28 October 2013

A Letter to Our Doctor - 3 weeks left to protect your privacy

This is the text of a letter that we wrote today to send to our Doctor. Three weeks on from our story about this privacy breach from a supposedly "liberal" coalition government, I know many people who are opting out. You can too.

28th October 2013

Dear Doctor,

We are writing to give notice that we refuse consent for our identifiable information (and any information relating to our two children) to be transferred from your practice systems for any purpose other than our medical care.

As you are probably aware, on the direction of NHS England you can now be required to transfer patient-identifiable data from the electronic medical records that you hold to the Health and Social Care Information Centre (HSCIC), via the General Practice Extraction Service (GPES) or other means. This is to be done without seeking our explicit consent and for purposes other than our medical care.

There are substantial concerns about the privacy and confidentiality of any information transferred to HSCIC, not least because NHS England has been given legal exemptions to pass identifiable data gathered by HSCIC between itself and a range of regional processing centres, local area teams and commissioning bodies that came into force on April 1st 2013. We are also disturbed to note that HSCIC provides access to patient data, some in identifiable form, to a range of ‘customers’ including private companies.

We do not believe that these widely distributed systems with so many potential users and such a wide range of uses, some as yet undefined, can be regarded as secure. And no guarantees can be given as to the future re-identification of pseudonymised or de-identified data; indeed HSCIC admits this is a risk.

We cannot know what specific information our medical records might come to hold but we regard the entirety of our medical records, existing and future, as private and personal.

Please take whatever steps necessary to ensure our confidential personal information is not uploaded and record our dissent by whatever means possible.

This includes adding the ‘Dissent from secondary use of GP patient identifiable data’ code (Read v2: 9Nu0 or CTV3: XaZ89) to our records as well as the ‘Dissent from disclosure of personal confidential data by Health and Social Care Information Centre’ code (Read v2: 9Nu4 or CTV3: XaaVL).

We are aware of the implications of this request; we understand that it will not affect the care we receive, and we would notify you should we change our mind.

We recognise the need for health care providers to be paid for services provided to us. We believe the limited information required for such purposes can be wholly anonymised by the provider, before it is released to the relevant commissioning authority. Please ensure that any of my information used for these purposes is treated in this way, and that any other providers are made aware of this mandate, e.g. by forwarding a copy of this letter along with my information when it is passed to them.

Further information for GPs can be found on the BMA website at:

http://bma.org.uk/practical-support-at-work/ethics/confidentiality-and-health-records/care-data

Yours sincerely,


1 comment:

Cat Taylor said...

I worked in Central Government for about ten years on info sharing between Govt Depts. It made sense then. Now it seems to be an enabler to sell personal data into the market place. Your health data will go to Atos. Where will it go from there? If you opt out, get a receipt from your GP. I've drafted one if only to raise awareness amongst health centre staff.

RECEIPT AND DECLARATION BY DATA CONTROLLER

Patient: .................................................................. NHS No. .....................................
As your General Practitioner and *Data Controller in respect of data about you recorded and held within our practice systems, I acknowledge receipt of the “dissent from secondary use of patient identifiable data” form completed and signed by you on ................................
I will now take the steps necessary to prevent your personal data or data about you from being disclosed to third parties.
As *Data Controller I understand that should any of your personal data or data about you be disclosed by me or any other person(s) from this practice to any third party against your expressed wishes (except as provided for in law), I and others within this practice may be liable, personally, jointly or severally, to criminal prosecution under the Data Protection Act 1998 and/or any other enactments as well as to civil proceedings.
DECLARATION
I confirm that I am the *Data Controller within the meaning of the Data Protection Act 1998.

Full Name .............................................................................................(Data Controller)

Signed ...........................................................................................

Date ....................................................

Should the Data Controller refuse to sign this receipt and declaration in its entirety it will be assumed that he/she is unwilling to give any undertaking whatsoever in relation to the handling of my personal data within the law. Any such refusal will be reported to the Information Commissioner.

*Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. (Data Protection Act 1998)
Please retain a copy of this document for your records.