NHS confidentiality paper tries the patients

Once upon a time, about 10 years ago, IT implementation used to involve a simple process of interaction between the supplier and user.

The supplier would start with a feasibility study, taking into account costs and benefits. Then it would consider information and processes.

This work would be completed with a fair amount of contact with the user, which ensured that the business model remained relevant.

The supplier would then define a system spec and, after all this work, it would finally be ready to go to the market with its relevant solution.

But that was in the good old days, when IT was made to fit user demands. But where do users fit into any solution these days?

The world has moved on. Generic products such as knowledge management, enterprise resource planning, customer relationship management and content management can be customised to suit organisational needs.

These applications can be implemented without the need for a comprehensive specification or user dimension. But there is more to IT than generic applications.

Users have become reliant on pre-existing supplier products to solve specific IT problems. Has this attitude de-skilled us to such an extent that we have become incapable of defining our own business and systems needs?

It's not surprising that Peter Gershon, chief executive at the Office of Government Commerce, said at a Parliamentary IT Committee: "Have we learned nothing in the past 30 years?"

It seems not. Or to be more precise, we had learned something about IT, but have somehow forgotten it all again.

Look at the work being done on patient confidentiality and consent by the NHS Information Authority, which is out to consultation.

I take the confidentiality of my health information seriously and would expect the NHS to do the same.

I would, however, happily sign a piece of paper saying that my data may be shared by health institutions that are providing me with a service.

Certain information, such as sexual or mental health, should be used with commensurate sensitivity. I would leave it to these institutions to deal with it.

But the NHS consultation paper takes a complex view of how to address the problem. It suggests that the patient specifies what information is available to certain individuals, or pre-specified categories of clinicians or institutions.

Information may be put in 'sealed envelopes', which can only be opened by specific individuals or institutions.

But how can a patient predict who might need their data? And how much time would the already over-stretched health professional need to spend on maintaining a consent database for each person, cross-referencing all data held on different computer and paper-based systems?

The patient must have recourse to the law where reasonable confidentiality has not been observed.

And, as with all areas of the law where subjective judgements need to be made based on the 'reasonableness' of behaviour, this protection would be best provided through case law and precedence, rather than a complicated set of technicalities which need to be built into computer systems.

A decade ago, this proposition would have failed the stringent feasibility, cost-benefit and user tests. The most likely result would have been to tackle the consent issue outside the sphere of technology.

The consultation process will help, but this is akin to the beta-testing approach. It is flawed in that it is based entirely on getting things wrong first and putting them right afterwards.

So beware next time you are taken ill. Your consent options may seriously damage your mental health.

Fahri Zihni is chief IT officer at Wolverhampton City Council, and vice president and education officer at the Society of IT Management.