NHS Under Fire Over Third-Party Handling Of Patient Data

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

NHS data sharing initiatives cause upset again after two third parties take down files that indicate they shared public data in places they shouldn’t have

The NHS has yet again faced criticism for its handling of patient data, after two of its partners were accused of privacy blunders.

Both third parties have claimed they respected the law and people’s privacy in using the data, but they have both removed the related information from the public Internet.

NHS privacy problems

The first case, deemed the most serious, involved PA Consulting. It pushed out a report in which it said it had used Google BigQuery servers to analyse a Hospital Episode Statistics (HES) dataset it had purchased from the Health and Social Care Information Centre (HSCIC).

“The dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is tightly controlled and restricted to the small PA project team,” PA said in a statement.

The HSCIC added: “The NHS IC had written confirmation from PA Consulting prior to the agreement being signed that no Google staff would be able to access the data; access continued to be restricted to the individuals named in the data sharing agreement.”

In the second case, mapping firm Earthware had created a map using data ostensibly taken from HSCIC, making it publicly viewable online – yet it appears the information was not genuine patient data.

Care.data

“The map displayed mock data held by a third party who provided this data to Earthware via a web API,” Earthware said in a statement. “We do not hold nor have we ever held HES data on our servers… No patient identifiable data was ever displayed on the map.

“Earthware are confident that we have not breached any legal or regulatory rules regarding the licencing or publication of HES data.”

Despite the assurances over protection of patients’ identities, the reports will do nothing to assuage those angry at the government’s handling of Care.data, which will see people’s medical information made accessible to research organisations and healthcare professionals. The project has already been delayed after it emerged citizens may not have been properly informed of their rights to opt out.

The Information Commissioner’s Office (ICO) has also come under fire for not responding adequately to concerns over medical data privacy.

Phil Booth, coordinator of medConfidential, warned that 47 million people may have had their hospital history in targeted ads on Twitter and Facebook, as HES data can be used for this purpose. He called on the information commissioner Christopher Graham to reopen a public consultation on health data usage.

“We have an information commissioner struggling with Microsoft Encarta in a Wikipedia world,” Booth said.

“We call on the information commissioner to reopen the consultation, to give the public a chance to comment now people are beginning to get the picture of how their data has been used.”
