
Confidentiality PowerPoint PPT Presentation




Presentation Transcript

Confidentiality


Ross Anderson

Cambridge University and Foundation for Information Policy Research


The Story so Far …

  • 1910 – struggle over who owns medical records led to Lloyd George envelope

  • 1992 – IM&T strategy ‘a single electronic health record available to all throughout the NHS’

  • BMA resistance 95–6 once we realised what this meant; ‘Security in Clinical Information Systems’

  • Calman sets up the Caldicott Committee to postpone the issue past the 1997 election

  • Caldicott documents many illegal information flows; HSCA s60 allows SS to legalise them


The Story so Far (2)

  • ‘Pretexting’ cost Hewlett-Packard chair her job

  • Look back at January 1996 – Anderson RJ, ‘Clinical System Security - Interim Guidelines’ BMJ 312.7023 pp 109-111

  • N Yorks HA pilot – staff trained by Alan Hassey to log info requests, get them signed off, and call back to a number you can check independently

  • We detected 30 false-pretext calls per week!

  • We asked DoH to roll this protocol out nationwide – instead, NYHA were told to stop it!


The Story so Far (3)

  • ‘Blair moment’ in 2002 – ‘Tony wants’

  • Ray Rogers vision of the big central database is dusted off – NPfIT, CfH,…

  • Government really believes this is working and they now plan to roll out the same architecture to childcare, elder care, …

  • What are the implications for clinical confidentiality?


Issues of Scale

  • You can have functionality, or security, or scale. With good engineering you can have any two of these

  • We can live with the risks of a receptionist having access to the 6000 records in a practice – but if 20,000 receptionists have access to 60,000,000 records?

  • Secondary Uses Service will run unprotected for years – with a pious hope of eventual pseudonymisation

  • Blair philosophy is now that data will be accessible (MISC 31, ‘Information Sharing Vision’)

  • Misuse will be punished – pretexters will be liable for prison, though not careless HA staff (DCA CP 9/06)


Helen Wilkinson’s case

  • Helen is a practice manager in High Wycombe

  • Wrongly listed as a patient of an alcohol treatment centre

  • She demanded the data be corrected or removed - officials wouldn’t / couldn’t

  • Caroline Flint promised Parliament it had been done

  • It hasn’t – and the story continues…


Extending NPfIT to Kids

  • ‘Every Child Matters’ white paper (2003)

  • Children Act 2004 provided powers

  • Information to be shared between schools, police, social workers, probation, doctors…

  • The ‘SCR’ is ISA – the Information Sharing and Assessment system – which points to all services interested in your child

  • So schoolteachers will know if a child is known to social workers / police

  • IC study by FIPR (due for release real soon …)


Systems (1) – Connexions

  • A pilot scheme for 13-19s with ‘personal advisers’ and a card also giving discounts at HMV (better not buy Black Sabbath :-)

  • Pilot areas each have databases of children with health status, special educational needs, phone number etc

  • Contains sensitive data such as substance abuse, opinions such as risk of offending

  • Consent from parents not sought (‘Gillick’)


Systems (2) – IS

  • Information Sharing and Assessment Index – like the summary care record

  • Contact details – school, GP, and any interaction with police, social work, probation, specialist service

  • Services can mark a ‘flag of concern’

  • Stigmatization issues (especially contact with some specialist services)

  • Celebs, abuse fugitives may be ‘stop-noted’

  • Blair view: ‘might have saved Climbié’


Systems (3) – ICS

  • Integrated Children’s System will be the detailed record for child social work

  • Extends the current child protection registers from ‘child protection’ (50,000 cases in UK) to ‘child welfare’ (3-4m)

  • Very detailed information, from many sources, including facts, opinions and subjective judgments

  • There may also be a separate but similar ‘eCAF’ run by local authorities for kids who’ve been assessed but are not of interest to social work


Linked Systems

  • Schools – National Pupil Database, Ofsted

  • Justice – RYOGENS and other systems monitor kids ‘at risk’ of offending (ONSET tries to predict who will offend)

  • Once convicted, a wide range of probation and other systems tell officials everything (or nothing? :-)

  • Health – supposed to supply ‘relevant’ diagnoses e.g. early-onset hyperactivity


Data quality issues…


Social work viewpoint

  • It’s hard enough coping with the 50,000 kids at risk of significant harm

  • Adding the 3–4m kids with some disadvantage will paralyze the system

  • Talking about being ‘proactive’ is easy, but what does it mean on the front line?

  • At present, half the kids who try to kill themselves don’t get any specialist help

  • Left (SWM) – don’t ‘collude with youth justice policies which demonise young people’

  • Right (CPS) – ‘nationalisation of childhood’


Balance of benefit and harm?

  • Big problem with social care is lack of effective interventions

  • ‘Sure Start’ program tried to implement best ideas from US research – treat the population, not individuals

  • Parenting classes, preschools, …

  • Evaluations thoroughly disappointing

  • ‘When all else fails, build a database’


Effects on medical practice?

  • Every time you come across a negative indicator, you’ll have to decide whether to fill out a CAF

  • At present you can do the first page and pass it to social work

  • The online system will make you do it ‘properly’

  • What about privacy – once most customer-facing local government staff have access (plus charity workers and careers advisers, according to today’s Times)?

  • Doctors will be blamed for any leaks (you’ll always have to break the ‘rules’ to do your job)


Data Protection Aspects

  • You’ll have to wait for the FIPR report!

  • This compares UK practice with European law and with the practice in Germany, France etc

  • Comment by one observer: UK practice is on a collision course with Europe

  • Eventually something will have to give. Will it be Britain’s EU membership, the German constitution, or what?

Conclusions


  • The approach to personal data management that mutated from the IM&T strategy into the ICRS Spec into NPfIT is undergoing metastasis

  • Secondaries are now growing vigorously in child welfare, with more planned for elder care etc

  • If safety and privacy problems can’t be tackled honestly in medicine, what hope have the social workers got?

  • Maybe the best hope is a European law case. For details, wait for the FIPR report
