
Only 13% of UK adults trust big tech firms with handling anonymized NHS data - beastibash
https://techerati.com/news-hub/only-13-of-uk-adults-trust-tech-firms-with-anonymized-nhs-data/
======
ShorsHammer
Australian authorities released "anonymised" data into the public domain for
research. It didn't take long for the ever-amazing Dr. Vanessa Teague et al.
to deanonymise it.

https://www.abc.net.au/news/science/2017-12-18/anonymous-medicare-data-can-identify-patients-researchers-say/9267684

~~~
marcinzm
To be more specific she de-anonymised 7 individuals in the data set and
claimed she could do more (if you used someone's semi-personal information).

The risk with good de-identification is generally not that they can find
everyone but that given enough knowledge they can find one individual. Or in
other words, that your friend finds you in the data set with enough effort.
It's also why you're supposed to remove famous people from such data sets.

~~~
luckylion
> It's also why you're supposed to remove famous people from such data sets.

Because they deserve special protection the mere mortals don't?

~~~
roscorollo
Because the average "famous" individual has far more personally identifiable
data out for public digest than you or I. It's not about special treatment,
just understanding the realities.

~~~
luckylion
Sure, but the publicly available data is huge for lots of people. I don't see
why you'd make an exemption for celebrities. If you can deanonymize people in
sensitive data sets, don't release them. Saying "we'll protect the VIPs, the
rest can go deal with the fallout of their employers looking at their personal
health issues" isn't an option to me.

------
johnnycab
There has been a very poor record of NHS and IT, at least for the last two
decades, i.e. the previous Labour government wasted £10bn+ and failed to
provide any solutions. In the process, they alienated a range of medical
professionals by creating a culture of mistrust towards the digital
strategy[1]. In 2016, the 'WannaCry' ransomware attack exposed the gaping
holes in the system[2]. The current trend of rushing to give access to parts
of the silo/NHS Spine to other providers like Babylon Health et al., without
due consideration or a debate, is another can of worms best left unopened.[3]

In the absence of any robust measures to safeguard data, it is right for the
patients to be diligent and have a high degree of control over who gets access
to their health data and opt-out while they _still_ have a choice, as no
explicit promises are provided by the NHS to keep your data confidential: _use
anonymised data whenever possible_ [4]

[1] https://www.theguardian.com/society/2013/sep/18/nhs-records-system-10bn

[2] https://www.bbc.co.uk/news/technology-41753022

[3] https://www.wired.co.uk/article/babylon-health-nhs

[4] https://www.nhs.uk/your-nhs-data-matters/where-confidential-patient-information-is-used/

~~~
cs02rm0
I was a software dev working in the NHS at the time of the National Programme
for IT. They couldn't decide how they wanted authorisation to work, whether it
was role based or whatever else.

We put a config flag in to switch between the two models they were going back
and forth between and just twiddled it every week for months. There was some
set charge every time they did it. They had the opposite problem with anything
that actually mattered where they couldn't make a decision at all. Some of
that software is still running in hospitals 10+ years later with apparently
little change since the NPfIT died.

I moved out of the healthcare domain shortly after that. A few years ago I
tried to sell some software for next to nothing to the NHS for a team my wife
worked for. A simple webapp backed by a DB instead of spreadsheets on a shared
drive. They took the idea and gave it to an in-house employee who was running
it as a side project (charging more for it than I was) and never finished
building it.

Speaking to someone in charge of innovation for a large part of the country
recently, he said he couldn't even take some software I'd offered for a free
trial. As he saw it the system was so broken he was warning everyone off. And
his job was innovation.

The NHS is ripe for improvement. I suspect its management haven't got a clue
what they're doing though and fear the lure of big tech firms will be the only
thing they can't resist.

~~~
TazeTSchnitzel
Now living in Sweden which has what seem like very sophisticated e-health
systems by comparison (at least on the user-facing side), I wonder why the UK
couldn't have purchased and adapted an existing system that worked elsewhere.

~~~
benmaraschino
Denmark's healthcare system tried to implement Epic nationally, and if this
article is anything to go by, it didn't go so well:
https://www.politico.com/story/2019/06/06/epic-denmark-health-1510223

Essentially, different healthcare systems have different needs which are
reflected in how their electronic health record systems are architected. For
example, EHRs in the US are optimized for billing, and if you're moving a
US-centric EHR, like Epic, to a country like Denmark with universal healthcare,
all that functionality becomes superfluous. Not to mention the language
differences, as well, which are touched upon in the article. It's possible
that similar concerns played into the NHS's decision to build their own
system. Some NHS trusts are moving forward with their own Epic
implementations, however. For example:
https://www.digitalhealth.net/2018/06/royal-devon-exeter-nhs-foundation-trust-gets-epic/

------
amelius
Survey:

Q: Do you trust big tech with your data?

A: No, of course not!

Real world:

Q: If you trust us with your data, you will get access to X, and you will get
a discount on Y and free Z. Will you trust us?

A: Yes, sign me up!

~~~
danw1979
Q: If you trust us with the very personal data about your health and medical
conditions you'll get free healthcare!

A: It's already free (at the point of use). Thanks anyway.

------
delroth
Anyone got a link to the actual poll and/or the precise questions that were
asked? As far as I can tell the original source for this article is a press
release from a UK digital healthcare company [1]. There is a fairly obvious
conflict of interest there, since big tech firms here means "our competition".
It could very well be leading questions, results cherry-picking, etc.

[1] https://www.sensynehealth.com/insights/yougov-survey-shows-uk-public-strongly-support-the-analysis-of-anonymised-nhs-patient-data

Disclaimer: I work at Google, not on anything related to health or AI or ML.

------
marcinzm
If you're in the US then the tech giants can already easily get your de-
identified billing data. Billing data would contain what was done, by whom,
when (probably only at a year level), where and why. It costs money but a drop
in the bucket for them.

So the question is, I feel, given that this has already been done, has this
caused real-life problems for anyone? Known re-identification would be a HIPAA
violation, I believe, so more likely to be reported.

------
ksaj
A few years back I did a penetration test for a hospital, in which a mainframe
was in scope (I have some mainframe training from Y2K / tech bubble era, so I
almost know what I'm doing in that camp). Because medical students were also
working on that mainframe, ample anonymized records were lying around for
their studies.

All things said, in my final report were several examples of said anonymized
records paired with the actual patient real-life info, obscured only enough
that they could verify the result without my report contributing to the
problem.

What stood out was how vocal and even cynical they were when I brought up what
I had found initially. That is, until I finished the testing and report,
complete with a batch script that would automate what I had done manually.

So, I commend these UK adults for recognizing the risks. Everything might be
safe as described, but a policy of transparency might help alleviate the trust
issue. Allow the public, or at least an expert not connected to the success of
the system to know exactly what information is in the records being shared,
because sometimes 2 or more disparate data sets can be combined to tell a much
bigger story.
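
An added example (not part of the thread or of any commenter's work): a pre-release check for the risk marcinzm and ksaj describe above, where a few ordinary facts about a person narrow a "de-identified" data set to a single row. The rows, column names and choice of quasi-identifiers are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows (not real data). Column names are assumptions.
RELEASE = [
    {"birth_year": 1984, "postcode": "LS6", "sex": "F", "dx": "asthma"},
    {"birth_year": 1986, "postcode": "LS2", "sex": "F", "dx": "diabetes"},
    {"birth_year": 1981, "postcode": "LS11", "sex": "F", "dx": "migraine"},
    {"birth_year": 1972, "postcode": "LS6", "sex": "M", "dx": "hypertension"},
    {"birth_year": 1972, "postcode": "LS6", "sex": "M", "dx": "asthma"},
    {"birth_year": 1979, "postcode": "LS1", "sex": "M", "dx": "fracture"},
    {"birth_year": 1948, "postcode": "YO1", "sex": "M", "dx": "cardiac"},
]
# Fields an acquaintance or a second data set could plausibly supply.
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")


def _key(row, quasi_ids):
    return tuple(row[q] for q in quasi_ids)


def class_sizes(rows, quasi_ids):
    """Number of rows sharing each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids):
    """Smallest class size: knowing the quasi-identifiers narrows to k rows."""
    return min(class_sizes(rows, quasi_ids).values(), default=0)


def rows_below_k(rows, quasi_ids, k):
    """Rows whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = class_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[_key(r, quasi_ids)] < k]


def generalise(rows):
    """Coarsen quasi-identifiers: birth decade, postcode letters only."""
    return [{**r, "birth_year": r["birth_year"] // 10 * 10,
             "postcode": r["postcode"].rstrip("0123456789")} for r in rows]


def suppress(rows, quasi_ids, k):
    """Drop rows still in a class smaller than k (outliers stay unique)."""
    sizes = class_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[_key(r, quasi_ids)] >= k]
```

The check only counts the columns listed in `QUASI_IDENTIFIERS`; anything left out of that list that an outsider could know about a person is not measured.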

------
darkpuma
The big question is how did 13% of the British public become so naive?

------
tempguy9999
Results like this always make me wonder what the minority think, how they
justify it.

My guess is "I don't care" but it may be more nuanced than that, or something
entirely else. I'd like to know if anyone can comment.

~~~
pessimizer
Just wait a few minutes. On HN I bet the number is closer to 60/40 in favor.

As for the 13%, my guess is that they think "Important people say that it will
help us to apply computers to NHS data, so they should have at it and advance
civilization. Even better that it will be based on UK data, because they might
pay us directly _and_ they might be able to find current NHS inefficiencies,
which may counter the austerity cuts that lengthened wait times and made our
cancer statistics worse than US statistics. Finally, the UK will be thought of
as the leading edge of this tech advance, and that might bring investments,
employment, and tax receipts."

There could also be the realistic/fatalistic perspective that public opinion
has little or no effect on government decision-making so you might as well
think positively about it, because it's happening whenever they can sneak it
through.

~~~
bogle
Older family members of mine, who are conservative, have this knee-jerk
response that it's valuable but there's no downside. As they lack critical
thinking skills when they are challenged to suggest the value of this data to
bad actors they will brush it off with an, "I can't think of any." Then if
pushed they will really not be able to think of the possible consequences.

They all have the vote. They believe what they are told by people like them.
They're uneducatable. I think they may be more than 13%!

------
tomtompl
I actually think 13% is a ridiculously high number for this.

------
blauditore
This stance seems a bit silly to be honest. In my experience, smaller
companies have much less structure in how they handle data access internally,
as well as for security in general. Thus privacy seems actually better
protected through control mechanisms there, perhaps a bit counter-intuitively
though. Of course it depends a lot on the particular company.

------
ollie87
As high as 13%? Wow, I thought it would be much, much lower.

------
fmajid
13% of UK adults have reading comprehension problems.

FTFY.

------
buboard
This data point is not useful or usable. People should of course not trust
anyone with their data, not even the NHS. The question is what tradeoffs they
are willing to take considering the possible benefits for science and
medicine. That's where researchers, universities and the industry could open
a debate and inform the public about how to proceed in the future.

~~~
afarrell
> People should of course not trust anyone with their data, not even the NHS

How do you even use the NHS without trusting them with your medical data?

~~~
luckylion
Trust != lack of alternative.

~~~
arethuza
What do you mean by "lack of alternative" - alternative healthcare providers
or alternative places for the NHS to store your data?

~~~
luckylion
The NHS. Sure, you can pay privately, but that's way more expensive from what
I understand.

If you need medical services, you have to give them some data. If there were
similarly priced alternatives, trust would be a factor in the decision where
to go. If there's only one, it's not - unless you count not seeking medical
attention as an alternative.

~~~
arethuza
Well, the NHS is literally "free at the point of delivery" so of course
private sector healthcare is more expensive - although it is fairly common for
employers to provide private health coverage.

What I would be worried about is how on earth anyone could actually evaluate
the actual privacy of multiple competing suppliers - of course they will all
claim that privacy is important.

And what about emergencies - where even if you have private healthcare you
will be taken to an NHS hospital.

~~~
DanBC
The CQC regulate this in their "Well Led" domain.
https://www.cqc.org.uk/what-we-do/how-we-do-our-job/five-key-questions-we-ask

NHS Improvement (now NHS England and NHS Improvement until they get a new
name) provide support around information governance:
https://www.england.nhs.uk/ig/

NHS Digital provide support about data security and governance:
https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance

Every health organisation has to have a Caldicott Guardian - this is a senior
manager with responsibility for keeping data confidential:
https://www.gov.uk/government/groups/uk-caldicott-guardian-council

All trusts should have non-executive directors, and part of their role is to
hold the trust to account around information governance. In a Foundation Trust
the NEDs will be jointly and corporately responsible for those decisions.

NHS Staff who want to become leaders can get leadership training with the NHS
Leadership academy. That will include information governance as part of an NHS
board. https://www.leadershipacademy.nhs.uk/wp-content/uploads/2012/11/NHSLeadership-TheHealthyNHSBoard.pdf

The Professional Standards Organisation's "standards for members of NHS boards
and clinical commissioning group governing bodies in England" mentions
confidentiality, albeit only briefly:
https://www.professionalstandards.org.uk/docs/default-source/publications/standards/standards-for-members-of-nhs-boards-and-ccgs-2013.pdf?sfvrsn=2

> Respecting patients’ rights to consent, privacy and confidentiality, and
> access to information, while enabling the legitimate sharing of information
> between care teams and professionals for the purposes of a patient’s direct
> care

