Evidence submitted by Dr Peter Gooderham
1. I am writing to submit evidence to this
inquiry in a personal capacity.
2. My locus for submission is as follows.
I qualified in Medicine from Cambridge University in 1988. I completed
GP training in 1994. Thereafter I worked part-time in General
Practice. I subsequently studied Law, graduating LLB (Open) in
2003, and LLM (Wales) in Legal Aspects of Medical Practice in
2004. Currently I am studying for a PhD at Cardiff Law School,
about Clinical Negligence, in combination with teaching law. I
have taught Criminal Law, Tort, and Medicine, Ethics & Law
on the Cardiff LLB course. I have also taught various subjects
of the LLM course, including the topic of Confidentiality and
Access to Medical Records. I am concerned about confidentiality
and have requested that my data should not be placed upon an electronic
database. While I do not claim any special expertise, I am sufficiently
concerned to contribute to this exercise.
3. Medical records are sensitive personal
information, and as such, benefit from legal protection, and also
protection from medical professional ethics. Proposals for use
of electronic databases, particularly a national database, do
not appear to recognise this protection adequately. That is especially
so, given the likely extreme difficulty in protecting confidentiality
with a national database. That itself carries a risk of identity
theft. If opt-outs were only to be confined to certain classes
of citizens, eg prominent individuals, that would be potentially
discriminatory and would need careful definition. The Department
of Health has, it seems, belatedly recognised that patients will
be able to refuse consent for inclusion of their data on a national
electronic database. Private companies taking over NHS activities
stand to benefit from a ready-made, easily accessible database,
although this is not a reason to proceed. Patient-held smart cards
should be considered.
What patient information will be held on the new
local and national electronic record systems, including whether
patients may prevent their personal data being placed on systems
4. As I understand it, it is proposed initially
to hold on a national database a "summary record," including
diagnoses, medication, allergies and adverse reactions. However
it seems likely that it would soon include most clinical information,
including referrals, consultation notes, day-to-day records, requests
for investigations, results of investigations and clinical images.
These are already held on local databases. Transfer onto a national
database gives rise to concern that because there will be many
more users, security will be reduced, and that there will be a
great threat to confidentiality of medical information.
5. It has been argued by the Department
of Health that patients may prevent their personal data being
held if this would cause distress. In fact, s 10 of the Data Protection
Act 1998 provides:
"(1) Subject to subsection (2), an individual
is entitled at any time by notice in writing to a data controller
to require the data controller at the end of such period as is
reasonable in the circumstances to cease, or not to begin, processing,
or processing for a specified purpose or in a specified manner,
any personal data in respect of which he is the data subject,
on the ground that, for specified reasons
(a) the processing of those data or their
processing for that purpose or in that manner is causing or is
likely to cause substantial damage or substantial distress to
him or to another, and
(b) that damage or distress is or would be
6. A breach of confidentiality might be
regarded as "substantial damage" whether or not this
is associated with distress.
7. Subsection (2) of the Act provides:
(2) Subsection (1) does not apply
(a) in a case where any of the conditions
in paragraphs 1 to 4 of Schedule 2 is met, or
(b) in such other cases as may be prescribed
by the [Secretary of State] by order.
8. The relevant provisions from Schedule
"1. The data subject has given his consent
to the processing.
4. The processing is necessary in order to
protect the vital interests of the data subject."
9. So there may be an argument that the
Secretary of State could prevent refusal of data processing by
the subject, or that it is in subjects' "vital interests."
10. One point of interest is whether prominent
individuals, such as Members of Parliament, will be able to prevent
their data being processed on grounds of confidentiality. If such
an exception is to exist, it will seemingly represent an implied
acknowledgment that there is a significant risk of breach of confidentiality.
There is then the issue of who may object and who may not. A distinction
may be discriminatory. Would anyone be able to object on the basis
that they may at some point achieve a position of public prominence?
11. My understanding of the current Department
of Health position, as stated by Harry Cayton, National Director
for Patients & the Public, Department of Health,
is that patients will be allowed to prevent processing of their
data. He stated that this was conceded by the Department of Health
because of the extent of opposition which had built up to the
Electronic Patient Record. He also cited section 10 of the Data
Protection Act in support of this position.
Who will have access to locally and nationally
held information and under what circumstances;
12. Clearly if an electronic record exists,
then those health professionals treating a patient should have
access. The access must be secure and confidential, with sanctions
for breach of confidentiality. However, with many users, there
must be great scope for breach of confidentiality (see below).
13. Access by the government, police and
the security services is a source of concern. It is already not
unknown anecdotally for access to be sought in individual cases
without the patient's consent. If access to an electronic database
can be established by a government employee without having to
satisfy a data controller (such as a General Practitioner) that
consent has been given, the protection would be inadequate.
