UKC

Apologies if this has been covered already. I couldn't find anything so here goes. I think it is important.

You have until the 23rd June to opt out of having all your personal healthcare data grabbed from your GP and put onto a central database accessible by 'outside sources'. I read that as commercial organisations or in fact anyone. There is some sort of commitment to anonymise the data.

This was tried in 2014 but defeated when MP David Davis and a group of Doctors brought it to wider attention on ethical and moral grounds. 

 I may be slightly wrong with some of the detail but it is worth checking out. 

Although the stuff I have read makes it sound as if you have to opt out by the date above I suspect you can opt out any time if you so wish. Some of the news stories are scaremongering but it is worth giving some thought to how you want your data used.

Also I should have used the term pseudonymise not anonymise.

There are two optouts.

One is opting out from GP data sharing, where the deadline is 23 July, but the 2nd is opting out from NHS data sharing which is different and far more open to commercial use and abuse. There is apparently no deadline for the 2nd opt out.

https://www.nhs.uk/your-nhs-data-matters/

https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe...

Thank you for the links.

Followed the 1st link and opted out. The second link seemed to go round in circles and end up in in what looked suspiciously like the same place.

Alarming; however couldn't it be as detrimental to opt out as to stay opted in?

On the one hand, every Tom, Dick and Harry could find out embarrassing personal information; on the other something treatable could be missed because records aren't being shared.

Is this the gist of it?

Not quite. I think your details are encrypted in a way which can be retrieved when a code is entered by say your doctor for your health care. Commercial organisations will only see the anonymous data. It's just the fact that your data is being used for purposes you have not agreed to at a time when nearly every website gives you that choice. Surely the same courtesy should be accorded to your very personal health data.

I think that by opting out your data stays with the GP and is still available to others who are only concerned with your care, just as it is now.

Could certainly be detrimental to your health if the people treating you can’t easily access your health records. 

All your information will still be treated in accordance with Calldicott principles. Give it a Google, it’s fairly reasonable.

The problems are:

1. Do you trust this government not to sell any of your data if it makes their mates a profit either now or in the future?

2. The data mining company involved with the NHS is Palantir which doesn't have a good reputation concerning privacy.

https://www.bbc.co.uk/news/technology-56183785

I don’t trust this government at all but what you have to decide is what’s likely to cause you and yours the greater harm; clinicians being unable to access timely information when treating you or a private company having access to your anonymised data.

In reply to:

NHS trusts routinely use patient data for purposes which aren’t directly related to the individual patient’s health, for example analysis of data in pursuit of targets. The data is anonymised (“pseudonymised” as the NHS call it) to protect patient confidentiality but this is imperfect, especially if you have something really unusual wrong with you which can help to identify you. In the ideal world all this data would be stored very securely and safely, not on a server under someone’s desk. So I’m not personally that bothered about my data being additionally used for other research in a similar way. 
In fact, I’d be over the moon at having my data harvested by a third party if it solved the seemingly very difficult problem of sharing my data between different NHS services or locations. 

the problem is the third party the NHS is contracted with.

Palantir was formed by Peter Thierry, who was the head of Cambridge Analytica which, as you recall was involved in major illegal data collection and manipulation in the Brexit referendum.

https://www.bbc.co.uk/news/business-54348456

That aspect of it sounds similar to being an organ donor (which is also opt out these days) although it's your information that you're volunteering.

Malodorous, although if this technology can be so powerful in a deceitful way, think what good it could achieve if applied with wholesome intentions.

Absolutely. Unfortunately this government is only interested in lining their own pockets....not the good of the electorate....

If you own a smartphone, it will be relatively easy for the data analytics companies to de-anonymise your health data.

About time they got on and digitalised this info so that it can be used to help advance medical science. 

The NHS data on us has been used for years to help all sorts of stuff in medical research. 
 

It cannot come fast enough imho 

It would be interesting to know what percentage of health professionals are happy to go along with the change and what percentage aren't. 

I just think there should be some debate. Most people don't even know it's happening.

I've heard this mentioned before. Regarding location data and patient registration GP practice codes.

I might have a dig into it. Medical data is shared, NHS numbers are de-id'd. I don't believe GP practice data and org data is.

I have no argument with that.

What I do have an argument with is a) the US company the NHS is using to do this, and b) I just don't trust this government farther than I can spit.

the US company, Palantir,  was set up by the head of Cambridge Analytica, he's a right-wing libertarian tech investor, Peter Thiel, and America's Central Intelligence Agency.

I think it's not meant to be found. But it is there if you persist  This is the link.

https://assets.nhs.uk/nhsuk-cms/documents/Make_and_manage_your_choice_or_yo...

Each person is likely to have an almost unique health record regards symptoms reported, injuries and illnesses. 

Some one who broke their nose playing rugby would be hard to pick out of millions of records. But if you know their approximate age and that they also have diabetes and have been treated for an ingrown toenail then suddenly the potential number of people drops to single digits.

This government has shown it has no qualms about giving preferential treatment to their mates, even if breaking procurement laws. Trust them with valuable data that can be exploited for profit? No chance. 

There is already a system in place for info to be used for medical research, but this go's way to far. Our data is being sold to the likes of google and Amazon. Its also going to a company called Palantir, originally set up by the CIA and with an appalling history of poor security and dodgy dealing.

The data is anonymous, but in certain situations  this can be overidden. We have no control over that, unless as individuals we opt out now.

Your records are still available to the NHS just as they are now. Its the selling on to dubious companies that's wrong.

Not currently easily accessible to all branches of the NHS and even harder for the multitude of private firms providing various patient services for the NHS.

The data sharing in question is explicitly described by NHS digital as being “for purposes other than your individual care”. Opting out shouldn’t therefore make any difference to how easily a treating clinician can access your data.

I’m sure you’re right, I’ve not looked into the ins and outs.

What I do know is that access to GP records can beca tortuous process due to GPs practices overwhelming existing as individual private businesses. Something worth reflecting on by all those up thread worried about private businesses getting their grubby mitts on “our NHS data”.

The NHS app already has a fair bit of data about me from my GP’s records. I can’t remember whether that required my consent or not. I think my GP’s surgery uses one of the more mainstream IT systems. There’s a lot of free text; I don’t know whether it’s more machine-friendly behind the scenes but I’d guess not. 
A very long time ago I worked on a GP IT system which encoded smear test results into individual bits before storing them in a horrible niche database, which might take someone a while to unpick. 

Problem is that the data will be pseudonymised, not truly anonymised. That makes it much easier to identify individuals. The information to do that is stored separately but that in itself is no guarantee of security. 

You’ll remember that that Fiona Caldicott was not very impressed with the government’s last attempt at data-sharing, care.data. Lack of transparency and information for practitioners and patients were key issues. I don’t see any signs that these have been addressed. It looks like the government are trying to sneak out another version of care.data under cover of the pandemic. They’ve made no attempt to present the public and the medical profession with an honest discussion of the risks and benefits. 

I'm not sure how knowing three pieces of medical information about a person helps u identify them?

Unless you know where they were treated as well, and can then as others have said use smartphone location data to cross check against the GP practice, CCG, trust locations?

This organisation data, eg where a pseudo NHS number  was treated isn't part of the GP data sharing, but I'm going to check that.

I don't work on the GP data but I do work for NHS Digital on other patient related data.

Here’s some information on NHS data breaches that have occurred already. Not a great track record.

https://medconfidential.org/for-patients/major-health-data-breaches-and-sca...

Read through the breaches and tell me what the resulting negative impacts on actual people were? 
 

I know I’m in a small minority on this but I really don’t get this obsession with privacy on the most mundane aspects of our lives. From what we earn to whether we had an in growing toenail in 1998... nobody really gives a shit do they? And if they do, so what?

On the other hand, on almost a daily basis, I see real world impacts of poor data sharing on patient care. Impacts that aren’t just detrimental to the patient but also attending clinicians and the wider public.

Anybody on here got a tale to tell where lax medical data security had a negative impact on them? (Not holding my breath).

Surely the fear is that your medical data might be used for the wrong reasons by the wrong people. It may be relatively safe at present but who knows what type of Government we will have in the future. Who knows what bodies will have access to our most private records. It's not just about ingrown toenails is it? For example if 1 in 5 people have mental health problems and a prospective employer gets access to the fact then there are consequences. There are many other examples I could cite. The strictest controls should be maintained on privacy and confidentiality. It is the only way to ensure some sort of standard in the future. As I have already mentioned somewhere if websites can ask for permission as to how they use your browsing data then individuals should be accorded the same courtesy with regard to their most private and personal data.

So you can’t come up with real world examples of people being negatively impacted by leaked medical data and the best you can come up with is a hypothetical employer accessing information on the mental health of a prospective employee?

