Dianthus Medical Blog Archive

NHS summary care records

I had a letter from the NHS yesterday, telling me that they would like to create a summary care record (SCR) for me. In fact they wanted to do it so much that they were going to go ahead and create one even if I don't ask them to.

Oh goody.

So what does this mean, exactly? Well, it means that my personal medical details would be uploaded onto a giant database that would be available to anyone working in the NHS who happens to be treating me, wherever they are in the country. In theory, the SCR is supposed to improve the safety and quality of patient care by ensuring that relevant staff have the information they need.

But hang on a minute, did someone say "personal medical details" and "uploaded onto a giant database"? Now, call me paranoid if you like, but I am not entirely comfortable with that idea. Large public sector institutions don't exactly have a good record of data security. Remember when someone accidentally loaded the detail of every family in the UK with a child under 16 onto 2 disks and then lost them? Or how about a laptop with the details of 600,000 armed forces recruits which was left in the back of a car and then stolen?

Moreover, the NHS hasn't exactly done wonders to convince me of its respect for my data privacy lately, having only recently passed my personal details on to a third party without my consent. (Update on that story: I have just today had a reply from the Information Commissioner's office saying that they will need more information to investigate my complaint, and I am still waiting for a response to my FOI request about the ethical approval of the UK Biobank study, despite the statutory 20 day deadline having long since passed and 2 reminders having been sent.) If they have my personal medical details on a giant database, the opportunities for them to do so again would not be diminished.They say in their literature that access "to others, such as the police, would be very strictly limited by law." That's not reassuring. That's not at all the same thing as saying "would be prohibited by law."

There are all sorts of assurances about how they will store the data securely. They talk about encryption, smartcard access, and all that stuff. However, in a system with as many users as the NHS, the real risk comes not from technical factors (although they are a risk) but from human factors. When you have an organisation with over 1.3 million employees, it's hard to be sure that there aren't one or two of them intent on making mischief.

But, if I were having any doubts about whether I was in favour of this, then came the killer blow: "You can look at your SCR at any time at a secure website called HealthSpace (www.healthspace.nhs.uk)." How secure exactly is that going to be? If it's on a publicly available website, then even if it is supposedly "secure", the chances of the data being hacked are hugely magnified.

Thankfully, it is apparently possible to opt out. You can download the opt-out form here. I have already done so. I just hope that my GP's practice acts on my request to opt out. I am disappointed, however, that they are using an opt-out rather than an opt-in process. It's hard to argue that data are shared based on informed consent with an opt-out process, as no doubt many of those who fail to opt out will not have read the letter about their data being unloaded to the system. I am not alone in this thought: the British Medical Association would also have preferred an opt-in model.

"But", I hear you cry, "surely it's worth the risk of your data being left on someone's laptop on a train because it will improve the safety and quality of patient care?" Well, maybe if there were any evidence that it would improve safety and quality of patient care, you might take a view on what kind of a risk of data loss you would tolerate. However, I don't believe such evidence exists. I couldn't find anything in the literature from the NHS or in a Google search. An evaluation of a pilot programme stated that it found no evidence of the claimed benefits (although it also noted that it was probably too early to expect to find any). I have emailed the relevant bit of the NHS to ask them if they have any evidence that the SCRs improve safety or quality of patient care, and will blog again if they reply.

← Dodgy statistics on airport security Evidence based footcare part 2 →