
Opposition calls for rethink on data storage

24 Dec 2007

The debate over healthcare data security took a political turn today as the opposition called on the government to change its plans for central data storage in favour of local, interoperable services.

Shadow health secretary, Andrew Lansley, told the BBC’s Today Programme this morning that plans for the national database in England holding around 50m records should be replaced by storage on ‘local servers with interoperability between them.’

“What worries us in data security terms is if you create an enormous database you not only create opportunities for catastrophic data loss, you also create real opportunities for people all across the country – if they have access and proper passwords – to access other people’s data,” Lansley said.

Encryption was fine, he said, but there was a risk if many people had the passwords to get into the system.

“You have to look at the risks as well as the benefits…unfortunately the government only appears to have looked at some of the benefits and has not taken advice on the risks,” he said.

The Department of Health defended the centralised approach currently being rolled out and responded to Lansley’s comments, saying that the planned central system had particularly strong data protection rules and the highest standards of security control.

NHS chief executive, David Nicholson, told the Today Programme: "We are listening to what people say about data security and we have a level of security built into the system which is way above industry standards."

Lansley’s comments came as a review of NHS trusts' security showed nine reporting data losses, some already recorded in E-Health Insider. The trusts are: City and Hackney Primary Care Trust; Maidstone and Tunbridge Wells; Bolton Royal Hospital; Sutton and Merton PCT; Sefton PCT; Mid-Essex Care Trust; East and North Hertfordshire; Norfolk and Norwich; and Gloucester Partnership Foundation Trust.

Ross Anderson, professor of security engineering at Cambridge University, also interviewed by the programme, commented on one of the incidents at City and Hackney PCT where 160,000 children's records were lost. Tight security ensured that the records were not accessed, but Professor Anderson asked: "How is it that somebody had access to 160,000 children's records? Surely that's not right."

He said that in banking, for example, no single employee would have access to so many records.

Nicholson pointed out that the National Programme for IT's security with username, password and smartcard access plus role-based access control would ensure that individual staff had access to a relatively small number of records.

"The very thing that Ross Anderson is saying we need is exactly what we are putting into the National Programme for IT," he said.

The NHS boss defended the centralised approach to IT modernisation, pointing out that previous efforts to encourage "a thousand flowers to bloom" at local level had not produced the access to information needed for patient care.


© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

1

The real issue

douglas.scott@nelpct.nhs.uk

24 Dec 07 09:27

This is too important to be hijacked by political opportunism. There is a danger of losing sight of the real issue here. These breaches of data security have arisen where data has been taken outside a secure records system (whatever the system may be). The greatest data security risk remains the handling and processing of bulk data extracted from secure care records systems. This is a clear argument for having fewer, more secure systems, not more local databases! As long as we continue with a multiplicity of data silos and allow our information systems to be driven primarily by performance management needs rather than the need for integrated care records, this will be a risk for the NHS. The new data sharing models for summary care record and detailed care record, rather than being a threat, are an opportunity to create a culture where all the NHS (incl GPs) recognise that the record is not theirs but the patient's.


2

Too important

24 Dec 07 11:53

Indeed the issues are too important - to allow uploading without explicit consent.

The patient's data is theirs - and so should not be uploaded without their explicit consent.

There are serious risks to having a centralised repository of sensitive data - and you can argue till the cows come home whether it's more or less risky than local databases - so explicit consent should be sought.

These are precisely the reasons why the majority of GPs, and the BMA, are demanding explicit consent before uploading.


3

nice to see a reasoned response

24 Dec 07 12:38

Spot on with that first comment, it's a relief to see people are waking up to what a shambles the current situation is. Perhaps once people realise N3 can be used to securely pipe this kind of information, and GP2GP can (once the suppliers get their fingers out and stop throwing strops or insisting on using nonstandard coding) remove the need for a great deal of the data transfers going on. I wonder if EMIS, TPP or iSoft were to comment on the methods actually used to deliver data to them, how long would it take for another torch bearing army to be out screaming for blood. CFH really needs to put together a detailed explanation of this whole project and its benefits so the layman can understand what is going on and politicians on all sides will stop trying to score cheap points.

