permission from the patient in order to obtain - please could you link me to the official document that states this, specifically in the context of care.data?


A good explanation of the scheme, from Dr Neil Bhatia can be found at http://care-data.info/

It includes details of how to opt-out.


It's a long site so I'd just like to highlight the following:

"The data extracted - your Primary Care Dataset - will include the following:

- Your NHS number
- Your date of birth
- Your postcode
- Your gender and ethnicity
- Your medical diagnoses (including cancer and mental health) and any complications
- Your referrals to specialists
- Your prescriptions
- Your family history
- Your vaccinations and screening tests
- Your blood test results
- Your body mass index (height/weight)
- Your smoking/alcohol habits"

---

Go to that site. Opt out here http://optout.care-data.info/. It's really simple.


It is fairly simple to print off a form and send it in to your GP but I suspect the vast majority of people will see this as a hassle and never bother.

Considering recent government actions, I find it unsurprising that this is the only method - as far as I can find - to opt-out.

A simple form or email address would have been great. But we couldn't possibly have that for an online data service, oh no.


If you prefer, you can just write a letter to your surgery:

- State that you wish to opt-out of care.data

- Request that both the 9Nu0 and 9Nu4 codes are added to your GP records

- Remember to include full names and DOBs (and your address if you are happy to)


The conundrum I have is knowing this has been done.

I wrote a letter with all of this, took it to the GP surgery. The receptionist was bemused. There has been no acknowledgement. Can I tell if I've been opted out, without hassling the already-overworked reception staff?


Try talking to your practice manager - mine is very helpful and (s)he'll hopefully be much more clued up about this than the reception staff.


Write a letter and address it to the practice manager or the Caldicott Guardian. Ask for a response within 28 days to tell you what is happening.


Not only that, how do you know those codes are meaningful?


Crazy that one has to opt OUT of that, seeing as I'd bet only a minuscule fraction of the population would ever opt in...


Love how it is opt out. If it was opt in would they have any takers? If you set up auto-opt in systems where I live you would soon have the commerce commission, privacy commission or the police knocking on your door asking hard questions.


Wow. Having that already identified to the individual is pretty dumb. What is the excuse for this to even be like so in the first place?


thank you!!


I found this blog post from the NHS chief data officer useful to understand how they view patient data http://www.england.nhs.uk/2014/01/15/geraint-lewis/


Whoever gets their hands on this data should build a "20 Questions" game, to identify a person's NHS number. Knowing something of my neighbour's recent medical history, I'm pretty sure it'd take 10 questions or less.

Are there any restrictions on publishing the data? I can't find licensing terms.


Not exactly licensing terms but page 3 of the price list states that extracts subject to an annual fee will continue to be charged that fee until it is certified that all hard and soft copies of the data have been destroyed.

Other than that I'm guessing they will enforce some pretty draconian restrictions on publishing and sharing the data since doing so would undermine their ability to sell the data.


So the UK govt aren't even claiming that this data is public information, and charging a processing fee for it -- the govt is claiming that citizens' personal health information is owned by the government with privileges to restrictively license it to commercial customers!


I think the thing that's missing from much of the discussion is that all released information is subject to a very clear contractual agreement and for specific purposes. The agreements limit the ability to link supplied data with anything else. These contracts and use of data are subject to privacy group oversight, managed by the NHS.

The intended use is not that insurance companies can link your medical data against you and then charge you more (or any variant on that). Instead, the intended use is that companies with clear information controls can perform useful research more cheaply, and stop guessing at cause and effect. I personally support that intent, and am interested to see what comes out of it.

What's to stop the companies just doing whatever seems to get them the most money? In my opinion, it'd be the fact that failing to stick within the agreement would cause existential risk to the company. I think that courts, government, the NHS, and UK society at large would come down VERY heavily on any company contravening their contracts. Companies are going to spend significant effort ensuring their company doesn't disappear overnight in a storm of lawsuits with the directors in jail.

Companies wouldn't do this for the same reasons that Seagate doesn't sell the data off RMA'd hard drives on the open market.

I trust the relevant public bodies in the UK to protect my interests here. You may not, of course.


Let's be clear, the intention is for the UK Government to make money off your medical data.

If Seagate wanted to make money off your RMA'd hard drive and they thought the data on it would do the trick, you can bet it would be for sale on the open market.

If the law says that is illegal, Seagate does not have the option to change it. However, the Government can simply change the law to make whatever they want to do 'legal' and their problem is solved. That's essentially what they've done here.

Large 'healthcare' companies interested in this data are more than just health providers, they have multiple divisions with multiple competing and tangential aims and targets. Just because a piece of paper says it can only be used in one way, that is not going to stop the re-use (and leaking) of the data.

Remember the UK had bankers totally screwing the country and got rewarded with massive bail-outs - I don't recall any jail time for their bad behaviour [in the UK]; quite the reverse. Any social science student will be able to cite many examples of companies shielding individuals from the consequences of their bad behaviour - it's a whole subject area.

The UK government sets up QUANGOs specifically to shift liability and risk to prevent consequences; a Scottish care home where elderly people were burned to death escaped prosecution as the legal entity was simply shut down and dissolved prior to the court case starting [this did bring about legislation changes to close that avenue in Scotland http://www.bbc.co.uk/news/uk-scotland-17740645]. There are dozens of ways to get away with abusing the data and walk away free - if you're going to make a lot of money, you can afford good lawyers to help you prepare well ahead.

Why would it be different for your health data ?


Sorry, but I don't agree with the premise and the first line of your comment. Much of the rest I do agree with.

The NHS (not "the government" - which is an emotionally charged noun in this sort of circumstance) is selling the data. They are in financial difficulty, yes, but they are also responsible for broad social-health in the UK.

The NHS is in an almost unique position world-wide, in that they have access to high quality data that can dramatically improve health at an international level. They aren't, however, a research group. Companies just do research better than government departments, and finding a balanced way to improve access to the data and improve social health is critical to the NHS's future as the population ages.

This is why they are selling health data, imho.

I think there's a balance to be struck. The global and NHS specific improvements in health need to be balanced against individual privacy.

Unfortunately, the only way to do this is through "pieces of paper" (again, an emotive term).

It's also worth mentioning that many of these pieces of paper have already been in place for years, where they have been sharing hospital data. So to some degree this extends an existing structure that is already working. It's just more emotive to many people since it involves a centralised location, and their local GPs.

I'd rather have a centralised location with oversight fighting down a multinational, than my local GP trying to manage legal contracts with them.

It's difficult to respond to your specific examples. Some are completely valid. Some are (imho) not. "Mistakes were made" and mistakes will be made in the future.

It's complicated, and it's a balancing act. Personally, I think it's the right balance.


"I think that courts, government, the NHS, and UK society at large would come down VERY heavily on any company contravening their contracts."

Supposing a leak happened. What makes you think you'll be able to tie it down to a single company? The data could be leaked anonymously, and the risk of such a leak becomes higher the longer this care.data scheme carries on for.


Because the same data set isn't being given to loads of different companies, it is a unique process. The whole concept is you apply for specific data for a reason, get vetted and then receive the data. At the scale we are talking about here the differences between both fields and individual records is going to be so great as to identify almost any leak.


You apply for specific data for a reason, but the whole point of releasing the data in the first place is to do statistical analysis on it, and to do any statistical analysis worth talking about you're going to need large data sets, that are bound to overlap with other data requests.

Let's think of a hypothetical situation. Companies that develop drugs to help people deal with mental illness are likely to want to research what mental illnesses are most prevalent so they know where the greatest ROI for R&D is going to be. To do this they're going to be exploring the data set, pulling patient data for people with mental illnesses of various kinds. However, there isn't just one company developing such drugs, and what seems like a good use of the data to one company is likely to seem like a good idea to another. Now imagine there's a leak of every bipolar person in the UK. Who would have access to such data? There's likely to be multiple interested parties.
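An added example, not from the thread and not describing anything the HSCIC is known to do: it puts the two positions above (extracts are distinct enough to trace a leak, versus overlapping cohort requests make the source ambiguous) into code, using a constructed population of pseudonymised records and three constructed recipients. The second half shows the standard mitigation a publisher would reach for, seeding each extract with recipient-specific synthetic records, and the caveat that a leaker who strips those records defeats it. The secret key, recipient names and record contents are all made up.

```python
"""
Tracing a leaked extract back to its recipient.

Added example with constructed data. Two publisher-side strategies:
  1. rely on each recipient's extract being a distinct subset (the claim
     that the differences between extracts identify any leak);
  2. seed each extract with recipient-specific synthetic records (canaries).
"""
import hashlib
import hmac

# Constructed population: pseudonym -> record.
POPULATION = {
    "p01": {"dx": "bipolar"}, "p02": {"dx": "bipolar"}, "p03": {"dx": "bipolar"},
    "p04": {"dx": "diabetes"}, "p05": {"dx": "diabetes"},
    "p06": {"dx": "asthma"},
}

# Constructed requests; two companies ask for the same cohort.
REQUESTS = {
    "pharma_a": "bipolar",
    "pharma_b": "bipolar",
    "insurer_c": "diabetes",
}


def extract_for(dx):
    """Strategy 1: the extract is simply the cohort the recipient asked for."""
    return {pid: dict(rec) for pid, rec in POPULATION.items() if rec["dx"] == dx}


def candidate_sources(leaked_pids, extracts):
    """Recipients whose extract contains every leaked record.
    Ambiguous whenever two recipients' cohorts overlap."""
    return sorted(name for name, ext in extracts.items() if set(leaked_pids) <= set(ext))


def canary_ids(recipient, secret, n=2):
    """Strategy 2: recipient-specific pseudonyms derived with an HMAC, so the
    publisher can recompute them later without storing a lookup table."""
    return {
        hmac.new(secret, f"{recipient}:{i}".encode(), hashlib.sha256).hexdigest()[:8]
        for i in range(n)
    }


def fingerprinted_extract(recipient, dx, secret):
    """Cohort plus a few synthetic records that only this recipient receives."""
    ext = extract_for(dx)
    for cid in canary_ids(recipient, secret):
        ext[cid] = {"dx": dx, "synthetic": True}  # looks like any other cohort member
    return ext


def attribute_by_canary(leaked_pids, recipients, secret):
    """Recipients whose canaries appear in the leaked set."""
    return sorted(r for r in recipients if canary_ids(r, secret) & set(leaked_pids))


SECRET = b"constructed-demo-key"  # hypothetical publisher-held secret

PLAIN = {name: extract_for(dx) for name, dx in REQUESTS.items()}
FINGERPRINTED = {name: fingerprinted_extract(name, dx, SECRET) for name, dx in REQUESTS.items()}

if __name__ == "__main__":
    leaked = set(PLAIN["pharma_b"])
    print("plain extract leaked, suspects:", candidate_sources(leaked, PLAIN))
    leaked = set(FINGERPRINTED["pharma_b"])
    print("fingerprinted extract leaked, suspects:", attribute_by_canary(leaked, REQUESTS, SECRET))
    stripped = {pid for pid in leaked if pid in POPULATION}
    print("canaries stripped, suspects:", attribute_by_canary(stripped, REQUESTS, SECRET))
```

With the plain extracts, a leak of every bipolar record points at both pharma companies at once; with canaries it points at exactly one, but only as long as the leaked copy still carries the synthetic records, which is why canaries are a deterrent rather than a control.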


Opportunity here for the motivated - the prices seem high, so arbitrage the price by reselling the data at lower prices to multiple buyers.

Bonus: you could set up a system where a person's data gets cheaper as more people query it!

(Not for me thanks.)


What would be interesting would be to write up this 'opt out' procedure, slightly disguised, as part of a research proposal and submit it to the UK ethics committees. I'd be shocked if they don't all reject it. Any UK academics - with enough tenure that it won't bork their career - up for that?


I await the shit storm when a public figure's medical records are mined by the media divulging something controversial.


People with rare diseases, especially multiples, must be reasonably easy to deanonymise. Also joining the data with newspaper reports of crimes (perhaps only ones that are pertinent are mentioned, eg harassment of hospital staff) or hospitalisations would seem likely to deanonymise quite a few records.


Post code. Date of Birth. Gender.

What more do you need?



Hmm. Interesting. I remember when I recently registered with a new doctor, I was asked directly if I wanted to opt out from my medical information collected by my GP being digitally accessible by hospitals, etc. I'll have to admit: I chose not to opt out. Thinking "it's about time they join us in the digital age!" Plus, from the perspective of my health, this seemed like a positive move overall.

Of course now that I read a bit more into it, I am less sure. But I do find the above link a little fear-mongery.

Incidentally, this document has some interesting insight into the position of the hscic. http://www.hscic.gov.uk/media/12931/Privacy-Impact-Assessmen.... I am a little tickled by this statement about preventing the data falling into the wrong hands: "The Government itself could be considered a pair of 'wrong hands' with questions raised over whether it would have access and therefore would be able to misuse or exploit the data".

Not sure how they're mitigating against that risk...


Let's say I believe that this data truly is anonymised (read: cannot be traced back to an individual in any way). I still have a problem that MY data is being sold by SOMEONE ELSE. The opt-out nature of this process stinks. It feels as though it's someone else's data by default unless I kick up a fuss.


You can choose to have your information not included, it's an opt out system.

Form is here:

http://www.connectingforhealth.nhs.uk/systemsandservices/scr...


That's an opt out for the summary care record which is a different centralised system. We're talking about care.data here.


You are spreading misinformation, almost definitely not on purpose.

Read about the correct opt-out form here: http://optout.care-data.info/


And of course you're included automatically, but opting out is the most painful way to do it.

And not to mention that you need to know about it in the first place.


Would this enable the private industry to create services and analyses based off this cheaply available data?

Yes, it seems heinous at first, but are there legitimate, palatable Big Data opportunities here, assuming the data is properly anonymized?


Did you look at the price list ?

Standard extract – no personal confidential data £9,565

Alternatively for just under £1,000 more :

Standard extract – containing personal confidential data £10,453

They're specifically enticing people to purchase the confidential data version since it is only 10% extra to get all the juicy information.

Trouble connecting people to their parents, siblings, children, (ex)partners ? Simple, they'll even do that for you - look at Patient Tracking, Cohort Event Notification (!) etc.

The value of this data to marketers (e.g. health insurance, private hospitals - which do exist in the UK, etc.) makes the price list charges trivial and insignificant; they can just slurp up everything they can and start targeting people. Want someone to try and sell you cancer insurance 2 weeks after your mother dies of breast cancer? Cohort event notification report makes this simple.

Remember the toothpaste does not go back into the tube - once the data is sold, it's basically wild and free for all sorts of use and abuse. You have absolutely no guarantee it will only be used by benign 'good actors'.

edit:spelling


They're charging a nominal additional fee for the additional paperwork involved in ensuring the necessary approvals have been met. You can see the types of organizations that get their "personally identifiable" data requests approved by a separate body here: http://www.hra.nhs.uk/about-the-hra/our-committees/section-2...

A quick glance at some of the approvals suggests that yes, the information is very personally-identifying indeed but the cohorts are pretty small and not obviously commercially valuable, and the types of organisations getting the data sound no more likely to resell it than my GP (and even less likely to make a profit on it). And my GP and his admin staff and various other NHS employees have had access to it for some years now.


You can't just buy what you want from them without a legitimate legal basis.

http://www.hscic.gov.uk/dlesaac


Right, you "can't". Just like developers on Facebook's Graph API "can't" use social graph data for unapproved purposes. Because they signed an agreement.

Contracts are not the same as controls.


It is exceptionally difficult, if not impossible, to properly anonymize this kind of data, and this particular dataset is absolutely not anonymized.


Heh, mostly off topic: I just bought the book "Anonymizing Health Data"[0]. No significance to the article, just amused at the timing. Looks like this is going to be a problem domain moving forward with my career.

[0] http://shop.oreilly.com/product/0636920029229.do


[deleted]


there isn't even an attempt at anonymizing the data.


Yes, there are big data opportunities, and yes, they're already being done! Companies do (regularly) get contracted to provide analysis of the data; however, they have to stay within a strict set of data protection rules, and are highly accountable.


Properly anonymised down to ~25 houses and with a date of birth? Yeah.
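An added example (not from the thread) making concrete the point raised above and in the earlier "Post code. Date of Birth. Gender." comment: a record with the name and NHS number removed but those three fields left at full precision is usually unique, so anyone holding the same three facts from an outside source (electoral roll, a news story, a social network profile) can read the diagnosis straight off. The records, postcodes and dates below are all constructed; the functions are the usual k-anonymity bookkeeping, plus the attacker's linkage step and one coarsening step to show what it takes to get k above 1.

```python
"""
Re-identification of a 'pseudonymised' health extract via quasi-identifiers.

Added example; every record below is constructed and every value is made up.
"""
from collections import Counter

# Quasi-identifiers: the fields the thread points at.
QI = ("postcode", "dob", "sex")

# Constructed extract: the NHS number/name has been replaced by a pseudonym,
# but the quasi-identifiers are still at full precision.
EXTRACT = [
    {"pid": "a1", "postcode": "BS1 4DJ", "dob": "1979-03-12", "sex": "M", "dx": "bipolar"},
    {"pid": "b2", "postcode": "BS1 4DL", "dob": "1979-11-02", "sex": "M", "dx": "asthma"},
    {"pid": "c3", "postcode": "BS1 4DJ", "dob": "1985-06-30", "sex": "F", "dx": "asthma"},
    {"pid": "d4", "postcode": "BS1 4DL", "dob": "1985-01-15", "sex": "F", "dx": "diabetes"},
    {"pid": "e5", "postcode": "BS1 4DJ", "dob": "1981-02-02", "sex": "M", "dx": "diabetes"},
    {"pid": "f6", "postcode": "BS1 4DJ", "dob": "1981-09-09", "sex": "M", "dx": "asthma"},
]


def quasi_key(rec, qi=QI):
    return tuple(rec[f] for f in qi)


def equivalence_classes(records, qi=QI):
    """How many records share each combination of quasi-identifier values."""
    return Counter(quasi_key(r, qi) for r in records)


def k_anonymity(records, qi=QI):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one person is unique, i.e. linkable with one outside record."""
    return min(equivalence_classes(records, qi).values())


def unique_pids(records, qi=QI):
    """Pseudonyms whose quasi-identifiers match nobody else in the extract."""
    classes = equivalence_classes(records, qi)
    return [r["pid"] for r in records if classes[quasi_key(r, qi)] == 1]


def link(records, known, qi=QI):
    """Attacker side: 'known' is what an outsider already has about a target.
    Returns the matching records, diagnosis included."""
    target = tuple(known[f] for f in qi)
    return [r for r in records if quasi_key(r, qi) == target]


def generalise(rec):
    """One mitigation: coarsen postcode to its outward code and DOB to year of birth."""
    g = dict(rec)
    g["postcode"] = rec["postcode"].split()[0]
    g["dob"] = rec["dob"][:4]
    return g


if __name__ == "__main__":
    print("k at full precision:", k_anonymity(EXTRACT))
    print("unique pids:", unique_pids(EXTRACT))
    target = {"postcode": "BS1 4DJ", "dob": "1979-03-12", "sex": "M"}
    print("linked diagnoses:", [r["dx"] for r in link(EXTRACT, target)])
    coarse = [generalise(r) for r in EXTRACT]
    print("k after generalisation:", k_anonymity(coarse))
    print("candidates after generalisation:", [r["dx"] for r in link(coarse, generalise(target))])
```

At full precision every one of the six constructed records is unique, and knowing one person's postcode, date of birth and sex returns their diagnosis directly; after coarsening to outward code and year of birth the same query returns two candidates. In a real extract with millions of rows and finer fields (ethnicity, BMI, prescriptions) the coarsening needed to get a useful k is much more aggressive than this, which is the tension the thread is circling.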


perhaps.

the data is not anonymized.


Does anyone know if this is England-only, or if it affects Wales/Scotland/Northern Ireland too? How does the opt out work if you've been in multiple areas/GPs/etc.?


It's [NHS] England only (currently).


I live in Bristol. I wonder how quickly I can move to Cardiff?


Well in Cardiff you'll be opted in to organ donation automatically of course.


You say this is a bad thing?


I think government assuming ownership of [parts of] persons is a bad thing, yes.

IMO it makes logical sense to either not assume ownership of anything a person had in life, including their body, and allow their family/executors to look after the remains of their person, effects and assets [the status quo]. Or you should say that ownership is void on dying and all assets, including one's body, should pass to the state.

It would make far more difference for the state to assume ownership of the things a person had, houses, bank accounts, than it will make to only assume state ownership of a person's body post mortem.

There doesn't appear to be a consistent argument to compel one to take this middle ground.


At least here in Germany, we had some scandals around organ transplantation. It's big business. And there is a difference between recovery treatment and organ preservation treatment. The emergency team could be under economic pressure when doing a triage.


I just threw up in my mouth a little.

Then I started thinking about how to make a dating service using this data--find all eligible males with your blood type in a given area!


Oh don't worry, you can "opt out"


Will data be made available outside the NHS?* (PDF) [england.nhs.uk] http://goo.gl/CxqFVa

* FAQ 39.


You have to email them instead of querying an API?


So happy I live in Scotland...


Once you're part of Scandinavia all your problems will be gone. http://m.bbc.co.uk/news/magazine-16050269


£300 for a DVD copy? ...Huh?


2 words: thumb drive.

