Ben Goldacre writes in The Guardian:
I am embarrassed. Last week I wrote in support of the government’s plans to collect and share the medical records of all patients in the NHS, albeit with massive caveats. The research opportunities are huge, but we already knew that the implementation was chaotic, with poor public information, partly because the checks and balances on who gets access to data – and how – have not yet been devised or implemented. When you’re proposing to share our most private medical records, vague promises and an imaginary regulatory framework are not reassuring.
Now it’s worse. On Monday, the Health and Social Care Information Centre admitted giving the insurance industry the coded hospital records of millions of patients, pseudonymised, but re-identifiable by anyone with malicious intent, as I explained last week. These were crunched by actuaries into tables showing the likelihood of death depending on various features such as age or disease, to help inform insurance premiums.
We can reasonably disagree on whether you find this use of your medical records acceptable, but the process must be competent and transparent. The HSCIC has now told the BBC that this release of your medical records broke the rules, and that there may have been other similarly erroneous releases: but it won’t say more until “later this year”.
On Tuesday, at a health select committee hearing, things got worse. HSCIC said it couldn’t share documentation on these releases because it had all been done by its predecessor body, the NHS Information Centre – even though the HSCIC replaced the NHSIC in 2013, and is in the same building, doing the same job, with almost identical personnel and all the old records. Furthermore, the actuaries’ report using the hospital data carries the HSCIC’s logo – not the old NHSIC one – with the HSCIC’s admitted full consent. If HSCIC disapproves of NHSIC releasing this data – or regards it as illegal – why did it add its logo and approval to the output?