FoI reveals cynical logic that compromises NHS data privacy

Tim Kelsey doesn’t want you to worry about your data. Policy Exchange, CC BY

It’s crunch time for the UK government’s controversial care.data scheme, which has been postponed for the second time. A new advisory panel is starting work this week to try to work out how to get this project off the ground in the face of a significant backlash.

But information that has come to light via the Freedom of Information Act suggests that NHS officials could be seeking to avoid requiring compliance with data protection legislation, and they would be doing this for rather cynical reasons.

Tim Kelsey, the NHS director for patients and information has finally admitted that, to go ahead, care.data must do more than simply more effectively informing patients about how their data will be used.

The word “anonymised” has been bandied about by politicians for some time as they try to argue that the sharing of patient records with a variety of third party organisations does not threaten privacy. But this term is open to multiple interpretations and is frequently used inappropriately.

These mixed messages, in combination with uncertainty about how anonymity relates to “pseudonymisation” are serving to help the cynical efforts of NHS officials to keep sensitive medical data away from data protection legislation. Their business model appears to rely on this.

Data protection compliance

Some of the official statements about the extent to which pseudonymised care.data information is anonymous have been peculiar, to say the least. In particular, Tim Kelsey stated “No one who uses this data will know who you are”. It is clear that no such promise can be made.

Phil Booth of MedConfidential recently received a response to a Freedom of Information request on the Health and Social Care Information Centre’s review of pseudonymisation. Interview summaries contained in this show that multiple HSCIC experts are acutely aware of a serious risk of identifying patients from pseudonymised data.

And a deeper look at the FoI response reveals why this debate is so important. HSCIC believes that sharing of care.data will be exempt from the Data Protection Act as long as pseudonymisation is applied. An FoI response just received by Dr Neil Bhatia confirms this even more explicitly. This conclusion cannot be derived from the Information Commissioner Office’s guidelines on anonymisation, which take a more sophisticated line.

Kelsey and his NHS spin doctors cannot afford to lose this argument on behalf of the HSCIC. If pseudonymised care.data information is truly anonymous, no-one who holds or receives such data incurs any obligation towards the data subjects. They will therefore be free to process the data in any way they like and take automated decisions on the basis of that processing that affect patients.

That would not be the case if the information were covered by the DPA. Handling the data would be constrained and require patient consent and information – and thus be much more expensive through the imposed administrative burden. That makes this a fight worth having from their perspective.

HSCIC needs to share care.data with its “customers”. HSCIC’s own corporate risk register strongly implies that it needs to keep income coming in to survive so it’s little wonder that HSCIC staff cynically view public opinion as a distraction. Many of the interviews in Booth’s FoI response show little regard for patient consent.

The case that pseudonymised care.data is re-identifiable has been made several times. Cambridge researcher Ross Anderson and other experts have made it, as has Doctor and journalist Ben Goldacre. HSCIC experts know it. Probably even Tim Kelsey does. I’ve personally raised the issue on Twitter, directing some of my comments at Kelsey. He has since blocked me.

And the battle is about to get bigger. According to Booth’s FoI response, some HSCIC experts fear that the upcoming European Data Protection Directive will increase protection for pseudonymised data. It will also increase fines for breaches to 2% or even 5% of the offending company’s turnover.

In light of this, attempts by the UK government to delay this directive may take on a new meaning. David Cameron wants the UK to be a world leader in the exploitation of health data. Let’s hope he has a little more respect for patient privacy than HSCIC.