'Anonymous' NHS database could still allow patients to be identified, expert warns

Care.data uploads 'anonymised' patient records and hospital admissions on to a national database that can be accessed for a fee by drug companies, academics and other approved researchers

A controversial plan to transfer the medical records of NHS patients from GP surgeries to a national database has failed to address a major privacy concern that jeopardises patient confidentiality, according to a leading IT security expert.

The plan, known as care.data, involves the uploading of “anonymised” patient records and hospital admissions on to a national database that can be accessed for a fee by drug companies, academics and other approved researchers who will be prevented from seeing the names and full addresses of patients.

The project was supposed to have started a year ago but was postponed for six months following privacy fears and criticisms about the right of NHS patients in England to opt out of the scheme. However, nothing has been done during the postponement period to overcome a major flaw in the protection of patient confidentiality, according to Professor Ross Anderson of Cambridge University, who is a co-author of a report on the project to be published next week.

“On the contrary, the health department is digging itself deeper and deeper into denial. The fact of the matter is, anonymisation doesn’t really work and we computer engineers have known this for 30 odd years,” Professor Anderson said.

He maintains that the process of anonymising data cannot guarantee the confidentiality of personal information because of the power of “big data” to cross-reference personal items from different databases.

“Although you can use anonymisation in some narrow, specific targeted applications, that’s not what we are talking about with big data,” Professor Anderson said.

“What people want to do is not to just get hold of individual hospital episode statistics but to be able to link the episodes affecting the same patient over a period of decades.” That, he argues, makes it quite possible for some patients to be identified, when the information is cross-referenced with other sources. The care.data project, which has the personal blessing of David Cameron, is being run by the Health and Social Care Information Centre which is managing it on behalf of NHS England. The idea is to integrate the nationwide data on NHS patients to improve health care, increase efficiency and discover new drugs and treatments.

NHS England said that at no time will anyone’s names or full addresses or notes of conversations with their GPs be collected. However, dates of birth and postcodes will be used as patient “identifiers”.

Leaflets sent last year to every home in England promised patients that their anonymised personal details will be protected because “pseudonymised” data cannot directly identify an individual. However, a code or “identifier” will enable a patient’s identity to be re-connected to the data by reference to a separate database containing the identifiers and the identifiable data.

Professor Anderson has been a long-standing critic of the care.data scheme.

Comments