A recent article in the Guardian describes plans for the UK National Health Service to begin centralizing all of its patient data and making that information available to third parties, including pharmaceutical and insurance companies. Under the scheme, these third parties would apply to a proposed Health and Social Care Information Centre for access to the data. Successful applicants will have access to “pseudonymized” health records, but also to metadata including date of birth, postcode, ethnicity, and gender.
In other words, the data will effectively not be anonymous at all, since the metadata makes it far easier to infer identity. Quoting from a Forbes article on genomic reidentification:
Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three key pieces of information she needs to identify anonymous people combined with information from voter rolls or other public records. Of these, Sweeney succeeded in naming 241, or 42% of the total. The Personal Genome Project confirmed that 97% of the names matched those in its database if nicknames and first name variations were included. She describes her findings here.
Supporters of this new system in the UK argue — I think correctly — that better access to data has the potential to improve the health care of everyone in the country. In order to promote this data sharing scheme, the NHS will send a pamphlet entitled Better Information Means Better Care to all households in the country this month. The pamphlet claims that the data will be used to:
- find more effective ways of preventing, treating and managing illnesses
- make sure that any changes or improvements to services reflect the needs of local patients
- understand who is most at risk of particular diseases and conditions, so those who plan care can provide preventative services
- improve your understanding of the outcomes of care, giving you greater confidence in health and social care services
- guide decisions about how to manage NHS resources so that they can best support the treatment and care of all patients
- identify who could be at risk of a condition or would benefit from a particular treatment
- make sure that NHS organisations receive the correct payments for the services they provide.
While it’s hard to argue with these potential benefits, I believe that there are a few clear problems with the data sharing scheme as it has been proposed.
- Default opt-in — everyone in the country is enrolled by default, and can only opt out by asking their doctors to “make a special note” about sharing in their medical record. You must apparently ask the doctor to separately note your choices both within his practice and with other medical facilities (e.g. hospitals) within the NHS. The intention seems to be making opting out cumbersome, presumably to increase enrollment. It must also be done in a place where the patient can be influenced to remain enrolled. Still, things are not as bad as they might be — the government backed down from its original plan that would have made sharing compulsory.
- Lack of policy control — as a patient, your only policy setting is whether you agree to share your NHS data or not. You have no ability, for example, to allow sharing with academic and public research institutions but exclude commercial entities. That decision is being made for you by the government. This quotation, from The Independent, is typical:
NHS England’s chief data officer Geraint Lewis said he had “no ideological problem” with private firms using the data, so long as they did so responsibly. “The test should be about how it’s going to benefit patient care, rather than making any sweeping ideological statement that we’re not going to allow private companies to access the data.”
- Inability to audit — not only can you not control how and when your data are being used, you also have no ability to audit the use of those data and to know which institutions and companies have access to your data to begin with. A bare minimum requirement for a system of this nature should be a robust system of accounting so that when the privacy breaches happen — and they will happen — we can at least identify the source of the problem.
- Ease of reidentification — as argued above, the metadata associated with the shared NHS records provides ample means for reidentification when combined with other sources of information.
- Concentration of security risks — making the entire nation’s health data available in one logically centralized system could lead to additional risks. From an article in The Daily Mail:
Professor Ross Anderson, professor of security engineering at the University of Cambridge computer laboratory and the leading British expert in the field, says the system could lead to a catastrophe. “Imagine a doctor or professor leaving a laptop on a plane that includes the entire nation’s health records,” said Anderson. “It’s not impossible.”
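The reidentification point above (and the Sweeney figures quoted from Forbes) can be checked directly on a release: count how many pseudonymized records are unique on (postcode, date of birth, gender), and see how much coarsening those fields helps. This is an added example, not code from the original post or from the NHS scheme; the records, postcodes and the three generalization levels are constructed for illustration.

```python
import re
from collections import Counter

# Constructed "pseudonymized" records: the name is replaced by a pseudonym, but the
# metadata the scheme would release (postcode, date of birth, gender) stays attached.
RECORDS = [
    ("p01", "SW1A 1AA", "1961-04-12", "F", "asthma"),
    ("p02", "SW1A 1AA", "1961-04-12", "F", "diabetes"),
    ("p03", "SW1A 2BB", "1975-09-30", "M", "hypertension"),
    ("p04", "SW1A 2BB", "1975-02-03", "M", "asthma"),
    ("p05", "SW1A 9ZZ", "1988-11-21", "F", "migraine"),
    ("p06", "CB2 1TN", "1990-01-15", "M", "asthma"),
    ("p07", "CB2 1TN", "1990-01-15", "M", "eczema"),
    ("p08", "CB2 1TN", "1990-01-15", "M", "eczema"),
    ("p09", "CB2 3QQ", "1952-07-07", "F", "arthritis"),
    ("p10", "CB2 3QQ", "1959-12-01", "F", "arthritis"),
]


def quasi_identifier(record, level=0):
    """Key a record by its quasi-identifiers at a chosen generalization level.
    level 0: full postcode + exact date of birth (what the scheme would release)
    level 1: outward postcode + birth year
    level 2: postcode area letters + birth decade
    """
    _, postcode, dob, gender, _ = record
    if level == 0:
        return (postcode, dob, gender)
    if level == 1:
        return (postcode.split()[0], dob[:4], gender)
    return (re.match(r"[A-Z]+", postcode).group(), dob[:3] + "0s", gender)


def k_anonymity_report(records, level=0):
    """Equivalence-class size (k) per record. A class of size 1 means the record is
    unique in the release, so any outside source carrying the same three fields
    (a voter roll, say) links it to a name with no further work."""
    counts = Counter(quasi_identifier(r, level) for r in records)
    sizes = {r[0]: counts[quasi_identifier(r, level)] for r in records}
    unique = sorted(p for p, k in sizes.items() if k == 1)
    return {"k_min": min(sizes.values()),
            "unique_fraction": len(unique) / len(records),
            "unique": unique}


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, k_anonymity_report(RECORDS, level))
```

On this constructed sample half the records are unique on the exact fields, and three remain unique even after dropping the inward postcode and day and month of birth, which is why a release policy has to check k for every class rather than rely on the pseudonym.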
The United Kingdom, like all countries, must strive for a balance between public welfare and individual privacy rights. The government is absolutely right when it claims that more data are needed for research to benefit British citizens. I believe that most people recognize this. I believe that most people would be happy to contribute their data voluntarily — if they were guaranteed a measure of control and some basic privacy safeguards. An approach that puts privacy rights in the hands of patients would be far less controversial, and in the long run, far more likely to succeed.