Are your medical records safe in NHS hands? (Image: Photofusion/REX)

Plans to transfer the medical records of everyone in England from their family doctor to a central database, to be accessed by the National Health Service and approved researchers, have been put on hold for six months after medical organisations and privacy advocates warned that patients had not been properly informed.

In a leaflet distributed nationwide last month, the NHS assured patients that their records will be anonymised. But privacy researchers say there is a strong possibility that individuals could be identified by their medical history.

You might think deleting personal details would be enough to secure your anonymity. That is essentially the approach taken by the Health and Social Care Information Centre (HSCIC), which is managing the new database, care.data, for NHS England: your date of birth, full postcode, NHS number and gender will be mapped to a pseudonymous code, and only this code accompanies your medical records on the database.

Decades of privacy research show this won't necessarily protect your identity, however. "If you link together the episodes of care affecting an individual patient, then in very many cases that is identifiable," says Ross Anderson of the University of Cambridge. For example, if you know that a celebrity has a certain medical condition, or was in an accident and received treatment on a particular day, it should be possible to pick out the one pseudonymous code whose episodes match, and with it their complete medical record, because few other people are likely to share that particular history.

Database managers can instead use techniques that selectively coarsen or remove information while leaving the data useful for researchers, and the protection this gives can be quantified. A table is called k-anonymous if, on the attributes an outsider could use to look someone up, such as date of birth, postcode and sex (the so-called quasi-identifiers), every record is indistinguishable from at least k-1 others. An HSCIC spokesperson told New Scientist that any publicly available data will be k-anonymised, but because care.data access is only available to organisations that sign a security contract, similar measures won't be applied to the full database.
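To make the two ideas above concrete, here is an added example, not code from the article, from HSCIC or from any of the researchers quoted. It builds a small constructed set of pseudonymised care episodes in the shape the article describes (direct identifiers replaced by a code), runs the linkage attack Anderson describes using outside knowledge about one patient, and measures k-anonymity over the demographic quasi-identifiers before and after generalising them. It also illustrates the later point about an organisation cross-referencing the data with records of its own. The patient codes, dates, postcodes and conditions are all made up; the quasi-identifier set QUASI and the generalisation rules are assumptions chosen for the example.

```python
"""Linkage attack versus k-anonymity on constructed pseudonymised care episodes."""

# Constructed sample data (not real patients). Each row is one care episode;
# the name and NHS number have already been replaced by a pseudonymous code,
# so the same code ties together every episode of one patient.
RECORDS = [
    {"code": "P001", "dob": "1971-03-14", "postcode": "CB2 1TN", "sex": "F", "date": "2014-01-05", "condition": "fractured wrist"},
    {"code": "P001", "dob": "1971-03-14", "postcode": "CB2 1TN", "sex": "F", "date": "2013-11-20", "condition": "hypertension"},
    {"code": "P002", "dob": "1971-08-02", "postcode": "CB2 3QZ", "sex": "M", "date": "2014-01-05", "condition": "asthma review"},
    {"code": "P003", "dob": "1971-05-30", "postcode": "CB2 8PH", "sex": "F", "date": "2014-01-22", "condition": "fractured wrist"},
    {"code": "P004", "dob": "1971-12-09", "postcode": "CB2 1TN", "sex": "M", "date": "2014-01-17", "condition": "fractured wrist"},
    {"code": "P005", "dob": "1971-01-22", "postcode": "CB2 0AB", "sex": "F", "date": "2014-02-11", "condition": "hypertension"},
    {"code": "P006", "dob": "1971-09-30", "postcode": "CB2 5XY", "sex": "M", "date": "2014-01-05", "condition": "fractured wrist"},
]

# Assumed quasi-identifiers: attributes an outsider could plausibly know.
QUASI = ("dob", "postcode", "sex")


def link(records, known):
    """Linkage attack: return the codes of every record consistent with what
    the attacker already knows (a dict of attribute -> value)."""
    return {r["code"] for r in records if all(r.get(k) == v for k, v in known.items())}


def history(records, code):
    """Once a code is singled out, the whole pseudonymised history falls with it."""
    return sorted((r["date"], r["condition"]) for r in records if r["code"] == code)


def k_anonymity(records, quasi):
    """Smallest number of distinct patients sharing one quasi-identifier tuple.
    A value of 1 means at least one patient is unique on those attributes."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(r[q] for q in quasi), set()).add(r["code"])
    return min(len(codes) for codes in groups.values())


def generalise(record):
    """Coarsen the identifying fields: birth date -> year, postcode -> outward
    code (district), episode date -> month. Assumed rules for the example."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["postcode"] = record["postcode"].split()[0]
    g["date"] = record["date"][:7]
    return g


def generalised_records(records):
    return [generalise(r) for r in records]


if __name__ == "__main__":
    # Outside knowledge: a woman was treated for a broken wrist on 5 Jan 2014.
    aux = {"date": "2014-01-05", "condition": "fractured wrist"}
    print("date+condition match:", link(RECORDS, aux))                 # {'P001', 'P006'}
    print("adding sex=F:", link(RECORDS, dict(aux, sex="F")))           # {'P001'}
    print("full history exposed:", history(RECORDS, "P001"))

    # Demographic k-anonymity before and after generalisation.
    print("k on raw data:", k_anonymity(RECORDS, QUASI))                # 1
    gen = generalised_records(RECORDS)
    print("k after generalising:", k_anonymity(gen, QUASI))             # 3

    # Even at k=3 on demographics, the episode-level linkage still narrows
    # the candidates to two, because the attacker's knowledge is about care
    # events, not about the quasi-identifiers that were coarsened.
    print("linkage after generalising:",
          link(gen, {"date": "2014-01", "condition": "fractured wrist", "sex": "F"}))  # {'P001', 'P003'}
```

The run shows the asymmetry the article is pointing at: generalising birth dates and postcodes lifts demographic k-anonymity from 1 to 3, yet knowledge of a single care episode still reduces the candidate set to two codes, and the code then unlocks every other episode for that patient. A researcher or company holding its own dated records about people is in exactly the position of the `aux` dictionary here.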

But the NHS approach assumes the system cannot be hacked and that anyone with access is incorruptible. “These measures are by no means sufficient to guarantee privacy,” says Aris Gkoulalas-Divanis, who studies data privacy at IBM Research in Dublin, Ireland, and says the NHS should do more. “If the database leaks out without sufficient anonymisation, this may be catastrophic.”

Anderson agrees that the techniques care.data plans to use will not keep the NHS data secure, because a patient’s entire history is unavoidably linked. “People keep hoping against hope that someone will come up with a magic bullet,” he says. “It is a problem which cannot be solved.”

The leak of classified documents from the US National Security Agency is just one example of what happens when information held behind access controls becomes public. HSCIC could not provide a figure for the number of people expected to have access, but Anderson believes it could be as many as a million. Drug and insurance companies can apply to access the data, and may be able to identify patients by cross-referencing it with the records they already hold. On the other hand, external researchers should be able to use the data to improve public health. "There are a lot of questions that are hard to answer until you have a large number of people," says Simon de Lusignan of the University of Surrey, UK, such as flu surveillance or monitoring the side-effects of immunisations. "It's about designing a good experiment with the correct ethical approval, not who does it."

Ultimately, patients will have to decide for themselves whether the trade-off is worth it, or opt out by writing to their doctor. Even then, some of your data may still be sent to the central database. An HSCIC spokesperson told New Scientist that opting out would mean no data leaves the doctor's practice, which directly contradicts an NHS privacy assessment published last month stating that anonymised data will still be uploaded. With the process now delayed, the NHS has time to clarify just how patients' data will be used.