You are hereBlogs / dr-no's blog / Database State

Database State

Posted by Dr No on 10 March 2010

database_state.jpgWe have seen in recent times how secure our national databases are. HM Revenue & Customs, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office have all been reprimanded for serious ‘lapses’ that have put at risk the personal data of millions of UK subjects. On a wider scale, The Information Commissioner reported in January that there had been over 400 data breaches by government and the NHS in the past two years. Last month, the national children’s database, which records details of England’s 11 million under 18 year olds, was described as ‘not stable’ – official-speak for yet another security breach. Our national databases, it seems, are about as secure as a paper bag full of water.

Against such a backdrop, one might expect a prudent government to exercise some restraint in expanding its collection of leaky databases. But then our government is nothing if not imprudent; and therefore it comes as no surprise to learn that, in its zeal to establish a centralised national database of NHS patient records for England, it has resorted to stealth to speed up the creation of its so-called Summary Care Record (SCR) database across five NHS ‘early adopter’ regions.

The SCR – initially containing limited information including medication and allergies, but expected in time to expand to full medical records – is intended to provide crucial medical details whenever and wherever they are needed in the NHS. On a lofty note of worthy idealism, Connecting for Health, the body charged with setting up the database, allows patients to opt out of the scheme but – crucially – has adopted a wheeze called the ‘Implied Consent Model’ that assumes consent unless the patient specifically says ‘no’:

Summary Care Records are being uploaded under a model of informed implied consent…Under an informed implied consent model, patients are assumed to be happy to for their records to be created unless they specifically opt out.

Putting aside the subterfuge involved in assumed consent, the key word here is ‘informed’. For ‘implied consent’ to have meaning, patients must know they have a choice. If they remain in the dark, unaware of the scheme, then consent has no meaning – which means they have not consented.

It now appears that, in the breakneck rush to establish the database before the election, lest the Tories win and scrap the £600 million scheme – over one million records have already been created, and a further 8.9 million are imminent – patients have received only scant, virtually meaningless information about the scheme. Those who have considered opting out have faced a battery of bureaucratic hurdles and official scare-mongering – including heavy-handed ‘you have been warned’ hints on the opt out form that their future care may suffer if they do refuse:

“What does it mean if I DO NOT have a summary care record?

Health-care staff treating you may not be aware of your current medications in order to treat you safely and effectively.

Health-care staff treating you may not be made aware of current conditions and/or diagnoses leading to a delay or missed opportunity for correct treatment.

Health-care staff may not be aware of any allergies/adverse reactions to medications and may prescribe or administer a drug/treatment with adverse consequences.”

The nanny state, it seems, is quite happy to adopt bullying tactics when it suits. Patients unsure about whether they wish to allow the records to be uploaded might wish to review the findings of the Joseph Rowntree Reform Trust report ‘Database State’, published last year. The report assessed 46 public sector databases and says among its conclusions:

• A quarter of the public-sector databases reviewed are almost certainly illegal under human rights or data protection law; they should be scrapped or substantially redesigned. More than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge.

• Fewer than 15% of the public databases assessed in [the] report are effective, proportionate and necessary, with a proper legal basis for any privacy intrusions. Even so, some of them still have operational problems.

• Britain is out of line with other developed countries, where records on sensitive matters like healthcare and social services are held locally. In Britain, data is increasingly centralised, and shared between health and social services, the police, schools, local government and the taxman.

• The benefits claimed for data sharing are often illusory. Sharing can harm the vulnerable, not least by leading to discrimination and stigmatisation.

• The UK public sector spends over £16 billion a year on IT. Over £1 00 billion in spending is planned for the next five years, and even the Government cannot provide an accurate figure for cost of its 'Transformational Government' programme. Yet only about 30% of government IT projects succeed.

Of the SCR, the report had this to say:

“There are 29 amber databases including:

The NHS Summary Care Record, which will 'initially' hold information such as allergies and current prescriptions, although some in the Department of Health appear to want to develop it into a full electronic health record that will be available nationally. In Scotland, where the SCR project has been completed, there has already been an abuse case in which celebrities had their records accessed by a doctor who is now facing charges. The Prime Minister's own medical records were reported compromised. There is some doubt about whether patients will be able to opt out effectively from this system, and if they cannot, it will be downgraded to red.”

Amber means that a database has significant problems, and may be unlawful.

Damp paper bag security is, it seems, is only one of a host of problems facing the SCR database. Dr No expects he will opt out.


Interestingly, there was a case recently where a GP was accused by a patient of giving too much confidential information to a specialist on a referral.

MDUS cautioned GP’s on what they should disclose on a referral"letter". One of the points made related to the risks associated with electronic transfer.


When initially being made aware of the Summary Care Records, I thought this a very sensible idea. It would provide readily (and perhaps life saving) information to the medical profession and I would also be able to check my records for incorrect data.

However, across the months and after much research, I find it all quite alarming. Reading this article in the Observer on Sunday and this in Pulse today has certainly got the bells ringing.

I find I live in one of the 'early adopter' regions and have until the end of this month to opt out. I have not received any information in the form of a letter, so have made an appointment with my GP next week in which I will attempt to erase myself from implied consent.