14. The growing privatization/corporatisation
of the NHS is relevant to the establishment of a national database.
If access to medical records is readily available to an incoming
private provider, then that has positive implications both for
patients and the private provider. However, this may be desirable
but is not necessary, and does not in itself constitute a compelling
reason to establish a national database in the face of concerns
about the law and ethics of confidentiality. Access to a greater
number of people makes breaches of confidentiality more likely.
Whether patient confidentiality can be adequately
15. In answer to this, I would suggest that
it would be extremely difficult to protect confidentiality in
a national scheme which has tens of thousands of users, and which
is anticipated to send data around the world, eg for radiology
reporting in Australia. Illegitimate use of a database by someone
with legitimate access is an important potential threat to confidentiality.
It has been acknowledged by Richard Granger, Director General
of NHS IT, that sharing of usernames and passwords has happened
and will happen,
which is a cause for concern. Illegitimate access is also a potential
threat to confidentiality. Even with the existence of appropriate
sanctions, some people will from time to time misuse their access
to data – even police officers.
It should also be viewed with extreme concern that health records
may be rich material for identity theft; this has been reported
in other countries.
16. With those points in mind, I think it
is appropriate to consider the nature of confidentiality of medical
17. Medical confidentiality is a time-honoured
principle. The Hippocratic Oath includes the following commitment:
"All that may come to my knowledge in the
exercise of my profession or outside of my profession or in daily
commerce with men, which ought not to be spread abroad, I will
keep secret and will never reveal."
18. The current professional guidance is
to be found in the General Medical Council (GMC) publication,
Confidentiality: Protecting and Providing Information.
Paragraph 1 states:
"Patients have a right to expect that information
about them will be held in confidence by their doctors. Confidentiality
is central to trust between doctors and patients. Without assurances
about confidentiality, patients may be reluctant to give doctors
the information they need in order to provide good care. If you
are asked to provide information about patients you must:
inform patients about the disclosure,
or check that they have already received information about it;
anonymise data where unidentifiable
data will serve the purpose;
be satisfied that patients know
about disclosures necessary to provide their care, or for local
clinical audit of that care, that they can object to these disclosures
but have not done so;
seek patients' express consent
to disclosure of information, where identifiable data is needed
for any purpose other than the provision of care or for clinical
audit – save in the exceptional circumstances described in
keep disclosures to the minimum
keep up to date with and observe
the requirements of statute and common law, including data protection
19. Paragraphs 4 and 5 provide:
4. When you are responsible for personal
information about patients you must make sure that it is effectively
protected against improper disclosure at all times.
5. Many improper disclosures are unintentional.
You should not discuss patients where you can be overheard or
leave patients' records, either on paper or on screen, where they
can be seen by other patients, unauthorised health care staff
or the public. You should take all reasonable steps to ensure
that your consultations with patients are private."
20. Paragraph 9 states:
"Disclosing information about patients
9. You must respect patients' confidentiality.
Seeking patients' consent to disclosure of information is part
of good communication between doctors and patients. When asked
to provide information you must follow the guidance in paragraph
1 of this booklet."
21. It seems to me that uploading patient
information onto a national electronic record is inconsistent
with these requirements, particularly the professional obligation
to keep disclosure to the minimum necessary.
22. There is a common law duty to protect
confidential information. Leading cases include Coco v Clark
 RPC 41 which recognised three elements to establish a breach
The information must necessary quality
Circumstances import obligation of
Unauthorised use of information must
23. A-G v The Observer and Others
 1 AC 109 added two more:
Information must not already be in
the public domain.
It must be in the public interest
to protect the information.
24. In Hunter v Mann  All ER
414, the court held that:
"...the doctor is under a duty not to [voluntarily]
disclose, without the consent of the patient, information which
he, the doctor, has gained in his professional capacity."
25. In Campbell v Mirror Group Newspapers
 2 AC 457 the House of Lords recognised that medical information
is "obviously private."
26. The Human Rights Act 1998 incorporates
into UK Law the European Convention on Human Rights, to which
the UK was in any case previously a signatory. Article 8 of the
"Article 8 Right to respect for private
and family life
1. Everyone has the right to respect for
his private and family life, his home and his correspondence.
2. There shall be no interference by a public
authority with the exercise of this right except such as is in
accordance with the law and is necessary in a democratic society
in the interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or crime,
for the protection of health or morals, or for the protection
of the rights and freedoms of others."
27. In Z v Finland 25 EHRR 371, the
European Court of Human Rights held:
"Respecting the confidentiality of health
data is a vital principle in the legal systems of all the Contracting
Parties to the Convention."
