Paperless medical records: where’s the privacy protection?

Today’s announcement from the Health Secretary that all patient medical records will be held in electronic form by 2018 has grabbed some headlines, but the underlying privacy risks seem to have been given short shrift.

“Paperless records” is a nice soundbite, but the change creates significant privacy risks. The Department of Health needs to be absolutely clear about who will hold our medical records and who can access them, and to reassure patients that their privacy will not be destroyed in another NHS IT blunder.

Detail on how patients will give their consent, who will have access and what rights patients will have after sharing is sparse. As we have previously highlighted, barely any NHS systems have the ability to give patients the option of seeing who has looked at their medical records. Without this audit trail, abuse is often very difficult to spot.

We’ve previously highlighted how patient confidentiality has been breached five times every week in recent years, but these figures are the tip of the iceberg. More than 100 staff were dismissed in three years for data protection breaches. The Information Commissioner has previously warned of ‘systemic’ problems in the health services’ management of patient data.

The timetable announced today aims for hospitals to have “digital records that are capable of being shared” for all their patients from 2014. From 2015, NHS referrals will be “fully paperless” and the “ambition” is for the entire health service to “go paperless” by 2018. This would include joining up health and social care systems, with private companies potentially given access.

Speaking to Policy Exchange this evening, Jeremy Hunt will say “We need to make sure there are proper protections in place and proper patient consent is given so that patients know how their data will be used.”

However, as Prof. Ross Anderson of the University of Cambridge points out on his blog, this seems largely impossible given GPs will be forced to upload data to a new system called GPES if they want to get paid.

Conservative policy on this issue was clear at the last election: “We will put patients in charge of their own health records, with the ability to choose which providers they share them with.” From the detail we know, it seems ‘control’ is something patients will not be able to exercise in practice.

There is a real risk that if patients aren’t assured that this scheme is fully secure then people will stop sharing information with their doctor and that could be extremely dangerous for care.


  1. John M
    16th January 2013

    About two or three years ago I wrote a letter to my GP expressly forbidding my medical records from being added to the NHS “data spine” project due to the concerns I have about privacy.

    Does anyone know if what the Government is now proposing is even legal in situations like this? If my data goes onto the wider NHS against my express consent would I be entitled to sue?

    • George Speller
      17th January 2013

      I did the same. It took two and a half years to get a response.

    • anon
      17th January 2013

      The Information Commissioner’s Office should be able to advise. The problem is that they might agree that it is against the DPA but will the government just have the DPA changed to suit what they want to do in the NHS?

  2. it's my data not yours
    16th January 2013

    I too opted out of having a SCR and refused consent for my medical records to be added to the spine or shared without my consent – they don’t get it though because the ‘confidential’ form that I gave to my GP was later sent to a third party (totally breaching data protection) to show someone in another part of the country that I had opted out of other things in the NHS – I kid you not. This form contained the personal data that I was refusing consent for the other department to process. So I am totally against paperless records because quite frankly the majority of people I have spoken to in the NHS do not adequately understand their obligations concerning personal and sensitive data. Even those who should know better can’t be trusted to know what is going on. Honestly it is a farce and one that I do not want to play a part in.

    Patients are not informed of everything they can opt out of with regard to their data being processed – just because we want medical care does not mean we have to let our data be used for research or other purposes. But we need to be told how our data will be used and abused – we are not. We have to dig very deep to find this out for ourselves.

  3. Links 17/1/2013: Kite HD Debut, Open Access Debate Continues | Techrights
    17th January 2013

    […] Paperless medical records : where’s the privacy protection? […]

  4. Sam Duncan
    17th January 2013

    “the majority of people I have spoken to in the NHS do not adequately understand their obligations concerning personal and sensitive data. Even those who should know better can’t be trusted to know what is going on.”

    That’s the problem. Hardly anyone is properly educated about data security – even with the existing paper records – and that seems to include the people who’ve designed this thing.

    You can have a secure database, or you can have a database accessible to tens of thousands of people. You can’t have both. It doesn’t matter what security measures you use, every user you add increases the risk.

    Which isn’t to say we couldn’t have secure digital medical records (assuming medical staff with a clue about confidentiality). What we can’t have is a single secure national database of medical records, accessible by right to every Tom, Dick, and Harry who “needs” to see it.

  5. Techno
    20th January 2013

    “This would include joining up health and social care systems, with private companies potentially given access.”

    As a software developer who works on medical record software I can assure you that the software used by GPs is all provided by a handful of private companies. It has been this way since the late 1980s.

    For many GPs’ surgeries you can actually tell which company it is by looking at their website and trying to order a repeat prescription or book an appointment.

    • Techno
      20th January 2013

      Just thought I would add that if you want to do some research in this area then you need to start here:


      This will tell you the names of the private companies that can supply software to GPs paid for by the NHS.