I'm not worried, there's absolutely no way anyone could identify you with only your NHS number, your date of birth, your postcode, your gender and ethnicity, your medical diagnoses (including cancer and mental health) and any complications, your referrals to specialists, your prescriptions, your family history, your vaccinations and screening tests, your blood test results, your body mass index (height/weight) and your smoking/alcohol habits....
I think there is confusion amongst some commenters here. This comes from reading a large amount of literature from the relevant pages on the NHS / Health and Social Care Information Centre (HSCIC). The HSCIC are basically a repository in Leeds, where all this information will be stored.
Your GP records are going to the HSCIC as pseudoanonymised information, which as has been said does indeed include your NHS number, date of birth and postcode. The HSCIC will then build up a database of this information. They can indeed pass on certain of this information to certain external interested parties, although when they do this the data becomes truly anonymised as opposed to pseudoanonymised. You can read about this in the NHS published guidelines (although not in the rather patronising leaflet), as well as from the documentation of the HSCIC and the government itself.
To quote the HSCIC:
we take out details that could identify you before we make any information available
At the NHS:
there are no personal details such as your date of birth and postcode included... We would never publish this type information because there is a risk that you might be identified.
The HSCIC can only release identifiable information when (1) you specifically ask them to, or (2) hypothetically, when there is a national emergency such as a highly virulent pandemic. This would require a legal process.
Regulation 5b allows the Secretary of State for Health to disclose confidential patient information for any medical purpose. No need for a national emergency.
Bespoke extract – containing personal confidential data
Annual Service Charge: £300
Per data set per year £262
Per additional year (per data set) £64
Either that's an incredibly bad title for that particular service, or they're selling data containing 'personal confidential data'. I'd like to know a little bit more about what that actually is.
I would just like to point out that even if they "anonymize" the records it's generally not that hard to de-anonymize data.
During the Netflix prize, randomly generated IDs were eventually matched to people based simply on movie ratings and matching public information in other public sources:
Companies are TERRIBLE at this. We used a company to do an employee feedback survey. They promised us that the data would be delivered in a 100%, completely anonymized format. We sit down to go over the results and slide number one is "Men were a 100% approval while women were 73%". I'm the only male on my team. How in the world is this anonymous?
There are problems with confidentiality in the NHS - people leave patient records on monitors or send letters to the wrong address. But this kind of project is very different.
The irony. It's illegal in the US where EU countries cannot send data because of the weak data protection laws and the UK with 'strong' laws is the one selling off all your private medical records (including identification details) for a paltry sum.
The price list looks so cheap that Russian or Nigerian scammers can afford these extracts and it would save them a hell of a lot of time setting up ID scams and instantly make them much more profitable.
No longer any need to mass mail in the hope of finding someone likely to buy V!agr4, the NHS will give you a list of likely marks to direct market to and save all the useless pitches to women !
There was an interesting Businessweek article[1] on the sale of pseudoanonymised data to private companies in the US. One Harvard researcher acquired one such database and was able to identify some individuals:
>Latanya Sweeney, the director of Harvard University’s Data Privacy Lab, identified 35 patients from a Washington database by buying state medical data and creating a simple software program to cross-reference that information with news reports and other public records. “All I have to know is a little bit about a person and when they went to a hospital, and I can find their medical record in this kind of data,” Sweeney says. She says data in 25 other states are just as vulnerable.
The whole article is an interesting read. Apparently the data is sold pseudoanonymised in some states, leaving it up to the purchaser to truly anonymise the data.
You're assuming that NHS is selling it without the consent of patients. More likely this is for things like patients on drug trials etc. who sign a waiver to allow sharing of their health information. The UK takes confidentiality of public records pretty seriously and has done for years - I seriously doubt you can just pull any given person's health records without their agreement.
I fully expected to read the details and see that the headline was some sort of hyperbole, as these things nearly always are. I'm still hoping someone will tell me this isn't real.
This seems downright evil. Disgusting. There is no justifiable reason for this data to be available in any sort of unanonymized form. Everything that is justifiable that can be achieved with it in anonymous form can be achieved with it anonymized.
The terrible part is that there is a good reason for a program like this. There are real reasons to collect and know this kind of data - it can make a huge difference to human health and well being. And that is why this is so bad. It's going to set back participation in any sort of electronic health record all around the world, if people see such a high profile program manifest as a privacy disaster.
The misunderstanding going on in the comments seems to be stemming from a failure to distinguish between personal identifiable data and personal confidential data.
The former:
"This includes patient identifiable data, such as:
NHS number
Name
Address
Postcode
Date of Birth
Date of Death"
and the latter:
"Personal confidential data also includes sensitive data which may include items such as:
Racial or ethnic origin
Political opinions
Religious or other similar beliefs
Physical or mental health condition
Sexual life
Criminal record"
The patient identifiable needs explicit permission from the patient in order to obtain, patient confidential needs a good legal reason + reviewed application.
It's a long site so I'd just like to highlight the following:
"The data extracted - your Primary Care Dataset - will include the following:
Your NHS number
Your date of birth
Your postcode
Your gender and ethnicity
Your medical diagnoses (including cancer and mental health) and any complications
Your referrals to specialists
Your prescriptions
Your family history
Your vaccinations and screening tests
Your blood test results
Your body mass index (height/weight)
Your smoking/alcohol habits"
Whoever gets their hands on this data should build a "20 Questions" game, to identify a person's NHS number. Knowing something of my neighbour's recent medical history, I'm pretty sure it'd take 10 questions or less.
Are there any restrictions on publishing the data? I can't find licensing terms.
Not exactly licensing terms but page 3 of the price list states that extracts subject to an annual fee will continue to be charged that fee until it is certified that all hard and soft copies of the data have been destroyed.
Other than that I'm guessing they will enforce some pretty draconian restrictions on publishing and sharing the data since doing so would undermine their ability to sell the data.
I think the thing that's missing from much of the discussion is that all released information is subject to a very clear contractual agreement and for specific purposes. The agreements limit the ability to link supplied data with anything else. These contracts and use of data are subject to privacy group oversight, managed by the NHS.
The intended use is not that insurance companies can link your medical data against you and then charge you more (or any variant on that). Instead, the intended use is that companies with clear information controls can perform useful research more cheaply, and stop guessing at cause and effect. I personally support that intent, and am interested to see what comes out of it.
What's to stop the companies just doing whatever seems to get them the most money? In my opinion, it'd be the fact that failing to stick within the agreement would cause existential risk to the company. I think that courts, government, the NHS, and UK society at large would come down VERY heavily on any company contravening their contracts. Companies are going to spend significant effort ensuring their company doesn't disappear overnight in a storm of lawsuits with the directors in jail.
Companies wouldn't do this for the same reasons that Seagate doesn't sell the data off RMA'd hard drives on the open market.
I trust the relevant public bodies in the UK to protect my interests here. You may not, of course.
Let's be clear, the intention is for the UK Government to make money off your medical data.
If Seagate wanted to make money off your RMA'd hard drive and they thought the data on it would do the trick, you can bet it would be for sale on the open market.
If the law says that is illegal, Seagate does not have the option to change it. However, the Government can simply change the law to make whatever they want to do 'legal' and their problem is solved. That's essentially what they've done here.
Large 'healthcare' companies interested in this data are more than just health providers, they have multiple divisions with multiple competing and tangential aims and targets. Just because a piece of paper says it can only be used in one way, that is not going to stop the re-use (and leaking) of the data.
Remember the UK had bankers totally screwing the country and got rewarded with massive bail-outs - I don't recall any jail time for their bad behaviour [in the UK]; quite the reverse. Any social science student will be able to cite many examples of companies shielding individuals from the consequences of their bad behaviour - it's a whole subject area.
The UK government sets up QUANGOs specifically to shift liability and risk to prevent consequences; a Scottish care home where elderly people were burned to death escaped prosecution as the legal entity was simply shut down and dissolved prior to the court case starting [this did bring about legislation changes to close that avenue in Scotland http://www.bbc.co.uk/news/uk-scotland-17740645]. There are dozens of ways to get away with abusing the data and walk away free - if you're going to make a lot of money, you can afford good lawyers to help you prepare well ahead.
"I think that courts, government, the NHS, and UK society at large would come down VERY heavily on any company contravening their contracts."
Supposing a leak happened. What makes you think you'll be able to tie it down to a single company? The data could be leaked anonymously, and the risk of such a leak becomes higher the longer this care.data scheme carries on for.
What would be interesting would be to write up this 'opt out' procedure, slightly disguised, as part of a research proposal and submit it to the UK ethics committees. I'd be shocked if they don't all reject it. Any UK academics - with enough tenure that it won't bork their career - up for that?
People with rare diseases, especially multiples, must be reasonably easy to deanonymise. Also joining the data with newspaper reports of crimes (perhaps only ones that are pertinent are mentioned, eg harassment of hospital staff) or hospitalisations would seem likely to deanonymise quite a few records.
Hmm. Interesting. I remember when I recently registered with a new doctor, I was asked directly if I wanted to opt out from my medical information collected by my GP being digitally accessible by hospitals, etc. I'll have to admit: I chose not to opt out. Thinking "it's about time they join us in the digital age!" Plus, from the perspective of my health, this seemed like a positive move overall.
Of course now that I read a bit more into it, I am less sure. But I do find the above link a little fear-mongery.
Incidentally, this document has some interesting insight into the position of the hscic. http://www.hscic.gov.uk/media/12931/Privacy-Impact-Assessmen.... I am a little tickled by this statement about preventing the data falling into the wrong hands: "The Government itself could be considered a pair of 'wrong hands' with questions raised over whether it would have access and therefore would be able to misuse or exploit the data".
Not sure how they're mitigating against that risk...
Let's say I believe that this data truly is anonymised (read: cannot be traced back to an individual in any way). I still have a problem that MY data is being sold by SOMEONE ELSE. The opt-out nature of this process stinks. It feels as though it's someone else's data by default unless I kick up a fuss.
Standard extract – no personal confidential data
£9,565
Alternatively for just under £1,000 more :
Standard extract – containing personal confidential data
£10,453
They're specifically enticing people to purchase the confidential data version since it is only 10% extra to get all the juicy information.
Trouble connecting people to their parents, siblings, children, (ex)partners ? Simple, they'll even do that for you - look at Patient Tracking, Cohort Event Notification (!) etc.
The value of this data to marketers (e.g. health insurance, private hospitals - which do exist in the UK, etc.) makes the price list charges trivial and insignificant to just slurp up everything they can and start targeting people. Want someone to try and sell you cancer insurance 2 weeks after your mother dies of breast cancer ? Cohort event notification report makes this simple.
Remember the toothpaste does not go back into the tube - once the data is sold, it's basically wild and free for all sorts of use and abuse. You have absolutely no guarantee it will only be used by benign 'good actors'.
Does anyone know if this is England-only, or if it affects Wales/Scotland/Northern Ireland too? How does the opt out work if you've been in multiple areas/GPs/etc.?
tomelders|12 years ago
Oh... wait....
pessimizer|12 years ago
J_smudger 24 January 2014 3:00pm
I think there is confusion amongst some commenters here. This comes from reading a large amount of literature from the relevant pages on the NHS / Health and Social Care Information Centre (HSCIC). The HSCIC are basically a repository in Leeds, where all this information will be stored.
Your GP records are going to the HSCIC as pseudoanonymised information, which as has been said does indeed include your NHS number, date of birth and postcode. The HSCIC will then build up a database of this information. They can indeed pass on certain of this information to certain external interested parties, although when they do this the data becomes truly anonymised as opposed to pseudoanonymised. You can read about this in the NHS published guidelines (although not in the rather patronising leaflet), as well as from the documentation of the HSCIC and the government itself.
To quote the HSCIC:
At the NHS: The HSCIC can only release identifiable information when (1) you specifically ask them to, or (2) hypothetically, when there is a national emergency such as a highly virulent pandemic. This would require a legal process.
http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pa...
http://www.hscic.gov.uk/article/3399/Rules-for-sharing-infor...
Or if you have an hour to spend, read this:
http://www.hscic.gov.uk/media/12931/Privacy-Impact-Assessmen...
... or perhaps just sections 3.3.4. and 3.3.5.
vilhelm_s|12 years ago
ghswa|12 years ago
http://www.legislation.gov.uk/uksi/2002/1438/regulation/5/ma...
:edit: gohrt pointed out that I'd overlooked the restriction to medical purposes in regulation 5, thanks.
tomelders|12 years ago
Annual Service Charge: £300
Per data set per year £262
Per additional year (per data set) £64
Either that's an incredibly bad title for that particular service, or they're selling data containing 'personal confidential data'. I'd like to know a little bit more about what that actually is.
blueskin_|12 years ago
Just ask the victims of the AOL leak.
lrei|12 years ago
During the Netflix prize, randomly generated IDs were eventually matched to people based simply on movie ratings and matching public information in other public sources:
http://www.wired.com/politics/security/commentary/securityma...
With medical data, it will probably be trivial (maybe easier or more appealing to insurance companies?).
We're a lot more unique than we think. Reminds me of this EFF project:
https://panopticlick.eff.org/
Some companies will probably resell this information to potential employers, banks (there goes your loan), etc.
Well, that's going to suck for people in the UK.
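How far date of birth, postcode and gender single people out is something a data custodian can measure before any release. The following is an added example, not part of the original comments: it computes k-anonymity, the share of unique records and l-diversity over constructed records whose fields mirror part of the Primary Care Dataset list quoted in this thread. The generalisation levels and the suppression step are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample records, not real data. "pid" stands in for a pseudonym.
RECORDS = [
    {"pid": "p01", "dob": date(1961, 3, 14), "postcode": "LS1 4AP", "gender": "F", "diagnosis": "asthma"},
    {"pid": "p02", "dob": date(1961, 11, 2), "postcode": "LS1 2HQ", "gender": "F", "diagnosis": "type 2 diabetes"},
    {"pid": "p03", "dob": date(1964, 7, 30), "postcode": "LS6 3BN", "gender": "F", "diagnosis": "asthma"},
    {"pid": "p04", "dob": date(1968, 1, 9), "postcode": "LS6 1AA", "gender": "F", "diagnosis": "depression"},
    {"pid": "p05", "dob": date(1972, 5, 21), "postcode": "LS1 4DY", "gender": "M", "diagnosis": "hypertension"},
    {"pid": "p06", "dob": date(1972, 9, 3), "postcode": "LS1 9ZZ", "gender": "M", "diagnosis": "hypertension"},
    {"pid": "p07", "dob": date(1975, 12, 12), "postcode": "LS6 2QQ", "gender": "M", "diagnosis": "asthma"},
    {"pid": "p08", "dob": date(1983, 2, 27), "postcode": "YO1 7HH", "gender": "M", "diagnosis": "cystic fibrosis"},
]


def generalise(rec, level):
    """Quasi-identifier tuple at a coarsening level (levels are assumptions).

    0: exact date of birth + full postcode
    1: year of birth + outward postcode (e.g. LS1)
    2: decade of birth + postcode area (e.g. LS)
    """
    outward = rec["postcode"].split()[0]
    if level == 0:
        return (rec["dob"].isoformat(), rec["postcode"], rec["gender"])
    if level == 1:
        return (str(rec["dob"].year), outward, rec["gender"])
    area = re.match(r"[A-Z]+", outward).group(0)
    return (f"{rec['dob'].year // 10 * 10}s", area, rec["gender"])


def classes(records, level):
    """Group records that share the same generalised quasi-identifiers."""
    groups = defaultdict(list)
    for rec in records:
        groups[generalise(rec, level)].append(rec)
    return groups


def k_anonymity(records, level):
    """Size of the smallest group: every record hides among at least k."""
    return min(len(g) for g in classes(records, level).values())


def unique_fraction(records, level):
    """Share of records that are alone in their group (k = 1 for them)."""
    singles = sum(1 for g in classes(records, level).values() if len(g) == 1)
    return singles / len(records)


def l_diversity(records, level, sensitive="diagnosis"):
    """Fewest distinct sensitive values in any group. l = 1 means group
    membership alone discloses the diagnosis, even when k >= 2."""
    return min(len({r[sensitive] for r in g})
               for g in classes(records, level).values())


def suppress(records, level, k):
    """Withhold records whose group is smaller than k (outlier suppression)."""
    return [r for g in classes(records, level).values() if len(g) >= k for r in g]


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(f"level {level}: k={k_anonymity(RECORDS, level)} "
              f"unique={unique_fraction(RECORDS, level):.3f}")
    kept = suppress(RECORDS, 2, 2)
    print(f"after suppression at level 2: n={len(kept)} "
          f"k={k_anonymity(kept, 2)} l={l_diversity(kept, 2)}")
```

Coarsening alone leaves the one record from a different area unique, and at level 1 a group of two still shares a single diagnosis, which is why the audit reports l-diversity next to k.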
ryguytilidie|12 years ago
DanBC|12 years ago
http://www.connectingforhealth.nhs.uk/systemsandservices/inf...
Have a look at some UK medical information and see if you can de-anonymise it.
http://www.ons.gov.uk/ons/rel/subnational-health4/suicides-i...
Here's some data for suicide.
There are problems with confidentiality in the NHS - people leave patient records on monitors or send letters to the wrong address. But this kind of project is very different.
optimiz3|12 years ago
HIPAA = http://en.wikipedia.org/wiki/Health_Insurance_Portability_an...
mortov|12 years ago
The price list looks so cheap that Russian or Nigerian scammers can afford these extracts and it would save them a hell of a lot of time setting up ID scams and instantly make them much more profitable.
No longer any need to mass mail in the hope of finding someone likely to buy V!agr4, the NHS will give you a list of likely marks to direct market to and save all the useless pitches to women !
mcphilip|12 years ago
>Latanya Sweeney, the director of Harvard University’s Data Privacy Lab, identified 35 patients from a Washington database by buying state medical data and creating a simple software program to cross-reference that information with news reports and other public records. “All I have to know is a little bit about a person and when they went to a hospital, and I can find their medical record in this kind of data,” Sweeney says. She says data in 25 other states are just as vulnerable.
The whole article is an interesting read. Apparently the data is sold pseudoanonymised in some states, leaving it up to the purchaser to truly anonymise the data.
[1] http://mobile.businessweek.com/articles/2013-08-08/your-medi...
rpedela|12 years ago
anigbrowl|12 years ago
zmmmmm|12 years ago
This seems downright evil. Disgusting. There is no justifiable reason for this data to be available in any sort of unanonymized form. Everything that is justifiable that can be achieved with it in anonymous form can be achieved with it anonymized.
The terrible part is that there is a good reason for a program like this. There are real reasons to collect and know this kind of data - it can make a huge difference to human health and well being. And that is why this is so bad. It's going to set back participation in any sort of electronic health record all around the world, if people see such a high profile program manifest as a privacy disaster.
lindavers|12 years ago
It really is, see the source page for more details:
http://www.hscic.gov.uk/dlesaac
The misunderstanding going on in the comments seems to be stemming from a failure to distinguish between personal identifiable data and personal confidential data.
The former:
"This includes patient identifiable data, such as:
NHS number
Name
Address
Postcode
Date of Birth
Date of Death"
and the latter:
"Personal confidential data also includes sensitive data which may include items such as:
Racial or ethnic origin
Political opinions
Religious or other similar beliefs
Physical or mental health condition
Sexual life
Criminal record"
The patient identifiable needs explicit permission from the patient in order to obtain, patient confidential needs a good legal reason + reviewed application.
ghswa|12 years ago
It includes details of how to opt-out.
switch007|12 years ago
"The data extracted - your Primary Care Dataset - will include the following:
Your NHS number
Your date of birth
Your postcode
Your gender and ethnicity
Your medical diagnoses (including cancer and mental health) and any complications
Your referrals to specialists
Your prescriptions
Your family history
Your vaccinations and screening tests
Your blood test results
Your body mass index (height/weight)
Your smoking/alcohol habits"
---
Go to that site. Opt out here http://optout.care-data.info/. It's really simple.
brownesauce|12 years ago
pbowyer|12 years ago
Are there any restrictions on publishing the data? I can't find licensing terms.
ghswa|12 years ago
Other than that I'm guessing they will enforce some pretty draconian restrictions on publishing and sharing the data since doing so would undermine their ability to sell the data.
oskarpearson|12 years ago
The intended use is not that insurance companies can link your medical data against you and then charge you more (or any variant on that). Instead, the intended use is that companies with clear information controls can perform useful research more cheaply, and stop guessing at cause and effect. I personally support that intent, and am interested to see what comes out of it.
What's to stop the companies just doing whatever seems to get them the most money? In my opinion, it'd be the fact that failing to stick within the agreement would cause existential risk to the company. I think that courts, government, the NHS, and UK society at large would come down VERY heavily on any company contravening their contracts. Companies are going to spend significant effort ensuring their company doesn't disappear overnight in a storm of lawsuits with the directors in jail.
Companies wouldn't do this for the same reasons that Seagate doesn't sell the data off RMA'd hard drives on the open market.
I trust the relevant public bodies in the UK to protect my interests here. You may not, of course.
mortov|12 years ago
If Seagate wanted to make money off your RMA'd hard drive and they thought the data on it would do the trick, you can bet it would be for sale on the open market.
If the law says that is illegal, Seagate does not have the option to change it. However, the Government can simply change the law to make whatever they want to do 'legal' and their problem is solved. That's essentially what they've done here.
Large 'healthcare' companies interested in this data are more than just health providers, they have multiple divisions with multiple competing and tangential aims and targets. Just because a piece of paper says it can only be used in one way, that is not going to stop the re-use (and leaking) of the data.
Remember the UK had bankers totally screwing the country and got rewarded with massive bail-outs - I don't recall any jail time for their bad behaviour [in the UK]; quite the reverse. Any social science student will be able to cite many examples of companies shielding individuals from the consequences of their bad behaviour - it's a whole subject area.
The UK government sets up QUANGOs specifically to shift liability and risk to prevent consequences; a Scottish care home where elderly people were burned to death escaped prosecution as the legal entity was simply shut down and dissolved prior to the court case starting [this did bring about legislation changes to close that avenue in Scotland http://www.bbc.co.uk/news/uk-scotland-17740645]. There are dozens of ways to get away with abusing the data and walk away free - if you're going to make a lot of money, you can afford good lawyers to help you prepare well ahead.
Why would it be different for your health data ?
ZenoArrow|12 years ago
Supposing a leak happened. What makes you think you'll be able to tie it down to a single company? The data could be leaked anonymously, and the risk of such a leak becomes higher the longer this care.data scheme carries on for.
optimiz3|12 years ago
Bonus: you could set up a system where a person's data gets cheaper as more people query it!
(Not for me thanks.)
ajb|12 years ago
ed_blackburn|12 years ago
pbhjpbhj|12 years ago
blueskin_|12 years ago
rodh|12 years ago
Of course now that I read a bit more into it, I am less sure. But I do find the above link a little fear-mongery.
Incidentally, this document has some interesting insight into the position of the hscic. http://www.hscic.gov.uk/media/12931/Privacy-Impact-Assessmen.... I am a little tickled by this statement about preventing the data falling into the wrong hands: "The Government itself could be considered a pair of 'wrong hands' with questions raised over whether it would have access and therefore would be able to misuse or exploit the data".
Not sure how they're mitigating against that risk...
jon_black|12 years ago
dublinclontarf|12 years ago
Form is here:
http://www.connectingforhealth.nhs.uk/systemsandservices/scr...
joshavant|12 years ago
Yes, it seems heinous at first, but are there legitimate, palatable Big Data opportunities here, assuming the data is properly anonymized?
mortov|12 years ago
Standard extract – no personal confidential data £9,565
Alternatively for just under £1,000 more :
Standard extract – containing personal confidential data £10,453
They're specifically enticing people to purchase the confidential data version since it is only 10% extra to get all the juicy information.
Trouble connecting people to their parents, siblings, children, (ex)partners ? Simple, they'll even do that for you - look at Patient Tracking, Cohort Event Notification (!) etc.
The value of this data to marketers (e.g. health insurance, private hospitals - which do exist in the UK, etc.) makes the price list charges trivial and insignificant to just slurp up everything they can and start targeting people. Want someone to try and sell you cancer insurance 2 weeks after your mother dies of breast cancer ? Cohort event notification report makes this simple.
Remember the toothpaste does not go back into the tube - once the data is sold, it's basically wild and free for all sorts of use and abuse. You have absolutely no guarantee it will only be used by benign 'good actors'.
edit:spelling
Osmium|12 years ago
dawson|12 years ago
angersock|12 years ago
Then I started thinking about how to make a dating service using this data--find all eligible males with your blood type in a given area!
dawson|12 years ago
* FAQ 39.
quantumpotato_|12 years ago
vrikis|12 years ago
lostlogin|12 years ago