ORGCon: Medical privacy workshop

On the 24th of July I was lucky enough to host a workshop event at ORGCon on the question of medical privacy. Of all the data that is held about us our medical record has the potential to be the most sensitive. Yet recent news stories have shown that levels of security in the Summary Care Record, to take one example, are not anywhere close to acceptable.

In my day job I’m a scientist and an academic. I like to run experiments – it’s my MO for understanding the world. When ORG offered me the chance to run this workshop, my first though was to run a little (speculative and poorly controlled) social experiment. Could I split the room into groups and have each group draw up a list of principles for medical record privacy? And if I did, would there be a set of principles that were proposed several groups independently of one another? I had been worried that the topic of medical privacy wouldn’t capture many people’s imaginations or interest, that we wouldn’t have enough people to make one group let alone several, but I was gratifyingly wrong. Our room was full of enthusiastic and intelligent people, several of whom had experience of the issue either as patient advocates or health care professionals.

We were very well supported by the volunteer facilitators, who I would like to express my sincere gratitude to: Helen Wilkinson-Makey at The Big Opt Out Campaign, Chrysanthi Papoutsi of the Oxford Internet Institute, Ross Anderson of the University of Cambridge Computer Laboratory, and Phil Booth of No2ID.

Quite a lot of common ground emerged from the discussions. Almost all the groups (5 out of 6) volunteered a statement along the lines of œpatients should have the right to see who was accessing their record. Two groups mentioned that such audit trail data might also be sensitive and would also need to be appropriately safeguarded.

Four groups mentioned their concerns about research uses. Principles suggested included that there should be a right for patients to opt-out of (or to explicitly consent to) secondary uses of their data. All four groups stressed the importance of data being properly anonymised.

Three groups mentioned the need for effective sanctions when medical records are found to have been misused.

Two groups mentioned the need to not transfer data to countries with weaker data protection regimes.

Two groups mentioned the importance of being allowed to opt out of an electronic medical record scheme at any time and to ask that information already collected is no longer shared.

Two groups mentioned that patients should have the right to see their medical record (this is already possible, to some extent, by using Healthspace.) 

Two groups mentioned that users should have absolute control over who sees their record and should consent to each use.

In the short time we had it was apparent we could have started to argue out a set of principles between us. Some of the principles suggested may be more contentious or more difficult to put in place than others but I think that they are all deserving of consideration. As well as arguing against specific systems, piecemeal, it strikes me that our case will be more easily made if we have a set of privacy principles – a sort of statement of digital rights for medical privacy – that we expect those who hold our medical records to adhere to.