|
|
|
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
|
|
Invasion of the body snoopers Introduction
Despite the Department of Health's talk about patients' 'consent' and 'extensive public consultations', during the last three years public information on the issue has been sparse to say the least. In October 2004 a few people in Brighton made a deliberate effort to collect information about this programme. What we found rises important questions which need sound answers from the authorities; thus we decided to summarise our material in a leaflet and circulate it. This article is an extended version of that leaflet, updated to the beginning of February 2005. We thought that NHS Exposed was a suitable site for this article, being 'a publication created to inform persons who find themselves damaged or injured as a result of a misfeasance on the part of any health care professional or organisation'. Indeed, as we argue, a fundamental problem in the creation of the ICRS is its structural denial of patient consent, which will irreversibly affect our relation of trust with our doctors and the medical profession as a whole, and may expose us to material and moral damage. How the Department of Health values confidentiality and... written consent In July 2003 a document called 'Output Based Specifications' (OBS), containing the NHS brief for the ICRS, was discussed in a conference held in Birmingham by the British Computer Society and the IT professional association ASSIST. This conference was held in an extremely secretive way. As The Guardian and Computer Weekly denounced, the participants were asked to keep the OBS secret: a gagging letter, signed by all recipients, banned any public announcement or disclosure done by the recipients without the organisers' written consent (Cross M, 2003). The covering letter sent to the selected recipients of the OBS made 'threats about the consequences should they not maintain the document's confidentiality' (Collins T, 2003a). IT magazine Computer Weekly was later attacked on the Department of Health's website for having published a coverage of the conference which, they said, breached confidentiality (Ibid.). Why did the Department of Health go as far as using threats to ensure the OBS would be kept secret? The Guardian commented: 'the document contains no commercially sensitive details such as prices and payment schedules. However, it contains a large amount of previously undisclosed information about how the national health records scheme will work' (Cross M, 2003). The reason for the almost military secrecy, then, was not to conceal commercially secretive details, but the way the ICRS would handle our medical records, and to protect the project from public polemics about its ethical or legal legitimacy. At the end of the day this was secrecy imposed for business's sake: had a major public storm exploded around the issue, private industry would have been discouraged from bidding for the contracts or would have asked higher fees for the risk. Paradoxically, while (business) confidentiality and consent was so valuable for the Department of Health, the OBS appeared to have little concern for patients' confidentiality and consent. Soon after the conference, Computer Weekly published authoritative voices of dissent on these issues (Collins T 2003b). a) Patients' consent The most fundamental ethical flaw of the ICRS was its utter neglect of patient consent. The OBS specifically instructed IT companies to upload our medical data on-line without our consent. As Fleur Fisher, former head of ethics, science and information at the British Medical Association and director of Healthcare-Ethics Consultancy, wrote to Computer Weekly: 'One source of alarm... is the clear statement: ''A patient will NOT be entitled to refuse that their personal data is made available to the Spine [the central storage system of the database]. Data about all patients events may be routinely communicated to the Spine without the consent of the patient''' (Ibid.; Fisher quotes OBS 2003a, Part III, p. 72). Indeed, the Spine will increasingly be filled with our data whether we like it or not: 'patient identifiable data will be loaded over time into the Spine without explicit consent being sought', repeats the OBS (OBS 2003a., Part III, p. 72). This process will even be automatic, thus bypassing any will or control of our same GPs: 'patients events from source systems will automatically be communicated to the Spine' (Ibid., p. 72) Astonishingly, the same brief which instructs IT companies to grab and manipulate our medical records without our permission, at the same time claims to guarantee that we are allowed to 'opt out' the database - thus, they say, patient consent is respected. How could they have this cake and eat it? The magic is performed by the Department of Health with a subtle revision of the concept of 'opting out'. As is well known, for our government's civil servants words do not mean the same as for common people. Specifically, 'opting out' does not mean that we can actually keep our records out of the database - only that