1.  I am writing to submit evidence to this inquiry in a personal capacity.

  2.  My locus for submission is as follows. I qualified in Medicine from Cambridge University in 1988. I completed GP training in 1994. Thereafter I worked part-time in General Practice. I subsequently studied Law, graduating LLB (Open) in 2003, and LLM (Wales) in Legal Aspects of Medical Practice in 2004. Currently I am studying for a PhD at Cardiff Law School, about Clinical Negligence, in combination with teaching law. I have taught Criminal Law, Tort, and Medicine, Ethics & Law on the Cardiff LLB course. I have also taught various subjects of the LLM course, including the topic of Confidentiality and Access to Medical Records. I am concerned about confidentiality and have requested that my data should not be placed upon an electronic database. While I do not claim any special expertise, I am sufficiently concerned to contribute to this exercise.

EXECUTIVE SUMMARY

  3.  Medical records are sensitive personal information, and as such, benefit from legal protection, and also protection from medical professional ethics. Proposals for use of electronic databases, particularly a national database, do not appear to recognise this protection adequately. That is especially so, given the likely extreme difficulty in protecting confidentiality with a national database. That itself carries a risk of identity theft. If opt-outs were only to be confined to certain classes of citizens, eg prominent individual, that would be potentially discriminatory and would need careful definition. The Department of Health has, it seems, belatedly recognised that patients will be able to refuse consent for inclusion of their data on a national electronic database. Private companies taking over NHS activities stand to benefit from a ready-made, easily accessible database, although this is not a reason to proceed. Patient-held smart cards should be considered.

What patient information will be held on the new local and national electronic record systems, including whether patients may prevent their personal data being placed on systems

  4.  As I understand it, it is proposed initially to hold on a national database a "summary record," including diagnoses, medication, allergies and adverse reactions. However it seems likely that it would soon include most clinical information, including referrals, consultation notes, day-to-day records, requests for investigations, results of investigations and clinical images. These are already held on local databases. Transfer onto a national database gives rise to concern that because there will be many more users, security will be reduced, and that there will be a great threat to confidentiality of medical information.

  5.  It has been argued by the Department of Health that patients may prevent their personal data being held if this would cause distress. In fact, s 10 of the Data Protection Act 1998 provides:

"(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a)  the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b)  that damage or distress is or would be unwarranted."

  6.  A breach of confidentiality might be regarded as "substantial damage" whether or not this is associated with distress.

  7.  Subsection (2) of the Act provides:

(2) Subsection (1) does not apply

(a)  in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b)  in such other cases as may be prescribed by the [Secretary of State] by order.

  8.  The relevant provisions from Schedule 2 are:

"1.  The data subject has given his consent to the processing.

...

4.  The processing is necessary in order to protect the vital interests of the data subject."

  9.  So there may be an argument that the Secretary of State could prevent refusal of data processing by the subject, or that it is in subjects' "vital interests."

  10.  One point of interest is whether prominent individuals, such as Members of Parliament, will be able to prevent their data being processed on grounds of confidentiality. If such an exception is to exist, it will seemingly represent an implied acknowledgment that there is a significant risk of breach of confidentiality. There is then the issue of who may object and who may not. A distinction may be discriminatory. Would anyone be able to object on the basis that they may at some point achieve a position of public prominence?

  11.  My understanding of the current Department of Health position, as stated by Harry Cayton, National Director for Patients & the Public, Department of Health,[92] is that patients will be allowed to prevent processing of their data. He stated that this was conceded by the Department of Health because of the extent of opposition which had built up to the Electronic Patient Record. He also cited section 10 of the Data Protection Act in support of this position.

Who will have access to locally and nationally held information and under what circumstances;

  12.  Clearly if an electronic record exists, then those health professionals treating a patient should have access. The access must be secure and confidential, with sanctions for breach of confidentiality. However, with many users, there must be great scope for breach of confidentiality (see below).

  13.  Access by the government, police and the security services is a source of concern. It is already not unknown anecdotally for access to be sought in individual cases without the patient's consent. If access to an electronic database can be established by a government employee without having to satisfy a data controller (such as a General Practitioner) that consent has been given, the protection would be inadequate.

  14.  The growing privatization/corporatisation of the NHS is relevant to the establishment of a national database. If access to medical records is readily available to an incoming private provider, then that has positive implications both for patients and the private provider. However, this may be desirable but is not necessary, and does not in itself constitute a compelling reason to establish a national database in the face of concerns about the law and ethics of confidentiality. Access to a greater number of people makes breaches of confidentiality more likely.

