Here is a copy of what I sent to Quarry House. Executive summary:
* Caldicott guardians should be elected by all affected clinicians
* Open scrutiny of the specification of NHS central systems
* Tracing service poses unacceptable risks to life and health
Ross
Ms Raj Kaur
CA-QC(CI), NHS Executive, Room 3E58
Quarry House, Leeds LS2 7UE
Fax: 0113 2546114
Dear Ms Kaur
I am responding to your consultation exercise on the Caldicott
Guardians and the NHS Strategic Tracing Service. I am the Chairman of
the Foundation for Information Policy Research and an advisor to the
BMA on the safety and privacy of clinical information systems;
however, owing to the shortness of the time period allowed for
consultation I am making this response on my own behalf, as a
concerned expert and also as an occasional patient of the NHS.
The Roles and Responsibilities of Caldicott Guardians.
The fundamental tension identified by the Caldicott committee (section
4.4) is that while individual clinicians are responsible for patient
confidentiality, the systems which pose the most significant added
risk to this confidentiality are specified by the NHS Executive.
Caldicott asked whether a body such as CRIR could tackle this problem
by providing a forum in which system design aspects could be hammered
out. It is deeply disappointing that no action appears to have been
taken in this regard.
I would strongly recommend that a body be established to provide
independent assessment and approval of the specification of NHS
systems which handle identifiable patient information outside the
context of immediate patient care. This body should not be a cosy
committee of a few medics and civil servants; it should have a
membership drawn from all the clinical professions, and
representatives from patients' groups, the Data Protection Registrar,
and charitable bodies such as the King's Fund and the Foundation for
Information Policy Research. Its meetings and its proceedings should
be public. Only in this way, I believe, can confidence in the safety
and privacy of clinical information systems be restored and
maintained.
It is now proposed that special responsibility for the confidentiality
of electronic personal health information be assumed by senior
clinicians within provider organisations. However, this does not
resolve the conflict; it merely transfers it to the Guardians who are
thereby placed in an invidious position.
It is pointless for the Guardians' appointment to be in the gift of
hospital trust chief executives; they will simply be seen as creatures
of authority. As breaches of patient confidentiality may cost the
livelihood of the doctors, nurses and other clinical professionals who
work at a provider organisation (as well as subjecting them to the
risk of litigation and physical assault) it would be much more
appropriate for the Guardians to be elected by a secret ballot of all
clinicians contributing personal health information to the computer
system or systems over which the Guardian will have control.
Access Controls for the NHS Strategic Tracing Service.
I have a narrow objection to the tracing service, and a broad one.
The narrow objection is the service would appear to compel a number of
clinical staff to commit criminal offences. For example, section 33 of
the Human Fertilisation & Embryology Act prohibits staff at a licensed
clinic to pass on any information that could indicate that an
identifiable individual was born as a result of certain types of
fertility treatment; making the fact of the mother's registration with
the clinic visible throughout the NHS will do just that. I understand
that there will be similar problems with STD and psychiatric clinics.
The broader objection is that the tracing service will be routinely
used by so many people that it will not be possible to prevent abuse.
The experience of large databases to which many people have access
(e.g. criminal records, vehicle registrations, bank statements) is
that access to them is corruptly sold by insiders, and this is
extremely hard to prevent. Even where Caldicott-style controls were
attempted (e.g. making all a police station's criminal record
enquiries go through the custody sergeant) it did not work (so many
people called the sergeant on the phone or the radio for an enquiry
that proper records could not be kept).
It is unreasonable to expect a better outcome for the tracing service
than has been the case in banking, the police and motor vehicle
registration, as computer security awareness and discipline is very
much poorer in the NHS than in these organisations.
Furthermore, the NHS Tracing Service database will be the only
database of all adults and children in the UK - the NI database is
incomplete as it does not include children and many addresses are out
of date; the DVLA ditto and omits both non-drivers and recent
immigrants; the electoral register is similar but doesn't even have
the data subject's date of birth. So other government departments will
ask for and get access - the obvious ones being the police, customs,
MI5, the immigration and naturalisation service, the social security
fraud squad and the child support agency. The number of people with
lawful access will snowball.
The tracing service will also be invaluable to debt collectors,
solicitors and anybody else who needs to trace people (from the IRA
and the Mafia to foreign intelligence services). So there will be a
huge incentive for private eyes to bribe NHS staff and get access, as
they already do with existing police, motor vehicle and banking
databases. There are significant implications for national security,
for the prevention of crime, and for personal privacy.
If the NHS Tracing Service is taken online as planned, I expect that
it will facilitate one or two murders a year, and several hundred
cases of serious assault and stalking, due to people abusing it for
personal purposes. I also expect that in the (hopefully unlikely)
event of a resumption of hostilities in Northern Ireland, the IRA
would use it to locate military and intelligence personnel, ministers
and senior civil servants, in order to murder them.
I also expect that once the public understands this, a lot of people
will either give false names or false dates of birth; others will
simply avoid seeking treatment. These will include not just the
`undeserving' such as delinquent dads and fly-by-night company
directors, but `deserving' cases such as battered women and people on
witness protection programmes, and `borderline' cases such as sex
offenders with psychiatric problems. In public health terms, of
course, the distinction between deserving and undeserving goes away
(you don't want your daughter to catch TB from an illegal immigrant
who was too scared to see a doctor). The costs to the NHS, and to
public health in general, bear careful consideration.
If the government wants Britain to have a central population register
then there should be a proper public debate. This would likely result
in its not being built; if it were, it would quite likely be somewhere
like the Passport Office and under much tighter control than currently
proposed.
In short, I consider that the proposed tracing service will do an
unacceptable level of harm not just to national security, the
prevention of crime, and the liberty of the citizen, but also to
public health. I understand that it is essential to the NHS's IM&T
strategy as currently constituted. The only possible conclusion is
that the relevant parts of the strategy will need to be rewritten.
Yours Sincerely,
Ross Anderson