some 'sensitive information' will be stored in so-called 'sealed envelopes', which will allow only restricted access. The Guardian seemed content with this: 'the ICRS specification seems to accept the up-to-date view that we own our records', it comments, 'it says that patients will be allowed to put parts of their records into sealed envelopes' (Cross M, 2003). b) Confidentiality But an encrypted file can be decrypted and a 'sealed envelope' can be opened. It is interesting to go a bit deeper and understand the so-called 'sealed envelopes' better. In what sense is their access restricted? What happens if a 'user' wants to open our 'sealed envelopes'? The OBS says: 'A user who seeks to access and display Personal Data... without the consent of the patient will first be warned of the consequences before the Personal data is output and an alert is raised. Users must be made aware by the system that accessing data through the Spine without the consent of the patient should only be done in exceptional circumstances... only if the user confirms that this is understood should the Personal Data be output.' (OBS 2003a, Part III. p. 76). So the 'users' do not need to know any password to decrypt and read our files: the keys are provided to them by the system on a silver plate if only they declare that it is a 'special circumstance' and that they understand the rules! We cannot but feel disconcerted by the similarity between all this and the the rules to access given web sites, which ask only to confirm that we 'understand' the copyright laws by pushing a button 'I accept'… If this seems already too easy, the definition of 'special circumstance' worries us even more. The OBS explains: 'The user who accesses Personal Data though the Spine without patient consent will be required to assign a reason for the access from a pre-defined list of reasons... The pre-defined list of reasons... would be set nationally and published as a data standard.' (Ibid., p. 77). Who approves this list? Who can change it in the future? Is there a way to object to the list and demand amendments? Ridiculously enough, none of these questions are relevant: in fact, the OBS continues: 'one of the standard values will be ''other''' (Ibid., p. 77). However strictly and 'democratically' the 'list' may be defined, the presence of the choice 'other' makes the rest of the list a joke. What is 'other'? As far as we can imagine, 'other' may include even 'secret intelligence information' of the type that has recently brought people to indefinite imprisonment in Belmarsh without charge. Similar fears were spelled out by Dr Paul Steventon, one of the delegates at the Birmingham conference. He found in fact that 'special circumstance' will allow the government (e.g. the police) to read our medical records: 'Careful inspection of the document reveals that the complete records and encrypted identities of all NHS patients will be uploaded into the ICRS Spine without consent. The private keys meant to secure the encrypted patient identities are also held by the government. These keys will be used to reverse the de-identification of patients without their knowledge or consent in ''special circumstances''. What are these ''special circumstances''?... The definition of these special circumstances remains unclear', the list of ''interesting people'' in Britain is arbitrary, set by the government, and liable to change without either notice or parliamentary debate' (Collins T, 2003b). The fact that the private keys to secure the encrypted patients' identities are also held by the government means that any restriction on the 'user' to have, as they say, a 'Legitimate Relation with the patient', will be another joke.' If we try to explain all this plainly, we can thus say: the ICRS respects our consent and confidentiality because we can put some medical data in sort-of-sealed 'envelopes', which can be opened without our consent, by a 'user' with a sort-of-legitimate 'relation' with us, when sort-of-special 'circumstances' arise… If we do not feel patronised enough, there is something more: careful reading shows that even our 'rights' to put information in the sort-of-sealed 'envelopes' are not full rights, but... sort-of-rights! In fact the OBS says: 'Patients will be able to select parts of their health data to which access will be in normal circumstances granted only on their express consent. Their choice will not be completely free. Areas such as non-clinical data, data whose absence might lead to degradation of care, and third-party information will not be able to be selected. (OBS 2003a, Part III, pp. 101) Last but not least, what about the part of our medical records that is not put in the 'envelopes'? In fact, all the talk about our sort-of-rights to sort-of-seal sensitive information have a sinister effect in this respect, because it seems to lead to the slippery slope of relaxing the level of confidentiality of the rest of our medical records. We get a bit worried when we read in the OBS that: '... In certain circumstances, a patient request to seal off data can be refused. This might