28. X v Y  2 All ER 648 was
a case in which a newspaper obtained unauthorised disclosure of
information about two doctors who had HIV. A health authority
obtained an injunction to prevent their names being published
by a newspaper. Rose J did not force the newspaper to reveal its
source but indicated that a prison sentence would be appropriate
if the informer repeated the breach of confidence. This sort of
breach would become more likely the greater the number of users
of a records system. The seriousness is indicated by the judge's
comment on the possible sanction.
29. It is, of course, accepted that there
are situations in which confidence may be breached. These include
disclosure in the public interest,
disclosure required by statute,
and disclosure in the patient's best interests.
30. The sharing of information for therapeutic
purposes is of course recognised as legitimate disclosure, but
it is limited to that which is of therapeutic value. The GMC states:
"Sharing information in the health care
team or with others providing care
Most people understand and accept that information
must be shared within the health care team in order to provide
their care. You should make sure that patients are aware that
personal information about them will be shared within the health
care team, unless they object, and of the reasons for this. It
is particularly important to check that patients understand what
will be disclosed if you need to share identifiable information
with anyone employed by another organisation or agency who is
contributing to their care. You must respect the wishes of
any patient who objects to particular information being shared
with others providing care, except where this would put others
at risk of death or serious harm."
31. In Cornelius v de Taranto 68
BMLR 62, the Court of Appeal criticised disclosure of material
which had no therapeutic relevance.
32. It will be seen that confidentiality
is the subject of significant case law and professional ethical
guidance. A striking feature of the controversy about a national
electronic database is that the law and ethics seem to have received
inadequate attention from proponents of the database. One point
worthy of further consideration is storage of data on patient-held
electronic records, using smart cards. This would overcome some
of the concerns and would be consistent with the growing respect
for patient autonomy.
How data held on the new systems can and should
be used for purposes other than the delivery of care eg clinical
33. Subject to the concerns about confidentiality,
it seems to be accepted that a medical record is an appropriate
research tool. Data can be used for research if it is approved
by a recognised ethics committee and permanently anonymised.
There is of course statutory authority covering some research.
Section 60 of the Health and Social Care Act 2001 provides for
processing of data for certain purposes. The Health Service (Control
of Patient Information) Regulations SI 2002/1438, provides that
processing patient information in accordance with the regulations
shall be taken to be lawfully done despite any duty of confidence
owed by that person in respect of it. The scope of SI 2002/1438
includes public health/communicable diseases, trends in diseases
and risks, preventing/controlling disease, monitoring and managing
communicable disease, immunisation programmes, adverse reactions,
food and environmental risks, and giving of information about
diagnosis and risks.
34. The main issue with respect to a national
electronic record is security, as discussed above. It is essential
to protect against reversal of anonymisation. Records which, although
anonymised, allow identification of the patient, should not be
Current progress on the development of the NHS
Care Records Service and the National Data Spine and why delivery
of the new systems is up to 2 years behind schedule.
35. I am not able to comment in detail on
this point as I do not possess the necessary knowledge of the
progress of the NHS Data Spine. I wonder, however, if there is
technical difficulty, which may have an impact on the security
points made above.
36. For example, I understand that patient
access controls, otherwise known as "sealed envelopes"
have been advanced as an important method of protecting patient
However, the technology was not in existence at the time the Department
of Health described them, and may not be able to protect the confidentiality
of some forms of patient data, eg images, and information from
other systems which do not offer "sealing." This appears
37. Suggested further reading
Mason, JK, & Laurie, GT "Mason &
McCall Smith's Law and Medical Ethics" 7th edition, pub
OUP, 2006. See Chapter 8, "Medical Confidentiality."
Thornton, Dr Paul. "Why might National
NHS Database proposals be unlawful? " January 2006. At
38. I hope these thoughts are helpful to
Dr Peter Gooderham
8 March 2007
Accessed 8 March 2007.
Conference, "Connecting for Health,"
BT Tower, 28 February 2007.
Conference, "Connecting for Health," BT Tower, 28 February
See, for example, Attorney General's Reference No 1 of 2007
sub nom R v James Andrew Hardy LTL 7/03/07 Document no. AC9700372.
(As yet, unreported elsewhere).
See, for example, "Diagnosis: Identity Theft." Business
Week, 8 January 2007 At
Confidentiality: Protecting and Providing Information, GMC, 2004.
Available at http://www.gmc-uk.org/guidance/current/library/confidentiality.asp1
Accessed 2 March 2007.
Lord Hope of Craighead at 95.
405-406, para 95.
See, for example, W v Egdell  1 All ER 835.
For example, Terrorism Act 2000, section 19; Road Traffic Act
1988 section 172.
Op cit. 2, para 29.
Op cit. 2, para 10.
R v Department of Health, ex p Source Informatics 
1 All ER 786.
"Sealed Envelopes" briefing paper, Department of Health,
2005. Document record ID Key NPFIT-FNT-TO-PRJMGT-0035.10.