I've been waiting for a particular letter from the NHS to arrive, and today was the day. You'll get one too. It introduces the Summary Care Record (SCR) scheme which is being gradually rolled out across England, and in several phases.

I know a thing or two about the challenges of IT security, about big IT projects, and (according to a recent File on 4 report) that the National Programme for IT is not doing at all well with its multi-£billion aim to computerise all patient records. And I hear that the No2ID campaign, who are deeply against ID cards, are not surprisingly saying that there are privacy concerns about SCRs too. Taken together, I decided I should go through all the details carefully before deciding whether to participate or not, and publish my thoughts here, where hopefully others can find it useful.

I can summarise the pamphlet they sent me (and most of the SCR website) as:

  • it "will enable health-care staff to have quicker access to your records, including prescriptions and any allergies you have, so they can provide more effective care"
  • we take confidentiality very seriously, and only authorised staff will access what they need, and with your permission
  • we take security seriously, and things like chip-and-pin will be needed to access the SCRs
  • "You can look at your SCR at any time at a secure website called HealthSpace. You will be able to make sure it is accurate ..."
  • but you can opt out if you want, and opt-in later again should you change your mind.

Sounds pretty good. And it needs to be, because how many people are going to bother to opt out? Pretty few, given that to do so you actively need to opt out, by writing a letter or filling in a paper form (which you have to get someone to send you or download and print out), and then go and find a stamp and post it. That's right, there's no phone or online option. If you fail to do this within 3 months, then you will automatically have an SCR created, and it will start to be used by NHS staff.

The site also says you can find more detail in The Care Record Guarantee, which I have downloaded and read. It's not a right riveting read, but it does include important additional detail, some of which makes me think they know what they're doing, but some of which worries me. See what you think ...

Who can access data?

The pamphlet says "they must be directly involved in caring for you", which makes you think of doctors, nurses, and hospital specialists. But the guarantee says it will also include people who "keep track of NHS spending, and manage the health service", researchers, health trainers ("to teach healthcare professionals") and statisticians ("to protect the health of the general public"). That now includes those very indirectly involved in caring for you, including, it seems, general NHS managers. And these people can also include "Organisations under contract to the NHS". I doubt anyone knows the exact figures, but I would be surprised if it's not less than 100,000 people with possible access to individuals' records.

When can they access data?

The pamphlet says only with your permission. The guarantee adds various exceptions, including after serious crimes, to protect children, reporting of infectious diseases, or if a court says so -- all of which seem reasonable.
But in order to carry out the wider functions above, including checking record quality, those staff can't possibly ask for permission, though the implication is that they won't be able to see personally identifiable information. However, in emergency situations the controls can be overridden, making all the controls weaker.

What sort of audit trail is there?

The guarantee says "Every time someone accesses your record, we keep a record of who they were and what entries they may have made." which is important and necessary. Encouragingly, it says that we'll be able to see a list of everyone who has accessed or changed our records. But unless some event triggers this, inevitably the vast majority of the audit records will never be checked.

Where can people access data?

Neither document makes this clear. But the fact that it's available to patients themselves over the internet means that effectively it is available anywhere in the world, not just at special terminals in surgeries or hospitals. (Where security is likely to be weak anyway, as strangers are always legitimately wandering around without access controls.) There's also a baffling statement that "You must register for HealthSpace to keep [your SCR] as secure as possible". Any ideas, anyone?

How can staff access data?

Only with a smartcard and a password, says the pamphlet. Sounds reasonable, except that by itself this doesn't mean anything. It's very easy to have poor passwords and insecure smartcards: witness chip-and-pin, where retail fraud has increased not decreased after its introduction in the UK. A rule of security engineering is that it's always possible to defeat authentication measures such as these, if the information is valuable enough to an attacker. Criminals can always buy access to apparently secure information in the Police National Computer, or the DVLA, for example. This will be no different.

Can you delete an SCR once created?

It's not fully clear.
You can ask for it to be hidden from view to anyone, but to delete it entirely is apparently "difficult".

Can some information be treated more privately?

Thankfully, yes. But not yet. The concept of "sealed envelopes" will be coming in future years, and can limit information to particular health-care teams. But again, in emergency, this can be undone, which is probably the right thing to do, but again weakens the overall controls.

And finally, one question not covered in either document: How likely is the system to be implemented as designed? Almost no chance. Any huge IT project is difficult, and there are good reasons why healthcare ones are more difficult still. Oh, and one with hundreds of thousands of users, all of whom need training and enrolling and smartcards ... lots can go wrong even without malicious intent on anyone's part.

I've deliberately ignored various topics the guarantee covers, such as interim local standards, children's SCRs and parental rights, and various help, advice and complaint procedures.

Overall, I think this makes the summary in the pamphlet that people are being sent misleadingly optimistic. For me the risks to my personal information being misused are much higher than the NHS suggests. So I for one will be opting out, until I see evidence that the promised upgrades have been rolled out well, early implementation 'bugs' have been squashed, and some of the ambiguity is satisfactorily cleared up. But if your health means very quick access to data by health workers could be important in the next few years, then I'd probably accept the risks of misuse.

(I also see that there's a specific NHS Confidentiality campaign set up to urge people to take part in their The Big Opt Out. Though note that I've not looked beyond its front page.)
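The audit-trail point above (a log that exists but that nobody reads unless something prompts them) is the one a security engineer would want to see addressed in practice. The script below is an added example, not code from the NHS, the SCR programme or HealthSpace: it takes a small constructed access log and a constructed "care team" register and does the routine review the post says will otherwise never happen, flagging accesses by staff not registered as caring for the patient, every emergency override (which should be justified after the fact), and one person opening many different records in a short window. The identifiers, thresholds and field names are all assumptions made for the example.

```python
"""
Added example (not NHS code): review an access audit trail routinely instead of
leaving it unread. Records, care-team register and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime              # when the record was opened
    staff_id: str             # smartcard holder (hypothetical identifier)
    patient_id: str           # record that was opened
    emergency_override: bool  # access that bypassed the normal consent controls


# Constructed register: which staff are directly involved in each patient's care.
CARE_TEAM = {
    "P001": {"S100", "S101"},
    "P002": {"S100"},
    "P003": {"S102"},
}

# Constructed audit trail for one day.
AUDIT_LOG = [
    AccessEvent(datetime(2010, 3, 1, 9, 0), "S100", "P001", False),   # GP opens own patient
    AccessEvent(datetime(2010, 3, 1, 9, 5), "S101", "P001", False),   # nurse on the same team
    AccessEvent(datetime(2010, 3, 1, 10, 0), "S103", "P002", False),  # not on P002's team
    AccessEvent(datetime(2010, 3, 1, 11, 0), "S102", "P001", True),   # emergency override
    AccessEvent(datetime(2010, 3, 1, 12, 0), "S104", "P001", False),  # same person browsing
    AccessEvent(datetime(2010, 3, 1, 12, 1), "S104", "P002", False),  # several unrelated
    AccessEvent(datetime(2010, 3, 1, 12, 2), "S104", "P003", False),  # records in minutes
]


def find_out_of_team_access(log, care_team):
    """Normal (non-override) accesses by staff not registered on the patient's care team."""
    return [e for e in log
            if e.staff_id not in care_team.get(e.patient_id, set())
            and not e.emergency_override]


def find_emergency_overrides(log):
    """Every override access; each one needs a recorded justification."""
    return [e for e in log if e.emergency_override]


def find_bulk_browsing(log, max_patients=2, window=timedelta(minutes=10)):
    """Staff who open more than max_patients distinct records within a sliding window."""
    by_staff = defaultdict(list)
    for event in sorted(log, key=lambda e: e.ts):
        by_staff[event.staff_id].append(event)
    flagged = set()
    for staff_id, events in by_staff.items():
        for i, start in enumerate(events):
            patients = {x.patient_id for x in events[i:] if x.ts - start.ts <= window}
            if len(patients) > max_patients:
                flagged.add(staff_id)
                break
    return sorted(flagged)


def patient_access_history(log, patient_id):
    """What a patient should be able to see: who opened their record, when, and how."""
    return [(e.ts.isoformat(), e.staff_id, e.emergency_override)
            for e in sorted(log, key=lambda e: e.ts) if e.patient_id == patient_id]


def review(log=AUDIT_LOG, care_team=CARE_TEAM):
    """Run all three checks and return the findings for a human reviewer."""
    return {
        "out_of_team": [(e.staff_id, e.patient_id)
                        for e in find_out_of_team_access(log, care_team)],
        "overrides": [(e.staff_id, e.patient_id)
                      for e in find_emergency_overrides(log)],
        "bulk_browsing": find_bulk_browsing(log),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(check, findings)
    print("P001 history:", patient_access_history(AUDIT_LOG, "P001"))
```

Nothing here stops an access: the smartcard and password decide that, and the post's point is that they will sometimes fail. What the review does is turn the audit records into a short list that someone is actually obliged to look at, so that an override or an out-of-team access is questioned within days rather than never. The care-team register is the weak spot in any real deployment; if it lists everyone who might plausibly need a record, the first check flags nothing.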