happen if, for example, a patient who continues to drive tries to conceal the fact that they suffer from epilepsy'. (Ibid., p. 104). Why does this worry us? Until today, our medical records were kept in the custody of our GP and state authorities could accede to any part of them only through a court order. But what about now? The sentence above seems to suggest that, while the sort-of-sealed 'envelopes' can be accessed by authorities only in sort-of-special 'circumstances', what is left outside the 'envelopes' may be made accessible to the authorities in mundane cases like the renewal of our driving licence or driving offences. We cannot tell if this is true, or only reveals a subconscious sloppy attitude towards confidentiality in the authors of the OBS. From 2003 to February 2005 Confident that public storms had been avoided, the Department of Health eventually published the OBS. They also published the first two parts of a second version of the OBS, updated in August 2003, which was supposed to take into account comments and criticisms from doctors, patients and various organisations (OBS 2003b). To date, the revised part of the OBS containing the rules of access to the database is not on-line yet - we do not know whether it has not been revised at all or it is still under negotiation. What we know is that today the government still repeats what was said when the original OBS was published, without addressing any of the serious questions raised since 2003. An example of this is the brief by the health minister John Hutton at a media demonstration of the NHS IT programme in January 2005. In this brief, Hutton told the public that the Integrated Care Record service will respect patient consent because we can put sensitive data in 'sealed envelopes' (Brettingham M, 2005). As the government seem to just recycle the same old spin, they also seem to employ again and again the same old methods of secrecy and control of information. In a way which is reminiscent of the Birmingham conference, the invitation to the media demonstration last January 'was a restricted document. It was issued by the Department of Health to a pre-selected... list of journalists and publications. ''Note that this briefing is restricted to copyees only so please do not forward on to others beyond this list'' it said' (Collins T, 2005a). Magazines like Computer Weekly and other IT magazines were barred. A reporter from Computer Weekly was stopped at the door by a press officer, who said: 'You are not invited to this particular press briefing because it has not been structured to be targeted at people like yourselves who are very knowledgeable about the national programme' (Collins T, 2005b). Most of the media present at the brief, including The Guardian, were probably not... knowledgeable enough to ask critical questions and limited themselves to report passively the 'good' things about the IT programme that they were told by the health minister - as if this was the ultimate truth on the subject. An example of this passivity is the British Medical Journal's coverage of the demonstration. This article is entitled 'New NHS IT system will preserve patient confidentiality'. What actually supported this important statement in the title was the very fact that Hutton said so (Brettingham M, 2005). A bulldozer driven over the medical profession Many GPs have taken positions against the ICRS in the name of professional ethics. In June last year the annual meeting of local medical committees of the British Medical Association voted to boycott the ICRS and at present a large number of GP surgeries across England are boycotting the programme. In November, with the recommendations of the British Medical Association (BMA), the GPs boycotted also another piece of the NHS IT programme, the Choose and Book system. One of the reasons of this second boycott was that this new system automatically transferred patients' information to the ICRS data Spine every time the GPs used it to refer a patient to hospitals - this, it was argued, undermined the GPs' boycott of the ICRS' (Magill G, 2004; see also Carvel J, 2004a). In fact it was a way of filling the Spine with information about us automatically, dodging the need of seeking and obtaining active collaboration from our GPs. The NHS website attacked GPs for their boycott of the ICRS. In a page called 'Vote on the BMA's Care Record Service Boycott', after explaining to us that the doctors are either unprofessional, or misinformed about the importance and qualities of the ICRS, they ask us to vote on their boycott (NHS, 2004). But after reading this unprofessional and misinforming web page, what else one would vote but against the boycott? In fact the real threat to the medical profession is not the ethical boycott of our doctors. It is the ICRS. According to Fleur Fisher: 'The proposal to set up a... national data warehouse signifies a radical departure by the Department of Health from all previous formal approaches to the personal health record. That all personal health information including access to all clinical services shall be collected