Select Committee on Health Written Evidence

Evidence submitted by Ms A Jones (EPR 07)


  Thank you for the opportunity to comment on the above. My background is IT and this system has fantastic potential, but only if the confidentiality issue is taken very seriously. We need to be sure that Doctor/Patient confidentiality is maintained to the highest degree, and that GPs/other medical professionals will not be required to pass on our personal information under any circumstances without our (written?) consent. This system is unique in that it should, and must, stand alone from all the other proposed/existing database systems. The key to its success is privacy and anonymity. Already a growing number of people visit a GP's surgery at random claiming to be on holiday and possibly using a false name and address rather than having their condition logged on their own record on their GP's system. The greatest danger is that people with various sensitive conditions will not present for treatment or help if the issue of confidentiality is not robustly enforced.

1.   What info should be held?

  The absolute minimum level of personal data should be held to preserve privacy without compromising health, eg:

    —  Initials and surname (not full name).

    —  Age band (not age/date of birth).

    —  Sex (not title).

    —  House number and post code (not full address) (Apparently a surname, house number and post code are sufficient to have a letter delivered).

    —  Optional—phone/mobile phone number and email address.

  With the consent of patients, certain medical conditions, immunisations, operations, allergies and current medication should be noted. This includes Parental Consent for children under 16 years. A time limit should be considered eg: only data for past 10 years. GP/other narrative comments should be omitted.

  We all know our NI Number so it should be possible to allocate a permanent NHS number if necessary to ensure the correct record is accessed.

  Patients should be able to opt-out of the system if they wish. If a good, robust and secure system is seen to work efficiently and effectively then perhaps people may choose to opt-in at a later date.

2.   Access (local and national)

    —  Only the patient's GP should have full access—not auxiliary medical or admin staff at surgeries.

    —  Hospitals should only have access via GP giving permission to a hospital consultant so a log of authorised access is created. A system to control this "out of hours" and in an emergency should be developed.

    —  Nursing and other staff in hospitals/surgeries should not have full access to complete patient records—their need for information should be confined to current treatment and information directly relevant as directed by the patient's consultant or GP. This is absolutely essential in the case of sensitive circumstances or conditions (alchohol/drug use; STDs; domestic violence; depressive illnesses etc). Perhaps thought should be given now to the manner which information relating to these sensitive issues is stored and used. Failure to address this will lead to people not seeking appropriate treatment or help. No other body should have access to medical records under any circumstances.

    —  A patient should be able to view their full record at any time and there should be a clear and simple procedure to correct any wrong or misleading data.

3.   Protection of patient confidentiality

  This is the greatest weakness in the system. Briefly—I experienced a leak of three distinct pieces of my medical info. I could do nothing as I had no absolute proof. I sold my house and moved 250 miles away. This was due to a community medical staff known to me socially (not a GP) having what seems to be unlimited access to records. This is why every possible step must be taken to limit the personal or identifying data held in the patient record and there must be very clear and stringent penalties for any abuse of the system—no matter how trivial. In my case if my full name, address etc had not formed part of my record it would not have been possible for the gossip to be connected to me. Thought needs to be given as to why this specific and full identifying data needs to be included rather than my suggestion at Para 1. The confidentiality issue is not really about what the GP knows—it has more to do with the casual users of the system who may not be involved in your care or who may see your data in passing.

    —  When attending a medical appointment there is no need for your complete record to appear on screen in front of the Administrator. A time-out should be build in to guard against a patient record being accidently left on-screen.

    —  A chip and pin-type card held by the patient should be used to access the full patient record. The argument that we may forget or loose a card does not hold water. We all manage to carry our various credit, debit and store cards and remember our various pins. Alternative arrangements could be made for those who genuinely could not reliably use this card system. For the minority who find themselves in an emergency without their card the same procedures apply as now—medical professionals do their best in the circumstances.

    —  The proposed system will not remove the need to describe your condition several times to various medical professionals. The comprehensive patient held notes used during pregnancy do not avoid this happening as it is easier/quicker for medical staff to talk to you than to read pages of notes.

    —  There is no reason to link this database with any other database. A Medical Record should be a completely separate entity to other public or private Personal Information databases.

4.   Data for other purposes

    —  Patients could be asked to sign up to their statistical data (not personal data) being collected for other purposes eg: research. In a database system it is very easy to implement this.

    —  The GP or hospital consultant should be the gatekeeper of this data, providing total numbers or percentages or depersonalised case histories for research purposes. Most people would be comfortable with this.

5.   Progress and delay

  If this system is implemented without thorough open discussion and debate it will become an expensive failure. Time taken now to think through all the implications and to listen to people's genuine fears and concerns will ensure the final design is acceptable and fit for purpose. The system needs to be thoroughly piloted and tested before implementation. All major IT systems take years. In this instance it is essential to invest the time to make sure it is absolutely watertight and foolproof—unfortunately this will take longer than you think.

  Thanks for your time.

A Jones (Ms)

7 March 2007

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2007
Prepared 25 April 2007