The author of a government review into medical data sharing personally opted out of the aborted plan to share GP health data, a parliamentary committee has heard.
Prof Ben Goldacre, a former Guardian columnist and the author of the Goldacre Review, exercised his right to opt out of the Government’s General Practice Data for Planning and Research scheme, he told the Commons Science and Technology committee, because he was concerned about the risks of deanonymisation.
“I did withdraw my consent,” Goldacre said, “because I know so much about how this data is used, and how people can be deanonymised. And also because, in the past, I’ve been in the public eye from doing public engagement work, and I have friends who have had their data illegally accessed through national datasets, although not health datasets. And I suppose, because I work in this field, the risks are very salient to me.”
The government should even consider prison sentences for those who do misuse sensitive data, Goldacre suggested, citing the discovery that more than 30 Metropolitan police staff were caught accessing case notes for the murder of Sarah Everard.
He said: “That’s over 30 people, working in very trusted roles, illegally accessing data outside of the purposes of their work, even in an environment where most or all of them must have known that they were subject to audit.
“You need to block people misusing data, you need to ensure that you detect it when they do, and you need to make sure that the penalties are so high that people are afraid to do it.”
Goldacre criticised the idea that “data is the new oil”, arguing that it was more like nuclear material. “When you first access small bits of it, it’s not actually very useful. It needs to be refined and processed. But after it’s been refined and processed, two things happen. Firstly, it becomes tremendously powerful.
“But secondly, it also becomes rather dangerous. Once it’s leaked, it can’t be unleaked, and you have to work very carefully with it in order to do good with it, whilst minimising harms.”
Women are particularly at risk of deanonymisation, the committee heard as “childbirth is something that appears in your medical record, and it’s also something which is typically known by colleagues or people at the school gates or so on”.
Goldacre said: “The classic example that appears in security engineering textbooks, for example, is that you could re-identify Tony Blair in health data, because you know, the approximate dates in which he had an abnormal heart rhythm reset while he was prime minister. And knowing the week in which that happens, the kind of procedure he had on two dates, and his approximate age and his approximate location, you could probably find only one person with those characteristics. Having found a unique identifier for that person, you can then see everything else in their record.
“And women are particularly at risk, in my view.”
He added: “As a result, future efforts to share NHS data with private industry should take place in ‘Trusted Research Environments’.” These would allow data to be made accessible to legitimate users without the risk of it leaking. “I’m confident that by doing that, not only can you mitigate risks, but you can also begin to earn public trust.”
Goldacre told the Guardian: “I did opt out of the old GP data programme, because it was based on pseudonymisation and dissemination.
“However … in July 2021 there was a firm ministerial commitment, in a letter to all GPs across England, stating that the GP data extracted will now only be accessible through a robust trusted research environment with transparent audit of all activity. This was a huge leap forward. It will protect patients’ privacy, earn public trust, and make all analyses much more efficient.”