Whether patient confidentiality can be adequately protected

  15.  In answer to this, I would suggest that it would be extremely difficult to protect confidentiality in a national scheme which has tens of thousands of users, and which is anticipated to send data around the world, eg for radiology reporting in Australia. Illegitimate use of a database by someone with legitimate access is an important potential threat to confidentiality. It has been acknowledged by Richard Granger, Director General of NHS IT, that sharing of usernames and passwords has happened and will happen,[93] which is a cause for concern. Illegitimate access is also a potential threat to confidentiality. Even with the existence of appropriate sanctions, some people will from time to time misuse their access to data[en rule] even police officers.[94] It should also be viewed with extreme concern that health records may be rich material for identity theft; this has been reported in other countries.[95]

  16.  With those points in mind, I think it is appropriate to consider the nature of confidentiality of medical information.

  17.  Medical confidentiality is a time-honoured principle. The Hippocratic Oath includes the following commitment:

"All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal."

  18.  The current professional guidance is to be found in the General Medical Council (GMC) publication, Confidentiality: Protecting and Providing Information.[96] Paragraph 1 states:

"Patients have a right to expect that information about them will be held in confidence by their doctors. Confidentiality is central to trust between doctors and patients. Without assurances about confidentiality, patients may be reluctant to give doctors the information they need in order to provide good care. If you are asked to provide information about patients you must:

  —  inform patients about the disclosure, or check that they have already received information about it;

  —  anonymise data where unidentifiable data will serve the purpose;

  —  be satisfied that patients know about disclosures necessary to provide their care, or for local clinical audit of that care, that they can object to these disclosures but have not done so;

  —  seek patients' express consent to disclosure of information, where identifiable data is needed for any purpose other than the provision of care or for clinical audit—save in the exceptional circumstances described in this booklet;

  —  keep disclosures to the minimum necessary; and

  —  keep up to date with and observe the requirements of statute and common law, including data protection legislation."

  19.  Paragraphs 4 and 5 provide:[97]

"Protecting information

4.  When you are responsible for personal information about patients you must make sure that it is effectively protected against improper disclosure at all times.

5.  Many improper disclosures are unintentional. You should not discuss patients where you can be overheard or leave patients' records, either on paper or on screen, where they can be seen by other patients, unauthorised health care staff or the public. You should take all reasonable steps to ensure that your consultations with patients are private."

  20.  Paragraph 9 states:

"Disclosing information about patients

9.  You must respect patients' confidentiality. Seeking patients' consent to disclosure of information is part of good communication between doctors and patients. When asked to provide information you must follow the guidance in paragraph 1 of this booklet."

  21.  It seems to me that uploading patient information onto a national electronic record is inconsistent with these requirements, particularly the professional obligation to keep disclosure to the minimum necessary.

  22.  There is a common law duty to protect confidential information. Leading cases include Coco v Clark [1969] RPC 41 which recognised three elements to establish a breach of confidence:

—  The information must necessary quality of confidence.

—  Circumstances import obligation of confidence.

—  Unauthorised use of information must have occurred.

  23.   A-G v The Observer and Others [1990] 1 AC 109 added two more:

—  Information must not already be in the public domain.

—  It must be in the public interest to protect the information.

  24.  In Hunter v Mann [1974] All ER 414, the court held that:

"...the doctor is under a duty not to [voluntarily] disclose, without the consent of the patient, information which he, the doctor, has gained in his professional capacity."

  25.  In Campbell v Mirror Group Newspapers [2004] 2 AC 457 the House of Lords recognised that medical information is "obviously private."[98]

  26.  The Human Rights Act 1998 incorporates into UK Law the European Convention on Human Rights, to which the UK was in any case previously a signatory. Article 8 of the Convention provides:

"Article 8 Right to respect for private and family life

1.  Everyone has the right to respect for his private and family life, his home and his correspondence.

2.  There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

  27.  In Z v Finland 25 EHRR 371, the European Court of Human Rights held:

"Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention."[99]

  28.   X v Y [1988] 2 All ER 648 was a case in which a newspaper obtained unauthorised disclosure of information about two doctors who had HIV. A health authority obtained an injunction to prevent their names being published by a newspaper. Rose J did not force the newspaper to reveal its source but indicated that a prison sentence would be appropriate if the informer repeated the breach of confidence. This sort of breach would become more likely the greater the number of users of a records system. The seriousness is indicated by the judge's comment on the possible sanction.

