Summary care records - you might die, but they never will

Patients can decide whether or not to have their Summary Care Records included on the NHS national database, but if they change their mind afterwards there is no way to delete the record. This emerged after a concerned Hampshire doctor asked several Primary Care Trusts what their policy was using Freedom of Information …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    What bollox

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."

    All the average Joe wants is to have his record deleted, but why not put up the straw man of having to physically destroy the entire system in order to delete one record, and then argue that it would be too costly?

    I'm not aware of anyone asking for their records to be deleted and a guarantee that the medium it was stored on is also destroyed. If it is held on re-writable media and deleted it will eventually be overwritten anyway which is probably sufficient for this case. If it is on optical disks or other write once media then there is a larger problem. Of course there are backups to deal with but if they are rolling backups they too will be eventually overwritten, unless of course they want to store the contents of every single transaction for ever, rather than an audit that there was a transaction, but why would they want to do that?

  2. Anonymous Coward
    Anonymous Coward

    "but the cost of completely removing them would be prohibitive"

    i.e. the computer people have got us over a barrel.

    Other news, the ICO is having a snooze after a nice lunch with the NHS IT contractors.

  3. Anonymous Coward
    Thumb Down

    technically unfeasible - only by design

    Whoever designed this system designed it not to be feasible to delete a record; whether deliberately or by omission, it is still a design flaw.

    I expect it was not a requirement in the spec, but for 12 billion I would like to think there is a system that is quite good... sadly those at the trough probably know very little about IT and the monkeys coding it don't see the bonuses or the multi-million pound contract buyouts (Fujitsu!).... so they make what they are told.

    Just another case of this government not having a clue about privacy except when it comes to trying to block access to their expense records!

  4. Anonymous Coward
    Anonymous Coward

    Unacceptable!

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."

    While it's good that they're aware of how easy it is to (unintentionally) retain deleted data ('delete' is not synonymous with 'erase'), they really should have designed secure erasability into the system. After all, what are they going to do in the event of, say, a court order to irretrievably destroy certain records?

    Combined with the fact that the State is presuming consent, with us having to actively opt out if we don't consent, this really is an unacceptable state of affairs. They must, at the very least, change the rules from opt-out to opt-in, and make it clear before Summary Care Records are even created that once they're created, they can only be deactivated, not actually destroyed.

    As for me, I've already opted out, in that I've already handed in the opt-out form to my GPs' surgery. But looking at the form, I note that the form is also for deleting Summary Care Records:-

    "I request that my personal data, or the personal data of a person under 16 for whom I am responsible, are not added to or are deleted from the NHS Summary Care Record database and that no Summary Care Record be available to assist in treating me/them, even in an emergency situation."

    The opt-out form was downloaded from the NHS South West Essex site: http://www.swessex.nhs.uk/healthrecords/

    (They really are pushing the propaganda.)

    Looking at the form available from that site now, I note that they've changed the form a bit from the one I originally downloaded. It no longer mentions deletion. Perhaps it might be worth asking them why.

  5. Richard
    Stop

    Better not to collect it in the first place

    I'm fascinated by what problem this zillion dollar database is supposed to be solving.

    If it's about having information ready in emergencies, there is already a super low-tech solution which is highly effective and widely deployed: medical necklaces and bracelets. It's a small, discreet item of jewellery which you wear if you have some medical problem (like you are diabetic, or allergic to something) and it alerts medics to your condition in situations where you can't communicate this information yourself.

    So there's my solution, which will probably cost about £1 / patient.

    Now tell me why we need this huge database again?

  6. Paul Donnelly
    Alert

    Oh, the humour!

    The very idea that deleting a record from a database requires the sanitising of the hardware... there's absolutely no wonder that all government projects waste so much money!

    I'm especially tickled by the 'As with all digital records systems' bit... as I've never noticed myself formatting hard drives and rebuilding machines when deleting database entries.....

    Also, the Audit comment is a joke. Working in a place regulated by the FSA, and trading on the NYSE, my employer has pretty strict data control rules, and audit requirements, as they quite rightly should.

    Now, as a man with a degree in Computer Science and Artificial Intelligence (a module of which was dedicated to SQL), and as a man who assists in administering a DB or two, I'd have thought someone would have told me at some point that I needed to triple format and rebuild a system whenever I deleted a db record......

    I'm surprised that the Department for Health has been told something so crucial when so many professionals and students of the very topic are left fumbling in the dark for this knowledge....

    And just for Sarah Bee... (highly entertained by the AFD rant and resignation)

    Mine's the one with the fresh printed server build instructions in the pocket!

  7. Frank

    Advice needed

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."

    I'm not a database or computer 'expert', but isn't this just a simple and barefaced lie?

  8. TimNevins
    Unhappy

    Utter Rubbish

    Anyone with a passing knowledge of DB can attest to how easy it is to delete records.

    If they are talking about data held outside of the database (images, .doc files, scans etc.) then the very least that can be done is to jumble the record and/or write over the pointers which record where data is held outside of the DB.

    Utter nonsense.

    Papiers s'il vous plaît!

    When when when will we get a 1984 icon?

  9. Tom Chiverton Silver badge

    Buh ?

    They seem to be saying they can't possibly type 'delete from people where nid=...' because they then have to *wipe the entire hard drive(s)*? That's obviously wrong...

  10. Col

    They're talking out their @r$e

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."? You what? So I need to format my hard drive to delete an email? I had no idea...

  11. DR

    say what now?

    Since when have you had to sanitize or destroy all hardware to delete a database record inside (what I assume) is a relational database?

    this (confusing) point aside...

    Can I just get this straight... so, unless you opt out before the database is created, you're going to be recorded in the database, and you can still choose to opt out, but in the event that you opt out you won't actually be opted out, because your data will still be there because the guys who built the database can't figure out how to write, "delete from 'patients' where x=`y`;"

    So you have to opt out now, or always be included and never be able to opt out?

    Isn't this completely unlawful?

    I assumed that the data protection act enabled you to request that if a company holds data against you then you had rights to request that data is deleted...

    Righty ho...

    I'm now set for life then...

    Step 1, get included on the database.

    Step 2, request removal.

    Step 3, freedom of information request - what have you got on me?

    Step 4, sue for not complying with the data protection act.

    Go to step 2 (or 3).

    And now, knowing that the records can't be deleted, step 4 could be substituted for "sue for not complying with freedom of information request".

    If they had data on you, and can't delete it, when they come back saying "we've got nothing mate" after the first time you sue, then you say "you're lying, I know you're lying" and repeat as necessary.

  12. Anonymous Coward
    Stop

    eh?

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."

    Most people won't expect this level of removal of their data. Just as they wouldn't expect every backup tape to be read and have their details removed from them.

    What most people (I would expect) will want by way of removing their record is to simply DELETE it. It will no longer be accessible within the system, and it will no longer be added to nightly (one would hope) backups. To state that the server needs to be sanitized is nothing more than particularly unimaginative FUD. People wanting their records removed don't need rocket science, they just want to be removed before the Government can balls up all their data again.

  13. Neil

    re: Unacceptable!

    I have asked SWEssex PCT why they removed it.

    They were "asked by CfH to change this wording".

    "So you have to opt out now, or always be included and never be able to opt out?"

    Yes.

    Pray your GP doesn't "accidentally" upload your records, because he/she won't be able to put it right.

    Neil

    www.nhsdatabase.info

  14. David Pollard

    Accurate data and accurate audit trails

    In order to be able to audit data to the highest possible level of accuracy, then it is necessary to be able to rebuild any part of the database starting from the earliest date of entry of information that it contains. If it is a requirement to be able to track malfeasance and accidental errors fully, then it is necessary to record who entered, amended or deleted what and when. (What happens, for example, if the wrong records are deleted by mistake? Can't happen?)

    When data can be selectively removed or amended without subsequent trace, then integrity is compromised. It's as simple as that.

    The solution seems to be to hold medical data locally wherever possible and to allow the data owners - the individuals to whom it relates - to check their details easily. Provided that access can be controlled on a similar basis to that which presently applies then there is no increased loss of confidentiality.

    The problem is that a national-scale dataset is useful for research that can't easily be done otherwise, though to allow this could also open the door to more nefarious uses.

  15. RW
    Unhappy

    A not-unheard-of mistake in design

    It strikes me that once again a public body in the UK is lying.

    If you build any kind of system with a "create" function and don't build a corresponding "delete" function as well, your database will slowly fill up with superannuated crap. In the present case, the records for all those who die or emigrate permanently.

    I have seen another system or two where this mistake was made, but iirc they were amateur hobbyist systems where such a design error would be understandable. Not, however, in a large, publicly funded system presumably designed by people with reasonable expertise.

    Sadly, I can't even get excited over another example of NuLab lying through its teeth; it's so very typical.

  16. anarchic-teapot

    Ah, Whitehallspeak

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."

    Reading between the lines here, Minister, I *think* what they're saying is that to remove one record they would need to blow up the data centre.

    Sounds good to me. Can I do it?

  17. Claire Rand

    cross reference

    so in effect they are saying that other systems will be cross referenced to this one, and can't handle the fact they may get what can be considered a NULL pointer?

    wonder if they realise they have in effect just signed up to an ever growing storage requirement for a virtually unlimited amount of data?

    pork anyone?

  18. Anonymous Coward
    Anonymous Coward

    Code

    I'll volunteer to write the PL/SQL code, the database triggers, the jobs to delete the records, don't think it will take long to write that code, oh, how about a day including testing? !

    (assuming it's Oracle of course...)

  19. Anonymous Coward
    Anonymous Coward

    Destruction of data

    "As with all digital records systems, complete removal would require the hardware holding records to be completely sanitised. This is a process that destroys all data held, for example on a server or hard drive, and not just a particular record."

    Yeah, this is complete bullsh*t, they are intentionally mixing up two quite different concepts:

    Deletion of the record from the database, and deletion of the data from the hardware, from the hard disk itself, to ensure confidentiality such that if the server is decommissioned and sold at some point in the future, they need to ensure the total destruction of the data on the hard disk.

    And yes, for the database management system to delete a record would not be sufficient to satisfy the requirement of total destruction of the data in the event the server has to be decommissioned.

    They are two totally different things, being brought together, mixed up quite intentionally by the DoH to justify why they can't delete the data. It's bollox, and anyone in IT knows it.
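
The two concepts that comment 19 (and comment 4's "'delete' is not synonymous with 'erase'") separate, plus comment 14's point that a deletion should still leave an audit trail, can be shown in a few lines against SQLite. This is an added example, not code from the thread or from any NHS system; the table names, the record, and the `opt-out-clerk` actor are constructed. It deletes a row through ordinary SQL, keeps a who/what/when audit entry without the clinical payload, and then scans the raw file to show that the payload bytes linger in free space unless the engine overwrites freed cells (`PRAGMA secure_delete`), which is the storage-layer concern the DoH statement conflates with record deletion.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample record; the identifier and allergy text are made up.
NID = "ZZ9-CONSTRUCTED"
SUMMARY = "CONSTRUCTED-ALLERGY-PENICILLIN-MARKER"


def marker_in_file(path: str, marker: bytes) -> bool:
    """Scan the raw database file, bypassing SQLite, for the payload bytes."""
    with open(path, "rb") as f:
        return marker in f.read()


def delete_experiment(secure_delete: bool) -> dict:
    """Insert one record, delete it with SQL, and report what is left behind.

    Returns whether the row is still queryable, whether the deletion was
    audited, and whether the payload bytes still sit in the file's free space.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "scr.db")
    con = sqlite3.connect(path)
    # Set the pragma explicitly: some distro builds of SQLite compile with
    # secure delete on by default, so the default cannot be relied upon.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE scr (nid TEXT PRIMARY KEY, summary TEXT)")
    con.execute("CREATE TABLE audit (nid TEXT, action TEXT, actor TEXT, at TEXT)")
    con.execute("INSERT INTO scr VALUES (?, ?)", (NID, SUMMARY))
    con.commit()
    # Deletion and its audit row commit together: the trail records who did
    # what and when, but never carries the clinical payload itself.
    con.execute("DELETE FROM scr WHERE nid = ?", (NID,))
    con.execute("INSERT INTO audit VALUES (?, 'delete', 'opt-out-clerk', datetime('now'))", (NID,))
    con.commit()
    rows = con.execute("SELECT COUNT(*) FROM scr WHERE nid = ?", (NID,)).fetchone()[0]
    audited = con.execute("SELECT COUNT(*) FROM audit WHERE nid = ?", (NID,)).fetchone()[0]
    con.close()
    result = {
        "row_queryable": rows > 0,
        "deletion_audited": audited == 1,
        "payload_in_free_space": marker_in_file(path, SUMMARY.encode()),
    }
    shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    print("secure_delete OFF:", delete_experiment(False))
    print("secure_delete ON: ", delete_experiment(True))
```

Even with the pragma on, this only covers the live file: backups, journals and decommissioned disks are the separate media-sanitisation problem the comment describes, and deleting the row does nothing about those.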

  20. Anonymous Coward
    Flame

    I understand how they work now

    Having your records put in the database....easy.

    Having your records scrubbed....impossible.

    Having your records lost....priceless (yes, they do it for free).

  21. Anonymous Coward
    Anonymous Coward

    @Neil, Re: re: Unacceptable!

    Thanks for that!
