NHS slammed for MAJOR data blunders as scale of patient info sell-off is revealed

No real idea what the hell we did with a lot of it, basically

The NHS struck four "data-sharing" deals with three re-insurance companies that allowed them access to patient information under agreements that don't expire until 2015 and 2016.

That's among the shocking findings of a review of data released by the NHS Information Centre - the predecessor to the Health and Social Care Information Centre, which is responsible for overseeing the shambolic care.data scheme that was delayed for six months earlier this year, after critics and GPs slammed the plans on privacy and trust grounds.

In a new report (PDF), penned by HSCIC non-exec director Sir Nick Partridge, it is disclosed that 588 data packages were sold to "a range of private sector organisations, typically for the purpose of analytics, benchmarking and research" between April 2005 and March last year.

Alarmingly, Partridge said that in two instances it had been impossible for independent auditors PricewaterhouseCoopers - which examined 3,059 releases (PDF) - to identify the organisations and private companies that had received data from information retained by the IC.

He added that, although the HSCIC was created in the wake of supposedly tighter controls of medical records being shared based on legislation laid out in the Social Care Act, the NHS had kept on staff and procedures from the IC.

Partridge said:

There was no single gateway into the NHS IC where data requests could enter and there were too many disparate, disjointed processes for the sharing of data. The process for ensuring the appropriate deletion of data at the end of an agreement was inadequate.

And, on a more technical point, there was confusion regarding the differences between a Data Sharing Agreement and a Data Re-use Agreement, and in what circumstances they were appropriate.

The upshot of all these defects is that it is not clear if data has been released for appropriate purposes in all cases.

Partridge recommended nine different measures in response to the damning findings. He said it is vital:

  • That the HSCIC undertakes a programme of work to ensure that data has been deleted appropriately for all data releases referenced in the PwC report, where the agreement has ended.
  • That the HSCIC develops one clear, simple, efficient and transparent process for the management of all data releases.
  • That the HSCIC implements a robust audit function, which will enable ongoing scrutiny of how data is being used, stored and deleted by those receiving it.
  • That the HSCIC publishes its policy, process and governance for the release of data.
  • That the HSCIC ensures there is clear, transparent and timely decision making, via the appropriate governance for all data releases, and that all decisions are documented and published on its website.
  • That the HSCIC implements a robust record keeping approach and that the details of all data releases (including the purpose for which they are released) are made available on its website.
  • That the HSCIC develops one Data Sharing Agreement, which is used for all releases of data, and which includes clear sanctions for any breaches.
  • That the HSCIC actively pursues a technical solution to allow access to data, without the need to release data out of the HSCIC to external organisations.
  • That the HSCIC quarterly Register of all data releases includes the number of law enforcement agencies’ person tracing requests processed by the National Back Office. The Register will also include all data being released under NHS IC data sharing agreements, ensuring it is providing a comprehensive account to the public of all data being shared.

The review also revealed that between 2008 and 2013 law enforcement authorities made 28,744 trace requests to help identify individuals in an attempt to access "very limited information about the health area in which the person was, or was last, registered with a GP."

The records of 10,647 patients were successfully traced, the PwC report found.

"To earn the public's trust in future, we must be able to show that our controls are meticulous, fool-proof and solid as a rock," Partridge said.

But privacy campaigner Phil Booth of MedConfidential slammed the NHS for its pitiful record.

"HSCIC clearly know they are in a mess – data sent into black holes, limited information on a tenth of releases, no information on the uses to which data was put, no proper audit or audited deletions and dozens of commercial re-use contracts still in operation," he said. "This all has to be fixed, and be seen to be fixed, before NHS England can be allowed to proceed with any plan to hoover up yet more data."

He warned that the care.data scheme "could be a re-run of IC/Dr Foster 2006," if England's health service failed to act.

HSCIC boss Andy Williams said that the body had accepted the recommendations from Partridge and added that he wanted to "draw a line under the past". ®