and held centrally comprehensively demolishes the ethos of the professional doctor/patient relationship. That patients confide personal information to the clinician necessary to their diagnosis... is possible only on the understanding that the whole clinical records does not leave the clinician (most usually the GP)... Fundamentals of clinical ethics (confidentiality, informed consent and respect for patient autonomy), the law, and data security (with the proven vulnerability of large databases) seem all to have been disregarded in the rush to delivery' (Collins T, 2003b). GP Paul Steventon adds: 'Confidentiality is a medical term. It describes the solemn undertaking given by a doctor to keep secret all private matters confided by the patient. This responsibility is only waived under a magistrate's warrant, or of the clinician holding the secret judges that a third party may be put at serious risk by non-disclosure... This puts at risk the independence and integrity of British medicine' (Ibid.). The ICRS affects not only the future, but also the past. Now we know that what we say to our doctors can be read by hackers or by the police, and we are still free to decide to keep that for ourselves, even if this may be detrimental for our health. But what about what we told our GPs ten years ago, when we did not know that one day it would be put on-line? An article on the BMA website, dated 2004, claims that the NHS will put on-line only our 'contemporaneous (not retrospective) medical records' (British Medical Association, 2004). The unconsented use of retrospective medical records is very problematic and the BMA article seemed to know this very well. We do not know if the BMA ethics expert who wrote that article misunderstood the intentions of the Department of Health, but the OBS is clear: the NHS wants all our entire medical history, both current and retroactive. The redefinition of the limits and rights of access to our records without our consent and even our GP's knowledge will imply a historical change in the role of the medical profession in the UK and in the doctor-patient relation. It is a fact that in the recent few years the government has already gone some way towards transforming the doctor/patient relationship, and blur the distinction between a GP surgery, a Job Centre and a police office: more and more insistently the doctors are called to act as police or DDS (DWP) inspectors, asked to denounce immigrants, invite them to oblige us to go back to work while still in pain, etc. (see for example Elliott F, 2004). The boycott of the ICRS is significant in this broader context, because it is an attempt to defend the independence of the medical profession. The Integrated Care Record Service and security Confidentiality is only one of the important questions posed by the ICRS. Another fundamental question which is treated with unbelievable nonchalance by the NHS is that of security. Since 2003 the NHS has repeated to us the mantra that the IT programme will be safe. But this is a lie. Not because they may not use the ultimate technological advances - they will. But because any electronic network is inherently vulnerable. The fact that electronic systems are much more vulnerable to intrusion than other, more material, forms of storage, is visible to anyone. Long ago thieves needed guns or lots of digging to get to our money in the bank; now they have only to crack a code in the safety and comfort of their cyber cafes. The Ministry of Defence had already been hacked several times by the time the government insisted that the ICRS would be perfectly safe (Collins T, 2003c). And the Pentagon was hacked. When the NHS claimed that the ICRS would be beyond threat they knew that this would not possibly be true. Against these fears the NHS and the responsibles of the IT program have intervened with counter arguments and promises. The IT programme's director Richard Granger recently commented the public fear about security by saying that the old system based on paper is more insecure: 'paper is pretty dangerous for patients. It gets lost...' he claimed (Brettingham M, 2005). But already last year, similar arguments were severely criticised on the web: 'the flaws in this argument are all too obvious. A single item may be intercepted in the post, true, but a compromised database leaves all records vulnerable' (Sherriff L, 2004). In order to make us feel that the ICRS may be acceptable after all, the government has resorted to promise harsher laws against hackers and severe penalties for unauthorised access to the ICRS . But this does not help. Hackers may operate from abroad or they may escape identification and capture. And, in any case, do we really bother about the penalty given to intruders if we have to suffer intrusion? Why should we be exposed to the risk of intrusion at all? The ICRS and state control For political activists and union militants, for people belonging to certain ethnic communities, for immigrants, the risk of state intrusion is far more likely than the risk of the odd hacker. People who feel in danger of being the