Forgive me if I come across as a bit of a nervous nelly but the next time I board an easyJet flight to somewhere sunny, I’d rather the flight crew didn’t compose of an epileptic prone to frequent seizures and a schizophrenic suffering frequent suicidal ideation.

There are plenty of job roles where your medical history has a direct impact on your employability, and for very good reason. Sorry, but this stuff isn’t black and white.

This sort of data is flowing freely anyway.  It’s a data driven world .

If you are that bothered about this sort of stuff go off grid and stop posting on ukc etc etc.  
 

I think the point is that it is my data.and I want a say in who sees it. Simple as that really.

Aha! But huge amounts of people make a complete recovery from mental health issues, it could even be argued they are better placed to avoid them in the future due to their experience compared to someone who's been cushioned from some of the harsh realities of life. A hackable digital system is like a caste system on steroids.

I am playing Devil's advocate here but I think this is a valid point.

You already have a say on it, so what’s your issue again?

And of course there was the pilot who decided to deliberately crash his commercial flight in France in 2015, killing all 150 people on board

I am not saying Lubitz was mentally ill. I don't know. I'm saying it was a mistake to let him pilot that plane that day

https://en.wikipedia.org/wiki/Germanwings_Flight_9525#Investigation_of_Lubi...

Granted.

1 in 4 people in the UK have mental health problems in any given year.

There is, due to the rare examples, such as yours above, a stigma surrounding mental health.

Overall unless a massive number of people opt out (and ruining the statistical significance) _or_ you have a rare condition that makes you opting out alter the statistical significance of studies into your condition opting out is harmless to you.

On the latter point, rare conditions aren't cherry picked by pharma so in or out your condition is likely to be ignored in this data sale so you probably won't benefit anyway.

Quite simply I wouldn't trust them to be able to protect your data, manage to not identify you in a data breach or through fusion with other datasets or screw up in one of many other ways. 

While this is probably also true of your medical records already the difference is presumed consent.

Information exploitation like this is not far from issues raised by the exploitation of tissue taken without consent (look up Henrietta Lacks). 

I should have added Terry Pratchett's quote "No-one goes crazy quicker than a totally sane person" to the end of this post.

I'm bowing out now as this is an important discussion and wider than just mental health.

I suggest you read Permanent Record by Edward Snowden, and The Filter Bubble by Eli Pariser.

This mantra  "I have nothing to hide therefore I don't mind my data being collected" is a complete nonsense. the more data the commercial giants have on you, the more money they make by selling it to third party companies, some of whom may not be overly responsible in the way they use it.

https://lifehacker.com/why-you-should-care-about-and-defend-your-privacy-59...

https://www.forbes.com/sites/quora/2017/03/21/why-data-collecting-can-be-da...

No you don't. Once it gets out of the confines of the NHS, how can you determine what it's used for?

That's just silly. There are plenty of ways to minimize or actually prevent the collection of your data. I'd be very surprised if UKC sells your data on to a third party companies, unlike Google (particularly), Microsoft, Apple et al.

Yeah, that's more commonly known as "freeloading". Opt out, keep your data secure (maybe) and reap the rewards of medical advances predicated on everyone else's data. Maybe brush up on Kant's categorical imperative?

You're even less likely to suffer any detrimental impact either but hey ho.

We're talking about data bases compiled by private GP practices here. Is there anyone on this thread who hasn't had interactions with overly inquisitive GP receptionists? If you're worried about data security in the real world, as opposed to the purely hypothetical, perhaps skim through the Caldicott principles and think about the questions typically posed to you by the average entirely non medically trained GP receptionist.

Yep, presumed consent so if you're bothered withdraw consent. In the real world most people don't care. How do I know this? because I see an average of 6 patients a shift and 25-30% of those I contact their GP or other services to discuss their case. I always say "are you happy for me to discuss your case and share relevant information", since I started doing this in 2017 I've never had anyone say no. I've never even had anyone question the why's and wherefores in any way shape or form.

Interesting case to bring up. Her information (tissue) was taken without consent, made an immeasurable contribution to medical advancement and the lives of others, had zero detrimental impact on her and Henrietta only became famous as a result of campaigners publicising her case. So who had the most impact on her privacy? the medics or the campaigners?

GPs aren't in the confines of the NHS, they're overwhelmingly involved in small private businesses working under contract to the NHS.

Which will then be shared to (not good track record of security) NHS databases which will then be accessed by a private US  company, Palantir, who very definitely have a dodgy record when it comes to data security.

Do you REALLY want your personal medical records given to a US company backed by the founder of Cambridge Analytica, which if you remember was embroiled in accusations of illegal data collection and manipulation in the Referendum?

You don't get it at all, do you? GPs are covered by GDPR as is the NHS. When the NHS allows access to your records by a US company, there's no GDPR applicable. Happy with that?

Don’t care, not bothered, totally relaxed about it.

Well. More fool you then.

i suppose you're quite happy for the NHS to be privatised and turned into a US insurance company product. Because a US company trawling through everyone's medical records is just the thin end of the wedge.

And when medical records are used by insurance companies to up or refuse premiums because of a "mistake" or by potential employers, or by any other organisation that can get their hands on them for non-health related purpose, you're quite happy?

Cheers, I’ll stress about real world problems like hackers emptying my bank account while you stress about US multinationals finding out you had piles in 2004😂

Nope, big fan of the NHS. You’re conflating completely separate issues.

Thin end of the wedge now is it? The phrase universally employed by everyone who ever wanted to get people worked up about an issue that hadn’t yet managed to manifest any real world impact.

You really really need to do some research instead of burying your head in the sand.

Start with Palantir and see if they are a proper company to access all our medical records.

A GP was on a BBC program last week and said that everyone should be concerned with giving medical data to private sector (he wasn’t the first Doctor on the BBC to say this in recent weeks btw).

Two, theoretical, examples were given as realistic possibilities when commercial companies get hold of the medical data.

 Just giving the examples as I recall they were roughly stated:

1. Insurance companies could process medical conditions and their frequency by postcodes, and in future limit insurance/charge more/place more restrictions/etc., for anyone living same postcode area irrespective of their actual medical history.

2. Financial companies, could similarly process data and refuse/restrict mortgages in certain postcodes purely based on typical medical conditions if it suited them.

Yeah Gordon, in common with almost all people I worry mostly about things that are happening than getting worked up about what ifs.

Global warming, pandemics and sourcing a decent plumber are enough for me to be getting on with at the moment 😂

Maybe reply to Stichtplate. He's burying his head in the sand.

Jeeeeeze......

I know! I’ve got loads on my plate already

does this stuff really keep you awake at night?

At least for some of your medical colleagues it appears so; to go onto tv and state their concerns they must have carefully considered it. See my post above.

Data protection is a real world problem. Data breaches cost money, disrupt services and cause reputational damage. 

If you're a big fan of the NHS you should be concerned about data breaches for the reasons noted above. It makes sense to insist on protections like full anonymisation, proper monitoring procedures and so on to protect the NHS. And full transparency combined with getting the population to understand the trade-offs involved in extensive data scraping and sharing can only enhance the NHS's standing in this context. 

People like this are experts in obtaining multiple databases and cross-correlating to identify the same individual and obtain more information about them than could be obtained from any one source.  They also have a track record of complete contempt for data protection law - specifically during Brexit.  And they have associations with insurance and financial service companies.   They will do the particularly obnoxious stuff in throwaway organisations / companies which can be folded and walked away from when the complaints catch up with them.

The obvious risks are:

a. damaging prominent individuals who cross them by correlating sensitive medical information  with public information to identify an individual and then leaking allegations to journalists or police.  They don't need to be 100% sure based only on the computer search, it just needs to be enough to put an investigator on.

b. blackmail

c. obtaining a more accurate prediction of medical risk in financial services situations in order to get a commercial advantage.   For example being able to offer instant quotes where others would require a long form, or avoid risky cases.

d. identifying customers/voters who might be susceptible to specific targeted advertising on social media.

e. 'screening' services for employers which give a rating without being honest about how they determine it.

As someone with a background in computer science I can think of about 10 dodgy things to do with medical data to make money, damage rivals or influence consumers and voters with about five minutes thought.

People who have spent their entire career thinking about dodgy stuff to do with data in the service of intelligence agencies and politicians will be way ahead of me.

For example they could specifically look for folk with mental health issues and target then with social media advertising designed to set them off in a particular direction.   People who use nefarious means to get psych profiles on millions of Facebook users can't be trusted not to go after real mental health information.

https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_sca...

