24 November 2006
The government cannot guarantee that sensitive patient data will be protected once it is e-mailed out of the UK, the director general of NHS IT has told Public Finance.
Richard Granger's comments follow controversy over plans to digitise patient records, which critics fear will jeopardise individual privacy.
Granger told PF he understood the issues were 'complex', but said there was a risk of the debate over the costs and benefits of the system being dominated by 'the well speaking for the ill'.
The debate had so far centred on who in the UK might potentially have access to patient records, Granger said, but an as yet unexplored issue was what happened once information left UK shores.
Progress on digitised scans meant that several NHS trusts went 'film-less' each week. That meant that patients and clinicians wanting to send images abroad for expert opinions would now be able to do so via the internet. But there was currently no international law regulating how that data should then be treated.
'You have a situation where the clinical professionals share information globally through journals and the internet, but the rules regulating how data is protected are based on individual jurisdictions,' he said.
'While there used to be physical barriers to information being looked at by someone in a different jurisdiction, now it can be anywhere in the world in seconds. At the moment we don't have suitable data protection regulations for handling identifiable [personal] data offshore. This is something the NHS is going to have to deal with over the next decade.'
Rosemary Jay, a data protection lawyer with Pinsent Masons, told PF that European Union law ensured that patient data transferred from the UK to elsewhere in the EU was still protected. But the matter was more complicated if data were sent to the United States, where many leading clinical specialists are based.
'If data is sent outside the EU, the person sending it is legally obliged to ensure a contract is in place that affords equivalent protections, and that its future use is laid out and understood by the individual to whom it relates. No NHS professional should be sending information off without having that in place,' said Jay.
'But if the Department of Health envisages this happening, you'd expect them to take a lead in developing a protocol, rather than leaving it to the responsibility of individual GPs,' she added.
Jay said the procedures would be complicated but not insurmountable. In the US, for example, there were several professional codes of practice that could be applied.
At a recent international conference, hosted by the UK Office of the Information Commissioner, 58 data protection and privacy commissioners signed a communiqué calling for an international convention and 'other global instruments' to protect privacy and enforce data protection.
'Problems that can only be dealt with effectively at [an] international level – either in general or in specific sectors – should be addressed in this way with appropriate means,' the communiqué said.
PFnov2006
