Category Archives: Privacy and Consent

Patient data there for the asking, not the taking

The importance of using health data to target and optimise the care we deliver and to advance our understanding of medicine, health and care is undeniable and something we must do, but we really do have to secure public confidence in doing so and stop scoring so many “own goals”.

As my good friend and colleague Dr Joe McDonald said recently in his column, “Patient data there for the asking, not the taking”, which brilliantly takes us to the heart of the issue.

When asked, most citizens would be happy to have their health data used for a broad range of research purposes that bring health or economic benefit, but they do want to be asked, and not asking them is a great way to trigger bloody-mindedness and push up the extent to which people actively seek to opt out, as has been demonstrated by the 1.2 million opt-outs generated by the crass mishandling of

We seem to be repeating these mistakes with the Royal Free giving data to Google without an adequate opportunity for patients to opt-out. Sources in the NHS tell me that the Royal Free are not the only NHS Trust to do this although no more names have yet been mentioned.

To have damaged public support and confidence in the way we have is both unforgivable and avoidable: the result of arrogance and ignorance on the part of those making the decisions, and of a failure to listen to the advice given to them and learn from the experience of others.

Firstly, it is necessary to acknowledge that we are talking about sharing potentially identifiable data. The work of Prof Paul Ohm has graphically illustrated that even apparently very anonymous datasets can be re-identified. In the case of rich datasets like those in EHRs, re-identification is trivially easy for those with a mind to do so. It provides little comfort that this is probably the last thing most researchers want to do.

Generating and maintaining public confidence is possible. Most people already understand the value of their data for research purposes and are willing to share even identifiable data if approached correctly. We only need to look to the likes of UK Biobank, who have successfully persuaded over half a million people to share sensitive identifiable health data and actively participate in providing blood samples to support Biobank’s research work, with no prospect of direct personal benefit.

In my view the key things that those wishing to use patient data for purposes other than those very directly related to the delivery of care to the data subject must do are:

  • Acknowledge the re-identification and privacy risk associated with sharing health data.
  • Take all reasonable steps to mitigate these risks with appropriate governance and the use of privacy enhancing technologies (making the effort to find out what these are and what they can do).
  • Allow those who for whatever reason may wish to do so an informed opportunity to easily opt out.
  • Invest in technology and approaches that allow us to move towards an opt-in approach.

The Centre can’t say they weren’t told. Had they read and heeded “Fair Shares for All”, produced by the BCS Primary Health Care Group under the leadership of Ian Herbert in 2012, things might have been different (I have since discovered that those making the decision never read anything longer than 140 characters).

It’s a long document because there are no short answers to the complex issues it addressed, but to draw out a single paragraph that will give you a flavour:

“In summary we want to encourage patients and their clinicians to provide their data for laudable research purposes, and acknowledge the need to use it to administer and manage the NHS, but we must seek to retain public confidence while doing so. Patients accept the electronic processing of their health data for primary purposes, but should have reason to feel confident that it is protected and used properly”

The document will need some updating, particularly as new privacy enhancing technologies (e.g. blockchains and homomorphic encryption) have become practical tools over the past 4 years, but it still remains highly relevant.

PHRs – An important but limited role

There is a lot of interest around PHRs at the moment at senior levels within the NHS, but there seems to be a lack of clarity about the role PHRs might play in the UK.

If we are to make progress we have to develop a shared understanding of what we are hoping to achieve, what we mean by a PHR and what role PHRs might play in meeting our objectives.

For many, including me, the key feature that separates a PHR from other forms of health records is that it is controlled by the person to whom it relates – i.e. they decide if it exists, what form it takes, where it is held, what it contains, who has access to it and if and when it might be destroyed.

It seems to me that in the UK context PHRs have a limited, but important, role to play as a driver of innovation and change, but that many of the benefits they might bring would be better achieved through patient access to existing records, particularly GP records, and by a step-by-step evolution from siloed institutional records to a single logical record under shared curation and governance.

In this long blog:

  • I provide some background about the purposes of EHRs and the Rights and Responsibilities of both record subjects and record users, an understanding of which I think is essential to understanding the limitations of PHRs and where they fit in the bigger picture.

  • Some thoughts about what I think are seen as the benefits of PHRs. I believe it is important to start with a shared view of what we are trying to achieve rather than jumping to the conclusion that the answer is PHRs.

  • Finally, I lay out what steps I think we should take to move towards a shared record, what this is (which is definitely NOT a single physical record) and how patient record access to existing systems fits into this journey.

I conclude:

PHRs are not the solution to the problem of sharing Electronic Health Records, but an intermediate step on a journey to a single shared logical record for every patient under shared governance with the patient as “first amongst equals”. We should encourage the further development of PHRs and in particular explore the use of a common model for data persistence across multiple PHRs based on OpenEHR. Recognising that this is a long and difficult journey, we should also continue to open up patient access to existing EHR systems (particularly GP systems), which for many will provide a better solution than a PHR to support patients’ engagement in their own care and the relevant sharing of their data. We don’t know the answers to some of the challenges we will face achieving our objectives, but answers will emerge from an exploration of PHRs, Patient Record Access and Shared Governance Models.


Before coming back to what we do with PHRs I want to develop three points.

  • The purpose of health and care records

  • Rights and responsibilities in relation to such records

  • What we hope to get out of PHRs

Purpose of Health Records

Health records have a wide range of purposes and these include:

  • Directly supporting the delivery of care to individuals

This category includes both clinical and administrative activities that are necessary for the maintenance of health and wellbeing of and the delivery of care to identifiable individuals including:

    • The provision of an aide-memoire for those involved in care.

    • To facilitate the engagement of patients and their family and informal carers.

    • As a means of communication within teams responsible for an aspect of care.

    • As a means of communication between teams responsible for the different aspects of care.

    • The provision of the data needed by decision support tools designed to provide automated guidance to patients, formal and informal carers.

    • The provision of data to support workflows, care processes and transactions related to care.

  • Supporting the Health of Populations

This category includes all those uses that are concerned with the health of populations, the planning of care and the development of health knowledge. These uses don’t offer a direct and immediate benefit to individuals, often don’t require identifiable personal information and are often referred to as secondary uses. These uses include:

    • Healthcare planning and commissioning

    • Public health and epidemiology

    • Risk stratification and risk scoring

    • Predictive modelling

    • Drug safety surveillance and pharmacovigilance

    • Clinical audit and outcome measurement

    • Population based healthcare research

    • Identification of subjects for clinical trials

  • Providing a Medico-Legal Record

Those providing care need to be able to demonstrate that they did so with due professional care, recording relevant information appropriately and acting reasonably on the basis of the information available to them. The medico-legal record needs to meet the requirements laid down by statute and common law for the admissibility of evidence in both civil and criminal proceedings (principally the “Civil Evidence Act 1995” and “Police and Criminal Evidence Act 1984”). A medico-legal record needs to:

  • Be able to reliably represent the record as it would have been at any particular point in time

  • Securely represent the provenance of information recorded

  • Ensure that information once recorded cannot be repudiated

  • Provide an audit trail of additions, changes and access to the record

The record has to support the needs of all those involved in care which includes health and care professionals, administrative personnel, family and informal carers and patients themselves.

Rights and Responsibilities

In order to understand the issue surround the use and access to health records I think it is helpful to think in terms of a set of rights and responsibilities.

Rights might include the right to:

  • Determine where and how the record is stored

  • Determine the information stored in the record

  • Decide who has access to the record and the purposes for which they use it

  • Collect information

  • Know the provenance of information stored in the record

  • Use the information in the record for defined purposes

  • Retain/destroy the record

  • Change, clarify or comment on and challenge the veracity of information in the record

  • Disclose information to others for defined purposes

Responsibilities and obligations might include the requirement:

  • To ensure the accuracy of information recorded

  • To maintain the currency of information in the record

  • To protect record from inappropriate use or disclosure

  • To disclose information as required by law, regulation or overriding public interest

  • To protect information from loss or damage

  • To maintain details on the provenance of information

  • To maintain audit records of access to, disclosures of and changes to information

  • To securely destroy particular copies of information (typically in compliance with retention policies)

  • Not to disclose certain information even to the patient

Many individuals and organisations may have some of these rights and responsibilities, including the patient; those who have contributed to the record or delivered care on the basis of the record; those responsible for maintaining systems on which the record is stored; those who have paid for care on the basis of information for which the record is the authoritative source; third parties referenced in the record; and those executing certain regulatory or statutory functions.

A PHR as defined above is a record in which the patient has all of the rights and few if any of the responsibilities and in which others have few if any rights and only those responsibilities that may flow from providing and/or hosting the record on behalf of the patient.

Those who wish to maintain records can take one of two basic approaches (and many variations at points between) to ensure the record is fit for their purposes. At one extreme each stakeholder maintains their own record for their own purposes (this is broadly the current situation) and at the other extreme we try to create a single logical record under shared governance that satisfies all.

Why PHRs

What then do we hope to achieve by creating PHRs? Proponents of PHRs cite many potential benefits, which include the following:

  1. Greater engagement of patients and their informal carers in their health and care.

  2. Facilitation of innovation and experimentation with new approaches to health and care records.

  3. The creation of a truly integrated life-long record which covers all aspects of wellbeing, health and care.

  4. Greater transparency so that patients and their advocates are better able to assess the cost and quality of care that they receive and if need be challenge it.

  5. Improvements to the completeness and accuracy of health and care records by allowing patients, their digital devices and their informal carers to contribute to and validate the information recorded in the record.

  6. Provide a mechanism which allows patients to see what is recorded about them and make informed decisions about the sharing of data for both primary and secondary purposes.

  7. To enable patients to record information about their health and care beliefs, values and preferences.

  8. To allow patients to record data about their health and care for their private use which they don’t wish to be available to others.

However, with the exception of the 5th and 8th points above, all of these things could be achieved using facilities that are available now in GP systems and which have been offered to patients by pioneering practices for over 10 years. Extending systems to support the 5th and 8th points, while non-trivial, is entirely doable.

So what should we do?

My answer to this question is not a simple one as I think we need to pursue multiple paths.

  • First, we need to push forward with GP record access to meet the Government’s commitment that all patients who wish to do so should be able to access their GP record online.

  • Secondly, we need to start to lay plans to provide a single shared record under shared governance and curation with the patient as “First Amongst Equals”.

  • Thirdly, we should encourage the development of PHRs as a transitional approach for those patient groups whose needs would not be well met by access to GP records (these are typically those groups undergoing an extended episode of care outside of general practice, e.g. renal patients) and as a vehicle to experiment and drive innovation which will inform the creation of a shared record.

  • Finally, we should enforce the Open APIs policy being developed by NHS England, which requires all new procurement of systems to make open APIs available, and require all systems to enable patients to obtain a machine readable download along the lines of the US “Blue Button” model.

Making GP record access a reality

Given that the technical facilities to allow patient access to GP records have been available to the majority of practices for many years and that they have been used successfully by pioneering practices, Government wrongly assumed that getting wider take-up would be easy. What they failed to understand is that pioneering practices had chosen to ignore the risk of the unlawful disclosure of third party information to patients, something neither the Government nor their professional bodies could advise others to do. Solving this problem retrospectively is not practical and as a result a more limited approach is now being proposed, as laid out in ‘Patient Online: The Road Map’. We should get on with this and also work to ensure systems are amended so that future recording of third party data is tagged to enable it to be easily redacted.

Building a shared record

Building a shared record will be a slow process, but one that can be approached incrementally. It’s also important to understand that I’m not proposing a single national record, but rather that for an individual there should be a single authoritative record. Every application that needs information about the patient would get it from this record and any application that needs to persist data about that patient would write it to this record. There could (and should) be multiple providers of repositories for records, and the patient should be able to choose which one they use and be able to move their record to another provider should they wish. It might even be appropriate for different sections of a record for a single patient to be stored in different services. It would be the responsibility of the service provider to ensure the security and integrity of the record and to put mechanisms in place to enable all those with an interest in the record to secure their rights and responsibilities in relation to the record.

The record architecture required would need to be flexible and extensible and able to handle record dissonance and maintain multiple versions of the truth where the contributors to the record can’t agree a single version. (I will shortly publish a further blog detailing my proposed model for shared governance and the role of multiple truths.) It would need to be based on a set of open standards shared (at least) across the UK to ensure interoperability. For me the only currently available viable contender for this architecture is that provided by OpenEHR, which I believe can meet the complex requirements of my proposed model. In this model record storage becomes a commodity service in the cloud and various organisations could offer such storage under a range of business models, but in the UK I would suggest that the default choice of most citizens would be to use the repository funded by their local public sector care provider.

For this approach to work other things need to be in place:

  1. A discovery service for applications to find where the record for a particular patient is. This could most simply be provided on a centralised basis by the NHS Personal Demographic Service, but could also be achieved using a distributed directory service.

  2. A service to maintain a registry of those who have contributed to the record or have a legitimate interest in it along with the consents granted by the patient for access and particular uses. Again this might be provided centrally as a service on the NHS Spine or as a distributed service. The work of has potential to address aspects of this requirement.

  3. Governance structures (probably with a statutory underpinning) to regulate the record service providers to ensure they are irrevocably obliged to: satisfy the rights and responsibilities of all those with a legitimate interest in the record; transfer the record to an alternative provider if they cease to be able to do so or on request of the patient; and ensure that records are protected from loss in the event of a technical or business failure of a provider.

This architecture is one that I have described before and is built round an enterprise service bus (ESB) that connects back-end services (which would include record repositories) to front-end applications that consume these services. An appropriately designed ESB would:

  • Provide a single interface (API) to the various record repositories and supporting services, avoiding the need for applications to deal with multiple APIs; the ESB would handle the mappings and transformations between different APIs and between technical and clinical content standards, facilitating incremental progress toward common standards.

  • Protect services from badly behaved applications and denial of service attacks.

  • Off-load many functions from applications and service providers to make their lives easier, requiring these functions to be implemented just once in the ESB rather than in each principal system, e.g. authentication, identity management, access control, consent management, IG and load balancing (to name a few).

  • Provide an accounting platform that could support innovative business models for apps (such as pay for use models) and a mechanism for charging the responsible party for compute resource and services consumed by applications.

  • Provide a comprehensive patient portal integrating access to existing NHS national web services; NHS Choices, NHS Direct online and NHS 111 online content with record access, and transactional services.
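As an added illustration (not code from this post, nor from any NHS service) of the consent registry and the access control the post places in the ESB: direct care proceeds on implied consent, secondary uses respect a patient's opt-out unless the patient has made an explicit grant, identifiable data for a secondary use needs such a grant, and every decision is audited. The purpose names, registry layout and sample consents are assumptions made for illustration.

```python
"""Consent-aware access decision of the kind the post assigns to the ESB.

Added example, not code from the original post or any NHS system: a minimal
consent registry that records opt-outs, explicit grants and blocked
requesters, decides each access request by purpose, and writes an audit
record for every decision. Purpose names, the registry layout and the sample
consents are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

DIRECT_CARE = "direct_care"                              # primary purpose
SECONDARY_PURPOSES = {"planning", "research", "audit"}   # assumed secondary uses


@dataclass
class Consent:
    """An explicit grant by the patient to one requester for one purpose."""
    requester: str
    purpose: str
    identifiable: bool = False   # True only if the grant covers identifiable data


@dataclass
class PatientConsents:
    explicit: List[Consent] = field(default_factory=list)
    secondary_opt_out: bool = False          # opt-out from all secondary uses
    blocked_requesters: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


class ConsentRegistry:
    """Registry consulted by the ESB before any record repository is called."""

    def __init__(self) -> None:
        self._patients: Dict[str, PatientConsents] = {}
        self.audit: List[dict] = []   # every decision, allowed or not, is logged

    def consents_for(self, patient_id: str) -> PatientConsents:
        return self._patients.setdefault(patient_id, PatientConsents())

    def record_opt_out(self, patient_id: str) -> None:
        self.consents_for(patient_id).secondary_opt_out = True

    def grant(self, patient_id: str, requester: str, purpose: str,
              identifiable: bool = False) -> None:
        self.consents_for(patient_id).explicit.append(
            Consent(requester, purpose, identifiable))

    def block(self, patient_id: str, requester: str) -> None:
        self.consents_for(patient_id).blocked_requesters.add(requester)

    def authorise(self, patient_id: str, requester: str, purpose: str,
                  identifiable: bool) -> Decision:
        """Decide a request and append an audit entry whatever the outcome."""
        decision = self._decide(self.consents_for(patient_id), requester,
                                purpose, identifiable)
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "patient": patient_id, "requester": requester, "purpose": purpose,
            "identifiable": identifiable, "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    @staticmethod
    def _decide(c: PatientConsents, requester: str, purpose: str,
                identifiable: bool) -> Decision:
        if requester in c.blocked_requesters:
            return Decision(False, "patient has restricted this requester")
        if purpose == DIRECT_CARE:
            # Primary purpose: consent is implied by the patient seeking care.
            return Decision(True, "direct care: implied consent")
        if purpose not in SECONDARY_PURPOSES:
            return Decision(False, "unrecognised purpose")
        explicit: Optional[Consent] = next(
            (x for x in c.explicit
             if x.requester == requester and x.purpose == purpose), None)
        if explicit is not None:
            # An explicit, informed grant overrides a general opt-out.
            if identifiable and not explicit.identifiable:
                return Decision(False, "grant covers de-identified data only")
            return Decision(True, "explicit consent")
        if c.secondary_opt_out:
            return Decision(False, "patient has opted out of secondary uses")
        if identifiable:
            return Decision(False, "identifiable data for a secondary purpose "
                                   "needs explicit consent")
        return Decision(True, "implied consent with opt-out: de-identified only")
```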

Migration to a Shared Record

My expectation is that, over time, existing systems would migrate to using the shared record to persist patient information rather than their own local storage. For this migration to occur, existing system vendors and users will need to be confident that the shared record can deliver a level of performance and availability to match that provided by local storage, and some may wish to start by maintaining a local cache of the record to improve performance and provide resilience. Also, initially, many will continue to use their own storage, simply using the ESB for messaging, interoperability and access to transactional services.

Where does the PHR fit

In this model I see that existing PHRs will also migrate to using the shared record just as other ExRs will do.

Many existing PHR systems are already using the latest web technologies and the agile and innovative nature of most PHR vendors and their flexible business models mean that they should be amongst the first to migrate to the shared record.

Similarly, the agile and innovative nature of the PHR sector and the much simpler Information Governance issues that exist with PHRs (as the patient is in control) will combine with the emerging shared record to enable a slew of PHR developments in which the developers can concentrate on the user experience, user interface design and experimentation with novel business models, free from much of the burden of managing record persistence.

For those wanting to experiment there are already facilities provided by the Leeds Health Innovation Lab Platform, which offers a test platform that could be used to start to build exactly the sort of shared record I’m suggesting.

EhrScape, also based on OpenEHR, has recently announced an Open Health Data Platform that could also provide a basis for experimentation.

There are also a number of Open Source PHRs that could provide a rapid route for those wanting to experiment or provide live services quickly, including Indivo and Renal Patient View.

We should encourage and facilitate such activities, which will help refine and develop the shared record and the supporting open digital health ecosystem at a pace not possible with the more complex issues raised in the migration of existing large scale EHR systems.

So, in conclusion:

PHRs are not the solution to the problem of sharing Electronic Health Records, but an intermediate step on a journey to a single shared logical record for every patient under shared governance with the patient as “first amongst equals”. We should encourage the further development of PHRs and in particular explore the use of a common model for data persistence across multiple PHRs based on OpenEHR. Recognising that this is a long and difficult journey, we should also continue to open up patient access to existing EHR systems (particularly GP systems), which for many will provide a better solution than a PHR to supporting patients’ engagement in their own care and the sharing of data. We don’t know the answers to some of the challenges we will face achieving our objectives, but answers will emerge from an exploration of PHRs, Patient Record Access and Shared Governance Models.

“Wicked” Barriers to Innovation and Adoption

Sometimes we just have to JUST DO IT! In the NHS we have too high a tolerance for inaction and too little tolerance for honourable failure.

I’ve just come back from the Healthcare Innovation Expo in Manchester, where there was much talk about the need to encourage innovation. I’m all for that but I think it’s widely agreed that the problem is not innovation but getting innovation that works widely and rapidly adopted.

I’m trying to help NHS England do some innovative things with Open Source and we made lots of progress over the two days at Expo, but I again encountered examples of two of the wicked barriers to innovation and its adoption.

I call these things “wicked” because they are both things that are genuinely important and that we must properly consider, but they also represent two of the most effective spanners that those who feel threatened by the innovations of others can throw in the works to slow down adoption.

They are:

  • Clinical safety
  • Evidence

Don’t get me wrong, clinical safety is important and I support the application of standards like ISB0129, which I think is actually well put together and does a good job of encouraging a proportionate approach to clinical safety. What gets my goat though is the way in which clinical safety can be used as an excuse for not doing things differently. I wouldn’t mind so much if we knew that current systems and processes were safe, but the fact is that we know they are probably not, and I don’t see a good case for slowing down innovation longer than is necessary to be confident that new approaches at least marginally reduce harm. Too often “the Best is the enemy of the Good”, and the paradox is that the laudable desire to ensure that responsibility for clinical safety is nailed down and hazards are properly assessed and managed makes it desirable, to some, to stick with current systems and processes where the hazards are not well understood or managed, but where nobody’s head is on the block if things go wrong.

Similarly with evidence: we should of course seek evidence that what we plan to do will be effective in achieving whatever it is we hope to achieve, but again bleating “where’s the evidence” is a great way to throw a spanner in the works for those who lack a more cogent reason for objecting to a particular course of action. Again, I’m particularly irritated as we sometimes have little evidence that what we currently do works well and more often have evidence that it doesn’t, so why not try something different? I’m also concerned when people ask for evidence for things that have not been done before. Clearly, if we have not tried something before we can’t have direct evidence of its effect, and the more innovative an idea is the more difficult it is to find proxies for direct evidence. Sometimes we just have to rely on professional judgment, faith or plain old gut feel and just do it. We have to take this route if we want innovation and adoption, but we also have to recognise that we might be wrong, evaluate what we do and “Fail Fast”. We also have to ensure that we don’t castigate those who try to innovate when they fail, as long as they fail as fast and with as little harm as is reasonably practical; sadly in the NHS we have too high a tolerance for inaction and too little tolerance for honourable failure. Given the challenges we face, we know inaction will inevitably lead to catastrophic failure and we have to encourage people to, at least, do something.

You can read more about barriers to innovation in my blog “What Entrepreneurs Want” over on the HANDI web site.

Preserving Trust in the Digital Age

Trust lies at the heart of the relationship between patients and those that care for them.

Meeting the challenges faced by the health care system requires that we make much greater use of digital technology and increasingly sophisticated use of information, but in doing so we need to ensure we preserve trust.

Healthcare professionals have the right to expect patients to share with them the information they need to deliver safe, efficient, defensible, economically viable care and to allow them to record this information and share it with others as far as is necessary to achieve these objectives.

Healthcare professionals have a duty to record this data but also to ensure it is used appropriately by themselves and others respecting the patients’ expectations of privacy.

Patients need to understand the need for data about them to be recorded and shared, and that failure to allow this might result in suboptimal care or in extreme cases mean that care can’t be delivered to them.

Patients also have an obligation to allow their data to be used in ways which are in the broader public interest (for example to enable medical research or support economic well-being) where this can be done in ways that properly balance the risk to their privacy with the public interest.

In this blog I suggest some principles that might be applied to balance these rights and responsibilities and preserve trust in the digital age.

Respect the patient wishes and beliefs

Respect the patient’s real or imagined concerns with regard to their privacy, while explaining clearly to them the benefit of sharing, to them and to the greater good, as well as the risks of not sharing.

Acknowledge that the risks from a privacy breach vary dramatically depending on an individual’s circumstances; for some, even a usually trivial disclosure can be life-threatening.

Except in exceptional circumstances, respect the patient’s wishes not to share data even if this decision is unwise and may mean that aspects of care cannot be provided.

Try always to work on the basis of informed consent, even in the case of de-identified data. Understand the emerging approaches that can make the collection and management of consent practical when previously it was not. Relying on implied consent (with an opt-out option) or the use of legal gateways to avoid the need for consent may sometimes be necessary, but such approaches should be used sparingly, particularly where there is a material re-identification risk; take all reasonable steps to inform patients that this has been done, of their rights to object or opt out, and of the benefits of not doing so.

Apply the “Least Principle”

Seek to collect the least amount of data and hold it for the least time required to achieve your objective.

Avoid collecting data for which you have no clear need just because it “might come in useful”. Be particularly aware of those data which, while not obviously identifying data, have great utility to those seeking to re-identify de-identified data (e.g. dates of encounters).

Consider carefully before creating large repositories of patient data. These can become what the Information Commissioner once described as a “Toxic Liability”. However, the value of such repositories can be considerable; if built with patient consent and regard to privacy, they have an important role to play.

Acknowledge the risks

Acknowledge that there is a residual risk of inappropriate disclosure either by accident or malice and work to minimise it.


Acknowledge the risks of not sharing data, which can often be greater than those of inappropriate sharing. Good information governance is about maximising the benefits from data sharing, not blocking it.

Acknowledge that the boundary between identifiable and non-identifiable data is a grey one. In all but the most limited or highly aggregated dataset there is a residual risk that those with motivation and opportunity can re-identify some of the individuals in the dataset. Manage to ensure that those with the motivation do not have the opportunity.

Be aware that for many datasets re-identification is easier than is generally understood, and with rich datasets it becomes a trivial task. Take active steps to understand and reduce the re-identification risk and carefully protect those datasets where the re-identification risk is material.
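To make the re-identification and least-principle points concrete, here is an added example (not from the original post) that measures how unique combinations of quasi-identifiers are in a small constructed extract, then generalises encounter dates and birth years, suppresses the records that stay unique, and keeps only the columns a purpose needs; it goes slightly beyond the text by combining those steps into one release procedure. The field names and sample records are constructed for illustration.

```python
"""Measuring and reducing re-identification risk in a small de-identified extract.

Added example: quasi-identifiers (postcode district, year of birth, encounter
date) can single out a record even after names and NHS numbers are removed.
The code measures how unique those combinations are (k-anonymity), generalises
dates and birth years, suppresses records that stay unique, and applies the
least principle to the released columns. All records are constructed sample data.
"""
from collections import Counter
from typing import Sequence

# Constructed sample extract: direct identifiers already removed.
RECORDS = [
    {"postcode_district": "LS1", "birth_year": 1971, "encounter_date": "2016-03-02", "diagnosis": "asthma"},
    {"postcode_district": "LS1", "birth_year": 1973, "encounter_date": "2016-03-09", "diagnosis": "diabetes"},
    {"postcode_district": "LS1", "birth_year": 1974, "encounter_date": "2016-03-23", "diagnosis": "asthma"},
    {"postcode_district": "LS1", "birth_year": 1970, "encounter_date": "2016-03-30", "diagnosis": "hypertension"},
    {"postcode_district": "LS2", "birth_year": 1982, "encounter_date": "2016-04-04", "diagnosis": "asthma"},
    {"postcode_district": "LS2", "birth_year": 1984, "encounter_date": "2016-04-18", "diagnosis": "eczema"},
    {"postcode_district": "LS2", "birth_year": 1980, "encounter_date": "2016-04-25", "diagnosis": "diabetes"},
    {"postcode_district": "LS2", "birth_year": 1983, "encounter_date": "2016-04-11", "diagnosis": "asthma"},
    {"postcode_district": "LS3", "birth_year": 1990, "encounter_date": "2016-05-10", "diagnosis": "asthma"},
]

QUASI_IDENTIFIERS = ("postcode_district", "birth_year", "encounter_date")


def _key(record, keys):
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, keys) for r in records)


def k_anonymity(records, keys) -> int:
    """Size of the smallest equivalence class; k == 1 means some record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def fraction_unique(records, keys) -> float:
    """Share of records whose quasi-identifier combination occurs only once."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, keys)
    return sum(1 for r in records if classes[_key(r, keys)] == 1) / len(records)


def generalise(record, band_years: int = 5):
    """Coarsen birth year to a band and encounter date to a month (YYYY-MM).

    The values stay useful for analysis (age band, month of contact) while
    individual records become harder to single out.
    """
    out = dict(record)
    start = (record["birth_year"] // band_years) * band_years
    out["birth_year"] = f"{start}-{start + band_years - 1}"
    out["encounter_date"] = record["encounter_date"][:7]
    return out


def suppress_small_classes(records, keys, min_k: int):
    """Drop records whose equivalence class is smaller than min_k."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[_key(r, keys)] >= min_k]


def minimise(records, needed: Sequence[str]):
    """Least principle: keep only the fields the stated purpose actually needs."""
    return [{k: r[k] for k in needed} for r in records]


def prepare_release(records, keys=QUASI_IDENTIFIERS, min_k: int = 3,
                    band_years: int = 5, needed=None):
    """Generalise, suppress, minimise, and report the residual risk of a release."""
    generalised = [generalise(r, band_years) for r in records]
    kept = suppress_small_classes(generalised, keys, min_k)
    released = minimise(kept, needed) if needed else kept
    return {
        "records": released,
        "suppressed": len(generalised) - len(kept),
        "k": k_anonymity(kept, keys),
        "fraction_unique": fraction_unique(kept, keys),
    }


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique on encounter date alone:",
          fraction_unique(RECORDS, ("encounter_date",)))
    result = prepare_release(RECORDS, needed=("birth_year", "encounter_date", "diagnosis"))
    print("released", len(result["records"]), "records, suppressed",
          result["suppressed"], "k =", result["k"])
```

On this extract the exact encounter date alone makes every record unique, which is the point about dates; after generalisation and suppression of the one remaining singleton the release is 4-anonymous.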

Actively manage privacy

Understand that the effective management of privacy requires a mixture of technical measures, governance rules and culture backed by audit to identify potential risks and actual breaches with robust action against those who through either a lack of care or maliciously fail to respect patient privacy.

Be aware of and apply all practical Privacy Enhancing Technologies

Take steps to keep up-to-date with both privacy enhancing technologies (PETs) and those approaches and technologies that might be used by those seeking to breach privacy.

In particular, seek to understand approaches to anonymisation and pseudonymisation, methods of blind record linkage (which allow records to be linked without exposing identifiable data) and the role that cryptography can play in protecting privacy.


Another own Goal from NHS Commissioning Board

It seems to me that the NHS Commissioning Board is about to score another own goal with its plans to seek section 251 approval to share identifiable patient data without consent, as reported in the Health Service Journal (warning: some of this article may be behind a paywall).

I want my identifiable health data shared so that it’s available to all of those who can use it to directly deliver better care to me – But I want to be in control

I am happy for my data to be shared for a wide range of secondary purposes that will help the NHS operate more efficiently, advance healthcare research, create economic opportunities for the UK healthcare industry, be used in any other way that contributes to the greater good or that someone is willing to make worth my while – But I want to be in control.

I want to be told who my data will be shared with and have the right to restrict or extend the sharing as I choose, even if this is not in my best interests.

I want my privacy to be protected and in particular I don’t want identifiable data or easily re-identifiable rich datasets shared when the use of privacy enhancing technologies or more limited datasets make this unnecessary. If this is a little onerous for those who want to use my data – tough. However, if identifiable data is really needed and I consider the purpose noble I’ll probably consent – but I insist on being asked. I’ll lie and withhold information if I think it will be misused.

Trust lies at the heart of the relationship between patients, health and care professionals and their informal care networks. Using digital technologies and data differently is an essential part of what we have to do to have any hope of meeting the challenges that health and care faces. We have to work out how we preserve trust in the digital age and it is not helpful or necessary for the NHS Commissioning Board to attempt to remove patients from the decision about how their data is used or to ignore the existence of privacy enhancing technology that would enable them to achieve what they want to achieve without playing fast and loose with patient trust. I don’t understand how this sits in the context of a patient centered NHS or with the Government’s mantra “No decision about me without me”

My concern is that this is going to trigger a backlash that will result in challenges in the UK and European courts, patients asserting their right to opt out (section 251 does not trump active dissent) whereas most of us would be happy to share if we were asked, and most of all that this will destroy the trust that sits at the heart of the doctor–patient relationship.

The issues exposed by Prof. Brian Jarman indicate just how important it is to make data about what happens in the NHS open and transparent to public scrutiny. Brian’s work shows us that Government and the NHS can’t be trusted to hear or act on what the data tells us any more than they can be trusted to respect patients’ privacy.

We can do what needs to be done without the cavalier exposure of identifiable or trivially re-identifiable datasets. We have the technology to manage blind record linkage so that identifiable data does not have to leave the control of the patient’s own care team. Those working in the field have developed tools and processes that allow us to manage privacy risks in ways that reduce them without undermining the value of the data, while others are developing approaches that will make it easier to collect and manage patient consent.
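Blind record linkage, mentioned here and in the “Privacy Enhancing Technologies” principle above, is easy to show in miniature. The following is an added example and not code from the original post or from any NHS linkage service. It assumes two data controllers who share a secret key that the linkage party never sees; the NHS-number-style identifiers and clinical fields are constructed test values, not real patient data. Each controller replaces the identifier with a keyed pseudonym (HMAC-SHA256) before releasing an extract, so the linker can join matching records without ever holding an identifier. The second half shows why an unkeyed hash is not a pseudonym at all: a ten-digit identifier space is small enough to enumerate, so the “pseudonym” can be reversed by a dictionary attack, demonstrated here over a constructed block of a thousand candidates.

```python
import hashlib
import hmac
import secrets

# Constructed data: two care providers each hold records keyed by a 10-digit identifier.
# Neither may hand identifiable data to the party that performs the linkage.
TRUST_A = {
    "9434765919": {"hba1c": 7.4},
    "9434765870": {"hba1c": 6.1},
}
TRUST_B = {
    "9434765919": {"admission": "2012-03-04"},
    "4857773456": {"admission": "2012-06-10"},
}


def pseudonymise(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier under a key the linker never holds.
    Without the key an attacker cannot recompute pseudonyms for guessed identifiers."""
    return hmac.new(key, identifier.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymised_extract(records, key):
    """What a controller releases: clinical fields keyed by pseudonym, identifier dropped."""
    return {pseudonymise(identifier, key): data for identifier, data in records.items()}


def link(extract_a, extract_b):
    """The linkage party joins on pseudonyms it cannot reverse and never sees identifiers."""
    shared = extract_a.keys() & extract_b.keys()
    return {p: {**extract_a[p], **extract_b[p]} for p in shared}


def naive_pseudonym(identifier):
    """The weak alternative: an unkeyed hash of the identifier."""
    return hashlib.sha256(identifier.encode("ascii")).hexdigest()


def reverse_naive(pseudonym, candidates):
    """Dictionary attack on the unkeyed scheme: hash every candidate identifier until one
    matches. For a 10-digit space this is 10**10 hashes, well within reach of commodity GPUs."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), pseudonym):
            return candidate
    return None


def demo():
    # The key is shared by the two controllers (e.g. held by a trusted third party) and
    # generated fresh per linkage project; the linker only ever receives the extracts.
    key = secrets.token_bytes(32)
    linked = link(pseudonymised_extract(TRUST_A, key), pseudonymised_extract(TRUST_B, key))

    # Attack the unkeyed scheme over a constructed block of 1000 identifiers sharing a prefix.
    target = naive_pseudonym("9434765919")
    candidates = (f"9434765{i:03d}" for i in range(1000))
    recovered = reverse_naive(target, candidates)
    return linked, recovered


if __name__ == "__main__":
    linked, recovered = demo()
    print("linked records:", linked)
    print("identifier recovered from unkeyed hash:", recovered)
```

Two caveats a practitioner would add. Whoever holds the key can re-identify every pseudonym, so the key must sit with a party that never receives the clinical data, and a fresh key per project prevents extracts from different studies being joined against each other. And exact matching on one identifier is the simplest form of linkage; real-world schemes also have to cope with missing or mistyped identifiers, which is where Bloom-filter and probabilistic approaches come in, with their own re-identification trade-offs.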

I don’t want to see the progress we are making with open data, transparency and digital health care derailed by an avoidable backlash. Let me be clear: I’m with what the likes of Tim Kelsey are trying to do, but they do need to take care.

For more information look at the exemplar work of:




For a broad review of the issues and more on Privacy Enhancing Technologies see Fair Shares for All from the Primary Care Group of the British Computer Society

Preserving Trust in Digital Healthcare will be the subject of the joint #CCIO #NHSSM Tweet Chat 8-9 pm, on Wednesday (20 March)



NHS-Life Sciences Partnership

“The NHS should be “opened up” to private healthcare firms under plans which include sharing anonymous patient data, David Cameron is due to announce”

25 years ago I launched AAH Meditel. My plan was to give GPs free computers in return for anonymised patient data, which I planned to sell, primarily for life-sciences research. Today’s endorsement of this concept by Prime Minister David Cameron is therefore one that I welcome, but with some critical reservations.

AAH Meditel was successful in establishing a large database of over 5 million patient records, and one competitor, VAMP (now part of INPS), who launched at the same time, did something very similar. The commercial models didn’t work (we were too far ahead of our time in so many ways) but it is the process we started, later built upon by others (notably EMIS), that has provided the foundations on which today’s announcement is made.

Over the past 25 years I and others in the primary care informatics community have learnt a great deal about the issues associated with building a longitudinal “cradle – grave” record and in particular those that arise when you start to share it and use it for both primary and secondary purposes distant from those purposes in the minds of those who created the record.

The value of this record is created by the willingness of patients to divulge often sensitive information to healthcare professionals. They do this primarily to get the care they need, but we also know that when asked, the vast majority are happy for it to be used for other purposes, particularly medical research, as long as all practical steps to protect their privacy have been taken. David Cameron has made it clear that such steps will be taken, but I have little confidence that Government understands what is necessary and possible, or that the research community goes much beyond lip-service in its attempts to address these issues. It is clear to me that while the research community has no need or desire to compromise patient privacy, it also has little willingness to take the problem seriously, and so risks creating a public backlash and, worse, undermining patient confidence in the doctor–patient relationship that lies at the heart of health care.

I want to see health data used to support the British life sciences industry, but more importantly I want to protect patients’ confidence in their relationship with those who provide their healthcare. I believe if we get it right we can have both, but to do so we have to protect certain key principles:

1. The use of patient data for research is a privilege that patients grant not a right for researchers to take. Patients must be able to opt-out; we know that very few will choose to do so and by denying those who wish to the opportunity we create much unnecessary conflict.

2. It is not a simple matter to protect personal information and comprehensive anonymised data can often be easily re-identified. It is important that those concerned properly understand the risks and how privacy enhancing technologies can mitigate these risk if applied as part of an appropriate governance framework.

3. There must be an acknowledgement by the research community that their first duty is to respect the wishes of patients and the privacy of their data, not their research.

4. That we recognise while health data is a valuable resource its fitness for purposes distant from those for which it was collected is not as great as some might believe. We have much work to do to understand and improve the quality of data (see my blog and )

The BCS Primary Health Care Group published a discussion paper in March this year which I think provides a good starting point

BCS Health have a much longer document in preparation “Fair Shares for All” which should appear soon. This provides an extensive review of the issue including a comprehensive review on patient attitudes on which I draw in making some of my statements above.

Let’s make the most of the opportunity, but please, be careful out there. Privacy is a fundamental human right, and should not be treated as an inconvenience by those wishing to use patient data for purposes other than care.