I told my GP about my mental health issues under an assumption of privacy, the idea that my innermost fears and worries could now be processed by private companies utterly terrifies me, and had this been in place at the time I would have not accessed those services in the first place. If others feel the same it may well affect how many people step forward for help which obviously will have real world impacts

GPs as subcontracted services have been part of the NHS since it's inception, you can argue all you like about that being flawed but they are the main part of the NHS Primary Care system. They are also part of the NHS pension scheme. Those worried about the privatisation aspects should be more concerned with specific changes of how GPs are being managed thanks to recent governments.

https://www.nhsforsale.info/sector/gps/

The data experts I know all think the sale of this data (and the way it's been handled) is a disaster on the most important fronts: security in the widest sense (including working with companies we can trust) and maximising the value and utility for future medical development and the public good, in an open and transparent way.

But hey, feel free to insult fellow NHS workers and play ostrich on a massive data disaster in the making. 

Well said.

Lot of people getting worked up about privacy breeches on here. First off I asked yesterday lunchtime- "Anybody on here got a tale to tell where lax medical data security had a negative impact on them? (Not holding my breath)." Nobody has coughed so right from the off we're in the realms of pure speculation as to the negative impacts.

As to positive impacts, here's what the British Medical Association had to say on this matter 3 days ago “Drawing insights from health-related data is vital for health service planning, and is a crucial way to monitor public health, organise local services and look at population-level health needs." The BMA has been involved in this matter since inception and their major qualm is the lack of publicity on the programme allowing people the option to opt out thus preserving the core principle of informed consent.

All data collation and sharing should adhere to the Caldicott principles:

The Caldicott principles, which were updated in 2013, should be employed to examine the conditions under which patient-identifiable information is used or shared. They are as follows.

Principle 1 — justify the purpose(s) for using confidential information.

Principle 2 — only use confidential information when absolutely necessary.

Principle 3 — use the minimum information that is required.

Principle 4 — access to confidential information should be on a strict need-to-know basis.

Principle 5 — everyone must understand their responsibilities.

Principle 6 — understand and comply with the law.

Principle 7 — the duty to share personal information can be as important as the duty to have regard for patient confidentiality.

Overall there should be a balance between the protection of patient information and the use and sharing of this information between agencies to improve care.

Now if you want to get all upset about unnecessary disclosure and dissemination of sensitive personal data ask yourself if the GP receptionist needs to know every detail of a patients clinical presentation every time a fellow medic rings up for a discussion about their patient, because ask they do, every single time.

Nobody will be processing personally identifiable information. No exterior data farm will be receiving your medical records with your name at the top.

Please take note thread, the above is an example of the real world damage keyboard warriors cause when they start scaremongering.

The Caldicott principles are irrelevant.  Things have gone way too far, we now have a government of proven liars, Johnson, Handcock et al all have multiple breaches of the ministerial code behind them, they have a track record of appointing cronies to investigate and whitewash their misdeeds and appointing their pals to lead public bodies.

No matter how good the principles look on paper this lot can't be trusted to apply and enforce them.  Their track record of handling personal data during the Brexit referendum campaign and the people and organisations they associate with make it even worse.

The only sensible thing is to not let Vote Leave Tories and their data mining friends anywhere near your confidential data.  You wouldn't put Ronnie Biggs in charge of the Bank of England's gold reserves just because he signed a code of conduct.

They can unlock the data for unspecified legal reasons, and even they accept that data is only pseudo anonymised. So what you are saying is I have to trust the intentions of the government, from now to perpetuity, with no concrete guarantees what this will and will not be used for? It may not make you nervous, in which case I doubt you have similar 'situations' listed in your medical record, but I cannot imagine anything worse

The flaw here is you are asking people to talk about the current state as an argument that it is okay to massively change that state.

Or to put it another way. How many people complained about their username, email and passwords getting leaked in the 1980s? No one? Excellent then why are people complaining that those columns should be hashed in databases.

Anyone with an interest in data knows three things.

Firstly anonymisation is very very hard to do on most datasets in a useful way. Obviously zeroing everything out works nicely but buggers up the ability to study it.

Secondly people find lots of ways of using data you dont expect.

Thirdly once its out there its damn hard to get back in.

So you are arguing because the data security is shit there we should make it shit on a far larger scale

A novel argument.

Sounds like the BMA have their concerns, too. I note their use of 'should', which suggests they fear this data disclosure will not meet the Caldicott principles.

The Caldicott principles are irrelevant even though they're the standard the project is adhering to?

Luckily Hancock and Johnson are unlikely to be busy typing away, compiling the data.

So your main objection is The Bastard Tories (again)... what's the SNP said on the matter?

Agreed. I've lost track of the number of data breaches I have been included in but its at least 10. I use a password manager and rotate passwords, and in the case of a breach I can reset my password and get rid of the issue. But I can never use that password again.

However, those breaches still have enough info for me to be linked to my postcode, and my postcode will be linked to my nhs data, already there is danger for cross use.

And once its breached once, I can't go back and change my NHS history, its out there, on the dark web, forever, for anybody to access. The wider the net of companies with access to our data the higher the risk of breach. Its not good at all

You think the legal reason is likely to be a low bar then? I'd imagine it'll be a bar set so high it'll require judicial oversight. As to pseudo anonymised, look up the definition and further consider your record will be one amongst 65 million.

Comments from others so far haven’t been against the broad idea of data sharing but more concerned with the lack of information and transparency. For instance Slackboot: 

“I just think there should be some debate. Most people don't even know it's happening.”

Or they are concerned with future threats to security and possible misuse of data. It’s not enough to say ‘Well you haven’t been harmed so why worry?’. Crying wolf isn’t desirable but nor is complacency. (We should understand this from the ways in which early news of the coronavirus pandemic was received). At the moment the whole data sharing realm is like the Wild West, and we don’t know what the consequences will be, or what potential misuses ‘bad actors’ may invent. It is worth being careful. 

As far as the Caldicott principles are concerned, these provide useful guidance if they are adhered to. But as I said above, Caldicott found the earlier incarnation of this NHS initiative to be in breach of her principles. The new version should be properly discussed and scrutinised, and people should have more involvement in what is shared. 
 

I have looked up the definition and, assuming you are referencing the GDPR version, the key bit is "without the use of additional information".  As for 65 million lets go back to the BMA statement you were using as a defence and look at the "local services". So ermm no longer 65 million if thats going to be achievable.

You are relying on a)the standards being kept high b)no breaches and c)no misuse.

Thats a level of trust many of us simply dont share especially for companies like Palantir.

Weigh up known benefits of the programme against potential pitfalls and decide which is the best course to follow. Its how rational people make decisions.

No, I'm arguing that people are upset at the idea of unspecified third party companies accessing their anonymous data. Meanwhile they apparently have few qualms about Janet the receptionist that lives down the road, shops in the same shops and probably has acquaintances in common, asking clinical questions on identified patients without clinical training.

The point is I don't know the bar until its too late to do anything about it

The issue here is presumed consent vs informed consent.  We've moved on since the HeLa cell line was developed without informed consent and medical ethics now require informed consent (with fine grained consent) for all tissue samples. 

While I use HeLa cells frequently I would never take and use a tissue sample without informed consent.  The same applies to medical records and this data grab breaks this basic tenet of modern research ethics. As we move between a world where physical artefacts represent property to one where information represents property we have to accept an equivalence between an physical sample and some forms of data and therefore the same informed consent should apply.

Fine grained consent is also required.  For instance, I'm happy to grant consent for restricted purposes but not for unlimited purposes or purposes that might lead to patents being taken.  This data grab does not permit this to be controlled and the binary presumption of total consent is ethically unsound and objectionable.

Okay so as a rational person my default position is that security breaches will occur. Since I wont be able to vet each company in advance therefore I have to assume at least one will have substandard security especially in the big data world.  Although AWS and co have been improving some of the default settings were way beneath what they should have been and the amateurs didnt know how to secure them.

The problem is I know "anonymous" data doesnt really exist. The only way data can be made truly anonymous is by rendering it useless for any analysis.

I'm sure Baroness Harding can be trusted with ensuring it's all "OK" when she takes over the NHS

I'm with you.  Not sure how comfortable I am with any exclusive data-sharing deals (assuming that's what what's proposed) and if they are going to do it I hope they have Kate Bingham negotiating a good deal, but I have no problem with having my medical records accessible online (as they are on the NHS app).

Why people are so concerned about the hypothetical risks around their medical records whilst being completely comfortable having all their money online is beyond me.   

You’re attaching too much weight to the receptionist analogy. The information you give the receptionist is not digitised and is not likely to be shared with organisations on a global scale. You are also able to control what information you give to the receptionist. That can sometimes mean an awkward negotiation but the point is that you still have a measure of control. The NHS data sharing project would be far more acceptable if it offered that degree of control. 

