China to access NHS medical records of 500,000 patients

China to access NHS medical records of 500,000 patients despite MI5 fears

 

That’s grim!

 

WHY??? Seems very irresponsible.

 

When the idea of providing US companies with access to UK patient data seemed on the cards, it was suggested that we could prevent this for our personal data by informing our GP practices that we withheld our consent.

Though I don’t know how easy it would be to find out if any individual would be one of the 500,000.

 

The problem is that anonymisation can effectively be undone when you have access to other large-scale datasets of personal information. A straightforward example: if the anonymised medical records contain age, sex & postcode it would be possible even for an individual with no particular skill to use the Electoral Register to narrow that down to a small number of candidates and then look at social media to narrow it down further; details about height, weight, & other physical attributes in the patient records would help confirm.

Intelligence agencies will be able to go much further still and will almost certainly be able to deanonymise records at scale in an automated way by cross-correlating them against lots of other databases of personal information. And the Chinese, in particular, consider genomic data to be a strategic interest and have exploited it in the past, e.g.:

 

For geographical analysis.

 

It depends on the research but sometimes researchers want to do quite fine-grained stuff, in part because the narrow area where you live would give a proxy for socio-economic status. Doesn't mean they need your entire postcode, though. But still, a partial postcode combined with other stuff could indeed uniquely identify someone.

 

It’s a couple of decades since I have looked at the figures but here in the East Midlands we have some of the poorest and some of the most affluent areas in the country. So region alone might not be much use, depending what you wanted to look at.

 

Anonymisation sounds great, unfortunately it does not always happen, is not always done correctly. Even if it is anonymized, as @Nightsong says, combining the anonymized data with other datasets, data can be traced back to individuals.

And it is also used by another country, where you have to see if they treat data respectfully. If they don’t, what rights would you have?

 

And I’m guessing one of the main risk areas is eg access to insurance or mortgage products etc at its worst in the future things like jobs if they really aren’t keeping control of the data now

so it wouldn’t need to be admitted in such instances someone is refused (based on info that might be private) because there will be other coinciding factors actuarially that cover it anyway.

and I suspect it’s one of those hard to prosecute problems where data is sold on then apparently is used nefarious and interrogated with other databases and software - people just do innocent face claim of ‘how was I supposed to know what they’d do with it’


Analysis and other data -behavioural+demographic in particular from all the web points people are analysed - and analytical tools are of course going to move on incredibly fast over the years. Whereas the ‘protections’ for a dataset are stuck with the date they were created and sent off

so it’s nonsense that unless there was a properly efficient either self-destruct or ‘they never owned it or had data in their hands just could do what they needed to do in the original environment’ then of course it can be unpicked very easily in future years.

and it was never reliable anyway for the ‘good reasons’ of it ‘just’ being data about peoples bodies . Only as data about what labels they’ve been slapped with or recorded as. The first might be able to be cured , the second the data is useless for that but very useful for making said people’s lot worse/it being used

 

If you look into pseudo-anonymisation vs anonymisation it might answer your question. I remember when the first major project involving lots of health data (care.data 2013 - 2016) became known it was quickly realised that pseudonymous data could have the anonymising reversed if the recipient of the data had access to some large datasets with personal data in. When this became known the government and the NHS basically said they would sell data to virtually anyone as long as they signed an undertaking not to reverse the anonymisation. Obviously the NHS is very gullible, and they assume that patients are too.

https://medconfidential.org/for-patients/major-health-data-breaches-and-scandals/

I assume that all my health data has been copied to the USA at some point even though I have opted out. I also assume that the NHS has lost control of all the health data they have allowed other organisations to copy, and they will not have a clue who has access. And they can't stuff the toothpaste back into the tube once it has been squeezed out so my health data will never be private again. (I'm not trusting of the government or the NHS.)

On the assumption that at one time my health data was private, but no longer is, I realise that there is nothing I can do about it. And the thing that upsets me the most now is that there are dozens of errors, lapses and gaps in my GP records and summary care records, and this is true of the few hospital records I have access to as well. And when I bought a copy of my GP records I probably wasn't given copies of all of it because doctors can deny access to anything that they think might be bad for the patient's health, whether physical or mental. So there are organisations with copies of my data that I don't have access to. And that annoys me enormously because I don't know how many ways that could come back and bite me on the bum in future.