Undermining data privacy in health information

BMJ 2001; 322 doi: (Published 24 February 2001) Cite this as: BMJ 2001;322:442

New powers to control patient information contribute nothing to health

  1. Ross Anderson, reader in security engineering (Ross.Anderson{at}
  1. University of Cambridge Computer Laboratory, Cambridge CB2 3QG

    Since 1910, doctors have been arguing with successive British governments over access to medical records. The compromise that has emerged over the years balances patient privacy, professional autonomy, public health effectiveness, and the needs of scientific research. Past attempts to disturb this balance have foundered—on professional resistance, patient rights, and the property rights of healthcare firms—but the side effects of these disputes have often been debilitating. And now an innocuous sounding clause in the latest bill on health is set to upset the balance again, with potentially damaging effects on both privacy and research.

    The last government attempt to extend its access to personal health information was the information management and technology strategy, which in 1992 talked of a single electronic health record, accessible to all within the NHS. But the strategy was not designed to facilitate the sharing of health data between clinicians so much as its collection in central databases. This put it on a collision course with the law. For example, the Venereal Diseases Act restricts identifiable data on sexually transmitted diseases to the patient and the provider; yet the minimum dataset for contracting in the NHS contains the HIV status of the patient—even when this is irrelevant.1 This episode so undermined confidence in the confidentiality of NHS networking that it delayed the introduction of information technology into the NHS by several years.

    It also caused a confrontation between the BMA and the Department of Health in 1995-6, which the chief medical officer defused by establishing the Caldicott committee. This reported back after the 1997 election,2 but its recommendations were disappointing. In the profession's view the report was only a first step along a much longer road. For example, it transferred responsibility for privacy to a “guardian” in each provider, while entrenching central control over information systems. The stresses caused by this separation of power and responsibility are now becoming clear.

    The Department of Health has recently moved to assert control over commercial healthcare data providers. One of these firms, Source Informatics (now IMS Health), recently won a test case in the appeal court. The Department of Health claimed that Source Informatics' pharmacy data collection system breached patient privacy, but the court agreed with the BMA's expert assessment and the arguments of several other medical and research bodies and found that it didn't since it used effectively anonymised data.35

    This is the background for clause 67 of the Health and Social Care Bill, currently going through parliament.6 The bill itself enacts various measures necessary to implement the NHS plan, but clause 67 has been inserted into the bill without any consultation with patient or professional groups. It grants the secretary of state for health two sweeping new powers: (a) to collect all personal health information in identifiable form—not just from the NHS, but from the private sector too; and (b) to regulate (or even ban) the use of personal health information by third parties such as Source Informatics. The arguments initially offered to justify these sweeping new powers were surprising. Health minister John Denham claimed that the purpose of the bill was to protect patient information.7 But in reality the clause 67 powers will remove the remaining effective legal restraints that protect patients and doctors from detailed surveillance by central government.

    A bias against industry also appears in government statements. Denham says he wants to overturn the Source Informatics judgment by legislation because it “allowed a company to sell patient information to the pharmaceutical industry for marketing purposes. The aim of such marketing was to drive up the costs of the drugs prescribed on the NHS, and if successful would lead to a waste of resources.”8 But this is clearly a matter for the pharmaceutical price regulation scheme. Press comment has suggested that the real motive for tightening the regulation of healthcare data is not to hinder drug marketing so much as to suppress “awkward” reports by third parties on NHS performance.9 Comment on a public mailing list devoted to the bill has a similar tone.10

    In any case, it is unclear how the health and well-being of the nation could be improved by this measure. It will certainly have a chilling effect on the doctor-patient relationship: non-consensual data sharing is contrary to medical ethics and appears to violate the European Convention on Human Rights.

    It is also at odds with the welcome declaration of the Secretary of State, in the wake of the Alder Hey scandal, that the days of the old paternalistic NHS are over and that patient consent must be paramount in future. Healthcare data management is a complex and emotive subject, which requires proper investigation and debate. In the United States there was public consultation on the regulations passed on this topic under the Health Insurance Portability and Accountability Act, with the result that the regulations have at least the grudging agreement of most of the affected parties.11 Britain's patients, doctors, and healthcare companies deserve nothing less.


    • RA was paid by the BMA to evaluate the security of the Source Informatics system referred to in this article.