Having my money online isn't a one time risk. I have ways of reclaiming stolen money. My medical history on the other hand is not something I can rebuild, replace or insure

You’re making the assumption that people are completely comfortable with having their banking online- maybe they aren’t. But as using a bank at all these days means that our money will at some stage be in digital form we don’t have any choice. Keeping cash under the mattress has its own risks - as ever there are trade offs. The point is to be properly informed as to the relative risks and benefits.

I don't understand what stealing your medical history would even mean.  Someone hacking in and deleting it could be a problem but then they treat people in A&E everyday without having their medical records now.  Having electronic records that are secure but universally available to medical professionals is a no-brainer but we are still nowhere near achieving it.    

Properly informed and to give consent...

For me, it would mean very private discussions with my GP being available on the dark web, which is where most breached data ends up

Maybe I'm naive, but of what possible interest do you think think your medical history would be to anyone else, even if it weren't anonymised?  Things that have some financial value end up on the dark web.  Having your credit card details on the dark web would be a worry but who's going to pay to find out what your last prescription was for?

I get that there's a concern about prejudicing medical insurance (although this is more of a concern in the US I guess) but there are rules about what medical insurance companies are allowed to ask (and obligations on you to tell them certain things anyway).  Is that your main concern?

I'm not saying you're not entitled to your privacy.  I just think that some people have an odd way at looking at the risk/benefit calculation.  I completely agree that it would be nice to have the benefits more clearly explained and, as I've said, I have reservations about monetising the bulk data but that's a separate issue from the disproportionate squeamishness many Brits seem to have about the dark revelations in their medical records.  I have access to mine but have never even bothered to read them. 

Any number of ways by insurers, potential employers or criminals. I could easily be blackmailed with the info in there just to start with, and its not like online criminal gangs don't use breached data to blackmail people.

If you only have a series of stomach bugs reported to the GP maybe that seems over the top, but I would be utterly devastated if someone threatened to share mine with, say, my family or employer

It all depends whats on your medical record and how you perceive it may be used. Its about an individuals perception .Not anyone else's. It is data that belongs to that individual. If governments want to use an individuals data for some reason let them convince the individual. Change their perception. Then ask them. It is all about consent. It is more important now than ever.

It's a basic principle of decent human interaction. Don't use someone else's stuff unless you have permission. Presumed consent needs to be built on trust.

BMA statement on NHS data sharing calls for delay:

https://www.bma.org.uk/bma-media-centre/bma-calls-for-delay-in-roll-out-of-...

That says it all really. Well spotted.

Yes, because I am confident she will have learnt important lessons from the massive TalkTalk data breach that happened while she was in charge.  And the experience she gained at the outsourced Test and Trace means she probably won't use old versions of Excel for transferring records between databases again.

For those who don't know what she looks and sounds like, I have found a random clip on YouTube, here she is helping out the Cambridge Analytica Public Relations Department.

https://www.youtube.com/watch?app=desktop&v=7zrymE6kjbg

I suspect the only thing she will have learned is "don't get found out"...

Nah she became a expert in "sequential attacks". 

The concerns I am raising are from people who support NHS data use. The problems they raise are about to way our government are going about doing this and the risks arising from that.

The arguments Stichtplate is using are based on strawman concepts including pretending the critics are data luddites, when its often just the opposite. A quick search finds numerous links that match the expert concerns I hear from data academics. The BMA view is not unique...look at Open Democracy, Digital Health, The Good Law Project.... I'm just waiting for John Naughton now.

It's way bigger that that. It's also about potential corrupt tendering, major governance problems, breaches of democractic process, dishonest behaviour of politicians. It's also been a massive issue for months now.

https://www.opendemocracy.net/en/ournhs/why-were-suing-over-the-23m-nhs-dat...

...here she is helping out the Cambridge Analytica Public Relations Department

Doesn't that give you a nice safe feeling?

You are massively underestimating the potential commercial value of your medical history and its potential to be used against you.

You also have to assume, given the lack of cast iron protections and records of previous data leaks, that all of your records will at some point find their way in to the hands of someone with the ability to depseudonymise your records and match them up with the vast data that big tech companies already hold on you (who have a poor record of selling it to the highest bidder to use against you).

A few examples where it could end up working against you:

- Medical/travel/life/car insurance. This data is a gold mine for the insurance industry. Good luck finding any affordable cover (or any cover at all!). In extreme circumstances, this could potentially lead to mortgage companies being unwilling to lend money to someone who is at a higher risk of an early death or being unable to work. Landlords could refuse to accept tenants who are at risk of being unable to work in the future. Carehomes could potentially use it to increase costs or refuse to offer care to people who are at a higher risk of developing conditions in the future that might make them less profitable. This could also work in reverse: if your medical history (and that of your family) indicates a longer than average life expectancy, good luck getting a reasonable price on your pension annuity.

- Exploitative advertising such as unscrupulous companies targeting products/scams at people who they know are in a vulnerable mental/physical state. Or targeting alcohol/gambling to known addicts, or targeted political adverts (where have we seen this before...?)

- Potential employers refusing to employ people due to past/present conditions, or even the conditions of relations. Unless you could prove that they rejected you due to a protected characteristic (which is essentially impossible), you would have no recourse.

- Blackmail of vulnerable people such as someone who has sought treatment/advice for an abortion/contraceptive/sexual health etc. Cross referencing the records of mothers/fathers/children/other relations could be a potential paternity nightmare.

The problem is that all of the above outcomes (and, no doubt, many worse ones that I haven't considered) are possible. Without sufficient guarantees in law that these cannot happen, this opt out is your last chance to stop it happening to you. Once the 23rd June deadline has passed, if you haven't opted out, the box is open and cannot be closed.

As you cannot do it later on, you have to make a decision now on the likelihood of these hypothetical problems and the severity of their outcomes. For me, there are not sufficient safeguards to prevent medical records being used against you so I have no choice but to opt out. If there was an option to allow your data to be shared solely for academic researcher with no exceptions and with strict controls to prevent it getting in to the wrong hands, I would not be opting out of anything. This is not currently an option.

Are you seriously asking for people to provide evidence of how they have been harmed by a change that has not yet come in to effect?

Nope. I'm asking exactly what I said I was asking. Perhaps read it again?

As a counterpoint I could provide you with multiple harms caused by poor access to patient records.

Though generally many people don't want their data sharing, but they are happy to reap the rewards of research on other peoples for new drugs and treatments?

How about you opt out but you don't get to have access to any new treatments that come from this research.

We don't have enough organ donors so we went for an opt out scheme. That seems reasonable but opt out should maybe mean if you are not prepared to donate then you don't get to receive?

I don't actually think this.

Really? What about "60% of my class like our textbook, 40% dislike it"? Or "The average age of people coming to the surgery last year was 66"? How are those data not anonymous? Looks anonymous to me, thanks 

How did you get to those numbers though? To get the average age of people coming to the surgery you need to supply all the ages for patients and the GP Surgery itself. Then someone aggerates it. 

Perhaps I should have made it clearer that it is in terms of being able to anonymise individual level records when they havent been designed for that job. However if you are basing it off someones information gathered for other reasons then its very hard.

To take the surgery example. Once you say I want to know their age and then I also want to be able to group by street then you have a pretty good chance of deanonymised records. Add in gender and you will be pretty much all the way there.

Or for the liking the text book. Now yes you could probably make it anonymous if they dropped a card saying like or dislike. However if you then ask a few more questions comparing it to the other books they use then the anonymous factor would start to drop and so on.

There is a big difference between data being available within the NHS for individual treatment, and being made available to people outside the NHS, for purposes other than individual treatment.

This release is intended for the latter purpose.

Yes, but "anonymous" means "not identified by name", which is true for my simple example 

well clearly it is for the example but the use case is just not valid. 

They're not calling it anonymous, though, are they; they're calling it 'pseudonymous'. Whatever that means; many commentators suggest this data can be de-anonymised by correlation with other data sources.

This is potentially big money, so big money will be put in to do that correlation.

Thanks for your reply. I was talking about unnumbered student questionnaires which are dropped in a box at the end of class - with just one question on it. Thanks 

If you were really bothered you could use fingerprint techniques on the paper, then link it to ink analysis to determine how much people paid for their pens, then only offer opportunities to those you feel (having paid for expensive pens) would most likely be able to afford them.

Just because you can't be bothered, doesn't mean that no-one can be bothered. Of course, if its cheap to do, and there is some gain, then someone will do it for sure. 

Yeah, in one case the individual benefits from treatment over their lifetime and in the other everybody benefits from the advancement in medical treatments for ever. Medicine has advanced due to the study of individual cases since Galen, without such case studies Doctors would still be sticking leeches up your arse and telling you to piss on the corpse of a dead cat at midnight in the hope of curing your brain tumour.

I know, but data breeches are data breeches whether the scale is micro or macro.

It's pretty straightforward: the proposed data changes will benefit how resources are targeted as well as advancing medical knowledge. On the downside some dodgy company might access the data and target individuals. Note "might".

