NHS Care Record data safety fears grow

12 Nov 07

The revelation has sparked fresh fears over the safety of data from Summary Care Re-cords, which will be linked to the SUS when they are rolled out across England next year.

New guidance from Connecting for Health reveals three users in every organisation within the NHS have been given access to patient-identifiable information contained within Commissioning Data Sets and Payment by Results data.

The guidance admits ‘this appears to be in total contradiction to the purpose of SUS’, which was supposed to protect patient data through pseudonymisation.

‘Limitations of the current business function codes for SUS mean that it is not possible to restrict access to patient identifiable data other than through restricting the number of users,’ it states, adding that large-scale pseudonymisation would be rolled out ‘in coming releases’.

The news follows a recent call by the Health Select Commit-tee for a Deprtment of Health inuiqry into the security safeguards being put in place by the SUS.

Professor Ross Anderson, a world expert in security engineering at the University of Cambridge, said: ‘They’ve admitted that SUS has got no privacy, and that it can’t give people privacy. They say they will essentially retrofit privacy in the form of deidentification mechanisms but that’s seriously hard.’

‘What I fear is going to happen is that when they realise they can’t de-identify stuff they’ll just say to hell with it, everyone can have access.’

Dr Paul Thornton, a GP in Kingsbury in Warwickshire, said: ‘They’re intending to take much more data and much more sensitive information and put it into the Summary Care Record with the same ethical basis and the same security framework.’

‘If they can’t do it with the basic information they’re getting from trusts, then they clearly can’t make safe the even more detailed informa-tion we have on our systems.’

A Connecting for Health spokesman said access to identifiable data was ‘strictly controlled’ and granted with the approval of the Patient Information Advisory Group.

‘The access controls are such that users cannot see identifiable data for other organisations unless they are specifically authorised to do so. The restriction to three users per organisation is a means of limiting this access.’