COMMENTARY

Paul Hodgkin

doi:10.3399/bjgp10X532495

There are two circumstances when I might want to share my medical information: to improve my own care or to improve everyone's care through better planned, efficient services.

England's roll out of the Summary Care Record managed to mix these two up with disastrous results: people think they have agreed to a small, unexceptional subset of their data being uploaded to the spine so that should they have a heart attack while on holiday everyone can see that they are diabetic or allergic to penicillin. But buried in the consent are words that allow any other information as agreed by the NHS alone to be uploaded.

The state pressed for this blank cheque because, to plan services, it needs to know my blood pressure, total cholesterol, and smoking status regardless of whether I actually have coronary heart disease. In short it needs accurate denominators as well accurate numerators. ‘Pseudo-anonymisation’ is supposed to hide my personal identity in this process but is being increasingly questioned. As people come to understand that the NHS spine potentially knows about their divorce, alcohol status, stress incontinence, erectle dysfunction, or depression they will begin to object. As more and more opt out and refuse to share their data, denominator accuracy will degrade and its usefulness will decline.

Supposing we settled for just that first, sensible, limited subset of data — could we make that secure? For this we need to:

Give up the dream that we can improve everyone's heath by sharing everyone's data using pseudo-anonymisation.
Agree a small set of data that will clearly improve everyone's individual care if shared between clinicians. And that does as little violence to the person as possible if it does happen to become more widely known.
Tighten up the legal and technical regimes to make sure that this limited sharing is widely understood and cannot be lawfully or technically exceeded without significant pain.
Allow people to easily opt out of even this limited sharing if they wish.
Proceed on the basis that patients are the owners (although not the authors) of their own records and routinely make sure they can see and comment on what we write.

Confidentiality is both essential and defensible. So is sharing of limited, agreed subsets of key data. Legal and technical regimes are essential in balancing these conflicting goods. No matter that from time to time these regimes will be breached just as they always have been. When such breakdowns do occur then having our patients own their own records will form a final, 21st century bulwark around mutual trust because they will have taken as much responsibility for the record as us. And along the way patient ownership of the digital record is likely to lead to better, more useful records.