For immediate release – Monday 3 March 2014
Today, in the same building as the NHS Expo in Manchester, the Information Commissioner, Christopher Graham, is expected to continue to ignore the many breaches of Data Protection law emerging from the NHS Health and Social Care Information Centre (HSCIC). With NHS England claiming that the Data Protection Act will fully protect patients, the DPA’s public guardian is ignoring the tannoy calling him to emergencies.
Full hospital histories – with only some of the most identifying pieces of information swapped with nicknames or pseudonyms – have been sold to and shared with insurers [1] and pharmaceutical company marketers [2] for purposes including social media marketing [3]. There is a clear intention to begin sharing this and other patient data with countries outside the EEA, such as the US [4].
The HSCIC uses the fig leaf of the Information Commissioner’s ‘Anonymisation Code of Practice’ [5] as the only protection for a mandatory, full population dataset [6]; an error the ICO says could cause a “very high” degree of “embarrassment or anxiety”.
medConfidential [7] today called on the Information Commissioner to clarify that his ‘Anonymisation Code of Practice’ cannot apply to patient-level medical records of an entire population.
Phil Booth, coordinator of medConfidential, said:
“47 million people don’t have a clue that their hospital history has been used to target ads on Twitter and Facebook. We have an Information Commissioner struggling with Microsoft Encarta in a Wikipedia world.
“With population scale health data, techniques suggested in the ICO’s Code of Practice would include changing the type of disease that you were diagnosed with, which would obviously make the data meaningless.
“The ICO closed a public consultation on updating the Code in light of how it was being used since it was published last year. We call on the Information Commissioner to reopen the consultation, to give the public a chance to comment now people are beginning to get the picture of how their data has been used.”
Notes for editors
1) See, e.g. ‘Hospital records of all NHS patients sold to insurers’, Telegraph, 23/2/14: http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html
2) See http://www.beaconconsulting.co.uk/ which says:
“Because we hold a large set of historic HES data, Beacon is able to:
– Rapidly check patient numbers so clients can assess project feasibility;
– Start data extraction and analysis as soon as a project’s scope is agreed
We have worked with marketers, market researchers, business intelligence professionals, new product planners and market access teams at many leading pharmaceutical companies across a broad range of therapy areas.”
3) See http://www.beacon-dodsworth.co.uk/site/data/hospital-episode-statistics for a description of how HES data may be used by pharmaceutical companies “to improve [their] social marketing / media awareness campaigns”
4) See Professor Ross Anderson’s letter to the Health Select Committee, following up on misleading statements by NHS England and HSCIC to the Committee in last week’s evidence session: http://www.cl.cam.ac.uk/~rja14/Papers/dorrell-caredata.pdf
5) The ICO’s Anonymisation Code of Practice states: “although there may be no obvious motivation for trying to identify the individual that a particular patient ‘episode’ relates to, the degree of embarrassment or anxiety that re-identification could cause could be very high. Therefore, the anonymisation techniques used to protect data should reflect this.” – http://ico.org.uk/for_organisations/data_protection/topic_guides/anonymisation
6) Hospital Episode Statistics (HES) http://www.hscic.gov.uk/hes are derived from a mandatory monthly collection of identifiable patient-level data from all NHS hospitals, by something called the Secondary Uses Service (SUS) http://www.hscic.gov.uk/sus
7) medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals. Opt out forms and letters available here: www.medconfidential.org/how-to-opt-out/
For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or firstname.lastname@example.org
Fleur Fisher, former Head of Ethics for the BMA and member of medConfidential’s Board of Trustees, will be at the ICO conference and available for comment in Manchester today.
– ends –