So it's down to social conscience really, whether you put the clear benefits of the many below the possible detriment to yourself. Personally speaking, I believe that if you think your data is at risk through this scheme but you continue to use social media, google, store loyalty cards, etc, etc then at best you're naive and at worst you're a total hypocrite.

I don't mind sharing my data if it will help others. But I want to know who is seeing it, and I want the right to give my consent. I want a debate where the public are properly informed before any changes. As I said before presumed consent is based on trust and this is obviously something that is sadly in short supply at the present time.

Now that's a fair point and one I'd support.

OK, that's a reasonable argument and I'm not really comfortable with monetising this information at all.  I'm similarly concerned about the possible commercial use of UK Biobank data, which I have enthusiastically supported up to now. 

That's a different argument to the general reluctance to digitise medical records, but I agree it's really unhelpful in trying to increase public conference in it.

We have already found out the ministerial code, anti-corruption laws and data protection laws are irrelevant when the people running government break them.   If the system worked Johnson and Handcock would be in jail by now for the PPE contracts , the Arcuri thing, the Downing street refurb and for the sh*t Vote Leave got up to.

The fact that a Tory project is supposed to be adhering to a standard doesn't mean it will adhere to the standard or that anything will happen when it doesn't.

No, but they will give the access or contracts to their pals and donors.

Yes, and it is again and again because this is the worst shower of sh*t we have had in government probably for 100 years.

The SNP doesn't need to say anything, this is an English thing.  Health is devolved and the Scottish NHS is not controlled by Handcock.

Cool. NHS Scotland must be super keen on preserving individual patient data:

Depending on the situation, and only where appropriate, we may share personal information with the following types of recipients:

citizens and patients registered with NHS Scotland

family, carers, associates and representatives of the person whose personal data we are processing

NHS staff

current, past and potential employers

healthcare, social and welfare organisations

suppliers, service providers, professional advisors and consultants

legal representatives

auditors and audit bodies

educators and examining bodies

medical researchers

medical education institutions (for example College of Nursing)

when dealing with enquiries or complaints

financial bodies

professional bodies

trades unions

business associates

police forces

security organisations

central and local government, government agencies and regulatory bodies

voluntary and charitable  organisations 

https://www.nhsinform.scot/care-support-and-rights/health-rights/confidenti...

...or maybe not.

Spot the difference…

‘When sharing information, NHS Scotland only provides the minimum information required and only if there is a legal basis for that, otherwise the NHS will ask for your consent prior to sharing your data.’

I'll refer you back to the Caldicott principles that NHS England are following in the proposed data sharing programme. So not much meaningful difference whatsoever.

The NHS in England will not be asking for consent prior to sharing any information. It intends to scrape GP data and then allowing people to opt out- if they’re quick enough. In other words, instead of informed consent they are using presumed consent. 

Wrong trousers Gromit

Or used to  exploit percieved (or perhaps manufactured) "failings" in the NHS to pave the way for budget cuts and widespread privatisation.

The data is being handed, free of charge, to dodgy companies with a record of using information to target individuals.

The many being those who will profit from selling that information back to the NHS? I have no issues with giving informed consent for my medical information, suitably protected to the NHS for legitimate purposes. Giving it to some mate of Dido Harding or a company like Palantir to profit from and sell on to anyone who wants it? No chance.

Facebook ads targeting me for clicking on a link to Wiggle is one thing. Ads targeted based on the content of confidential medical  records are a different kettle of fish.

You would need to provide evidence for this claim rather than simply announcing it as fact.  You would then also need to explain why, exactly, companies like Palantir are required. For resource targeting for example they could take the approach of looking at resource usage rather than peoples records.

Bonus points if you manage to explain away the rather interesting background to Palantir getting that nice juicy contract and also manage to convince me that they are a lovable bunch and not a group with a very dubious track record to date. Even if you dont want to discuss their data background just giving a good explanation on why anyone sane would use Palantir as their name would be good.

Think of the children!  The thing is my own records are,luckily for me, pretty boring. The only thing in recent years has been my vaccine jab. However I would consider those who havent been so fortunate and so default to not providing data approach in the, probably,vain hope it might make the government reconsider.

Speaking of which it is rather amazing given how many things have had to be put on the back burner that this has managed to be priortised isnt it? Sod improving the system lets get the data give away in play.

Whereas I think that is a hopelessly naive argument and has a rather obvious flaw. All of those are opt in (admittedly with some of facebook and co shadow profiling not so much but....) so if you are making this comparison then logically you should be arguing for an opt in scheme.

I'm curious to know what information is up for sale.

I signed up on the NHS app just to have shifty at my vax record. All I can find about my medical history is two c19 jabs and a prescription for nicotine inhalers from 10 years ago. Nothing about my hospital  stay April 2010 for starters.

If people want to pay good money for that info, good luck to them, I couldn't give a ....

The problem that you are stubbornly refusing to acknowledge is that there is no guarantee that our data will be used purely for lovely, benevolent purposes you describe.

As others have pointed out, the fact that the likes of Palantir are involved should be ringing a bloody great big alarm bell.

Does the warning from the BMA not sway you from your rather naive belief that there is nothing to worry about?

That seems like a reasonable list to me.

Most of the items on it are either obvious or legally required and the key words are "Depending on the situation, and only where appropriate."

Nobody is saying the NHS can't share ptient data, obviously it needs to share data to get its job done and support patients and medical research.

The problem is wholesale harvesting of data and the types of organisation that are involved - in particular people and organisations with extremely dubious history.

I am not against processing medical data on principle, but if I lived in England I would refuse consent for any scheme implemented by the current government for the same reason I wouldn't buy financial services from a convicted fraudster.

In my view the way this should be handled is to wait for professional bodies in the computer industry such as IEEE or ACM or trusted security standards bodies such as NIST in the US to come up with standards for protecting medical data and then to write the use of those standards into law.  I would also make managing medical databases a regulated profession requiring training, registration and a code of professional ethics, with the possibility of being struck off and a 'suitable person' criterion before acceptance.

I see a lot of respectable public bodies on the Scottish list like the College of Nursing, state agencies like the police, patient's relatives are obviously necessary - and so on.

What I don't see are people like Palantir.

A lot of this has to do with trust.   I'm willing to give the Scottish Government the benefit of the doubt.  I'd have given most previous UK governments the benefit of the doubt, even May or Cameron (maybe that would have been a mistake!) but the current lot are unquestionably not suitable people to be processing confidential medical information.  They've been caught red handed too many times. 

Maybe read what I wrote a few posts up at 17:09?

Maybe read what the BMA actually wrote rather than projecting what you'd have liked them to have written? Their concerns outlined in the link are entirely with timescale and lack of publicity allowing people to opt out.

I’d prefer to take the advice of a friend (25+ years as a GP - not mine) who advised me to opt out & do it straight away. She indicated that her work as an NHS clinician was being compromised, not enabled, by the large-scale incursion of commericial interests (often from the USA). Her views on both Palentir and Harding are pretty much unprintable. 

That list could be construed to include everyone from The Boy Scouts of America to the Russian FSB as I'm sure you'd be happy to point out if it'd been compiled by The Bastard English Tories. I'll set you a challenge, lets see if you can come up with any public, private, body, group or organisation that couldn't be included in the Scottish list?

And if it were Hancock or Johnson that were guaranteeing and defining the proviso "Depending on the situation, and only where appropriate."? A politician's word isn't worth an awful lot on either side of the border (ask the formerly sainted Salmond's opinion of the still saintly Sturgeon).

Luckily in this case, it won't be Hancock or Johnson that'll be able to identify individual patients; that'd be the NHS still. Here's what is actually happening:

NHS Digital will not collect patients’ names or addresses. Any other data that could directly identify patients (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that patients will not be identified directly in the data. NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.

You might note the last bit Tom,

"identify patients in certain circumstances, and where there is a valid legal reason."

Not a million miles from the Scottish NHS,

"Depending on the situation, and only where appropriate."

Yes, it will probably be their mate Dildo Hardon, promoted to run the NHS after her stunning success as boss of Test and Trace.

https://www.independent.co.uk/news/uk/politics/dido-harding-nhs-test-trace-...

It is so obvious what these guys are up to.  Just like with the PPE contracts access to NHS data is primarily a way for their pals to make money from the 100 billion NHS budget.  The favour will be returned to the Tories as donations and hand-outs to senior politicians such as consulting jobs after they quit and decorating their house.

The press is compromised because most of it is owned by billionaires and has received 350 million pounds of advertising money from the UK government channeled through a private company for the Covid information campaigns.    That kind of spending gives you influence and is one of the reasons the Tories are getting such an easy ride while behaving so egregiously.

