8 April 2009
The scope of the report, Database State, included systems that will, at some time or another, hold identifiable personal information on a significant minority of citizens, including existing systems as well as those which have not been built yet, such as the National Identity Registry. In all, the report assessed 46 databases across major government departments and described their purpose, the methods by which they share data and the potential risks they pose. The databases were given an overall ranking (green, amber or red) following an assessment of aspects such as impact on privacy, utility and effectiveness. In addition, the report makes policy recommendations as to how data should be held, managed and collected by the government.
Nine databases were assessed within the Department of Health. Of these, seven were coded as amber, signifying that they demonstrated “significant, worrying failings, and may fall foul of a legal challenge”, and two as red, suggesting that they do not conform to EU human rights or data protection laws. The Secondary Uses Service (SUS) processes patient identifiable data from a variety of sources, for the primary purpose of administration and in order to support secondary uses such as medical research. This service was assessed as ‘red’ on the basis that there is no provision for individuals to exert a right of opt-out. The Detailed Care Record aims to electronically link together information from GPs, hospitals and clinics, and was also assessed as ‘red’. This was because the system lacked a curator who would maintain and be responsible for the quality of the data, and it was felt that this would result in rapid deterioration of the records held in the system. In addition, the authors felt that increasing the number and types of users to whom information would be made available under the proposed scheme was likely to compromise privacy as well as precluding more detailed consideration of the context for the proposed information sharing.
As part of their recommendations, the authors suggest that systems coded as amber should be independently reviewed and changes made, such as giving individuals the right to opt out, and that those coded red should be scrapped or substantially redesigned. The report also recommends that government should compel the provision or sharing of sensitive personal data only for strictly defined purposes, and that in almost all cases sensitive data should be kept on local rather than national systems. In addition, it suggests that more effective IT systems could be built by subjecting new database systems to greater public scrutiny and openness and by recruiting civil servants able to manage complex systems.
Comment: The report is predicated upon a presumption that public interests in privacy and confidentiality outweigh other public interests such as having a sound understanding of health and disease through epidemiological or secondary medical research. The legal requirement for interventions to be 'necessary and proportionate' arguably allows such tradeoffs to be accounted for, and reports from other groups have shown that a universal requirement for consent may result in vulnerable groups being unrepresented or produce biased research. It is also arguable that the central tenet of this report is misguided in that it does not seek to take account of national law. The UK Data Protection Act provides for a more inclusive interpretation of medical purposes than the EU Data Processing Directive, thus establishing a statutory basis for sharing identifiable medical data for the purpose of medical research. Member states are permitted to derogate from the principles set out in European law, although the extent to which UK data protection law could and should lawfully derogate from European law continues to be a source of academic debate.
It is also somewhat ironic that the Secondary Uses Service has been so roundly criticised, given that it has in the past been characterised as a means of protecting and safeguarding patient identity through the provision of a more systematic and robust means of de-identifying patient data (following the 2007 Report of the Care Record Development Board Working Group on the Secondary Uses of Patient Information).