next target of a increasingly repressive state consider with scepticism the 'guarantees' of ministers and NHS spokesmen that only 'users with a legitimate relation with the patients' will be allowed to access their records. We have already seen that for the OBS this will be true only in 'normal' circumstances and that what is a 'normal' circumstance is left dangerously undefined. Many of us remember very well that already plenty of repressive laws and technologies have been introduced in the UK with the official reason of tackling special, or extremely serious, crimes, threats, or emergencies - and were afterward used against political protests, petty crime, and to harass ethnic minorities or the weakest in society. Just to mention a few examples, in 1997 the government introduced the 'Protection for Harassment Act', which they said was aimed at curbing stalkers and protect women. The government guaranteed in the Parliamentary debates that the law would not be used against protesters. However, as soon as they could use it the police unlawfully threatened and held protesters under this law until a court order was needed to stop this abuse. Similarly, the 'Terrorism Act', introduced to 'protect' the 'national life' against terrorism, was applied by the police and local authorities to obstruct anti-war demonstrations or harass individual protesters in London and Fairford. Last but not least, the high-voltage stun gun whose introduction was justified to disarm dangerous armed people without killing, is now widely used by the police to perform quick and easy capture of self-harming people with mental illness (Johnson A, 2003). What is called a 'special' risk, 'special' threat or 'special' circumstance by our government can always be reinterpreted by police and other authorities. If new laws and technologies have been so easily misused by state authorities causing distress and pain and damaging individuals, how can we trust the promises of our politicians? The fact that state abuse may be investigated is not comforting enough. State abuses are investigated with difficulty, public enquiries are granted after enormous efforts and sometimes decades of campaigning, even in cases of murder (Finucane, 2005). Hope of getting justice will fade even more with the new Inquiries Bill, which gives control on enquiries to ministers. As Michael Finucane complains, the inquiry bill will 'grant the power to a government minister to limit an inquiry through restrictive terms of reference, to curb investigations by limiting available funding, to censor the final report and even control and limit the very evidence the inquiry can consider'. (Ibid.). Another government 'promise' is that the medical database will not be related to the ID card in the future. This is a crucial issue: in fact a linkage of the ICRS with the National Citizen Register will automatically relax the rules of access to our medical records. While there will be sort-of-restriction to the users who can access the ICRS, the National Citizen Register can be searched without our consent and knowledge by a long list of state authorities (the police, the immigration service, Inland Revenue and the DSS /DWP). While the ICRS can be searched without consent only in sort-of-special 'circumstances, the National Citizen Register can be flicked through not only in case of a major terrorist threat; not only in the case of everyday crime; but even 'for the... prevention of crime', that is, before any common crime is committed yet, just in case! (Travis A, 2004) In the January media demonstration of the NHS IT program, Hutton told the journalists that the ICRS would not be linked to the National Citizens Register, the database connected to the ID card (Brettingham M, 2005). But as early as September 2003 the cabinet was strongly minded to link the two databases and make our medical records accessible through our ID card or ID number (Travis A, 2003). Their plans now sit on their desk, ready to be picked up at the next 'national security', or tabloid-fuelled, scare. Click here to read the conclusion of this article
|
|
|
|
|
[Home] [NHS Exposed] [Patients] [Health Workers] [NHS in Crisis] [Legal Issues] [Media] [Helpdesk] [Public Views] All copyright remains with original authors unless otherwise stated. |
Since
2002 the Department of Health has worked towards a programme of
'modernisation' of the NHS: the 'National Programme for IT' (NPfIT).
The NPfIT is a complex computerised system which incorporates many
different services and functions - one of these being a national
database of the medical records of all NHS patients, called
'Integrated Care Record Service' (ICRS). This database is expected to
be realised by the end of 2005, when a summary of our medical history
will go on-line. Finer details of our medical records will be made
available on-line in the following years. Eventually the database will
contain an enormous and extremely detailed amount of information about
us, our body, our health, and even multi-media records, such as
digital photographs of our body parts or recorded conversations about
us.