Gut feeling

In spite of our previous post about the NHS, this blog is concerned primarily with data in general, and the impact of technology on personal information in particular.

So, at the risk of appearing to stray off topic, we’ll start today with Gordon Brown’s plan to liberalise the UK’s rules on organ donation. The prime minister wants everyone in the UK to be automatically included in the organ donor register under a system of “presumed consent”. Anyone who objects to having their kidneys re-used after their death would have to opt out of the system.

The thorny issue of organ donation provokes visceral (sorry) reactions in most, if not all, of the population: some see it as inherently selfish not to let others use your lights after you’re dead; others see it as yet another example of the creeping nanny state robbing citizens of jurisdiction over their own bodies.

There are, of course, powerful arguments both for and against presumed consent, and it’s beyond the remit of this blog either to defend or denounce Gordon’s plan.

But the principle of consent, and specifically the opt-in / opt-out debate, sits at the very heart of the continuing debate about the protection of our personal data, especially on the web.

Should services that use our personal data be opt-in or opt-out? Most people would instantly and decisively declare that any Internet service which collects, processes, uses or stores our personal data should naturally be opt-in.

We strongly disagree.

Regular readers will know that this blog tries to champion people’s right to privacy, whether online of offline, so there might be some who are surprised that we feel so strongly against the opt-in model. After all, shouldn’t we have to give our express permission, based on thorough information, before allowing others access to our private lives?

Ah, but indeed; and therein lies the problem.

Every time we tick the checkbox accepting terms and conditions – be it for a website, a new online service, or to set up an email account – we are giving our consent to everything in the small print.

When was the last time you read through a website’s Ts&Cs? In fact, have you ever done so? Do you know what you consented to when you signed up to watch YouTube or set up a Google Mail account? No, but you checked the box without thinking, just because you were impatient to get on with it.

And that’s where the danger of opt-in lies. Irresponsible sites – unlike YouTube and Google Mail – can use the opt-in mechanism to obtain people’s explicit consent for any number of nefarious activities by slipping new services into their terms and conditions, knowing that the vast majority of people will blithely tick the box without reading them.

Much better, then, to obtained people’s informed consent before they sign up – let them know exactly what they’re consenting to by having an unavoidable notice, explaining any changes to service, on the log-in page.

No reasonable person can argue that it should be easy as possible for people to see what they’re signing up to; yet most campaigners on this issue seem still to be in thrall to the sanctity of opt-in, which makes it so easy for people to bury nasty surprises in the Ts&Cs.

This visibility, this informing of stakeholders, is what’s lacking from the prime minister’s plans for presumed consent. While presumed consent is fair to the educated, literate and informed, it ignores the much greater majority of people who are not au courant and thus are in no position to give informed consent to organ donation.

Two cheers for the NHS

Of all the categories of sensitive data, it is information about our health and our medical histories that is perhaps the most personal and private.

For example, you wouldn’t want a stranger – or worse, a colleague – knowing that you’re being prescribed Anusol Ultra for your chalfonts, would you? Nor would you want your boss to know about the methadone prescription, or your mother to know about your latest suicide attempt. Unless, of course, it was a cry for help.

But even if it contains nothing as dramatic as an overdose, we tend to guard our medical history very jealously.

So it may come as a shock to learn that not only has the NHS amassed a central database of around one billion confidential records of patient visits to hospital, it is routinely sending some of these records to an academic organisation outside the NHS. These records contain personally identifiable information, such as postcodes and NHS numbers, as well as medical information, including diagnoses and any treatment given.

Now, a certain breed of querulous privacy advocate will start whining the moment they hear the words “giant database” in conjunction with “confidential data”. Not so data grub: we understand that there are often the very best reasons for aggregating personal data, as long as stringent measures are in place to ensure absolute confidentiality.

In this case, the aim is to use this vast resource of information to improve the NHS’s service and treatment outcomes, which I think we can agree is a Good Thing.

The other good news is that both the NHS and the academic organisation that uses this data, the inanely-titled Dr Foster Unit, seem to have taken decent precautions to protect patients. All data is held on encrypted discs and is sent by secure courier, which is a pretty good start. Then, at the Dr Foster Unit, the data is kept in secure offices, on disc-less workstations which have no link to the Internet.

While this compares pretty favourably with the cavalier approach towards data security shown by other public sector bodies, among them the Ministry of Justice, the MoD and the Department for Work and Pensions, it’s certainly far from perfect.

Our main gripe is that personally identifiable information (PII) is contained within the data that’s being sent out of the NHS. While PII such as postcodes may be vital for making distinctions between different areas of a town or the country, surely the NHS should secure people’s informed consent if they are to use their data in this way?

So, two cheers for the NHS and the Dr Foster Unit for at least trying to apply best practice to the use of sensitive data. But, as we asked at the beginning, why should anyone other than one’s doctor be able to look at your confidential medical history, even if it’s just some academic at Imperial College?

Now, if they anonymised this PII irreversibly, ensuring that records cannot be traced to an individual, while at the same time remaining useful to the bean counters (all perfectly possible with today’s technology), well – that would be just what the doctor ordered.