  29.  It is of course, accepted that there are situations in which confidence may be breached. These include disclosure in the public interest,[100] disclosure required by statute,[101] and disclosure in the patient's best interests.[102]

  30.  The sharing of information for therapeutic purposes is of course recognised as legitimate disclosure, but it is limited to that which is of therapeutic value. The GMC states:

"Sharing information in the health care team or with others providing care

Most people understand and accept that information must be shared within the health care team in order to provide their care. You should make sure that patients are aware that personal information about them will be shared within the health care team, unless they object, and of the reasons for this. It is particularly important to check that patients understand what will be disclosed if you need to share identifiable information with anyone employed by another organisation or agency who is contributing to their care. You must respect the wishes of any patient who objects to particular information being shared with others providing care, except where this would put others at risk of death or serious harm."[103] [my emphasis]

  31.  In Cornelius v de Taranto 68 BMLR 62, the Court of Appeal criticised disclosure of material which had no therapeutic relevance.

  32.  It will be seen that confidentiality is the subject of significant case law and professional ethical guidance. A striking feature of the controversy about a national electronic database is that the law and ethics seem to have received inadequate attention from proponents of the database. One point worthy of further consideration is storage of data on patient-held electronic records, using smart cards. This would overcome some of the concerns and would be consistent with the growing respect for patient autonomy.

How data held on the new systems can and should be used for purposes other than the delivery of care eg clinical research.

  33.  Subject to the concerns about confidentiality, it seems to be accepted that a medical record is an appropriate research tool. Data can be used for research if it is approved by a recognised ethics committee and permanently anonymised.[104] There is of course statutory authority covering some research. Section 60 of the Health and Social Care Act 2001 provides for processing of data for certain purposes. The Health Service (Control of Patient Information) Regulations SI 2002/1438, provides that processing patient information in accordance with the regulations shall be taken to be lawfully done despite any duty of confidence owed by that person in respect of it. The scope of SI 2002/1438 includes public health/communicable diseases, trends in diseases and risks, preventing/controlling disease, monitoring and managing communicable disease, immunisation programmes, adverse reactions, food and environmental risks, and giving of information about diagnosis and risks.

  34.  The main issue with respect to a national electronic record is security, as discussed above. It is essential to protect against reversal of anonymisation. Records which, although anonymised, allow identification of the patient, should not be disclosed.

Current progress on the development of the NHS Care Records Service and the National Data Spine and why delivery of the new systems is up to 2 years behind schedule.

  35.  I am not able to comment in detail on this point as I do not possess the necessary knowledge of the progress of the NHS Data Spine. I wonder, however, if there is technical difficulty, which may have an impact on the security points made above.

  36.  For example, I understand that patient access controls, otherwise known as "sealed envelopes" have been advanced as an important method of protecting patient confidentiality.[105] However, the technology was not in existence at the time the Department of Health described them, and may not be able to protect the confidentiality of some forms of patient data, eg images, and information from other systems which do not offer "sealing." This appears highly unsatisfactory.

  37.  Suggested further reading

  Mason, JK, & Laurie, GT "Mason & McCall Smith's Law and Medical Ethics" 7th edition, pub OUP, 2006. See Chapter 8, "Medical Confidentiality."

  Thornton, Dr Paul. "Why might National NHS Database proposals be unlawful? " January 2006. At http://www.ardenhoe.demon.co.uk/privacy/NHS%20database%20proposals%20unlawful.pdf

  38.  I hope these thoughts are helpful to the Committee.

Dr Peter Gooderham

8 March 2007

http://www.businessweek.com/magazine/content/07_02/b4016041.htm Accessed 8 March 2007.

93   Conference, "Connecting for Health," BT Tower, 28 February 2007. Back

94   See, for example, Attorney General's Reference No 1 of 2007 sub nom R v James Andrew Hardy LTL 7/03/07 Document no. AC9700372. (As yet, unreported elsewhere). Back

95   See, for example, "Diagnosis: Identity Theft." Business Week, 8 January 2007 At Back

96   Confidentiality: Protecting and Providing Information, GMC, 2004. Available at http://www.gmc-uk.org/guidance/current/library/confidentiality.asp1 Accessed 2 March 2007. Back

97   ibid. Back

98   Lord Hope of Craighead at 95. Back

99   405-406, para 95. Back

100   See, for example, W v Egdell [1990] 1 All ER 835. Back

101   For example, Terrorism Act 2000, section 19; Road Traffic Act 1988 section 172. Back

102   Op cit. 2, para 29. Back

103   Op cit. 2, para 10. Back

104   R v Department of Health, ex p Source Informatics [2000] 1 All ER 786. Back

105   "Sealed Envelopes" briefing paper, Department of Health, 2005. Document record ID Key NPFIT-FNT-TO-PRJMGT-0035.10. Back