Having read around this a bit, I've decided not opt out.  I think opting out reduces the value of my data for research and planning purposes and there's a clear statement here:

https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/...

that the data will not be sold (although they will charge for access, which seem to me a nice distinction) and anyway will not be available for 'purely commercial purposes' such as promotong or selling products or services, market research or advertising.  I don't trust the current government not to try to get round this but I choose to trust the regulatory authorities, GDPR and parliamentary oversight to prevent this.

Here's what's available by way of transparency, if you really want to check it monthly:  

https://nhs-prod.global.ssl.fastly.net/binaries/content/assets/website-asse...

Not sure there's any confirmation that Palantir is currently involved (just rumours that they probably pitched for it).  I'm assuming that no government procurement would touch them with a barge pole after the Cambridge Analytica thing but then this government's shamelessness is seemingly limitless.

The Tories are a shower of shite and couldn't run a bath. You're preaching to the choir. As to the rest, no Tom, not everything that has any tangental government involvement is entirely a Tory plot to line their own pockets, though I wouldn't put it past them to try.

When you say "these guys" are you including the BMA and the Royal College of General Practitioners who've been intrinsically involved and supportive of this programme since it's inception 5 years ago when the last data sharing programme collapsed under similar confidentiality concerns? "These guys" are primarily concerned with advancing medical research, clinical practice and saving the NHS an estimated £10 billion per year through better targeting of resources.

How about my original question to you? 

I'll set you a challenge, lets see if you can come up with any public, private, body, group or organisation that couldn't be included in the Scottish list?

...any luck?

I did. Maybe you should take your own advice.

If you did read it you either didn’t understand it or you’re simply misrepresenting it. They don’t mention anything to do with misgivings over data usage, third party data acquisition or confidentiality issues. Their concerns are over giving the public the necessary information and time to opt out if they do wish.

You are assuming wrong.

They heroically and kindly got involved last year in the Covid response only charging £1 for their services.

A great gesture only slightly undermined by the subsequent fees.

https://www.digitalhealth.net/2020/12/palantir-awarded-23m-deal-to-continue...

Underlying all these concerns is the question of timeliness. It’s clear that the BMA and RCGP feel that the implementation of data sharing is being rushed. That puts an extra strain on general practices and gives the public little time to understand the pros and cons and to opt out if they wish: 
"The timeline is far too short because NHS Digital has not transparently and actively engaged the public in increasing awareness of the GPDPR programme since its announcement in early May."
(From the BMA /RCGP letter, quoted here.)
https://www.theregister.com/2021/06/04/bma_and_royal_college_of/

Personally I have few qualms about a properly implemented secure sharing of my data but we’ve seen many failures of large scale public IT projects, including in the health sector, and I have no great faith in NHS Digital’s ability to achieve a secure and useful implementation if it is being rushed. I’m also interested in the sudden haste with which this project is being pursued - why is this?

Who would want access to someone else's virtual legwear?

Never thought I'd ever read a comment about Palentir or these other IT bandits which incorporated the phrase 'heroically and kindly'

It is just a generic list.  This isn't about the list it is about the people at the top in England  not being  reputable and associating with companies like Palantir.

I'm just applying common sense like I would with any other purchase or business relationship.  If the people at the top look like crooks I try not to deal with them and if that is impossible I try and limit the amount of sensitive information they have access to.   We know the Vote Leave crowd and the companies they associated with grossly misused data during the Brexit referendum and they got away with it.  My operating assumption is they've not changed.

I still think it's odd that Palantir chose to take the name of a magical form of data transfer that only showed you the version of events that the administrator wanted you to see.

Seems quite appropriate; at their creation, the palantiri allowed remote exchange of thoughts. It was only when they were subverted by an evil entity that problems arose...

Frankly, if you think that pseudonymised data cannot be deanonymised using third party data sources, you are being naive. In fact, if you do not understand how this is done I'm not sure how much you can add to this discussion. This is neither hypothetical nor far fetched, it's used by practically every online advertising company in existence, including Facebook and Google, and it's the reason behind Apple's push for tracking transparency (which they are using as a differentiating factor of their products). Hell, it's how third party app advertisers that display their ads on these platforms pay per install, it's entirely mainstream technology.

If this data is pulled by a third party that shouldn't have it, and I would treat Palantir as such a third party, it will be deanonymised, legally or not.

OK go for it, relieve me of my naivety and explain how this data could be de-anonymised "by practically every online advertising company in existence"?

Edit: I have a feeling that this is the third time on here that I'll pose a question asking someone to correct my ignorance and then be left hanging, so yet again, not holding my breath.

OK I'll bite

I've been in data breaches before, so out there on the internet will be my name, age, postcode and gender for grabs.

Combine that with very basic info from my medical records, so say date of birth and postcode, between them they will almost certainly identify me personally. Thats just to start with, there will be loads of other possibilities.

Edit: you don't even need to get it from breached data, I'm pretty sure facebook will sell that data to anyone who wants it

First hit on google. There are many more articles on the subject, including plenty that go into more detail if you have the technical knowledge to understand them. 

https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be...

If I had some cast-iron guarantee that my data is only going to be used for legitimate research I would have no issue with it being shared. Unfortunately I do not trust that to be the case, and I'm not comfortable with profits being made by selling my data either. It has also been highlighted that the data is not only being sold to medical researchers - anyone can buy it if they want so there is basically no protection here...

Why should I want to have my records in the hands of Waffen IT?  Waffen IT with a history of destroying things I believe in and that has as a result derated my wife's standing here and my own EU rights to zero.  (In fact they must not have been "rights" or I wouldn't have lost them.

Apart from the clear and present danger of unscrupulous weapons IT companies making money from getting their hands on our records it's another example of how nearly half of the voters in the binding referendum have been shat on by the Brexit Toffs

Dido "Cheltenham Festival must go ahead" Harding's friendly cosy relationship with these waffenmen says it all.

She's also befriended the Vennels woman who presided not over the implementation Horizon Scandal but over the legal shennanigans that perverted the course of justice by denying information to the victims that they should have had much much earlier.

I'm not asking for data that's out there on the internet, I'm asking for data gleaned from NHS digital. 

Yep, the identifying info that is on there will be locked and coded. This consists of your NHS number, date of birth and a postcode shared by several addresses, all locked with unique codes and since none of this info exists as words or sentences it's about as easy as it gets to encrypt.

If they *just* pseudonymise (well, hash really) the patient data and not the facilities used, then it's fairly straight forward if you have access to a database like Facebook (and they are not the only one). You correlate visits to various facilities to visits to public locations of other users until you get a match.

If the facilities themselves are hashed, then will have to group the data by the common fields and go on a more macro level to identify the facilities first.

If the facilities are hashed and salted (so that two people that visit the same facility appear to visit two different facility IDs), it's trickier but I'm pretty sure statistical analysis can be applied to find what is what, especially as people will be visiting some of those in fairly consistent procession.

Facebook can tell me who installed my app (and charge me for it), what their age, sex and geographical region is, having shown them an ad, even though they then installed the app another day, on another device that is not even logged onto Facebook. They track members and non-members across websites and devices, networks and geographical locations for the purposes of highly targeted advertising.

This isn't a future problem, it's been happening for years, I remember being blown away by what ad attribution companies could do with their models 5-6 years ago already.

For those without strong minds or somesuch they were unreliable from the outset and then as soon as someone dodgy got their hands on it they went beyond unreliable into actively malicious.

See what you mean about appropriate.

You don't think there will be any indication of my age or location in the data? You're having an utter laugh.

Also I notice you didn't respond to the poster above who linked the article highlighting the risks, just my one example.

And,if you want to be able to do anything useful with it also pretty damn easy to figure out. NHS number you would protect but to get age information and postcode if it is not going to be rendered useless as a source then it will have a usable pattern to reverse.

The only identifying data included is NHS number, date of birth and postcode, all encrypted with the unique codes held by the NHS. Fine if you don't think the NHS can be trusted but they already hold all your actual records anyway. Getting hold of the de-anonymised data would therefore be as straightforward as hacking existing NHS records, so why include the middle man and not just go for the intact records?

What they've actually said is that the data won't be sold at all but whatever

Patients 1, 2 and 3 visited locations A, B and C. Correlate with people that visited those locations in a similar time frame from other sources and voila, you've deanonymised the data without having access to the NHS servers.

What particularly annoys me about this is that I *want* my data used for research by reputable institutions and the NHS. The entities being proposed should have zero to do with this and that may cause me to opt out.

I can only go off what the NHS say they're doing. If you don't trust them what's the point of this discussion as you're already trusting them with all the data your so worried about leaking?