Oh yes, here's a question for all you G.P.s out there - if someone comes to your surgery for an appointment, how do you prove their identity? No one's asked to see mine at the surgery I've just started going to, yet they've happily let me read through my history. If I knew who my boss's GP is, and arranged a visit with a locum or nurse, what interesting titbits could I find out? (I know it's not directly relevant to the article, but it might give an idea of how other industries treat access to data)


4

A non-existent problem?

24 Dec 07 23:36

A central database is a politician's and bureaucrat's dream scheme. They can present it as something wonderful that will benefit patients and even save lives. In reality it looks like a solution for a problem that does not exist or that can be solved much more simply and cheaply. I have asked around family, friends, colleagues and no one has ever required emergency treatment away from or near to home and been incapable of giving a history. So access to a central record was irrelevant. Of course this is hardly a statistically significant sample and I accept that on occasion people get admitted as emergencies and it is not possible for them to give a history and this might result in harm. Can the DoH produce any data to justify all of this? If you as an individual have a significant medical history that would be important in an emergency then wear a bracelet with the details. It's cheap and it is secure. Trouble is it is not glamorous enough. Should not NICE look at the cost effectiveness of the glamorous alternative? After all we are told this is to benefit patients so why not look at it in the same way we look at the cost effectiveness of a drug.


5

Proof of identity

26 Dec 07 10:55

My practice will not register a patient without sight of a passport/photo ID and proof of residence. The photo ID is scanned and available to check the credentials of anyone asking for access/copies of their data.

In reality the number of patients requesting access is surprisingly small. It is more common to receive third party requests from solicitors etc. We require a signed consent and double check with the patient before providing the information.

Patient confidentiality, and hence data security, is drummed into our staff from the first day of induction and any breach is considered a disciplinary matter. It is also listed as a possible reason for immediate dismissal.


6

Statement - conclusion?

nhstechie@btinternet.com

27 Dec 07 19:34

Boring as it may sound, the definition of "data" is all important here, does all data sharing require informed consent, or is this an overly simplistic soundbite?

Demographic details are already uploaded (and have been for many years) from GP systems to the National Strategic Tracing Service. Should GPs now be expected to get retrospective consent for sharing this data? If we follow the logic of this argument, they should.

Legislation exists for mandating the sharing of information regarding notifiable diseases. Presumably consent isn't required for sharing such information?

Next, let's consider the NHS's duty of care to its employees, to children and other vulnerable groups, to the general public and to patients without the capacity to give informed consent. The Mental Health Act (old and new) also requires some information sharing to take place to cover these duties of care - surely consent isn't required here?

Current medications, problems and allergies. Yes, people could be required to carry cards or identity disks - but most members of the public assume such information is already shared between care professionals. Perhaps a grey area?

Finally, detailed care records i.e. the contents of my Lloyd George envelope and my own records as a patient on the local GP, A&E, PAS, RIS, GUM, SMS, MH and pathology systems (as you've already inferred, I have a lot of "problems"). This is pretty black and white - informed consent is essential in my view. Whether this is through an opting in or opting out system is irrelevant - what is important is that the public needs to be objectively informed about the pros and cons. At the moment CfH promulgates the pros to the exclusion of any of the cons, which is a terrible mistake and sadly undermines their arguments - leaving the field open to sensational, populist, tabloid headlines and political opportunism by members of all political parties.

Given the lack of a working Legitimate Relationship Service and the long-promised Sealed Envelopes, I would not personally give consent to my own intimate data being shared.


7

moving on...

31 Dec 07 15:54

For all those people claiming that medical data should not be shared or only be shared with explicit consent, I have 2 words:

VICTORIA CLIMBIE

http://www.victoria-climbie-inquiry.org.uk/

A sensible and more serious New Year to you all.

Post edited by EHI


8

Re: Moving on

02 Jan 08 09:16

Last time I looked - in the CRS content arena where the goalposts continually shift - the information that was planned to be included in the widely shared record appeared to be limited to drugs and allergies. My guess is it will never get beyond this.

I'm not convinced this would have helped in the Victoria Climbie case.


9

VICTORIA CLIMBIE

rf@medicineit.com

02 Jan 08 09:19

What a sad, emotional and inappropriate citing of a case! Shame on you!

