Books, news, & views from Karen Traviss

(Don't) trust me (with IT), I'm a doctor.

Your medical records in their hands. What could possibly go wrong?
I'm not ashamed to say that I had an Apple Newton once.

So I was a bit misty and nostalgic when I saw this reference to it in The Register. I bought mine just after they ceased production, and that meant a used one. I trawled the substantial ad section of the staff newsletter where I worked and found one at a knockdown price. The seller said it had one careful owner, a GP. ("Family physician" to you transatlantic folk.) If memory serves, the seller was his missus.

Anyway, I was riveted by this thing. But I'm not sure the GP's patients would have been so delighted. Their confidential medical details were still stored on it.

Yes, I did notify the seller, and erased the data as thoroughly as you could on those things at the time. I don't think doctors are the sharpest tools in the box, so I can't say that I was shocked. But I was disappointed.

Now, if you've been following UK news, you'll be aware that there's a huge brouhaha about the NHS's latest attempt to data-grab every patient record and upload it to some allegedly secure database for our own good. Like all government IT schemes, it's been badly handled at the PR and technical level, and appears to be more about selling data to big business rather than making us a healthier nation. We've been given the chance to opt out, but that's been a clusterfuck of epic proportions too. The scheme has been put on hold while the government works out ways to shout the same message at us more loudly until we see sense.

I've been following the various attempts to data-grab for at least six years, and the opting out process is so convoluted and misleading (even NHS staff say so) that it's been a tough and ongoing job even for a bloody-minded, bureaucracy-wrangling, awkward old journalist like me. I'm still not sure I've tracked down all the parts of the health service that I've used in the past to tell them not to scatter my data to all and sundry. It's like a game of Twenty Questions. Even the NHS doesn't know everywhere that data gets held, so to opt out from each outpost of the NHS – there's no single access point to make the request – requires luck and guesswork on top of investigative slog.

A lot of GPs and health staff don't like this latest data grab either. I pulled out of NHS care some years ago because I both fear and loathe it, and my once-heretic views have since been vindicated by an endless string of national scandals about appalling care, but it's still like an old Eastern Bloc bureaucracy. You're entered into the system at birth, by law, and your data doesn't belong to you. You can't have it deleted. You can't even have your medical records back – you can only have a copy, because the records are the property of the NHS. Once in, there's no avoiding these bastards. The most you can do is drop off their radar.

In the course of my letters and calls, though, I have come across at least two NHS staff who take patient privacy seriously and enforce the data protection regulations to the maximum extent. We need more people like that. Unfortunately, the awareness of data security among NHS staff generally is as bad as in the rest of the population, and that's a toxic combination with the eagerness of pharmaceutical and insurance companies to grab as much from records as they can, and the ambition of every political party to have a Stasi-style file on every citizen. (And then sell it.)

Anonymised data isn't any safer. The insistence on using postcodes and demographic detail means that jigsaw identification is more than possible, and progressively easier the smaller the town you live in. If there's a buck in it, the incentive to do just that will be irresistible. Fines for abuse of the system, if they're even imposed, will be seen as acceptable overheads in some industries.

Anyway, the point of this rant is that the NHS is telling us that our data is safe in its hands. That would be the same NHS that sold data to insurance companies within days of the opt-out, the same NHS whose various trusts fail to dispose of confidential data properly, that misplaced nearly two million records in a year, and that has GPs who have no idea how to secure data on their own devices. It was bad enough to find clunky text files on a Newton, but imagine what a health care worker can store digitally and lose today.

It's not enough to get the data policy right at national level, not that any UK government ever has. It's entirely at the mercy of dumb behaviour by individuals within the system. And that's assuming the data uploaded is accurate and has been coded to the right patient in the first place, of course. The risks are so great that it's better not to do it at all. Claiming that not having One Database To Rule Them All could cost lives is the most cynical kind of scaremongering.