Head To Head

Do summary care records have the potential to do more harm than good? Yes

BMJ 2010; 340 doi: (Published 16 June 2010) Cite this as: BMJ 2010;340:c3020
  Ross Anderson, professor of security engineering
  University of Cambridge, Computer Laboratory, Cambridge CB3 0FD
  Ross.Anderson{at}

    Ross Anderson argues that the national electronic database of patient records is not fit for purpose and illegal, but Mark Walport (doi:10.1136/bmj.c3022) believes that it will make valuable contributions to better care

    A digital medical record system that shared information when appropriate between care providers, and was dependable and safe, would be of great value. However, the summary care record isn’t it. It must be abandoned—for reasons of safety, functionality, clinical autonomy, patient privacy, and human rights.

    The summary care record was marketed to the public as a way for accident and emergency staff to check up on unconscious patients. According to Tony Blair, if you ended up in hospital in Bradford, doctors could look up your records with your general practitioner in Guildford. But this is nonsense. Very few patients have conditions that must be made known to emergency staff; for those that do, the properly engineered solution is MedicAlert.1 Unconscious patients often can’t be reliably identified, so a database is less robust than a tag or card; the record doesn’t have everything accident and emergency staff might want to see; and it is not even available in Scotland (let alone on a beach in Turkey).

    The truth is that the summary care record was designed to accumulate large amounts of data about patients from multiple sources. Many patients’ records will start with a hospital discharge summary rather than a general practice summary, while plans are afoot to include medical images and even ambulance messages.2

    Lack of control

    This rapid increase in scope creates a serious hazard: a multicontributor record for which no individual clinician is responsible. Transfers of data between general practices have thrown up serious difficulties about the different ways in which data are classified. Adding other providers will make this worse; experience with the electronic discharge letter suggests that hospital data also vary from poor to dangerously incomplete. In a clinical context, weak controls on quality and consistency may be offset by the effort clinical owners make to organise the data on which they rely. But with no one motivated to curate the data, responsibility for it will be diffuse. This is a known hazard in medicine, and applies to other systems too. In no other safety critical system would people just heap up data and hope that someone will deal with it.

    Functionality and clinical autonomy are related to safety. Experience shows that clinical systems bought by doctors generally work, while those bought by civil servants generally don’t. A good case history is the GPASS system in Scotland—a well meaning attempt to save money by providing general practices with a common publicly funded computer system left them instead with systems unresponsive to clinical needs. Without clinical ownership of a system’s specification and evolution, it is unlikely to remain fit for purpose.

    So it is not surprising that one of the authors of an independent report on the summary care record by University College London, Emma Byrne, has written that the record was “not much use” and “not particularly effective at improving health care.”3 4

    In an attempt to make the summary care record appear a success in other ways, there was a frantic push before the election to increase the number of records uploaded. Yet despite Connecting for Health breaking an agreement with the BMA on pausing uploads and a deceptive and coercive patient information campaign, only 240 practices are uploading data. In Bolton, where the summary care record was piloted over three years ago, only 25 practices out of 56 are uploading; in Bradford it’s 20 out of 83; and in Somerset, 9 out of 76.

    Breach of human rights

    The showstopper though is privacy. In 2008, the European Court of Human Rights decided the case I v Finland. Ms “I” was a nurse in Helsinki, and HIV positive; the systems at her hospital let her managers find out about her status, and they hounded her out of her job. The court awarded her compensation, finding that we have a right to restrict our personal health information to the clinicians involved directly in our care. Other staff must be unable to access records, not just “not allowed.” In 2009, colleagues and I wrote a report for the Joseph Rowntree Reform Trust, examining the impact of this and other cases on UK central government systems and concluded that the summary care record had serious legal problems.5 With the additional data being added, it is now clearly unlawful.

    Furthermore, the summary care record’s consent procedures are completely unsatisfactory; sharing medical data requires informed consent, yet large numbers of patients are unaware that the record even exists. Expecting patients to be aware of it, and to opt out every time they interact with health care, is ridiculous; just how do you get consent from an intoxicated teenager who has turned up to get emergency contraception? In fact, children are not being offered an opt-out at all.

    There are two larger points here. The first is that to escape the Finland judgment, the UK would have to abrogate the European Convention on Human Rights, withdraw from the Council of Europe, and almost certainly leave the European Union. Second, this is not just a matter of law but goes to the heart of the relationship between patients and doctors. The summary care record and the national information technology plan will make even highly sensitive information such as mental health records available by default to hundreds of thousands of people—and not just in the core NHS but in Whitehall, local authorities, and research laboratories. This is totally at odds with the expectations of patients, with safe systems engineering, and with prudent clinical practice, as well as with human rights law. We do need to automate medical records—but we need to do it right.



    • Competing interests: The author has completed the unified competing interest form at (available on request from him) and declares (1) no financial support for the submitted work from anyone other than their employer; (2) no financial relationships with commercial entities that might have an interest in the submitted work; (3) no spouses, partners, or children with relationships with commercial entities that might have an interest in the submitted work; and (4) no non-financial interests that may be relevant to the submitted work.

    • Provenance and peer review: Commissioned; not externally peer reviewed.