I registered with Healthspace some time last year and have not long logged in for only the second time. It is not a very illuminating site and it does not really appear to give much information about the SCR. I did wonder that if by registering here that I have somehow added implied consent to impliend consent and this is the reason I have been excluded? from receiving any information via the post. I tend to think not as none of my colleagues or anyone else for that matter has mentioned SCR.

Oh Dear!

Nikita - the basic idea behind the SCR may indeed have some merit (although Dr No wonders - despite the scare-mongering - "Health-care staff may not be aware of any allergies/adverse reactions to medications and may prescribe or administer a drug/treatment with adverse consequences” - how much real difference it would make in practice - the SCR wont stop adverse reactions, just provide a belt and braces means to prevent some avoidable ones), but the problem is in the implementation. No IT system can ever be perfect, and breaches will always occur. And the bigger the database, the bigger the potential breach.

Old paper records may on the face of it be easier to breach, but any breach will be limited in scale by the nature of the medium. Even a full van load of notes hijacked and breached would only put a thousand or so at risk. But one 'mislaid' computer disk, one 'mislaid' laptop, could potentially expose millions of records...

Earlier this week I allowed my GP to dissuade me from opting out of the SCR. I now like to think that this was because I was sleep deprived and therefore receptive to any given arguement. His points of view seemed sound.

After much research yesterday, I have changed my mind. I am definitely going to opt out! The reasons being:

1. "At first your SCR will contain health information such as details of allergies, current prescriptions and bad reactions to medicines."

This seems fair enough and the way it is written would lead me to believe that this is all there will be. But of course it is not. It will be a detailed summary of my history from day one. 300,000 people will have a swipecard to enter the system. Despite being led to believe otherwise, I will have limited access to it.

2. "Safeguards that will protect the summary care record from hackers have been designed by security experts. They are far stronger than the safeguards in place anywhere with the NHS today".

This statement makes you worry about other "safeguards" within the NHS, doesn't it? The Appraisal Toolkit is a fine example.

3. "But the situation is more difficult in A&E where the few hospitals to start using the record have found it of little use, according to the report".

"It said that this was ill-matched to the care record, which was a 'historical', relatively static document' and 'seems to make a limited contribution in most acutely sick patients'".

I phoned my GP practice today to ask as it was okay just to drop the 'Opt Out Request' off at the surgery rather than waste my GPs time with another apppointment. The receptionist had no idea what the SCR were, neither did the Practice Manager. The two GPs at the practice at the time had no idea whether the cut off point for opting out was the end of this month.

I phoned the helpline and neither did they. I have made another appointment.

It would appear that there is a lack of information sharing re the inception of the SCR, which after all is all about information sharing. Odd, and worrying.

Nikita - you are right to be very cautious. It is only a matter of time before the leaks start. One day there will be a flood - and thousands if not millions will have their medical records posted online/sold to the highest bidder/whatever.

As you you note, the flagship NHS Appraisal Toolkit has recently been down because of 'security ishoos'. An over-attached apparatchick suffered a nasty loss/grief reaction, poor chap, even if he did go through eye-watering contortions to persuade himself that that the DoH was really doing very well: "we should acknowledge the suspension of the Appraisal Toolkit is a clear sign that the Department of Health is committed to protecting our data to the highest standards"(!) - see here.

Even the SCR itself has started breaching security. Earlier this month opt-out letters were sent out. Unfortunately, some on the receiving end got more than they bargained for: the envelope contained a second letter containing confidential details about another patient - see here.

If they can't even stick the right letters into the right envelopes, then God only knows what errors they'll make once they have millions of electronic records to play with.

I don't know whether you have read the following: but if not, it makes interesting reading.

Nikita - interesting indeed, as in the Chinese way.

The NHS IT loons that Dr No has met have always fitted the geek stereotype he expected - soft, mild-mannered, full of enthusiasm but lacking in focus. Reading around the link you have provided, Dr No found the one time Chief Pongo for NHS IT Richard Granger (the man behind the scheme) said in 2006 that managing NHS IT providers was like running a team of huskies:

“When one of the dogs goes lame, and begins to slow the others down, they are shot,” he said. “They are then chopped up and fed to the other dogs. The survivors work harder, not only because they’ve had a meal, but also because they have seen what will happen should they themselves go lame.”

Is it any wonder, given such management style, that the whole things has turned into such a £12.7 billion , err, dog's dinner?

Alerted by an article in that wonderful rag 'The Daily Mail', I embarked on a bit of googling. I ended up at and todays and (especially) yesterdays entries are well worth a read.

It would appear that Professor Ross Andersons view (see again of "You just can't keep a secret if 300,000 people have access to it" was well founded.

Moving on, I informed my colleagues of the existence of The Summary Care Records - they knew nothing of it! One colleague visited her GP to opt out. Worryingly, he didn't know what she was talking about. This is odd as this weeks Pulse is full of it. Perhaps there is a need for revalidation after all?

Nikita - quite right. Part of the problem with centralising all our medical records on one big computer is the scale of the thing. It's a bit like containers lost at sea (or nuclear fuel 'lost in the system') - even a very small percentage loss turns into alarmingly large absolute numbers (eg for containers: 0.005 to 0.01% containers lost = 2,000 to 10,000 - depending on which estimates you use - containers gone overboard).

Say 300,000 NHS staff with access x 50 million medical is indeed only a matter of time.