Wednesday 19 February 2014

NHS database delayed

After my previous blog post, I have seen an increase in awareness and concerns around the NHS database rollout.

Yesterday, it was announced that the rollout has been delayed for six months, as the public were not appropriately made aware of what would be happening to their data.

BBC News:

As a side note, as I was passing my Doctor's surgery, I picked up an opt out form:

As you can see the data being moved from the GP surgery to the database is you NHS Number, Data of Birth, Post Code and Gender, along with your medical records.  The data being used or sold will be age bands, area and gender, along with your medical records.

I have concerns around how the data will be transferred to the main NHS database, as well as the data itself.  I appreciate that they will then modify the data before selling it, but I would then have concerns around how this data is stored, who will have access to it and what safeguards are in place to protect the original data, rather than the anonymised data.  There is then the ethical questions around selling patient data to third parties.

It sounds extreme, but if a third party had access to your medical records and your postcode, it would take much to correlate this with information in the public domain to get your in address and/or telephone number.  If you had a serious medical condition, would you want to be bombarded by calls and letters selling care homes or even funeral services!

I wait to see what happens in the next six months around this, but suspect I will still opt-out!

Monday 3 February 2014

Data Privacy...

The Data Protection Act is there safeguard our personal information when being held by organisations.  That in itself we hope would be good enough, but if it isn't it is policed by the Information Commissioner's Office (ICO) who are an independent authority.

The ICO have the ability to issue fines up to £500,000 where there are serious breaches to the Data Protection Act and Privacy and Electronic Communications Regulations.  There have been some notable cases in the news, including:

  • NHS Surrey, who lost sensitive information belonging to 3000 patients, which was left on a computer that was auctioned.  The fine, £200,000 (Source: BBC News)
  • Sony, whose Playstation database was hacked. The fine, £250,000 (Source: BBC News)
  • Brighton  and Sussex university Hospitals NHS Trust, who have hard drives stolen containing personal data, including medical records, National Insurance numbers, and staff home addresses.  The fine, £325,000 (Source: BBC News)
  • North East Lincolnshire Council, who lost sensitive information of hundreds of children on an unencrypted memory stick. The fine, £80,000 (Source: ICO)
  • Ministry of Justice, who emailed the details of prisoners at HMP Cardiff to three of the inmates families. The fine, £140,000 (Source: ICO)

As you can see, these data breaches whether intentional or not, happen a lot.  It would want you to ensure the organisations who have your data have the necessary safeguards, but it's all to apparent that these are not in place, whether they are encryption solutions, firewalls, strong passwords, two factor authentication, data leakage prevention solutions, website firewalls, staff training, etc.

With all this in mind, did you know that the NHS have the right to share your personal information unless you opt-out of the scheme.  I for one will be opt-ing out as soon as possible.

More information here: