NHS patient data 'insecure', says group

A think tank accuses the NHS of allowing thousands of unauthorised requests for patient data to slip through the net each year

An information policy think tank has called for the NHS to improve its safeguards on patient privacy, charging that the current system allows thousands of unauthorised people to gain access to patient information every year.

The Foundation for Information Policy Research (FIPR), a non-profit group, argued that the NHS' patient-data strategy is fundamentally flawed, and is likely to leave personal information increasingly insecure. "Patients entrust some of their most sensitive personal information to their doctors. NHS managers should not be trying to undermine that trust by spreading identifiable patient data around the health service bureaucracy and the civil service," said FIPR chairman Ross Anderson on Wednesday in a statement.

The organisation was responding to NHS plans to create a central electronic patient record consolidating the currently existing databases that record payments for hospital treatment, names, addresses and other medical data, and making the information available to NHS administrators and civil servants.

Last month the NHS announced an injection of £3bn of government cash for IT systems, which would enable it to centralise its data sources. The centralisation is partly an effort to combat fraud, as it will enable investigators to more easily detect patterns across all NHS records.

FIPR argued that such a database is likely to lead to growing abuse, citing an anti-fraud trial in one health authority that exposed 30 unauthorised information requests per week. "This suggests that over 200,000 attempts are made every year to get health information on patients, by investigators who call up pretending to be doctors or administrators. Most of these attempts currently succeed," the group said.

The group called for the NHS to abandon its centralised database plans in favour of more stringent authentication of information requests, a better system of patient consent to sharing of their information, and the removal of patient names from hospital invoices.

Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.

Let the editors know what you think in the Mailroom.