NHS slammed for MAJOR data blunders as scale of patient info sell-off is revealed

No real idea what the hell we did with a lot of it, basically

The NHS struck four "data-sharing" deals with three re-insurance companies that allowed them access to patient information under agreements that don't expire until 2015 and 2016.

That's among the shocking findings of a review of data released by the NHS Information Centre - the predecessor to the Health and Social Care Information Centre, which is responsible for overseeing the shambolic care.data scheme that was delayed for six months earlier this year, after critics and GPs slammed the plans on privacy and trust grounds.

In a new report (PDF), penned by HSCIC non-exec director Sir Nick Partridge, it is disclosed that 588 data packages were sold to "a range of private sector organisations, typically for the purpose of analytics, benchmarking and research" between April 2005 and March last year.

Alarmingly, Partridge said that in two instances it had been impossible for independent auditors PricewaterhouseCoopers - which examined 3,059 releases (PDF) - to identify the organisations and private companies that had received data from information retained by the IC.

He added that, although the HSCIC was created in the wake of supposedly tighter controls of medical records being shared based on legislation laid out in the Social Care Act, the NHS had kept on staff and procedures from the IC.

Partridge said:

There was no single gateway into the NHS IC where data requests could enter and there were too many disparate, disjointed processes for the sharing of data. The process for ensuring the appropriate deletion of data at the end of an agreement was inadequate.

And, on a more technical point, there was confusion regarding the differences between a Data Sharing Agreement and a Data Re-use Agreement, and in what circumstances they were appropriate.

The upshot of all these defects is that it is not clear if data has been released for appropriate purposes in all cases.

Partridge recommended nine different measures in response to the damning findings. He said it is vital:

  • That the HSCIC undertakes a programme of work to ensure that data has been deleted appropriately for all data releases referenced in the PwC report, where the agreement has ended.
  • That the HSCIC develops one clear, simple, efficient and transparent process for the management of all data releases.
  • That the HSCIC implements a robust audit function, which will enable ongoing scrutiny of how data is being used, stored and deleted by those receiving it.
  • That the HSCIC publishes its policy, process and governance for the release of data.
  • That the HSCIC ensures there is clear, transparent and timely decision making, via the appropriate governance for all data releases, and that all decisions are documented and published on its website.
  • That the HSCIC implements a robust record keeping approach and that the details of all data releases (including the purpose for which they are released) are made available on its website.
  • That the HSCIC develops one Data Sharing Agreement, which is used for all releases of data, and which includes clear sanctions for any breaches.
  • That the HSCIC actively pursues a technical solution to allow access to data, without the need to release data out of the HSCIC to external organisations.
  • That the HSCIC quarterly Register of all data releases includes the number of law enforcement agencies’ person tracing requests processed by the National Back Office. The Register will also include all data being released under NHS IC data sharing agreements, ensuring it is providing a comprehensive account to the public of all data being shared.

The review also revealed that between 2008 and 2013 law enforcement authorities made 28,744 trace requests to help identify individuals in an attempt to access "very limited information about the health area in which the person was, or was last, registered with a GP."

The records of 10,647 patients were successfully traced, the PwC report found.

"To earn the public's trust in future, we must be able to show that our controls are meticulous, fool-proof and solid as a rock," Partridge said.

But privacy campaigner Phil Booth of MedConfidential slammed the NHS for its pitiful record.

"HSCIC clearly know they are in a mess – data sent into black holes, limited information on a tenth of releases, no information on the uses to which data was put, no proper audit or audited deletions and dozens of commercial re-use contracts still in operation," he said. "This all has to be fixed, and be seen to be fixed, before NHS England can be allowed to proceed with any plan to hoover up yet more data."

He warned that the care.data scheme "could be a re-run of IC/Dr Foster 2006," if England's health service failed to act.

HSCIC boss Andy Williams said that the body had accepted the recommendations from Partridge and added that he wanted to "draw a line under the past". ®
