'Anonymous' NHS database could still allow patients to be identified, expert warns

Care.data uploads 'anonymised' patient records and hospital admissions on to a national database that can be accessed for a fee by drug companies, academics and other approved researchers

Steve Connor
Sunday 25 January 2015 20:00 EST

A controversial plan to transfer the medical records of NHS patients from GP surgeries to a national database has failed to address a major privacy concern that jeopardises patient confidentiality, according to a leading IT security expert.

The plan, known as care.data, involves the uploading of “anonymised” patient records and hospital admissions on to a national database that can be accessed for a fee by drug companies, academics and other approved researchers who will be prevented from seeing the names and full addresses of patients.

The project was supposed to have started a year ago but was postponed for six months following privacy fears and criticisms about the right of NHS patients in England to opt out of the scheme. However, nothing has been done during the postponement period to overcome a major flaw in the protection of patient confidentiality, according to Professor Ross Anderson of Cambridge University, who is a co-author of a report on the project to be published next week.

“On the contrary, the health department is digging itself deeper and deeper into denial. The fact of the matter is, anonymisation doesn’t really work and we computer engineers have known this for 30 odd years,” Professor Anderson said.

He maintains that the process of anonymising data cannot guarantee the confidentiality of personal information because of the power of “big data” to cross-reference personal items from different databases.

“Although you can use anonymisation in some narrow, specific targeted applications, that’s not what we are talking about with big data,” Professor Anderson said.

“What people want to do is not to just get hold of individual hospital episode statistics but to be able to link the episodes affecting the same patient over a period of decades.”

That, he argues, makes it quite possible for some patients to be identified, when the information is cross-referenced with other sources.

The care.data project, which has the personal blessing of David Cameron, is being run by the Health and Social Care Information Centre, which is managing it on behalf of NHS England. The idea is to integrate the nationwide data on NHS patients to improve health care, increase efficiency and discover new drugs and treatments.

NHS England said that at no time will anyone’s names or full addresses or notes of conversations with their GPs be collected. However, dates of birth and postcodes will be used as patient “identifiers”.

Leaflets sent last year to every home in England promised patients that their anonymised personal details will be protected because “pseudonymised” data cannot directly identify an individual. However, a code or “identifier” will enable a patient’s identity to be re-connected to the data by reference to a separate database containing the identifiers and the identifiable data.

Professor Anderson has been a long-standing critic of the care.data scheme.
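The concern about dates of birth and postcodes can be measured before any extract is released. The sketch below is an added illustration, not part of the original article and not code from NHS England or the care.data project: it counts how many records share each date-of-birth and postcode combination (the k-anonymity measure) and lists the pseudonyms that fall below a chosen k. The records, field names, postcodes and the generalisation rule (birth year plus outward postcode) are constructed assumptions.

```python
from collections import Counter

# Constructed sample of a "de-identified" extract: no names or addresses,
# only a pseudonym plus the two identifiers the article says are retained.
# Postcodes use made-up areas (ZZ, ZY); field names are assumptions.
RECORDS = [
    {"pid": "p01", "dob": "1961-03-14", "postcode": "ZZ1 1AA"},
    {"pid": "p02", "dob": "1961-03-14", "postcode": "ZZ1 1AA"},
    {"pid": "p03", "dob": "1961-09-02", "postcode": "ZZ1 1AA"},
    {"pid": "p04", "dob": "1961-11-30", "postcode": "ZZ1 9BB"},
    {"pid": "p05", "dob": "1984-07-21", "postcode": "ZZ2 2AB"},
    {"pid": "p06", "dob": "1984-01-05", "postcode": "ZZ2 7XY"},
    {"pid": "p07", "dob": "1984-12-19", "postcode": "ZZ2 2AB"},
    {"pid": "p08", "dob": "1990-02-28", "postcode": "ZY9 4DH"},
]

def exact(record):
    """Quasi-identifier as released: full date of birth and full postcode."""
    return (record["dob"], record["postcode"])

def generalised(record):
    """Coarsened quasi-identifier: birth year and outward postcode only."""
    return (record["dob"][:4], record["postcode"].split()[0])

def class_sizes(records, key):
    """Number of records sharing each quasi-identifier value."""
    return Counter(key(r) for r in records)

def k_anonymity(records, key):
    """Size of the smallest group; k == 1 means someone is unique."""
    return min(class_sizes(records, key).values())

def below_k(records, key, k):
    """Pseudonyms whose group is smaller than k: candidates for
    suppression or further generalisation before release."""
    sizes = class_sizes(records, key)
    return [r["pid"] for r in records if sizes[key(r)] < k]

if __name__ == "__main__":
    for name, key in (("exact", exact), ("generalised", generalised)):
        print(name, "k =", k_anonymity(RECORDS, key),
              "below k=2:", below_k(RECORDS, key, 2))
```

On this sample, coarsening the fields removes most unique records, but one outlier stays unique. The check covers only a single extract; it does not model the linking of episodes over decades that Professor Anderson describes.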
