Better Information (is Better Services)…is leaked Information?

The Mad March Hares will soon be out, and the first March deadline has passed for you to opt out of passing your information on to GCHQ… sorry, I meant NHS and Social Care Information Centre (HSCIC). GCHQ no doubt have this information already :-)

The news said this was going to be delayed whilst the public was consulted but.

There apparently has already been leaked data. Hospital Episode Statistics (HES) — the pseudonymised data collected about patients when they visit hospital, which includes patient age, gender, ethnicity, diagnoses, operations, time waited etc — were made available publicly in an online tool created by a mapping company.

Wired said

“These breaches fly in the face of HSCIC’s own guidelines about how patient data should be treated. These include five “rules”, such as “confidential information about service users or patients should be treated confidentially and respectfully”. You can read the rest here.

In an attempt to reassure us, the NHS says that there will be “strict controls” on how it releases patient information under Organisations will only be given information for “approved purposes for the benefit of health and social care and there must be a contract in place”. But a contract means sweet FA if someone accidentally uploads the dataset to the public web, as has already happened.

It doesn’t matter how safe data stored at HSCIC is if it’s going to be treated so casually by partners approved to access it”.

Who would have thought this could happen? 

Anyway, to reassure you, here is a piece from the NHS blog site:

“As we’ve been doing for decades with hospital data, information from GP practices and other care settings will only be extracted as a series of codes, not as words and sentences. These codes will then be linked with a patient’s hospital codes using an automated system before being made available in three different data formats (see below). Each format is protected by a different suite of privacy safeguards as specified by the Information Commissioner’s code of practice on anonymisation. For simplicity, I refer to these formats as green, amber and red data, although their technical names are “anonymous or aggregated data”, “pseudonymised data”, and “personal confidential data”, respectively.

Green, Amber, and Red data

Green data are where we will publish the average values for large groups of patients or completely anonymous figures. For example, we might compare Ashford versus Bury in terms of the average time between presenting to a GP with bowel symptoms and having an operation for colon cancer. Green data are published free of charge for all to see. So before publishing green data, we take extra care not to publish information about rare conditions or any combinations of characteristics that might identify individuals from the data.
Amber data are where we remove each patient’s identifiers (their date of birth, postcode, and so on) and replace them with a meaningless pseudonym that bears no relationship to their “real world” identity. Amber data are essential for tracking how individuals interact with the different parts of the NHS and social care over time. For example, using amber data we can see how the NHS cares for cohorts of patients who are admitted repeatedly to hospital but who seldom visit their GP. In theory, a determined analyst could attempt to re-identify individuals within amber data by linking them to other data sets. For this reason, we never publish amber data. Instead, amber data are only made available under a legal contract to approved analysts for approved purposes. The contract stipulates how the data must be stored and protected, and how the data must be destroyed afterwards. Any attempt to re-identify an individual is strictly prohibited and there is a range of criminal and civil penalties for any infringements.
Over the years, many of the most innovative uses of amber hospital data have come from outside organisations, including universities, think-tanks and data analytics companies. We think it would be irresponsible not to make the maximum use of amber data for the benefit of patients. In future, we want charities and small academic units to be able to use amber data for the benefit of patients. Likewise, we think it would be wrong to exclude private companies simply on ideological grounds; instead, the test should be how the company wants to use the data to improve NHS care. 
Finally, in a few exceptional circumstances the HSCIC will make red data available where legally required to do so, for example in a public health emergency such as an epidemic. In the future, red data may also be made available to an organisation that has obtained the patient’s explicit consent or has been granted legal approval by the Secretary of State for Health or the Health Research Authority following independent advice from the Confidentiality Advisory Group (CAG).
CAG considers each application in great detail against the legal framework and recommends whether approval should be provided together with any conditions. Applicants for red data would need to demonstrate (i) that the research was in the public interest and for the benefit of the health service; and (ii) that it is not possible to use information that does not identify patients; and (iii) it is not possible to ask patients for their permission.

Patients have a choice

We want to make the most of the information that the NHS already collects. By drawing it together from all parts of the health service, not just hospitals, we will better be able to understand the causes of ill health, learn how to treat patients more efficiently, and find out what happens to patients after they leave hospital.
However, we are giving people a choice. If a patient is happy for their information to be used for these purposes then they do not need to do anything: there are no forms to complete and there is nothing to sign. But if they have any concerns, they can talk to their GP or contact the dedicated patient information line on 0300 456 3531.”

And finally a bit from the Media again

“As well as using the data to improve health services, HSCIC has the power to grant third parties access to the data it collects for certain purposes and under certain circumstances, including for medical research.
However, earlier this month NHS England announced that the programme, which was due to start in April, would be postponed by six months after admitting that it had failed to explain sufficiently how patients’ data would be used and how individuals could exercise a right to opt out.
To address concerns, new laws will be outlined to prohibit the HSCIC from disclosing data from the database for commercial purposes. Last week it emerged that some patient data previously collected by hospitals had been shared with insurance industry body the Institute and Faculty of Actuaries.”

So is this a welcome knee-jerk reaction to not thinking the process through…

Maybe this is a bit like the idea for repurposing drugs in the NHS… How can this be done?

Have they thought the process through as to how you actually get drugs to the people and keep them going, after they have spent millions doing trials? There are lots of costs in getting drugs approved.

On the plus side, Pharma get to see how to do trials to get drugs licensed, and they can rest assured that investigator-led studies go nowhere fast.


  • The news that 13 years of patient data from hospitals (47 million patients) had been sold (for around £2500) to a commercial organisation, The Institute and Faculty of Actuaries, to enable them to provide guidance to insurance companies about setting prices for critical illness cover blows any thought in my mind about contributing my GP records to this. I would still take part in research and am donating my brain and spinal cord to the MS Tissue Bank but I don't trust either data security or the supposed restrictions on who can do what with my medical records

  • Good luck to anyone trying to use my medical records. I take my own medical history to hospitals now because theirs are incorrect. A lot of the time the doctors don't read the official documents and when they do they misinterpret them.

    • I went to the hospital today and was asked for a copy of my medical history. I rest my case.
      I'm Anon 7:25

  • The Institute and Faculty of Actuaries (IFoA) is an independent, royal chartered, not for profit professional body. It is not a commercial organisation. The research produced by the IFoA did not include recommendations on how to set critical illness insurance pricing.

By MouseDoctor
