On the NHS data sharing

The cyber security issue that has fascinated me most over the last few days has been the NHS data sharing story, not least because the “data privacy” and “sense about science” camps (both of which I normally strongly support) disagree about it. (I don’t think they are being played off against each other though.) Apparently all our medical data as currently held and controlled by GPs will be shared, in different ways for different forms (see an official NHS explanation), “red”, “amber”, and “green”, and we are asked to opt out if we don’t want this to happen.

First, opting out is clearly the wrong way around. Compare this to organ donation: “opting out” is still not a socially acceptable solution to this, despite it being more unequivocally medically essential and much less open to potential abuse than this data sharing. Not an appropriate comparison to make for everyone maybe – I’m probably too much of a “digital citizen”, caring more about my medical data when I’m alive than about my organs when I’ll be dead …

“Green” data looks relatively safe: it will be published publicly, and will consist of summarised medical info, excluding information (e.g. on rare diseases) that will come close to identifying people.

“Amber data” is pseudonymised, replacing non-medical identity data by meaningless pseudonyms. This is much more reason for worry. What is left is essentially behavioural data, some of which is similar to location data. If I can be uniquely identified from (typically) four locations visited during one day, I can also be uniquely identified from a small number of medical appointments (at given locations…!) Certainly anyone who can get hold of my mobile location data would be able to de-anonymise this. Given I have an Android phone, that list likely includes Google, the NSA, and GCHQ already.

So where will the amber data go? The NHS chief data officer saysmany of the most innovative uses of amber hospital data have come from outside organisations, including universities, think tanks and data analytics companies“. Universities – fine, I have to and do believe in them generally.
Think tanks, though? I buy Monbiot’s line that many of these are disguised corporate lobbies, and thus don’t have my best interests at heart. Data analytic companies I have no reason to trust whatsoever.

Any data, including the “red” data (which retains all personal information) will be shared within the NHS, plus in what looks like limited and tightly controlled situations with others, such as researchers. A case against opting out is made by the director of the Wellcome Trust here, but it concentrates on that limited and less controversial scenario of red data for research. If I knew that the NHS would not get privatised in any way during my lifetime, I would be reasonably comfortable with this. The old argument is that you want any A&E to be able to get all your relevant data out immediately if you’re brought in unconscious. I’d still worry about adequate protection, what the NHS do with their laptops and USB sticks, and the spooks tapping in somewhere along the way, of course. Unfortunately, with backdoor privatisation going on and likely to get worse, with dubious oversight and accountability, I’m not sure I can even trust the NHS in the medium term.

The case for opting out is made clearly by Ross Anderson (read the comments too, and see also an earlier story).

Finally, there seems to be an odd gap in data governance going on. I don’t understand the law well enough to see whether this is a real problem or a technicality, but apparently the GPs remain the data controller for your data even after it has been uploaded to the NHS. See this description of a recent Information Commissioner verdict. In terms of exercising your data subject’s rights under the DPA, this would surely be problematic?

Update (29-1-2013) The data controller issue has been resolved by an Information Commisioner Office’s blog post: it’s the GP until the data has been uploaded, and after that HSCIC will be the data controller.
Meanwhile, my worries about this have been written up in a piece at The Conversation.