Next: Caldicott Implementation Up: Remarks on the Caldicott Previous: Problem Systems

What Should be Done?

The BMA's response was to develop the `Blue Book' [1] -- a security policy for clinical information systems -- with wide professional consultation. This sets out nine system design and administration principles which, if followed, would ensure that personal health information is not shared without patient consent, except in the case of statutory exemptions. It is a quite conservative document, seeking to encapsulate accepted good practice with paper records in systems language. Its principles have been shown to be workable in the context of clinical systems, by means of a pilot in a GP practice [13] and a hospital system now deployed at three sites [7]. A typical control regime restricts access to a patient's case notes to the consultants involved in his care and their staff, and to staff in the appropriate ward. This mirrors the existing practice with paper records and works well. However, this research and experience -- and similar work in other countries -- appear to have been ignored by the Caldicott committee.

The BMA has also helped vendors develop a number of systems for handling de-identified patient data. This exercise has shown that the design of such systems is more complex than might appear at first sight, but that with some care and effort it can be managed. For example, the hospital data collection system mentioned above demonstrated the workability of pseudonyms that are unique to a hospital or to a group of hospitals in a trust. Another example is Xtrend -- a system for collecting prescription data from pharmacies for resale to drug companies. This data is processed to protect the privacy both of patients and of those GPs who have not consented to participate in the system. The interesting discovery here was that the privacy of non-consenting GPs could most easily be compromised by drug representatives matching their holidays to their prescribing patterns. The system therefore allows users to see only four-month time series of prescription numbers, and only the percentage share of each product in a given GP's prescribing. At the European level, the Diabcare project has shown how de-identified data can be used even on a transnational scale to monitor and improve the quality of care [10].
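The two controls just described, scope-unique pseudonyms and release of shares rather than counts over a window of at most four months, are sketched below as an added illustration; this is not code from the BMA, Xtrend or the hospital system, the records are constructed, and the keyed hash for scope-unique pseudonyms is an assumed mechanism that the page does not specify.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records: (gp_id, month, product, prescriptions issued).
# G1's February volume is deliberately low, as it would be around a holiday.
RECORDS = [
    ("G1", "1998-01", "aspirin", 40), ("G1", "1998-01", "statin", 60),
    ("G1", "1998-02", "aspirin", 10), ("G1", "1998-02", "statin", 15),
    ("G1", "1998-03", "aspirin", 50), ("G1", "1998-03", "statin", 50),
    ("G1", "1998-04", "aspirin", 30), ("G1", "1998-04", "statin", 70),
    ("G1", "1998-05", "aspirin", 20), ("G1", "1998-05", "statin", 80),
    ("G2", "1998-01", "aspirin", 5), ("G2", "1998-01", "statin", 95),
]

MAX_WINDOW_MONTHS = 4  # the four-month limit the text describes for Xtrend users


def pseudonymise(identifier: str, scope_key: bytes) -> str:
    """Assumed mechanism: a keyed hash gives one stable pseudonym per identifier
    within a scope (a hospital or trust holding scope_key) while records from
    scopes with different keys cannot be linked by pseudonym alone."""
    return hmac.new(scope_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def product_shares(records, gp_id: str, months: list) -> dict:
    """Return {month: {product: percentage share}} for one GP over a window of at
    most MAX_WINDOW_MONTHS months. Absolute counts are used only inside this
    function; callers see relative shares, so a dip in total volume is not visible."""
    if len(months) > MAX_WINDOW_MONTHS:
        raise ValueError(f"window of {len(months)} months exceeds {MAX_WINDOW_MONTHS}")
    totals = defaultdict(int)
    counts = defaultdict(lambda: defaultdict(int))
    for gp, month, product, n in records:
        if gp == gp_id and month in months:
            counts[month][product] += n
            totals[month] += n
    return {m: {p: round(100.0 * n / totals[m], 1) for p, n in counts[m].items()}
            for m in months if totals[m]}


if __name__ == "__main__":
    window = ["1998-01", "1998-02", "1998-03", "1998-04"]
    print(pseudonymise("G1", b"trust-key-A"), product_shares(RECORDS, "G1", window))
```

In the constructed data G1 issues a quarter of the usual volume in February, yet the released share for aspirin is 40% in both January and February, which is the point of releasing shares rather than counts.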

Such systems have great potential to do good in that, by removing ethical objections to the sharing of personal health information without consent, they enable data to be collected in ways that would previously have been unacceptable to both patients and clinical staff. This facilitates not only research but also the much closer monitoring of the quality of care that the government has recently called for. Indeed, health services in countries such as Denmark, Germany and New Zealand are embracing anonymous data and building systems that use it; relevant expertise is accumulating rapidly [2].


Ross Anderson
Thu Jun 25 15:00:54 BST 1998