Give me a minute, I've got two hands and a life

OK fine you win, despite experts, doctors and IT specialists telling us to be worried, and despite my own 20 years of experience working with large scale datasets in various companies, on your word I'll stop worrying - its obviously all in my head, one to log among the rest of my mental health issues. While it feels like a total gaslight it definitely isn't and there is totally nothing to worry about, I feel a lot better.

its this for certain bits of data. Other bits, are just not shared as part of this. 

patient addresses, DOBs are not shared

Anybody been referred to hospital recently? - that got shared already and anyone can access that data.....good luck identifying my eye clinic appointment......but if you can I'll but you new nut 1

https://digital.nhs.uk/dashboards/ers-open-data

The point is proportionality, benefit versus risk and whether its reasonable to get in a flap about NHS data security when you're totally relaxed about putting all sorts of stuff out there with zero concern.  Are you worried about all the personal info you've put out on UKC? if not why not? You think a forum accessible by literally anyone is more secure than an NHS database?

Are you seriously making this comparison between what someone chooses to post on a public forum vs their medical records?

I think I will join in giving up and letting you declare victory.

From that data I can't, but give the inverse view, your pseudonymised medical record with a list of all referrals, procedures etc. you've had etc to a data scientist with access to a few external databases and I bet they'll be due a sparkling new Rock 1 in not so long.

if someone posts details of their medical history in a thread where they’re insisting that they’re terrified of details of their medical history being leaked then it would seem relevant.

You’re assuming times and locations of appointments would be listed. Maybe they are, I don’t know, but this would seem to contravene the Caldicott principles they’ve declared they’ll adhere to.

looks like the data sharing has now been delayed till September

To do any sort of research on any progressive disease, a timeline is important, so while exact dates may or may not be there, approximate timelines will be deducible from the data. Locations could also be inferred from the facilities at said locations. Would it be worth it? I don't know, depends on who is trying to harvest the data and what they are hoping to achieve. Either way, I wouldn't want the people behind Cambridge Analytica to be anywhere near it.

MPs have pushed the government also in line with moving the data sharing  to September, to also move the deadline for individuals to opt out of the data sharing to September as well, which may not necessarily have followed suit.

I agree, clinicians having access to your medical records in a timely manner seems like a good thing, but why are you conflating this with private company having access to your "anonymised" data (my quotes).  Surely you can have the former without the latter.  Maybe you have no reasons to fear your data being linked to you, but many people will have - people with a history of certain health conditions, both physical and mental, can find their employment and insurance prospects severely limited if this knowledge becomes known and shared.  

I put anonymised in quotes because it's doubtful that such a thing exists.  Reidentification is a well known privacy issue in data sciences and the "big data" industry.  The following is an abstract taken from one of the current key data science text books - Data mining : practical machine learning tools and techniques, Witten, I. H et.al, 2016 (this is just one paragraph from this section of the book - there's a whole bunch of case studies detailing this sort of thing, and examples of misuse of "anonymised" data abound, including those from the health sector domain:

 "Work on what are being called “reidentification” techniques has provided
sobering insights into the difficulty of anonymizing data. It turns out, e.g., that
over 85% of Americans can be identified from publicly available records using
just three pieces of information: five-digit ZIP code, birthdate (including year),
and sex. Don’t know the ZIP code?—over half of Americans can be identified
from just city, birthdate, and sex. When the state of Massachusetts released
medical records summarizing every state employee’s hospital record in the
mid-1990s, the Governor gave a public assurance that it had been anonymized by removing all identifying information such as name, address, and social security number. He was surprised to receive his own health records (which included diagnoses and prescriptions) in the mail."

Damn right - CA figures highly on the privacy/ethics module of a course I'm taking.  Prior to that I had a bit of an idea of the schenanigans behind what they got up to, but the more you delve into it the more appalling it seems.  From the parliamentary select committee report, it doesn't even seem to be known definitively all the people/organisations behind it.  Some"lovely" characters such as Steve Banon and Robert Mercer, various big Conservative party donors, but many others seemingly unknown.  This sentence from the report struck me as interesting regards the CEO at the time: "These concerns have been heightened by Mr Nix and SCL’s own links with organisations involved in the military, defence, intelligence and security realms." ....

The usual suspects here like to knock The Guardian, but without it, it's unlikely that any of this would have come to light, or at least not until several years down the line.  As it is, much of the harm's been done.

Because vast swathes of the "NHS" (my quotes) are private companies, from the GP surgery that provided the data to the ambulance that you called 999 for to the company digitising the records.

If potential employer or insurer wishes to know medical details because it may impact the role or cover they can just ask. If it won't reasonably impact the role or cover, why would they care? 

https://www.peoplemanagement.co.uk/experts/legal/when-legal-access-employee...

You should be reassured to know that the identifying features listed by I. H et.al, 2016 are all unavailable as they're encrypted at source. Not sure how many big companies with the cash to chuck at breaking such encryption would get the go ahead for funding from HR. Likewise, I can't imagine many smaller companies being happy to trawl the dark web for info on the off chance that their potential new wages clerk was once prescribed sertraline.

There is a risk inherent to companies in employing people with certain conditions but those risks can be mitigated legally. There is a much larger risk, both to individuals and companies, in illegally seeking access to data to which they have no right. In your estimation do you think it likely that most HR managers would be much interested in risking career, fines and/or jail time to get an unauthorised glimpse at someones medical records?

They'll use a service to vet employees and the service won't officially tell them what it is doing but it will be an open secret.  Eventually the company running the service will be chased down and forced out of business but it will have been set up on the expectation that will happen and will have been spending money as fast as it comes in.   All the clients will pretend to be shocked.

Then the same people will do roughly the same thing with a different name on the door.   It will turn into whack-a-mole with the rich people and companies who benefit from these services using their political influence to make sure that the law is always one step behind.

Pure speculation or would you care to name a company providing such a service?

…and why go to all that bother when relevant data is legally accessible?

The consulting association was one such misuse of private data for business purposes.

Or if you want "health" related then there are countless cases of discrimination against women on the grounds they are young(ish), married and likely to have kids and so be off.

As for pure speculation I notice you havent provided any examples supporting your claims.

Not quite sure how being young and a woman could be presented as confidential data.

Did you miss the link I provided? It’s two posts up from your own.

sigh. I was pointing out how its pretty common for discrimination on a "health" matter although, of course, there are restrictions legally on what you can ask a woman in interview so having access to their health records and see for example they have been looking at fertility treatment could be useful for an unscrupulous employer.

I am wanting clear demonstrations of when giving health information to Palantir and other dubious organisations directly benefited those whose information had been given away.  Come on stop speculating and provide information.

As for that article though. What do you think it shows? Because it doesnt show you can randomly request information but, if you do, its very tightly controlled and opens you up to a world of legal pain and discrimination charges.  Whereas if you acquire the information informally then you can simply not interview someone.

There's been similar things in the construction industry with small external companies providing illegal database services to 'respectable' large organisations.   Everything is speculation until it happens but the methods large companies use to get round database laws are fairly obvious.

Vote leave is another example - they weren't that bothered about data protection because they knew they would be shut down long before the enforcement mechanisms could catch up with them.

https://www.theguardian.com/uk/2009/mar/06/data-protection-construction-ind...

Because the data they want either isn't legally accessible or can't legally be used for the purpose they wish to use it for.

Sigh all you like, using "young and a woman" to demonstrate sensitive medical data is still a crap example.

You doubling down on crap examples here? In what world would a potential employer think "this candidate is female and between the ages of 18 and 55... we'd better check she's not having fertility treatment" ???

Where in this entire thread have I suggested providing Palantir or "dubious organisations" would benefit anyone? How would I provide an example of a possible future action that hasn't happened yet?

Err, what I said directly above the article's link? Namely this; "If potential employer or insurer wishes to know medical details because it may impact the role or cover they can just ask." It was right there, one line above the article link.

Yeah, good job I didn't say it did then isn't it. Sigh.

Great examples, but not examples that are really relevant since this wasn't anonymised data, wasn't medical data and wasn't data that was illegally obtained.

Yeah, which puts us right back to pure speculation without a relevant example.

I can remember the database course I took as part of my CS degree in the mid eighties had a section on anonymising databases and how people could try to de-anonymise data.   

Nothing has changed, it's a really hard problem to keep data anonymous if you have people able to construct queries in a flexible way and even harder in the general situation where you can have multiple people colluding to extract sufficient data.  Even if the system can show that no individual user has extracted enough information to identify an individual multiple users acting together may have.

I totally agree with everything you say here but I remain unconvinced that we have enough information to write off the entire scheme.

The NHS holds, arguably the most detailed treatment database and certainly the largest patient database outside of China. The research potential to the wider medical community is enormous. The  potential to cost save within the NHS is immense and the only issues raised by the BMA and Royal College of GP’s (both heavily involved in the program) have been over providing sufficient time and information to the general public to ensure informed consent, not data security.