The recommendations of this report do not include the generation of a national 'super database' in the NHS!

The recommendations talk about local sharing of data with national structures to co-ordinate policies and resources.

What most of the current 'nay sayers' are worried about is the lie being peddled by many, that a national database is the answer.

Most care, including social care, is delivered locally. Why should the data (the most private data of all!) be held nationally?

It is not beyond the powers of technology to keep the data local with national collation of demographics. It is not impossible for local data to be accessed through a national network in the exceptional case (less than 5%) where care is delivered outside the local area.

I am not a GP but I'm extremely concerned that the relationship between patient and GP will be damaged when people wake up to the fact that the contents of each consultation will be uploaded to a national database controlled by the government.

Nothing, that I have seen in over 10 years working in the NHS and now private IT for the NHS, has given me a reason to question my fundamental fears of this 'beast'.


10

Facts not Hyperbole Please

02 Jan 08 10:56

The previous comment paints an apocalyptic picture of details of every clinical consultation being uploaded to the Summary Care Record. However, it ain't true!

Details of clinical consultations, diagnoses, significant conditions etc will only be uploaded with specific patient consent after consultation with a clinician on each and every occasion that such an upload could occur. So all of this is in the direct, personal, specific control of the patient.


11

Local vs national

02 Jan 08 11:27

'Most care, including social care, is delivered locally. Why should the data (the most private data of all!) be held nationally?'

This type of comment is very common in EHI threads. What is usually missed out is that in most cases, that local care is delivered by a number of different organisations. The fact that the organisations are geographically close, or within the same PCT or SHA is often irrelevant. It's actually far simpler to share via a single national system than try to assemble a web of sharing agreements between local organisations, then build systems around that.


12

Climbié and data sharing

nhstechie@btinternet.com

02 Jan 08 13:15

For info.

The Laming report recommended the setting up of a national Information Sharing Index (ISI) by the then DFES. This index is primarily designed for child protection purposes and was deliberately kept outside the NPfIT domain, though interfaces between the Index, local case management systems (Social Services) and local NHS PAS systems (including those provided under NPfIT) are planned.

This ISI developed into ContactPoint, which EHI have covered in detail, particularly the delays to its go-live date (recently shifted from 1st April 2008 to "late 2008").

The original respondent was correct in that one of the underlying issues identified by Lord Laming was a failure, for whatever reasons, to share information appropriately between the various services who ought to have been involved in the case. Such failures occur only in a very small minority of cases, whatever the care context, but the results can be catastrophic to the individuals concerned.

There are genuine reasons for concern regarding the IT Security measures proposed for ContactPoint which appear to fall short of those proposed for the NPfIT systems - two factor authentication versus three factor authentication. These are mitigated to some degree by a requirement for all registered ContactPoint users to have enhanced CRB checks.


13

Central Records database

03 Jan 08 11:23

"The NHS boss defended the centralised approach to IT modernisation pointing out that previous efforts to encourage "a thousand flowers to bloom" at local level had not produced the access to information needed for patient care."

"Previous efforts" had not included £13 billion pounds of top-sliced money. Perhaps the EHR and EPR models previously proposed in Information for Health were just lacking that vital ingredient - money!


14

Contactpoint and disconnected for Health

03 Jan 08 17:32

At a recent launch in London of Contactpoint, it appeared that the concepts of integration between even the national databases were very tenuous. I haven't read the Climbie report, but for Contactpoint to be effective, surely every contact between a patient and the full spectrum of health and social care staff may prove significant.

A partial sequence of records is worse than no record at all, because it may lull the user into thinking that there is no problem. As with missing records on SCR where patients have opted out, or the relevant GP practice is not yet enabled, it devalues the whole.

The complexities of cross-mapping data items and keeping many databases in step is very significant, but origin and validity of data is much clearer, and the ability to innovate and develop recording mechanisms far greater.

If only the millions were not being squandered on these grandiose schemes.


15

RE: Central Records Database

04 Jan 08 16:21

'Previous efforts had not included £13 billion pounds of top-sliced money.'

No, but it did include £1bn of 'ringfenced' funding for IT distributed to NHS organisations in 1998, most of which was diverted elsewhere. Hence NPfIT.
