The Government has just published its ideas for allowing general access to data (which includes the intention to allow individuals on-line access to their own personal data). In general, I support this measure but sadly, the Open Data White Paper has not even considered that it has widened the privacy problems associated with “enforced subject access” (see references).
In the White Paper, the Government states that it wants to make personal data available to the data subject by a secure portal. Indeed it intends to give NHS patients access to their own health records before the end of the Parliament (if the coalition lasts that long). This is, I suspect, the quid pro quo for the fact that the Government wants wider use of medical records for research purposes (see last week’s blog – 26th June 2012- where I show that the Data Protection Regulation has been changed at the UK Government request to support this move).
To illustrate the problems of online access to medical records, consider the following conversation:
Interviewer:”Hello John. Thanks for coming for an interview. Before we start, you have access to your medical records online. As you know, we want to make sure that you have all the hallmarks of a co-operative employee. I wonder whether you would allow us to look at your last 5 GP visits”.
John: “Well I am not sure of this. Doesn’t it breach the Data Protection Act?”
Interviewer: “No John it doesn’t and we are surprised that a cooperative individual like you could think so. All the protection you get from the Data Protection Act is unaffected. The first thing to say is that we would have your consent to your sharing your own personal details with us. 'Share' is a nice word isn’t it; indeed we encourage all our employees to consent and share their details with us in this way on a regular basis”.
Interviewer continues: “In addition, we are not going to record anything from your files in our databases. We are just going to look at your personal data. Because this information is not copied from your files to ours, we don’t have any “data” and because of that, we don’t have any personal data. All we are doing is “looking” but not “recording”.
Interviewer continues: “In theory, because we don’t have personal data we don’t have to apply the Principles. This means we don’t have to tell you what we looking for or why, we can make use of irrelevant details in the file, and of course, if there are inaccuracies in your file, we can just accept them as being the truth. This process is very secure:- after all, we can’t lose what we don’t have. But don’t worry about all these issues. Because we rely on consent, we think we are a very ethical company”.
John: “Well that is reassuring. I will just log on to my GP by the secure portal”.
Interviewer: “Please give me time to look away – I don’t want to see your password do I! This is an example of our ethics in action”.
Interviewer (after inspecting health records):”Oh. I forgot to ask. The job you are going for involves access to financial information. Do you, by chance have access to an online banking account?”....
In summary, the White Paper has ignored the obvious problem of individuals having to consent to access by others for whatever reason. Let us hope it is fixed before that portal is ever opened.
References relevant to the blog:
Enforced Subject Access to medical data raises its ugly head in the insurance industry. http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html
Data Protection: the use of the Internet to vet employees or job applicants: http://amberhawk.typepad.com/amberhawk/2010/08/data-protection-the-use-of-the-internet-to-vet-employees-or-job-applicants.html
Facebook passwords and employment: why data protection works and Facebook’s promise to take legal action to protect privacy doesn’t: http://amberhawk.typepad.com/amberhawk/2012/03/facebook-passwords-and-employment-why-data-protection-works-and-facebooks-promise-to-take-legal-action-to-protect-privacy.html
The Commission’s Data Protection Regulation: weaknesses from the data subject perspective (includes plea about enforced subject access): http://amberhawk.typepad.com/amberhawk/2012/03/the-commissions-data-protection-regulation-weaknesses-from-the-data-subject-perspective.html
Open Government white paper on http://data.gov.uk/sites/default/files/Open_data_White_Paper.pdf
The obvious is frequently deliberately missed where providing an answer is beyond the abilities or capabilities of those missing the particular issues concerned and acknowledging any inability could be perceived as a weakness. Far better to quietly rationalise as a strong answer to a difficult problem.
Like Microsoft in the early years, your security is not their concern… unless…
Posted by: Ian | 06/07/2012 at 10:28 AM