The claim

“NHS England has announced that patient data held by GPs is to be sold for £1 per request to ‘approved companies’ who wish to buy it. Patient records are supposed to be anonymised, with each name + first line of address merely replaced with a unique identifier code. A list of the codes will be held separately. But it will not be hard for names and addresses to be restored; once a patient record is uploaded. Any teenager could do it.”
Keep Our NHS Public, 21st August, press release

The background

The NHS want to release data for good reasons. Putting out reliable data to universities and NHS suppliers means that we can know how many people are undergoing chemotherapy in the UK (we currently don’t), whether rates of heart disease are going up or down and what age groups are most likely to be smokers.

That’s useful for health policy and for research.

But some less anonymous data is being given out to private medical companies. In the near future that will include all GP records from England, and under proposals from NHS England’s Chief Data Officer it could be a lot cheaper than before – £1 a record, instead of the £20,000 previously charged.

That’s got groups like Keep Our NHS Public up in arms.

These richer datasets – available only to approved partners including universities but also private medical companies – contain more personal information. Though the NHS scrub the obvious identifiers like the names, dates of birth and addresses of patients, Keep Our NHS Public argues that it would be easy to cross-reference the GP records with another dataset and match people up with their GP records, thus gaining a huge amount of personal information.

Keep Our NHS Public implies that the extra information is being left in to make it more valuable to private health companies. The group sketch out how these records could be used in lots of unsavoury ways: that health companies will use them to target advertising or to refuse certain people insurance payouts, that private investigators will turn up details of your STIs, or just that information given to GPs in confidence could end up kicking around online, going to the highest bidder.

The analysis

So is the NHS selling off your personal information in a way that any old teenager with Google could match up with your name? Is it really that poorly anonymised? Not quite.

What is in the personal records that the NHS is selling to third parties for £1?

An NHS spokesperson told us that these records are scrubbed of name, date of birth, and the full address of the patient before they are given to private companies.

That means that on one count Keep Our NHS Public is wrong: the records don’t include postcodes and they don’t include date of birth. However, the pressure group isn’t entirely wrong.

The records can include information such as the age and socioeconomic status of the patient and the name of the patient’s GP, as well as gender, information like number of children, and of course details of every discussion you’ve had with your GP.

Could you identify someone with those details?

We asked Dr Grigorios Loukides, a Lecturer in Computer Science at Cardiff University, who has written about anonymisation in public health records.

“If they remove all identifier data from the dataset, there should be no risk from the dataset by itself. The problem comes if it is combined with another dataset, which includes all the missing information – DOB, name, and addresses.”

“With that, then yes, theoretically it would be possible.”

Take a hypothetical anonymised medical record for a forty-year-old woman registered with a GP in Manchester. Could you work out what her name was?

Yes, or you could get pretty close – if you had a list of everyone registered with that particular GP including their name, address and date of birth.

According to 2011 figures each GP has an average of 1,562 patients registered with them. If you wanted to work out who a particular 40-year-old woman was, you would look only at women on the list, halving it to roughly 750, and then narrow it down again to people born around 1973.

If age distribution is taken to be evenly spread between 0 and 80, in a group of 750 women you could say that there will be about nine in each age bracket. Thus we’d assume there are about nine 40-year-old women registered with this GP.

Could you whittle that down to one? Using ethnic and socioeconomic data could help. And conceivably Googling and social media could whittle that down too – who’s been on holiday to India and got vaccinations, who has got two kids, who is gay, who previously lived in London etc.

You couldn’t definitely identify someone every time, but you could come close in many cases.
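The narrowing described above is what a data custodian measures as k-anonymity before a release: the size of the smallest group of records that share the same combination of fields. The sketch below is an added example, not code from the article or from NHS England; the records are constructed to match the article's assumptions (1,562 patients, even sex split, ages spread evenly over 0 to 79), and the practice label and `children` field are hypothetical.

```python
from collections import Counter

PRACTICE_SIZE = 1562  # average patients per GP quoted in the article (2011 figures)

def build_release(n=PRACTICE_SIZE):
    """Constructed records for one practice: sexes split evenly, ages spread over 0-79."""
    rows = []
    for i in range(n):
        rows.append({
            "gp": "practice-A",          # hypothetical practice label
            "sex": "F" if i % 2 == 0 else "M",
            "age": (i // 2) % 80,        # even spread, as the article assumes
            "children": (i // 160) % 4,  # constructed extra attribute
        })
    return rows

def class_sizes(rows, quasi_identifiers):
    """Number of records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)

def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group: the worst-case crowd a patient hides in."""
    return min(class_sizes(rows, quasi_identifiers).values())

def generalise_age(rows, width):
    """Coarsen exact age into bands of `width` years (e.g. 40-49 is stored as 40)."""
    return [{**r, "age": r["age"] // width * width} for r in rows]

if __name__ == "__main__":
    rows = build_release()
    for qi in (("gp", "sex"), ("gp", "sex", "age"), ("gp", "sex", "age", "children")):
        print(qi, "k =", k_anonymity(rows, qi))
    banded = generalise_age(rows, 10)
    print("10-year age bands, all four fields: k =",
          k_anonymity(banded, ("gp", "sex", "age", "children")))
```

On this constructed data k falls from 781 to 9 to 2 as fields are added, and releasing age in ten-year bands instead of exact years lifts it back to 20.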

Why is information like GP practice being left in though it makes the patient much more identifiable? Because it makes it more useful to the NHS, NHS England say. They want to track the pathways of patients through the health system and it makes more sense to them if they’re able to trace where exactly in the system they come in and out.

The verdict

So is Dr Loukides worried about the possibility of identification?

“Theoretically it is possible, yes. But the legislation in place should be sufficient to stop the company acting on this data, there are data protection laws they need to obey.”

So we have to trust that the law and the contracts in place will act as a safeguard against the data being used to the detriment of patients.

Even if a company had worked out that information, it would be illegal for them to use it or act on it. The very act of cross-referencing that data to try to identify someone might be illegal too – see the Information Commissioner’s advice on anonymity of data.

The NHS confirm that: “The data sharing contract and agreement makes clear that the customer must only use the data for a specific stated and agreed purpose: they are not permitted to link it with other data unless explicitly agreed in the contract.”

So yes, it is possible, as Keep Our NHS Public claim, that people could be identified. But the implications of that shouldn’t be as dire as they suggest.

It has been a small-scale problem in the US when personal healthcare data has been sold to third parties. And academics in the UK have expressed concerns about this jigsaw identification with NHS data; see these Oxford academics writing in the BMJ.

However, Dr Loukides says that though some details could be changed, the legal agreements in place should be strong enough to make the data useful, while protecting enough privacy:

“The legislation around anonymisation is not about eliminating risk of identification, but controlling it.

“There is always a trade-off between privacy and data utility: you can have complete privacy in which case the data has no use, or you make it completely open and then there is no privacy.

“The challenge is to find a good trade-off.”

By Anna Leach