I was pointing out the obvious advantages in misusing information about someone to decide whether to employ them. I could, of course, have gone on to use some of the ways some companies try to anonymise information to avoid this whereas others do not.

Well that has been what you are demanding from others when asking us to show that a db which isnt available yet is being misused.  So I thought I would return the favour. It is amusing that you manage to spot the flaw when its applied to your own position.

At the moment the government are proposing that the data is made available to companies with very dubious track records. So thats going to be a firm no from anyone with a clue about data management.

As has been repeatedly pointed out to you the anonymisation methods arent sufficient to protect against companies with large alternate data sets. They might impress someone without a clue about data analytics but for anyone with half a brain its obvious they are badly flawed. Since for them to be useful they cant be that well encoded.

If you feel it would be beneficial to have this data available then I would suggest that you put your efforts into arguing for a restricted version. Although even then we can then get onto all the ethical questions about who the data really belongs to and who benefits from it.

So you don't trust the data experts. You ignore warnings from the organisations you say didn't make them (an example BMA link from last Sept below). You throw out strawman arguments for UKC critics who all seem to say they favour use of NHS data to improve health? Has someone stolen your UKC account for propaganda purposes?

https://www.bma.org.uk/news-and-opinion/outsourced-and-undermined-the-covid...

I strongly support use of the NHS database to improve health outcomes but in a way that benefits health not data pirates like Palantir.

Pointing out that someone might be disadvantaged in seeking work due to being young and a woman remains totally irrelevant. If you wanted to make a point that was actually relevant you could have used examples such as HIV, Hep c or diabetic status. Of course you'd then have to explain away the fact that employers can legally demand such information when considering a candidate's suitability for a wide range of jobs...no illegal access necessary.

No, never demanded any such thing. What I asked was if anyone had an example of illegally obtained medical data used to someone's detriment. That was what, a week ago? still waiting.

There hasn't been the level of detail released to make to firm declarations about the level of data security inherent in the proposed system, however much of an expert you declare yourself to be.

I don't trust self declared data experts. I don't trust our government. Not sure about alleged straw man arguments but I know that's your favourite go to when you can't be bothered arguing the point so whatever.

Talking of straw man arguments... If you could explain how a link outlining rushed pandemic responses involving inadequate and unsuitable private businesses has any relevance to an NHS programme that's been years in the making?

So are you opting out? I'm not because as I've said, several times now, the known benefits to everyone accessing healthcare far outweigh the potential pitfalls for the individual. It's a common enough equation applied throughout every society, every day.

If someone's being exploited by the threat of revealing previous abortions, or STDs contacted from a rape they haven't told a partner about, they're hardly going to advertise it on a public forum or go to the press, are they?

Open a newspaper, switch on the TV or your computer. Plenty of cases of people revealing intimate details of themselves. Plenty of rape victims making anonymised statements. Plenty of court cases where illegally accessed or published data has lead to criminal convictions.

The covid crisis is very important context, it has helped out government put through changes that never would have been allowed in more normal times.

I'd very much rather not opt out as I have an interesting health record that could help others but I will if according to health data experts I trust it's not safe enough and will actively encourage others to do so as well; as opposed to listening to counter-factual statements of how safe our data is in the hands of known bad agents.

Do you not understand how useful it is having the information without announcing it? If I know you have a medical condition (incidently something heavily restricted on application forms as opposed to once we are well into the recruitment process) then if I choose not to interview you you could challenge it on discrimination grounds. Whereas if I dont officially know it then you are just unlucky.

A casual example would be how in some industries you would have a fairly neutral reference since if I got my hands on it you could be in trouble but then have a phone call to say the blokes an idiot.

You have done so repeatedly just above we have "pure speculation without a relevant example."

Andrew Stewart, Chika Mbah and Adele Rennie are all recent cases investigated for misuse of access to medical records. There are also multiple other cases where people have been prosecuted for accessing data.  Arent you NHS and so I would assume have receive yearly data protection training which would cover case studies? I am surprised you arent aware of several.

On a larger level for the willingness to use data in dubious ways. Look up the Mosiac db and Emma's diary with the former using high level medical information. Now you might live in a fantasy world where the same brokers wouldnt love the more detailed information and wouldnt dream of using it but most people dont.

As others have tried explaining to you. If you want the information to be useful and you are allowing the users to query the data directly themselves then it will hard to the point of impossible to anonymise. Just think for a second about the queries you might want to run and then how quickly you can narrow someone down by seeing who appears in several queries. Then a bit of cross referencing against other datas and you would be all good.

I wrote up thread that the BMA had issued no warnings over data security concerns with regards to this program. You wrote "You ignore warnings from the organisations you say didn't make them (an example BMA link from last Sept below)." and then provided a link that doesn't mention this program at all.

Did you think I wouldn't read the link? Perhaps an apology for the blatant misrepresentation?

A quotation shorn of context doesn't show anything. I note you've edited out the original with context as it doesn't fit with how you're misrepresenting my argument.

Any links? Any details? Or (wild guess) just guff?

Yeah, can't really be arsed looking anything up for you. If you provide an actual link I'll give it a gander.

People have explained how the data could be deanonymised if specific times, dates and geographic locations are included. No detail has been provided to confirm this information will be available. Case made but not proven rather than your repeated insistence that it's obviously easy to access confidential data.

Edit: Edited to add that you'd also need access to hugely comprehensive mobile phone data to put an individual in said geographic locations, at said times, at said dates, on multiple occasions in order to extrapolate who's who. Rather a big ask if, to use one of your examples, a firm is desperate to know if their potential new recruit is having fertility treatment.

You said:

"the only issues raised by the BMA and Royal College of GP’s (both heavily involved in the program) have been over providing sufficient time and information to the general public to ensure informed consent, not data security."

The point I was making is that BMA (and the Royal College) have been headline concerned with wide aspects of the governance, transparency, value for money and practical NHS linkage of these outsourced contracts and the past track records of some companies who won contracts.

Right, so your contention is that cos the BMA have raised concerns over totally unrelated matters this constitutes me, in your words " ignore warnings from the organisations you say didn't make them" when I've only been talking about the data program? 

Totally unsurprised that you'd rather resort to sophistry and bullshit rather than simply apologise and retract.

Safety that we will have good data security (a governance issue) as well as good wider governance,  transparency, value for money future and NHS linkage is only going to be bullshit to the ignorant. You can't just separate the specific data security from the wider concerns and people have explained patiently how the data security is clearly an issue.

You don't. That data is available through other sources. As I have already explained, Facebook, Google, other advertisers, other apps, etc. already have such data. A lot such databases exist and some have had security breaches that make them fair game on the dark web. 
 

Examples: mSpy was used by parents to track their kids' online activity. Unfortunately, it was an unencrypted piece of shit and leaked literally everything, their locations, emails, names, photos etc. Those are tied to them *for life*.

Accuweather was found to be sharing device locations and data with third party advertisers. Oh, and if you had GPS off it was sharing WiFi MAC addresses instead, which are on massive location databases already, even Google was found to be scrubbing those with the street view vans a few years ago.

Foursquare was hacked and leaked everyone's location data.

Uber has been found to be tracking user's locations after the end of their trips. All it would take would be a security flaw to leak that data, if there hasn't been one already.

Snapchat was hacked and leaked people's names, numbers and location data.

Tinder was exploited to triangulate everyone's locations.

Are you starting to get the picture now? These databases are not theoretical.

You're basically saying I'm ignoring home office advice not to travel to Uzbekistan when I've argued no such advice exists. Then you provide a link to home office advising against travel to Afghanistan and saying "there you go, you're a liar"

Ah well I cant be arsed trying to educate an idiot anymore. The sad thing is if you actually gave a toss about using the records as a research resource you would actually be arguing for maximum security and restrictions since without those people will inevitably opt out and undermine it.

Maybe TomInEdinburgh or Wintertree will continue to waste their time on you but anyone who somehow confuses the need for phone records to link into medical records isnt going to worth any time.

Fair enough. So you're saying an employer would have to access data from a variety of sources to enable them to track their potential recruit's exact location over a sizeable timeframe (say three years?) in order to cross reference them with an anonymised medical data base of 56 million people which you'd then have to deanonymise. Oh, and you're also assuming, without evidence, that times, dates and locations will be included in the database.

Thanks for pointing that out. How many databases would need to be hacked, compiled and cross referenced to provide a three year window on the lives of 56 million people? Are you starting to get the picture of why I'm unconcerned yet? It's not that it's impossible, it's that it's highly improbable that some dodgy firm would have the resources and scale to undertake such a task.

How many job roles outside of the secret service do you think would demand such a byzantine level of scrutiny? Worth noting that the security services simply ask for access as part of the recruitment process. Totally legally.

Awww. Have I upset you diddums?