Audit And Consent: Health Databases In A noSQL World
Privacy International welcomes the news that the UK NHS Data Spine is being replaced. We have fundamental privacy concerns about the existing infrastructure, and the proposed changes have the potential to enable the necessary privacy protections to be implemented in a meaningful way.
Core elements of the NHS Spine, the technological infrastructure underpinning the service that cost the Government over £12 billion, will have to be replaced after numerous failures. The interfaces through which the "spine" talks to other systems will remain unaltered (for now), but the core infrastructure will move to something that can evolve over time.
While this change has the potential to greatly benefit the system, by tying patient choice and consent to the core data infrastructure of NHS, it could also be a privacy disaster.
In order to ensure that privacy is integrated throughout the system, we believe that at the core of the new Spine there must be provision for audit and consent.
Currently, all information entered into the NHS Data Spine is searchable from any NHS point in the country, regardless of whether the relevant patient is in attendance at the time of the search.
This means, for example, that if you make national news in Cornwall, a GP practice in Newcastle could look up your NHS number using your name and location. Such a search may or may not be proper, and should therefore be subject to scrutiny. However, for scrutiny to be possible, the individual involved has to know that their data was examined. Currently, the Personal Demographics Service (PDS) - part of the Spine - does not provide for patients to be notified when their data is accessed.
The PDS represents an important part of NHS coordination. When showing up at hospital in the back of an ambulance, few people will be able to recite their NHS number. Most, however, are able to give a home address to which an NHS number and registered GP can be matched. The PDS allows this, and although as a system it has some inherent risks, the benefits may nevertheless be so great as to outweigh them.
However, in such a risky system safeguards must be put in place to prevent abuse and allow for redress. The PDS must be designed to record not only who was found in a search, but that a search was done, and from where it originated. That is all the information required for an individual to be able to detect abuse of their own record. The risk and likelihood of abuse or misuse are so high precisely because individuals cannot know whether an illicit search of their details has taken place.
With the current pressures in the NHS for increased use of confidential patient information, and the ability for patients to access their own data online, logs of each lookup or search (which will be associated with an NHS number) would allow individuals to receive a record of who has conducted searches of their data.
This is one of the most serious generic privacy threats against specifically targeted individuals, and can be solved by a small modification to the system.
Informed consent is the foundation of medical ethics.
The ability to choose whether or not to have a treatment extends to whether or not you want your data stored on particular systems. In a re-engineered health system, especially a noSQL world where data structures are fluid and opportunity costs low, the inclusion of consent information attached to each data structure is now feasible (if not necessarily immediately achievable).
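To make the two proposals above concrete (an audit record of every PDS search, including where it came from and who was found, and a consent decision stored alongside each record), here is an added illustration in Python. It is not NHS or Spine code; the record layout, the NHS-TEST numbers, the requester and origin identifiers and the consent flag are all constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample records (placeholders, not real NHS data). Each record
# carries its holder's consent decision as part of the data structure itself.
PATIENTS = [
    {"nhs_number": "NHS-TEST-0001", "name": "Pat Example", "postcode": "TR1 1AA",
     "gp": "Truro Practice", "consent": {"remote_lookup": True}},
    {"nhs_number": "NHS-TEST-0002", "name": "Sam Example", "postcode": "NE1 1AA",
     "gp": "Newcastle Practice", "consent": {"remote_lookup": False}},
    {"nhs_number": "NHS-TEST-0003", "name": "Pat Example", "postcode": "TR1 1AA",
     "gp": "Falmouth Practice", "consent": {"remote_lookup": True}},
]


class AuditedPds:
    """Demographic lookup that logs every search and honours per-record consent."""

    def __init__(self, records):
        self.records = records
        self.audit_log = []  # append-only; in practice a tamper-evident store

    def lookup(self, requester, origin, *, name=None, postcode=None):
        """Return matching records minus opt-outs; always write an audit entry."""
        matched = [r for r in self.records
                   if (name is None or r["name"] == name)
                   and (postcode is None or r["postcode"] == postcode)]
        # Consent is evaluated per record. A withheld record is still recorded as
        # matched, so its holder can later see that someone searched for them.
        released = [r for r in matched if r["consent"].get("remote_lookup")]
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "requester": requester,   # hypothetical user/smartcard id of the searcher
            "origin": origin,         # hypothetical practice or system identifier
            "query": {"name": name, "postcode": postcode},
            "matched": [r["nhs_number"] for r in matched],
            "released": [r["nhs_number"] for r in released],
        })
        return released

    def access_history(self, nhs_number):
        """What a patient would be shown: every search that touched their record."""
        return [e for e in self.audit_log if nhs_number in e["matched"]]
```

Note that a search which finds nobody is still logged, because the fact that a search was made is itself the evidence a patient needs to detect misuse.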
The current replacement work provides an environment in which this could be considered, and could be a small step in the right direction, even if the practical benefits to privacy are as yet undelivered.
The use of NoSQL, and the use of fluid data structures as building blocks, provides the ability to add proper hierarchical privacy. The question remains whether it will be added.