next up previous
Next: The Caldicott Report Up: Information technology in medical Previous: Why do these failures

Cultural problems with privacy

The NHS habit of conceiving systems without user consultation, using them to push through administrative changes sought on cost reduction grounds and, if need be, even dissembling about their goals and basic functionality, has led to privacy failures too. For example, the Hospital Episode System (HES) is a central government database used for planning purposes which records the nature and cost of every episode of hospital care, whether inpatient or outpatient, in the NHS. When the British Medical Association asked whether this would make personal health information available without consent to administrators, senior officials stated categorically that the data in HES would not only be non-identifiable but also non-linkable; that is, it would not be possible to link up successive hospital stays (or courses of outpatient treatment) for the same patient. This assurance was repeated on a number of occasions in public, including conferences and radio programs.

However, one of the statistics required in efficiency monitoring is a hospital's readmission rate: a hospital that discharges appendix patients after four days rather than a week will not save money if a quarter of them are back on the ward within a month. But how could readmission rates be computed if the data were not linkable? It transpired that records were only de-identified to the extent that the patient's name was replaced by their postcode plus their date of birth. This `de-identification' scheme is ineffective for the 98% or so of British residents whom it identifies unambiguously and gives misleading results for the 2% where ambiguity arises - typically students, soldiers, prisoners and the homeless, who do not have fixed postcodes. These groups generate highly atypical healthcare statistics, and miscounting them can introduce serious errors into predictions based on statistical methods such as capture-recapture. It is thus objectionable from both privacy and safety points of view, and much inferior to the properly designed de-identification methods used by private sector healthcare informatics firms.

There are many other central systems under development which pose privacy problems, and it was these which spurred the medical profession into open revolt during 1995 and 1996. This not only involved acrimonious exchanges in the media, but also a medical boycott of a data network that the NHS wanted to introduce and which would have been used, inter alia, for centralised data collection of personal health information for management and other purposes. This revolt is merely dormant during the new Labour government's honeymoon period, and could break out again at any time.


next up previous
Next: The Caldicott Report Up: Information technology in medical Previous: Why do these failures
Ross Anderson
1998-11-13