Opening NHS records to private suppliers

In August, the Conservative Party published its independent review of NHS and social care IT, examining the future of the controversial £12.7bn NHS National Programme for IT.

Taking their statements at face value, it seemed the Tories’ plan consisted merely of “dismantling Labour’s central NHS IT infrastructure”, and replacing it with a Google or Microsoft alternative, but the review covers much more than this.

The focus on Google and Microsoft was in relation to the alternatives to the HealthSpace programme. HealthSpace, which was introduced in October 2005, gives patients online access to their “summary care record”, where they can track basic health information, such as height, weight and blood pressure. It is still only in trial, accessible by fewer than 35,000 patients.

The report does not propose the replacement of HealthSpace by Google Health or Microsoft HealthVault. In fact, it was rather cold about Google Health. However, it recognised that these systems could act as replacements or alternatives, provided they are adapted to fit the NHS.

Assuming that the Conservatives’ investigation into the Google and Microsoft alternatives continues, what will need to be done to make it a reality?

In terms of data security, there is no reason to think that Google or Microsoft are more exposed to data security breaches or data loss than the NHS. Indeed, if the Information Commissioner’s recent run of enforcement action against the NHS is anything to go by, people might be forgiven for thinking that outsourcing to Google and Microsoft cannot come quickly enough. Thus, data security concerns are not in themselves barriers to the alternative vision.

The area where the Conservatives will need to improve performance is regulation. Since 2007, when HM Revenue & Customs (HMRC) lost two data discs containing almost an entire copy of the child benefit database, there has been a considerable investment in improving the regulatory framework for data security in the public sector.

This has been accompanied by massive progress in theories for best practice in data handling, as illustrated by the Data Handling Review and the development of the government’s Security Policy Framework. Likewise, the work of GCHQ’s CESG
security operation has contributed significantly to the improvement of the regulatory framework for the public sector. This is not the case for the private sector, where Google and Microsoft operate.

The best illustration of this point is found within the Coroners and Justice Bill, which was introduced in the House of Commons in January 2009. Among other things, the Bill contains a power for the Information Commissioner’s Office (ICO) to carry out compulsory inspections of government departments. The intention behind this power is to codify a non-statutory right of inspection that was given to the ICO by the prime minister immediately after the HMRC debacle.

From January to July, the ICO and many parliamentarians consistently argued for a comparable right of inspection for the private sector, but this was rejected. However, during the Bill’s committee reading in the House of Lords, the government made limited concessions that will allow the secretary of state to designate categories of private sector data controllers as liable to inspections. This limited extension could result
in a much-needed improvement to the regulatory framework for data security in the private sector.

If the Conservatives form the next government, they will need to designate controllers such as Google and Microsoft for the inspection regime. This will be essential if the public is to embrace private sector suppliers in the NHS.

Stewart Room is a partner at Field Fisher Waterhouse’s Privacy and Information Law Group. His new book, Data Security Law and Practice, will be published in November