I started losing my digital privacy in 1974, aged 11

We already live in a world where pretty much every public act - online or in the real world - leaves a mark in a database somewhere. But how far back does that record extend? I recently learned that record goes back further than I'd seriously imagined. On my recent tour of the United States (making it through immigration …

  1. Caver_Dave Silver badge

    If the old records showed you had your Appendix removed and you were in with suspected Appendicitis, then it would definitely be relevant. (More relevant now as they can do it keyhole through the Navel and so have no visible scarring.)

    1. Alex 72

      Medical records should be kept but access should be controlled

      I agree yes you want medical records kept, patient history is always useful and provided they are only shared with the patient or a doctor or other professional they have consented to be cared for by, and who is not engaged in malpractice, it's not harmful. The hard part is drawing the line on how much anonymised data can be used for research, ensuring that data remains anonymous and managing consent for sharing data when patients are treated elsewhere or researchers want to use data from multiple sources.

      And if you keep them for someone's entire lifespan then you should, provided they did not object in their lifetime and next of kin explicitly consent or at least don't object, probably archive it for future research in the near/medium term and historical value in the long term. Again, managing consent, allowing reasonable anonymised research in the public interest, preventing de-anonymisation and deciding the limits of how long parts of it stay private vs when genealogists and historians can have unrestricted access... is the challenge.

      To do any of this, effective durable storage, access control, authentication and authorisation are just some of the challenges. I have seen data analytics firms whose job is just this struggle to get everything correct, so a group of organisations just trying to provide healthcare, research, treatments, disease prevention.... Having to do this as an add-on with a limited budget, I am honestly impressed it's only now with ransomware we are starting to see issues and paper records were not being stolen and abused on a massive scale in the past...

      I don't know the answer but I don't think it's the delete key.

    2. MachDiamond Silver badge

      "If the old records showed you had your Appendix removed and you were in with suspected Appendicitis, then it would definitely be relevant."

      One would hope the medical staff would ask if you've ever had your appendix removed. It's not uncommon. The interview will be to try and rule out things before committing to surgery or to determine what can be the least invasive if they need to have a look around or know they need to go in and do some work right away.

      1. Claptrap314 Silver badge

        That rather assumes that you are in a position to answer, no? Suppose you are brought in, unconscious, after a major car accident. If they can ID you, you want them to have those records on tap.

  2. Gene Cash Silver badge

    Why would you ever delete patient data?

    Yes, seriously.

    I can understand other records, but not medical ones.

    I was able to get proper medical care, including surgery, for a broken coccyx after proving I had fallen off a hay bale in 1973 and seriously injured myself, and thus it was a chronic thing and not just the minor recent incident my doctor insisted it was. I would have otherwise not been considered eligible for the surgery.

    And after you're dead, it's no longer a privacy issue and becomes historical records. It's no different than census records.

    Should this data be held indefinitely? Yes.

    This is the same sort of data that let me piece together that my great^9 grandfather was Edward Reavis, born 1680 in Paddington, England, and left to come to Virginia, after being held in Newgate prison for his religious beliefs. He moved to Henrico county, Virginia in 1721 and died in Northampton county, North Carolina in 1751. I've also found 454 other relatives down to me, through a ton of things including bible notes, estate papers, census records, marriage records, medical records, military records, family papers, private letters, obituaries, social security records, tombstones, and even old wedding invitations.

    1. frankvw Silver badge

      Re: Why would you ever delete patient data?

      "I was able to get proper medical care, including surgery, for a broken coccyx after proving I had fallen off a hay bale in 1973..."

      Unfortunately that is a two-edged sword: insurance companies call that a pre-existing condition and may refuse you as a customer, hike your premiums, or exclude coverage for anything that could possibly be related to that fall, on the basis of that same data.

      1. Gene Cash Silver badge

        Re: Why would you ever delete patient data?

        I don't have insurance. It turns out it's cheaper to not have it, as you get a much reduced rate, instead of the insurance company getting the full bill and not paying 90% of it.

        The money that would have gone to premiums is in securities earning interest.

        1. Claptrap314 Silver badge

          Re: Why would you ever delete patient data?

          That depends entirely on how much contact you need with the medical system. For reference, the first numbers I check on insurance plans are the premiums and the out-of-pocket maximum. My wife has hit the latter number most years for decades...

          If that is not your experience, please do be aware that it is the experience of more than a few.

      2. Anonymous Coward

        Re: Why would you ever delete patient data?

        Insurance? Not for us in the EU/UK. In *civilised* countries, there's such a thing as universal health care. Having patient records up to date and online means that the paramedics can avoid drugs I'm allergic to, before I die on the road and they then get told about it by a doctor when they get to the morgue.

        1. Anonymous Coward

          Re: Why would you ever delete patient data?

          > Having patient records up to date and online means that the paramedics can avoid drugs I'm allergic to, before I die on the road and they then get told about it by a doctor when they get to the morgue.

          There is no need for "patient records" (assuming you meant a person's full/general record) to be made available to paramedics/ambulance crews/A&E staff - rather only such allergy and prescribed medicine information need be made accessible.

          In Northern Ireland such (limited) information is provided by the Emergency Care Summary (ECS) IT system, which would be fine if the ECS (as part of the NI Electronic Care Record) had ever actually operated lawfully (it has breached Data Protection law in numerous ways since its foundation 12+ years ago).

          1. Benegesserict Cumbersomberbatch Silver badge

            Re: Why would you ever delete patient data?

            You're happy for me to treat your STEMI without knowing what your angiogram results are? Informed consent requires me to tell you how much more likely that makes you to die; if you're happy to wait while I do that, fine. I'd rather get on with saving your life.

            1. Anonymous Coward

              Re: Why would you ever delete patient data?

              > You're happy for me to treat your STEMI without knowing what your angiogram results are?

              Not being medically trained I don't know what the above means.

              However my previous AC comment was specifically responding to the previous poster's comment about drug allergies.

              Obviously the HSC NI (i.e. "NHS in Northern Ireland") are "happy" for only allergy and prescription information to be automatically made available to ambulance and A&E staff.

          2. Joe W Silver badge

            Re: Why would you ever delete patient data?

            One of my friends has a tattoo just above her wrist, reading in wonderful flourished letters "diabetic".

        2. Anonymous Coward

          Re: Why would you ever delete patient data?

          "Having patient records up to date and online"

          Hahahahahahaha!! Oh wait, you're serious?

          I've recently had to come to the aid of a close family member who has had some age-related (plus some self-inflicted) health issues and I have lost track of how many times I've had to repeat the SAME information to people within the NHS and social services. Even between wards in the same hospital, as it turns out one is funded by the local authority rather than the NHS so it's on a different computer system. Encountering things like 'we don't send anything to your GP, you need to get them to request it from us'. It is all completely disjoint and broken.

          I nearly lost it completely with social services as there is one department that fitted an additional stair rail but fitting grab handles in the shower is someone else and they didn't have any grab handles in stock and it was going to be 8 weeks lead time as the supplier had none all while the people doing the discharge were moaning about bed blocking and saying 'they don't really NEED the grab handles?' despite the primary reason this person was in hospital was a fall at home.

          Heck, my GP can't even locate my previous lot of blood tests....

          1. Anonymous Coward

            Re: Why would you ever delete patient data?

            Data that goes into Palantir passes through a one-way valve.

    2. Filippo Silver badge

      Re: Why would you ever delete patient data?

      I agree. Sort of.

      Deleting data is the easy way to ensure privacy. Like a lot of easy ways, it mostly works for its intended purpose, but it has significant side-effects.

      The proper way would be to have a well-designed data ownership framework, both technical and legal, that allows me to declare who can access what of my data and when, regardless of storage. Then I could declare that e.g. my health data is only available to a list of entities I explicitly approved (e.g. my doctors), and if anyone else (e.g. an insurer) turned out to have it, I'd be able to sue and win easily. I wouldn't even have to prove it was obtained illegally, because there would be no lawful way for an insurer to have it. If there was such a system, then I mostly wouldn't need to delete my data in order to safeguard my privacy, and if I wanted it deleted, I would be able to do so myself - the system would automatically take care of clearing copies and caches, and the institutions holding them would not be able to prevent this, legally if not technically. Same process for revoking consents.

      Unfortunately, creating such a system would be an enormous task of both politics and technology. Not unfeasible, mind you. I sometimes like to hope I'd be able to see it in my lifetime. But I'm not holding my breath.

      Deleting data is the next best thing. Should there be an exception for health data? Possibly, but there would have to be a fix for the insurers problem.

      1. kmorwath Silver badge

        Re: Why would you ever delete patient data?

        This one. And it is not so difficult. Here my data are protected by medical card. But for urgent care - and that only after I approved it beforehand - to access my medical records such card is needed. The only stupid thing they did is it was managed in a US-like way, in a federal way. So there are tens of slightly different systems that do not talk to each other properly.

      2. disillusioned fanboi

        Re: Why would you ever delete patient data?

        First you need to be able to prove your identity. National identity cards would be useful for this. I honestly don't understand why the UK is so extremely allergic to the principle.

        On the other hand, I don't see why your gender or age should be on the card. If you want to prove you are a junior or a senior, that could easily be a separate piece of paper with a QR code. Scan the identity, scan the QR code, get result. Both issued by a national authority. Appropriate alert to your phone when your identity is accessed.

        1. Elongated Muskrat Silver badge

          Re: Why would you ever delete patient data?

          > I honestly don't understand why the UK is so extremely allergic to the principle.

          In the Netherlands, in the 1930s, they kept extremely good records of everyone's identity, including address, ethnicity, and religious background. When Germany invaded, they used this information to systematically track down and murder specific groups of people on an industrial scale.

          This is why people object to such a thing; not because it provides a convenient way to prove your identity, but because it can be abused to identify specific sections of society that are the scapegoat of the day, and commit genocide, or, at best, refuse them work, imprison them, or otherwise derogate their human rights. If you think there aren't well-funded powerful groups, on the rise in the UK, and elsewhere, right now, who would absolutely commit this kind of abuse, then you are so naïve that you should probably have a responsible adult assigned to you for your own wellbeing.

          1. Anonymous Coward

            Re: Why would you ever delete patient data?

            > In the Netherlands, in the 1930s, they kept extremely good records of everyone's identity, including address, ethnicity, and religious background. When Germany invaded, they used this information to systematically track down and murder specific groups of people on an industrial scale.

            And knowing that, it is surprising, despite all politicians saying "So we remember but never forget", that the Netherlands was very quick (and all-encompassing) to invent and execute a new registration system. SOFI number, burgerservicenummer (note the fact it is a SERVICE number!), iDEAL and more of these numbers; you will be refused flat out if you don't have it.

            But on the OP topic: keeping medical data is also good for later medical research. However... All medical, e.g. epidemiological, data is always anonymous. It is not the data that is the problem. The fact that they (want to) "tattoo it on your body" is, so "it is helpful when needed". Oh, and don't worry, we will keep it safe for you, so you, silly you, can't lose it.

            1. ChrisElvidge Silver badge

              Re: burgerservicenumber

              Is that so I'll always get fries with that?

              1. Anonymous Coward

                Re: burgerservicenumber

                Not at all! The Burger Service Nummer (BSN) is for the exclusive purpose of SuperSizing the mayo! ;)

            2. MrBanana Silver badge

              Re: Why would you ever delete patient data?

              The Dutch BSN is no different to a US Social Security Number, or a UK National Insurance number. It is linked to your medical records, so you can (if you choose) get healthcare that can communicate across different parts of your treatment plan. It is linked to your banking records so that you can make a one-off payment through iDeal without having to actually hand out your bank or credit card details. It is linked to your employment records. It is linked to your tax records. When the average citizen files their yearly taxes, most of the fields in the form are pre-filled with data from your bank, mortgage, employer etc. Sure, having a single point of attack is problematic for all these services - as it always will be when a single ID number is used for everything. But there are mitigations in place to minimise risk of identity theft.

              1. Anonymous Coward

                Re: Why would you ever delete patient data?

                > But there are mitigations in place to minimise risk of identity theft.

                Sure there are. There always are. No need for a backup plan, like that new technical invention called paper. Or humans for that matter. Trust us, we sent you details on it per email.

            3. jacampbell

              Re: Why would you ever delete patient data?

              “We learn from history that we do not learn from history.” ― Georg Hegel

          2. werdsmith Silver badge

            Re: Why would you ever delete patient data?

            > I honestly don't understand why the UK is so extremely allergic to the principle.

            The approach last time round was that we in the UK would have to have a national ID card that did no more than other existing forms of ID. And that we would have to pay for it and keep paying for it on every renewal. That's a major reason that they were told where to shove it.

            1. I could be a dog really Silver badge

              Re: Why would you ever delete patient data?

              Not only that, but by law you had to provide more information than was needed, and by law had to keep that up to date, and pay for it all. All backed up by fines for minor omissions.

              But IIRC the real thing that got people against it was the "and we'll do whatever we like with the information, link it to whatever other information we like, and you have no choice in that so there" attitude from government. I.e. there was not the slightest nod to data security or privacy.

              1. AndrueC Silver badge

                Re: Why would you ever delete patient data?

                > there was not the slightest nod to data security or privacy.

                To be fair there was little point. We'd have assumed they were lying or incapable of having a suitably secure system implemented.

                Possibly both.

                1. HPCJohn

                  Re: Why would you ever delete patient data?

                  I worked on the first PACS system in the UK - digital X-ray storage and viewing. (Yes, PACS covers other modalities.)

                  Before digital X-rays, films were routinely 'deleted' after a few years - X-ray film contains silver, which was recovered. Also, film is bulky to store.

                  Regarding digital imaging data there are requirements to store it for a certain number of years - I forget how many.

                  It is not an infinite time.

                  1. MachDiamond Silver badge

                    Re: Why would you ever delete patient data?

                    "Regarding digital imaging data there are requirements to store it for a certain number of years - I forget how many."

                    A friend of mine had a business that would digitize records for doctors/dentists and set up a workflow that captured new "paperwork" going forward. A mis-filed chart for a patient wasn't uncommon with paper and cost a lot of time to find them again. It was also tons of material to store with much of it for patients seen once or twice.

          3. RMclan

            Re: Why would you ever delete patient data?

            "In the Netherlands, in the 1930s, they kept extremely good records of everyone's identity, including address, ethnicity, and religious background. When Germany invaded, they used this information to systematically track down and murder specific groups of people on an industrial scale."

            In USA the IRS keeps records of all federal tax payments everyone makes alongside address and contact details. DHS sent the IRS a list of 400,000 suspected "illegal immigrants" with jobs who were supposedly paying tax. The IRS only matched against about 3% of them. DHS demanded the details of the 3%. The recently appointed (2 months ago) controller of the IRS refused. Trump fired the controller of the IRS and will now appoint someone who will illegally hand those details over to DHS so they can round up a specific group of people on an industrial scale.

            1. Anonymous Coward

              Re: Why would you ever delete patient data?

              Yes, that group of people would be "people who never belonged in the US" and not US citizens. See the difference? Of course you don't.

              1. gnasher729 Silver badge

                Re: Why would you ever delete patient data?

                Obviously if they did jobs that US citizens refused to do, got paid and paid taxes, health insurance and so on, then they belonged there.

                Most of the people complaining are just lazy, dim-witted thugs with nothing ever to be proud of in their life.

          4. kmorwath Silver badge

            Re: Why would you ever delete patient data?

            The idiocy was registering religion and ethnicity - which are useless. Still, the US census asks for such data, doesn't it? And again, despite that, Europe except the UK usually has ID cards, and nothing bad happens. Actually, identity theft is much, much harder this way.

            Meanwhile, banks, Facebook & Co. have the same data, even more, since they correlate anything - and don't worry, when an authoritarian government asks them - and they are working hard to build an authoritarian government so they can make money unrestricted - they will hand it over immediately.

            It's just a false sense of security - you have to fear an authoritarian government and ensure none will ever take power - but it looks like actually many people like dictatorships. And when one takes power, don't believe you're safe because there are no ID cards....

          5. MachDiamond Silver badge

            Re: Why would you ever delete patient data?

            "In the Netherlands, in the 1930s, they kept extremely good records of everyone's identity, including address, ethnicity, and religious background. When Germany invaded, they used this information to systematically track down and murder specific groups of people on an industrial scale."

            In France, the local Gendarme held a list of every household that had a firearm. The Germans found that handy as well.

            Just like ore, concentrations of data are juicy targets. The definition of "ore" is where there's enough value in mining it to make financial sense. Otherwise, it's just dirt or rock.

        2. Anonymous Coward

          Re: Why would you ever delete patient data?

          > I honestly don't understand why the UK is so extremely allergic to the principle.

          Ireland also does not have compulsory National Identity cards.

          According to Wikipedia, only 15 countries in the EU/EEA have compulsory ID cards: https://en.wikipedia.org/wiki/National_identity_cards_in_the_European_Economic_Area_and_Switzerland

          1. disillusioned fanboi

            Re: Why would you ever delete patient data?

            Fun fact, Ireland has invented credit-card sized passports. So they pass as ID cards.

            I try to show mine to as many people as possible to "spread the word", but lots of officials don't know what to do with them.

            1. Richard 12 Silver badge

              Re: Why would you ever delete patient data?

              How do you get your entry and exit stamps?

              Rather a lot of places get very angry if you don't have the right number of stamps, and quite a few of them are physically large.

            2. wimton@yahoo.com

              Re: Why would you ever delete patient data?

              A utility bill is still the pinnacle of identity in Ireland.

              1. Anonymous Coward

                Re: Why would you ever delete patient data?

                "A utility bill is still the pinnacle of identity in Ireland."

                As neither Ireland nor the UK have ID cards (I'm not counting Passports as that), and due to the CTA travel between Ireland and the UK is "borderless" I've had the joy of watching the Guards/Garda (Irish Police) doing "spot checks" on the Belfast to Dublin bus occasionally just after it crossed the border from Northern Ireland.

                There is no requirement for "locals" to carry ID (whereas AFAIK some immigrants are required to carry a plastic ID card issued to them by the Irish or UK gov). I remember one occasion where the only form of ID a woman could produce was her Tesco Clubcard (she was heading to Dublin for a day's shopping). The Guard readily accepted this as proof of her ID; I guess he was only really interested in "foreigners".

            3. MachDiamond Silver badge

              Re: Why would you ever delete patient data?

              "Fun fact, Ireland has invented credit-card sized passports. So they pass as ID cards."

              The US has one as well for use at the Canadian (possibly Mexico too) border. It's easier to handle than a regular passport and there are no stamps going in either direction for US citizens, although it is logged. Not only logged, but when passing through, the border patrol get a screen of data about number of trips, how long you stay, etc. The criminals often seem to forget the patrol has this info when they make up their story that doesn't fit those facts.

        3. doublelayer Silver badge

          Re: Why would you ever delete patient data?

          One intrinsic option if you have universal identification is that others start to ask for it, and now you have two problems:

          1. People you don't know or trust, assuming that you do trust your government, have copies of your identification information and may be storing it with terrible security procedures.

          2. It is now much easier to link all activities you've taken with that single identity, whereas there are various methods available for somewhat anonymizing other identifiers for you if you're motivated to do it.

          1. I could be a dog really Silver badge

            Re: Why would you ever delete patient data?

            You mean, like Social Security numbers in the US - where the official guidance is that it should never be used as an identifier, but many organisations do just that.

            1. Anonymous Coward

              Re: Why would you ever delete patient data?

              One of the companies I worked for actually used the SSN as the employee badge number. UPC-style barcode.

            2. MachDiamond Silver badge

              Re: Why would you ever delete patient data?

              "You mean, like Social Security numbers in the US - where the official guidance is that it should never be used as an identifier, but many organisations do just that."

              Like the DMV in many states who encode it onto the license? I had a local package store want me to allow them to scan my license. I left my purchases on the register and walked out. At my age, I shouldn't be required to show proof of age, but when asked, I tell them 1/1/1970 so they can go through the motions since the register requires something is typed in and is valid for purchasing bevvies.

              Conveniently, my DL's mag stripe is scrambled and the "bar" code is worn in places. Coppers can type the number into their computer and everything comes up, but they spend more time doing that and I'm all for making it harder on government to do things TO me when they should be doing things FOR me according to the lessons I had in school.

          2. kmorwath Silver badge

            Re: Why would you ever delete patient data?

            In today's world - you will be asked for proof of identity for many different reasons - even more than before. Would a bank lend you money without proof? And so on. And they will also share those proofs with other entities to vet them. So maybe having something that doesn't need to be shared with a lot of third parties is better?

            If you don't trust your government enough, ask yourself why? Maybe because you and others are voting to ensure there are crooks at the helm so you can ignore rules too? But in dictatorships, people get the politicians and governments they vote for.

            Companies like Google and Facebook have very sophisticated systems for correlating all your activities... and you still have many unique identifiers available. Can't understand why people fear government more than opaque financial and tech companies which have even more interest in exploiting people - and over which people have no power.

            1. doublelayer Silver badge

              Re: Why would you ever delete patient data?

              "In today's world - you will be asked for proof of identity for many different reasons - even more than before."

              Exactly my point. If identification is universal, it makes it very easy for anyone I interact with to demand it. I am of the opinion that a few things, yes, including getting a loan, justify collecting it, and most other things do not. If other places demand it, I do not approve and would like to prevent it, especially when they store something which, if it turns out they leaked it, will cause significant problems for me.

              "If you don't trust your government enough, ask yourself why? Maybe because you and others are voting to ensure there are crooks at the helm so you can ignore rules too?"

              An interesting theory, and we could probably debate why I approve or disapprove of various governments for a long time. It's irrelevant to this, though, because we often seek to restrain governments before they do dangerous things, not because we mistrust the people running them now but because the dangerous things are too prone to abuses.

              "in dictatorships, people get the politicians and governments they vote for"

              I think you may need to learn what dictatorships do again; it seems you missed out something the first time.

              "Can't understand why people fear government more than opaque financial and tech companies which have even more interest in exploiting people - and over which people have no power."

              That's an interesting interpretation of my post describing private users of the identity as the bigger risk than government, stating that you don't trust the private users and that you might, I even assumed it, trust the government. But to argue the point I never said, I do have a little more power over private companies because I have some choice of whether I interact with them. Not a lot, certainly, but if some business demands my passport in order to use their services, I can leave and try to find someone else's services, whereas if the government demands it, I probably don't have a choice. Hence, I will try to improve privacy in my connections with both types of groups to the meager extent available to me, and if you agree with any of those areas, I'd welcome your collaboration where we agree.

            2. MachDiamond Silver badge

              Re: Why would you ever delete patient data?

              "So maybe having something that doesn't need to be shared with a lot of third parties is better?"

              Banks have their own databases that are probably much better than the government's. It's also more focused on financial matters since that's what they want to know before approving a loan or extending credit. Google and Facebook want all your info since that gives them a larger customer base to sell into.

          3. MachDiamond Silver badge

            Re: Why would you ever delete patient data?

            "One intrinsic option if you have universal identification is that others start to ask for it"

            What? Like a phone number?

            1. doublelayer Silver badge

              Re: Why would you ever delete patient data?

              Yes, a little like that, but the fact remains that there are at least some things you can do if they request a phone number. In countries that don't require identification to obtain them, you can get another phone number, often for relatively little, which you can provide to people you don't trust. The risk of leakage is also much less. If someone who stored my phone number along with my name leaks it, I can expect scam calls. If someone who stored government identification on me leaks it, I can expect identity theft and, since gaining access to something with a phone number in it is likely, also scam calls. I'd prefer not being asked for a phone number unless they need it, but if the choice is between providing a phone number and scanning a passport or identification card, phone number, every time.

        4. Anonymous Coward
          Anonymous Coward

          Re: Why would you ever delete patient data?

          > First you need to be able to prove your identity. National identity cards would be useful for this.

          > I honestly don't understand why the UK is so extremely allergic to the principle.

          "Papers please!"

          Brit here. I'm always amazed when watching clips of cops in America how routinely they ask people for their ID, and everyone thinks that it's normal.

          The nearest I have to ID is my credit card, or maybe a "utility bill showing my address". Obviously I don't go around carrying that, and often I'll be out and about without my credit card.

          Always carrying ID to leave the house is the antithesis of freedom.

          1. disillusioned fanboi

            Re: Why would you ever delete patient data?

            My first trip abroad, when I was 12 or so, my mother tried to write my name and address on my skin!

            In the UK, if you're driving the traffic cameras record your every movement, for more detail you're carrying a mobile phone that's constantly telling the phone company where you are.

            I think it's fair to say that carrying a proof of identity is not a relevant factor in your privacy, and can be useful in many situations.

            Equally I think any national government has the right to know who is living in the country.

            1. Anonymous Coward
              Anonymous Coward

              Re: Why would you ever delete patient data?

              I often go for walks, or to the beach without my car or a phone.

              Anyway, it's more the principle of the thing, like I think the previous poster was suggesting.

              > Equally I think any national government has the right to know who is living in the country.

              That's some scary thinking right there.

            2. Elongated Muskrat Silver badge

              Re: Why would you ever delete patient data?

              Traffic cameras with ANPR can indeed be used to track vehicles, but they are generally widely spaced, so can only really be used to say if a vehicle was in a certain area at around a given time, if it happens to have driven past one, most of which will be on main roads, motorways, and routes into and out of city centres. It's quite possible to drive around all day and not pass one if you are on local or minor roads.

              As for mobile phones, they can be used to work out which mast your phone was near at a given time, again, this isn't exactly fine-grained information, and isn't going to work if you leave your phone at home, turn it off, or are in a building with thick walls, or underground, unless there are repeaters within that structure to provide a signal (such as those now fitted to most stations on the London Underground).

              It's worth noting that neither of these things actually proves your identity, they provide information about the location of your car, and the location of your phone. These can be loosely tied to your identity, but unless your phone is surgically grafted to you, or you are part-man-part-car, that is all. There's a reason you get a letter asking if you were the one driving the vehicle when you get caught by a speed camera.

              1. Anonymous Coward
                Anonymous Coward

                Re: Why would you ever delete patient data?

                > As for mobile phones, they can be used to work out which mast your phone was near at a given time, again, this isn't exactly fine-grained information

                The mobile networks' idea of your location is more fine grained than that - as a mobile phone is surprisingly designed to be mobile then the mobile networks have to be able to handle handoffs between adjacent mast sites. In order for this to work the network has to not only know which cell you are in but also your phone's signal strengths with adjacent cells.

                Based on these measurements of signal strengths for multiple mast sites and the rate of change in those signal strengths then an estimate of movement speed (which would indicate if you are walking or driving) and direction can be calculated.

                1. Elongated Muskrat Silver badge

                  Re: Why would you ever delete patient data?

                  Whilst this is true, in open spaces, in places where people are concentrated, such as towns and cities, there are many things that can affect signal strength. Buildings block, reflect, and destroy signals, as do various sources of RF. I frequently find my phone switches between cells (or between 4G and 5G services) while lying in bed at home, which would imply that the relative signal strength between towers is varying without me even moving (or that they are doing some sort of load-balancing). In rural areas, where towers are few and far between, even the sort of triangulation that can be done across wide open spaces is going to give limited accuracy. Admittedly, a lot of cell towers are directional and aimed along sections of road or railway, so may give better accuracy for moving vehicles, but there are also still plenty of dead spots in rural areas (as I discovered when driving around Suffolk recently and attempting to use Google Maps to find specific rural churches).

                  So, yes, triangulation *can* give fairly good location accuracy, in some cases, but it is also far from universal. It has uses, notably for police knowing which cell a phone was attached to when it was turned off, or lost power; my understanding is that they still have to apply to get this information from the mobile operator.
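
The two posts above describe the mechanism (ranges inferred from per-cell signal strength, speed from how those ranges change) and its failure mode (buildings and reflections shifting the strengths without the handset moving). The following is an added example, not code from the original thread or any operator: it turns a constructed three-tower layout and an assumed log-distance path-loss model into a trilateration, then repeats the fix with Gaussian "shadowing" added to the reported strengths to show how quickly urban RF clutter degrades the estimate. Tower positions, transmit power, reference loss and path-loss exponent are all assumptions chosen for illustration.

```python
"""Handset localisation from per-cell signal strength (added example).

A log-distance path-loss model turns each tower's RSSI into a range; three
ranges are trilaterated by least squares; two fixes 30 s apart give speed.
Gaussian "shadowing" models the buildings and reflections that make the
same position report different strengths from minute to minute."""
import math
import random

# Constructed tower layout, metres. Three non-collinear macro sites (assumed).
TOWERS = {"A": (0.0, 0.0), "B": (1500.0, 0.0), "C": (750.0, 1300.0)}
TX_POWER_DBM = 43.0    # assumed effective radiated power
REF_LOSS_DB = 40.0     # assumed loss at 1 m reference distance
PATH_LOSS_EXP = 3.0    # assumed exponent (2 = free space, 3-4 = urban)


def rssi_from_distance(d_m):
    """Log-distance model: received power (dBm) at d_m metres."""
    return TX_POWER_DBM - REF_LOSS_DB - 10 * PATH_LOSS_EXP * math.log10(max(d_m, 1.0))


def distance_from_rssi(rssi_dbm):
    """Invert the model: range estimate (m) for a measured RSSI."""
    return 10 ** ((TX_POWER_DBM - REF_LOSS_DB - rssi_dbm) / (10 * PATH_LOSS_EXP))


def trilaterate(report):
    """Position (x, y) from {tower: rssi}. Subtracting the first tower's
    circle equation from the others gives linear rows, solved by normal
    equations; with three towers that is an exact 2x2 solve."""
    names = list(report)
    rng_m = {n: distance_from_rssi(report[n]) for n in names}
    x0, y0 = TOWERS[names[0]]
    d0 = rng_m[names[0]]
    rows = []
    for n in names[1:]:
        xi, yi = TOWERS[n]
        di = rng_m[n]
        rows.append((2 * (xi - x0), 2 * (yi - y0),
                     d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    t1 = sum(a * c for a, _, c in rows)
    t2 = sum(b * c for _, b, c in rows)
    det = s11 * s22 - s12 * s12
    return (s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det


def handset_report(true_pos, shadowing_db, rng):
    """Constructed measurement: model RSSI per tower plus zero-mean Gaussian
    shadowing of the given standard deviation (0 = open country)."""
    report = {}
    for name, (tx, ty) in TOWERS.items():
        d = math.hypot(true_pos[0] - tx, true_pos[1] - ty)
        noise = rng.gauss(0.0, shadowing_db) if shadowing_db > 0 else 0.0
        report[name] = rssi_from_distance(d) + noise
    return report


def speed_mps(p1, p2, dt_s):
    """Straight-line speed between two fixes taken dt_s seconds apart."""
    return math.hypot(p2[0] - p1[0], p2[1] - p1[1]) / dt_s


def demo(shadowing_db, seed=7):
    """Handset moves 400 m east in 30 s (48 km/h). Returns the worse of the
    two position errors (m) and the speed estimate (m/s)."""
    truth = [(500.0, 400.0), (900.0, 400.0)]
    rng = random.Random(seed)
    fixes = [trilaterate(handset_report(p, shadowing_db, rng)) for p in truth]
    err = max(math.hypot(f[0] - p[0], f[1] - p[1]) for f, p in zip(fixes, truth))
    return err, speed_mps(fixes[0], fixes[1], 30.0)


if __name__ == "__main__":
    for sigma in (0.0, 4.0, 8.0):
        err, v = demo(sigma)
        print(f"shadowing {sigma:3.0f} dB: worst fix error {err:8.1f} m, "
              f"speed {v * 3.6:6.1f} km/h")
```

With no shadowing the fix is exact and the speed comes out at 48 km/h; a few dB of shadowing, which is modest for a built-up area, moves the fix by tens to hundreds of metres and the speed estimate with it. A real network has more towers and sector antennas to average over, but the sensitivity of a range-from-RSSI fix to the local RF environment is the point.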

                  1. AndrueC Silver badge

                    Re: Why would you ever delete patient data?

                    There is also Advanced Mobile Location for emergencies though whether it's supported or not apparently depends on the mobile phone and the network provider. According to Wikipedia it is deployed in the UK.

                    Whether or not it can be activated remotely and how much of a legal faff is required to do so is unknown.

                    1. M.V. Lipvig Silver badge

                      Re: Why would you ever delete patient data?

                      It can be activated remotely, and if you call an emergency number the phone will activate it, presumably because if you're calling emergency services you want to be found. In the US, all it would take is a warrant to turn it on remotely, and depending on how many cell towers you are connected to they can get to within 3 feet.

                      Later on, when the cell phones add on satellite connections, they will be able to pinpoint you to the inch in three dimensions - and may even see the top of your pointy head depending on how surveilly they decide to get in the future by putting cameras on board.

                  2. MachDiamond Silver badge

                    Re: Why would you ever delete patient data?

                    "So, yes, triangulation *can* give fairly good location accuracy, in some cases, but it is also far from universal. It has uses,"

                    All that may be able to be sorted is that you were "in the area", not in the bank vault at 9pm. You might have been in the chippy at the end of the block and had nothing to do with the burglary. As a sole piece of evidence, your phone's location isn't enough to hang you, but can be a piece of the puzzle to go along with your past arrest record of bank burglaries, a partial fingerprint inside the vault in question and your sudden purchase of a flash car with cash while you were "unemployed".

                    I keep data/wifi/BT off on my phone unless I'm using them. The phone co knows where I've been, but I'm not leaking the same amount of spoor as I might. It also saves loads on battery usage to not have all of that switched on. I've also been on long trips and just switched the phone off so it wasn't going to full power to ping towers along the way when I didn't need it. If somebody fails to leave a VM, they didn't call.

              2. MachDiamond Silver badge

                Re: Why would you ever delete patient data?

                "Traffic cameras with ANPR can indeed be used to track vehicles, but they are generally widely spaced, so can only really be used to say if a vehicle was in a certain area at around a given time, if it happens to have driven past one, most of which will be on main roads, motorways, and routes into and out of city centres. It's quite possible to drive around all day and not pass one if you are on local or minor roads."

                I knew a Los Angeles police officer and he told me of a course they took to demonstrate the sort of data they had on vehicles. The officers were allowed to search their own personal cars at the class. He told me that there were loads of hits on his license plate. Data is gathered from readers on patrol cars, fixed locations, temp locations, etc. He lived north of LA and worked a 3/4-4/3 schedule and had a van conversion he would sleep in parked at a city facility and used another car to commute from his home to LA and back. His work schedule was pretty obvious from the data he was allowed to see. For somebody living in the area and running errands, the movements would be very telling. The officers were also shown some of the ways the data could be analyzed. If a family was sharing one car, who had it when could be shown. If they did a school run, estimates could be made on the age and number of children they had (not all grades get out at the same time). All of the things they could assume just got refined with more data. Consider that the ANPR stuff doesn't require a subpoena. They do keep it limited so it can't be accessed by just anybody at the PD and gratuitous snooping was verboten. Files of VIPs were flagged so peeking at their files without a legitimate need would get a detective in trouble.
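
The post above describes the kind of inference a plate-read database supports: a work schedule falling out of nothing more than timestamps and reader locations. The following is an added example, not code from the original thread or any police system: it takes a constructed week of (timestamp, camera, plate) reads for one vehicle and derives which weekdays it reaches the city, its typical city arrival and departure, and which days it was seen only on the home side. The camera names, their placement and every read are constructed for illustration.

```python
"""Routine inference from ANPR plate reads (added example).

Given only (timestamp, camera, plate) records, work out which days a
vehicle reaches the city, when it typically arrives and leaves, and which
days it was seen only near home."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed reads for one vehicle over a week. N1 is a fixed reader on
# the main road out of a northern suburb; C1 is on a city-centre approach.
SAMPLE_READS = """
2024-03-04T06:42 N1 AB12CDE
2024-03-04T07:16 C1 AB12CDE
2024-03-04T18:04 C1 AB12CDE
2024-03-04T18:41 N1 AB12CDE
2024-03-05T06:39 N1 AB12CDE
2024-03-05T07:12 C1 AB12CDE
2024-03-05T18:10 C1 AB12CDE
2024-03-05T18:45 N1 AB12CDE
2024-03-06T06:45 N1 AB12CDE
2024-03-06T07:20 C1 AB12CDE
2024-03-06T17:58 C1 AB12CDE
2024-03-06T18:33 N1 AB12CDE
2024-03-07T06:41 N1 AB12CDE
2024-03-07T07:14 C1 AB12CDE
2024-03-07T18:07 C1 AB12CDE
2024-03-07T18:42 N1 AB12CDE
2024-03-08T10:31 N1 AB12CDE
2024-03-09T11:05 N1 AB12CDE
"""

CITY_CAMS = {"C1"}   # assumed: which readers count as "in the city"
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_reads(text):
    """Parse 'ISO-timestamp camera plate' lines into (datetime, cam, plate)."""
    reads = []
    for line in text.strip().splitlines():
        ts, cam, plate = line.split()
        reads.append((datetime.fromisoformat(ts), cam, plate))
    return reads


def reads_by_day(reads, plate):
    """Group one plate's reads by calendar day, in time order."""
    days = defaultdict(list)
    for ts, cam, p in sorted(reads):
        if p == plate:
            days[ts.date()].append((ts, cam))
    return dict(days)


def infer_routine(days, city_cams=CITY_CAMS):
    """Weekdays with a city sighting, typical city arrival/departure as
    decimal hours (median over days), and days seen only on the home side."""
    city_weekdays, arrivals, departures, home_only = set(), [], [], []
    for date, hits in days.items():
        city_hits = [ts for ts, cam in hits if cam in city_cams]
        if not city_hits:
            home_only.append(date.strftime("%a"))
            continue
        city_weekdays.add(date.strftime("%a"))
        first, last = min(city_hits), max(city_hits)
        arrivals.append(first.hour + first.minute / 60)
        departures.append(last.hour + last.minute / 60)
    return {
        "city_days": sorted(city_weekdays, key=WEEKDAYS.index),
        "arrival_hour": round(median(arrivals), 2) if arrivals else None,
        "departure_hour": round(median(departures), 2) if departures else None,
        "home_side_only": sorted(home_only, key=WEEKDAYS.index),
    }


if __name__ == "__main__":
    days = reads_by_day(parse_reads(SAMPLE_READS), "AB12CDE")
    print(infer_routine(days))
```

Eighteen reads are enough to label the vehicle as a Monday-to-Thursday commuter arriving around 07:15 and leaving around 18:05, with Friday and Saturday spent locally. Everything else the post mentions (shared cars, school runs) is the same grouping applied across more plates and more readers.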

            3. Anonymous Coward
              Anonymous Coward

              Re: Why would you ever delete patient data?

              > for more detail you're carrying a mobile phone that's constantly telling the phone company where you are

              How else do you expect your mobile phone to work? The mobile network has to know (approximately) where you are at all times in order for phone (and sms and data) service to work.

              If you don't want the mobile phone company knowing where you are then either set your phone to Airplane Mode or switch it off - but then don't complain that you cannot make or receive calls etc.

            4. MachDiamond Silver badge

              Re: Why would you ever delete patient data?

              "I think its fair to say that carrying a proof of identity is not a relevant factor in your privacy, and can be useful in many situations."

              Outside of a traffic stop many years ago, I don't think I've had any government entity outside of the post office ask for my ID. The post office wanted it to verify it was me picking up a package. I also needed to present it when I applied for a PO Box along with something that showed my name and physical address such as a utility bill. My DL has my PO box on it. The police will see my physical address if they run my ID, but everybody else won't.

              I don't leave the house without my wallet since if I'm leaving the house I'll likely need something that's in it. If I were stopped by the police for an investigation they were conducting, they need to be sure I'm who I say I am before I'm free to go. It's highly unlikely it would be me they're looking for so the sooner I can allay any suspicions I'm who they are looking for, the sooner I'm on my way. If I'm driving, of course I must have my license with me, it's a requirement. I'd rather not have my time wasted going to the police station to be fingerprinted and then wait while nothing comes back and I have to do it again and wait some more all for nothing. One can whinge all they like about the intrusion of needing to show an ID and how it's not legally required to have one at all times, but they are going to identify you one way or another since THAT is something they can legally require. I'd just as soon fight the fights worth fighting and stay out of the ones that aren't. When the bouncer says you're 86'd, you leave or they make you leave. There's no point in pleading your case with them or resisting and bouncers don't have powers to put you in a cell for the night until they get to the bottom of something and the entity they need to confer with isn't open until 8am and it's 6pm right now.

              1. Anonymous Coward
                Anonymous Coward

                Re: Why would you ever delete patient data?

                "If I'm driving, of course I must have my license with me, it's a requirement."

                I assume you live in the USA.

                In the UK it is not a requirement to have your driving licence whenever you are driving. If the police stop you and you don't have it with you then typically you can be required to turn up at the local police station within 7 days to present the licence.

      3. Adair Silver badge

        Re: Why would you ever delete patient data?

        There's a thing in Physics that 'information' cannot be destroyed, which kind of translates to digital data, on the basis that once a digital record has been created, especially at an institutional level, it is very difficult to guarantee that copies of the data are not held somewhere.

        Just as when the Police promise that your data will be/has been deleted after enquiries have concluded no action is required. Yeah, right.

        Which reinforces the point above that 'effective ethical management', rather than 'deletion', is probably the more useful way to go, even alongside an active 'deletion' policy.

        1. Filippo Silver badge

          Re: Why would you ever delete patient data?

          Exactly. I'll grab the chance to add a concept to my post - "deletion" is a technical solution to a legal problem, which is why it can only ever be a partial solution.

          Ultimately, the fundamental issue is that, currently, if I find out that someone has my personal data, it's far too difficult to define whether they have it lawfully. There are far too many different lawful ways to get my personal data, and orders of magnitude more "semi-lawful" ways to get it which would take far too many lawyers to navigate. It cannot be any other way: data is far too easy to copy, transmit and store. Once it exists, you cannot hope to prevent others from having it.

          But if there was only one way of having it lawfully, clearly defined, easily verifiable, easily revokable, then suddenly the nature of data as "21st century uranium" becomes manifest. Then everyone handles it very carefully, only uses as much as needed and no more than that, and if they are storing it illegally, they can't do anything too obvious with it, which by itself prevents most abuse. Mr. insurer can't deny me coverage based on data they are not supposed to have, if they know that as soon as anyone finds out they will be sued out of existence, with zero possible defenses as just having unauthorized personal data is illegal by itself, regardless of how it was acquired or its declared purpose.

          This is a legal solution, and it would work. It needs a technical framework, which would be difficult but feasible. The main obstacle is that there are far too many and far too powerful actors that thrive on the legality of data ownership being ill-defined.

          1. I could be a dog really Silver badge

            Re: Why would you ever delete patient data?

            I only partly agree because much of that is already enshrined in EU & UK GDPR - if you hold or process personal information and don't have a legal basis for holding or processing it then you are breaking the law<period>. It is true that people are "creative" with their interpretation of the rules, but the rules are actually not that complicated.

            The big problem is that we have a body which is supposed to enforce this, but anecdotally won't do anything unless it's on the scale of the Facecesborg/Cambridge Analytica incident. Even when it does act, it doesn't do much more than tell people "don't do it again or we'll tell you more strongly not to do it again". So basically unless you do something spectacularly bad, the likely penalties will be loose change from the back of the sofa scale to many.

            1. Anonymous Coward
              Anonymous Coward

              Re: Why would you ever delete patient data?

              > The big problem is that we have a body which is supposed to enforce this, but anecdotally won't do anything unless it's on the scale of the Facecesborg/Cambridge Analytica incident. Even when it does act, it doesn't do much more than tell people "don't do it again or we'll tell you more strongly not to do it again". So basically unless you do something spectacularly bad, the likely penalties will be loose change from the back of the sofa scale to many.

              The ICO is even worse with Public Authorities - their current policy is "we don't punish Public Authorities at all for their past breaches of data protection law, rather we work with them to improve their future compliance".

              Another factor is that the ICO gets to decide what they actually investigate - I previously raised a complaint regarding activities that occurred both whilst the current GDPR (since 25th May 2018) and the previous UK DPA 1998 were in effect - the ICO case officer initially claimed that the ICO currently had no powers to investigate issues that occurred prior to the GDPR's introduction, then later when I complained the story was changed to "the ICO has a *policy* of not investigating issues that occurred prior to the GDPR's introduction unless criminal activity occurred", then when I pointed out the potential (UK DPA 1998-defined) criminal offences that my complaint covered the ICO again changed its story to "the ICO has a policy of not investigating issues that occurred prior to the GDPR's introduction unless criminal activity occurred and only if sufficient complaints have been received" (i.e. my individual complaint was not sufficient).

          2. JT_3K

            Re: Why would you ever delete patient data?

            I don't disagree in an ideal world. The ultimate challenge with your hypothesis is that *you* own your data and as such get to deem who can hold and process it. Your insurer can't deny you based on information they're not supposed to have...but let's extrapolate (with some hypotheticals around both you and "placeholder" organisations/scenarios). I cite the EU's "choose your browser" debacle or "this site contains cookies" popups for how much the public hate being bombarded with choices, so another of these around "we're storing data" would be popular. Remember that if you accept once for a period, and your data is sold in period, then retract, your data can't be un-sold.

            You have a $socialmedia profile and have done since '08 when, at the (legal, terms-appropriate) age of 13, you selected some options about your data - perhaps not understanding yet, perhaps not caring, perhaps just not intending to use $socialmedia for "that". You're diagnosed with $condition in 2021 and join a group for that on $socialmedia to discuss and get support. Your insurer legally purchases a number of email addresses from $socialmedia company, based on permissions you gave at sign up, who are members of groups with $condition in the title as part of a wider profiling approach and cross-reference that against prospects or customers. They see you have 3x accounts on 3x platforms. Another dataset from $searchengine (because you're registered under your country's local extension of the UK's Online Safety Act so it's tied to your email) shows you interacted with an advert for $medicalproduct that has good applications for $condition and/or your search results show you suffering complications. Your store card data shows your purchasing habits changing because of $condition, and you agreed to the data use by signing up - noting that in the UK, pricing without one is ~30-40% higher on around 30% of your shop.

            $insurer now has a decent idea that you (whether you and your medical provider has noticed it or not) are significantly more advanced with $condition and has profiled you in the 5% that will degrade at greater cost to them. As such they refuse insurance and cancel your policy. With car insurance in the UK, this insurer-side cancellation has to be declared in future and is punitive so not only is there a highly visible marker on you as a warning to others, but costs skyrocket - if you can get insurance.

        2. Anonymous Coward
          Anonymous Coward

          Re: Why would you ever delete patient data?

          Not sure where you get "'information' can't be destroyed in Physics" from, because atom bombs are amazingly good at destroying information. Perhaps there's some odd definition of "information" of which I was previously unaware?

          1. Anonymous Coward
            Anonymous Coward

            Re: Why would you ever delete patient data?

            Well, if you want to be pedantic, he's right.

            Not even black holes can destroy information - see https://en.wikipedia.org/wiki/Black_hole_information_paradox

        3. MachDiamond Silver badge

          Re: Why would you ever delete patient data?

          "Just as when the Police promise that your data will be/has been deleted after enquiries have concluded no action is required. "

          In places that have an ability to issue a "caution", it becomes a way to log information when an officer doesn't feel they have enough probable cause for an arrest, but still have a gut feeling that you aren't a little angel. It's a good mechanism so data is captured and can be retrieved if more information comes in.

      4. Anonymous Coward
        Anonymous Coward

        Re: Why would you ever delete patient data?

        > The proper way would be to have a well-designed data ownership framework, both technical and legal, that allows me to declare who can access what of my data and when, regardless of storage.

        Well Northern Ireland has had an IT system for providing various organisations with access to people's health data, the NI Electronic Care Record (NIECR), for 12+ years now.

        However the NIECR has *never* actually complied with Data Protection law and so the "checks and balances" you referred to have not been in place:

        "allows me to declare who can access what of my data" - the NIECR initially had an opt-out (not opt-in!) available for people to prevent their GPs (but not other organisations!) from sharing their health data with the NIECR system. "Good" if you knew about it, not so good if you didn't. However the opt-out did not let you control which organisations could access your health data on the NIECR system, it only controlled whether or not your GP's records system automatically shared your details with the system itself.

        The NIECR itself had another opt-out mechanism where, again if you knew it existed, you could fill in a paper form to "lock" your personal data which was already stored on the NIECR system from being accessed by anyone. This "lock" blocked all access, there was no selective lock mechanism to control only specific organisations' access. Of course this 2nd opt-out mechanism was unilaterally withdrawn 7 years after the NIECR's launch due to the "success" of the NIECR, despite those opt-out forms clearly stating any "lock" could only ever be removed by the individual themself and only when/if they submitted a "lock removal" form.

        > Then I could declare that e.g. my health data is only available to a list of entities I explicitly approved (e.g. my doctors), and if anyone else (e.g. an insurer) turned out to have it, I'd be able to sue and win easily. I wouldn't even have to prove it was obtained illegally, because there would be no lawful way for an insurer to have it.

        Dream on!

        Meanwhile in the real world, the NIECR has been a voluntary agreement between multiple organisations (mainly Hospital Trusts and the organisations running NI's GP Practices) acting as Data Controllers. However since its launch in 2013 there has never been any *valid* written agreement in place between these organisations.

        Data Sharing Agreements (DSAs) were written in 2013 and 2016 which were intended to define the NIECR arrangements, however neither of these ever came into effect. Another DSA was written in 2023 (10 years after NIECR's launch!) and allegedly came into effect but this document has various issues/mistakes in it that question its legality. Also for the whole of the NIECR's lifetime no legally valid contracts were implemented for the NIECR Data Controllers to lawfully engage any Data Processor used, something that both the existing (UK) GDPR and the previous UK DPA 1998 have required.

        > if I wanted it deleted, I would be able to do so myself - the system would automatically take care of clearing copies and caches, and the institutions holding them would not be able to prevent this, legally if not technically.

        In the case of the NIECR I have attempted to have my personal (health) data (previously shared against my wishes by my GP with the NIECR) deleted from the NIECR system but this has not occurred despite ICO intervention. The ICO decided both my GP Practice and the central IT organisation breached data protection law in failing to delete my personal data from the NIECR, but the ICO took *no* action despite this finding, not even to demand that my data be deleted - it still remains on the NIECR despite the ICO's findings.

        Allegedly NIECR is considered a Public Record and so personal data on the NIECR cannot be deleted.

      5. MachDiamond Silver badge

        Re: Why would you ever delete patient data?

        "The proper way would be to have a well-designed data ownership framework, both technical and legal, that allows me to declare who can access what of my data and when, regardless of storage."

        Storage is a big problem. Just peruse Reg articles on data breaches. That data isn't just held for ransom, it gets sold to Big Data companies and once out, it never gets locked up again.

        1. M.V. Lipvig Silver badge

          Re: Why would you ever delete patient data?

          If the proposed framework were in place, those large companies would stop buying the data, taking away incentive by ransomware folks to collect it. Why bother if it can't be quickly and easily sold? Sure, they could possibly build blackmail profiles with it, but that requires spinning the Wheel 'O Effort a lot faster, with a much smaller possible payout. Most folks merely have mildly embarrassing information out there, and would not pay to keep their predilection for, say, sniffing shoes a secret. And, that person would just claim that $Ransomware threatened to start telling people that "lie" if he didn't pay them not to. Maybe 1 in 100,000 might have a secret worth paying to keep quiet, but that would still mean building 100,000 profiles with no guarantee that 1 would pay.

          1. MachDiamond Silver badge

            Re: Why would you ever delete patient data?

            "If the proposed framework were in place, those large companies would stop buying the data, taking away incentive by ransomware folks to collect it."

            Anything that has value will be bought and sold. It's not the data itself that can become the product, but the results of analysis on that data. If I'm thinking of opening a dance school in an area, it would be great if I could buy a map that shows the density of households with young girls so I can site the school nearby. My mom is older and the pharmacy near the retirement community she lives in does loads of business. That's an obvious pairing, but if that pharmacy wanted to open a new shop, having a density map of homeowners over 60 can help them zero in on a good location that isn't next to a retirement community. A Kosher deli will do better in a neighborhood with lots of Jewish people, and so forth. The more data those companies can bring in, the more diverse their customer base can be and they won't be handing out PII too specific.

            I've heard of a few data businesses that took some work to get set up, but wind up taking very little staff or hands-on input to provide their service. I only have a vague recollection of an article I read so I can't offer a link to the story.

    3. This post has been deleted by its author

    4. Not Yb Silver badge

      Re: Why would you ever delete patient data?

      Simplest reason? Because doctors (and computer databases) can be wrong, and the wrong diagnosis can follow a patient around for much longer than it should, influencing doctors to make the wrong conclusions long after the diagnosis should have been tossed out as incorrect.

      1. chuckrman

        Re: Why would you ever delete patient data?

        What you are touching on is the hard part of treating any patient.

        From the care providers perspective they will ask: How reliable is the information I have? Is the information I am getting from the patient themselves reliable?

        People forget, as you mentioned a misdiagnosis can lead to wrong conclusions, an error can follow you around because records cross. Who should ultimately be evaluating your records to determine if something is correct? The vast majority of patients are not experts in the medical field. Patients may learn a lot if they self advocate and seriously speak to their care providers and can understand what they are being told. Generally speaking, I trust my care providers to be better informed than myself. But each time I interact with a new provider there is a discussion where we go over those records. I think it is really a shared responsibility. And this is from someone who is considered competent. There are many people who are not competent and have court appointed guardians. These guardians may not have very much information or personal experience with the person they are caring for especially if they are just appointed.

        Personally, I don't think there will be a "right" answer here. We have to either trust the care providers or not. We have to trust the folks doing data entry or not. Or as is a common phrase in my line of work "trust but verify" and that is really where I think things will land varying on the individual's relationship with their providers. Advocate for yourself but listen to what you are hearing from your providers. Acknowledge they are human as well as yourself and work with it from there.

        Short anecdote. I had the same doctor as my father for a while and we have the same name (technically I am Junior but never use it). Once when my records were being pulled so I could give them to a new provider, my father's records were mixed with my own. These were paper records that were scanned and put on CD. New Dr gets them and sees the error (the birthdate is on top of each page). However they are all one PDF file. It stayed in the EMR system that way, so occasionally I had to speak up with the nurse, but the Dr knew me well enough that the mix up was not an issue. So yeah, I can see mistakes being in the system and we as patients will have to advocate for ourselves.

        1. MachDiamond Silver badge

          Re: Why would you ever delete patient data?

          "However they are all one PDF file. It stayed in the EMR system that way so occasionally I had to speak up with the nurse but the Dr knew me well enough that the mix up was not an issue. "

          With "old fashioned" paper records, the wrong pages could be pulled from the file and put back or destroyed as needed. With a PDF, it can be baked in with no changes possible short of creating a new record from scratch and finding a way to delete the wrong one or at least mark it as deprecated. I see the merit in making it difficult to change some things or delete them, but it can also mean that errors live forever if no way is provided to make corrections. There are plenty of check boxes that you don't want being ticked the wrong way. If you've never had your appendix removed, you don't want a box ticked that you have, or vice versa. A doctor might rule out appendicitis based on the chart and not check with you in time to get you into surgery before something really bad happens.

    5. MachDiamond Silver badge

      Re: Why would you ever delete patient data?

      "And after you're dead, it's no longer a privacy issue and becomes historical records. It's no different than census records."

      Some data, sure, but something such as a broken coccyx, not really. Historical records for something like that don't need to live on as PII as much as things that have public health ramifications.

      I believe that those records are a matter of privacy if they have even the slightest chance of impacting family members in a negative way. Even in places that have socialized medicine, it's not unlimited and people wind up having to pay for treatment from their own pockets. A show on the telly interviewed a woman who had a cancer recur and, since she'd been treated for it before, she was ineligible to receive any further treatment. The cost of her meds was a significant percentage of the family's income and they felt that the promise of the NHS taking care of citizens was broken. There may also be some bias for those with a family history of certain illnesses.

      1. M.V. Lipvig Silver badge

        Re: Why would you ever delete patient data?

        "Even in places that have socialized medicine, it's not unlimited and people wind up having to pay for treatment from their own pockets"

        GASP!! You don't say!!! In the US, they are trying to sell socialized medicine as a private 5 star hotel suite, gourmet cuisine and a team of doctors standing by to remove a splinter with a week's stay to make sure it heals, and no bill ever!!!

        But you're telling me that it's really mediocre rationed care, run by the same people who run EVERY OTHER government agency with the same shit level of service you expect from a low paid public bureaucrat, and if you aren't fixed the first time you're out of luck unless there's a for-profit medical system in a nearby nation you can fly to for treatment??!? By ZOUNDS, I can't believe they'd lie about that!!!

        1. MachDiamond Silver badge

          Re: Why would you ever delete patient data?

          "GASP!! You don't say!!! In the US, they are trying to sell socialized medicine as a private 5 star hotel suite"

          The US has been trying to sell universal insurance, not universal healthcare. Big difference.

  3. frankvw Silver badge

    Deleting old records safely and sensibly requires that decisions be made, procedures be designed, routines be written and systems to be adapted. That takes personpower (unless you want to leave it to the tender mercies of AI) and that means cost. Worse: that cost will not lead to any increase in profits, it only hurts the bottom line without any commercial benefit.

    Storage, on the other hand, is cheap.

    Also, the fine print you signed/clicked/agreed on protects the parties involved from any legal repercussions as a result of your data being kept/stored/shared but not from any damages resulting from the deletion of said data. And the US medical sector is one of the most litigious ones in the world.

    So what do you think will happen? Exactly. Nothing.

    Not that it matters. Our privacy has been a mere illusion for over half a century, old records or no, and we eagerly buy into new systems every day that make that worse.

  4. Alan J. Wylie

    "Should this data be held indefinitely?"

    Birthlink, who keep (kept?) records of adoptions in Scotland, so that children could, if they so desired, trace their birth parents, found out the hard way (BBC) that some records should not be deleted. ICO monetary penalty notice

    1. Anonymous Coward
      Anonymous Coward

      Re: "Should this data be held indefinitely?"

      Yeah, "Adoption support charity shreds 'irreplaceable' files to save space", and water?

  5. Noel Morgan
    Headmaster

    Was it not Scott McNealy who said "Privacy is Dead, Get over it" when in charge of Sun Microsystems in the late 90's ?

    1. Anonymous Coward
      Anonymous Coward

      Pretty much, 1999, though some reckon it was: "You have zero privacy anyway, Get over it."

      Either way ... ;(

  6. David Harper 1

    My irony meter went SPROING!

    Considering the billions of pounds that have been wasted trying to integrate NHS medical records over the years so that Hospital A can view your records from Hospital B or GP Surgery C, it's ironic that at least one hospital in the U.S. appears to have managed it quite by accident.

    1. Anonymous Coward
      Anonymous Coward

      Re: My irony meter went SPROING!

      I suspect that it was not by accident but rather, as hospitals are totally driven by money in the US of A, the records are kept up to date to ensure maximal charging of the correct amounts on bills, with the side effect of providing the Insurance industry with accurate data regarding who they can & cannot demand copays & other charges from.

      [I hope I understood what 'copays & other charges' are in Healthcare in the US of A !!!]

      :)

      1. J.G.Harston Silver badge

        Re: My irony meter went SPROING!

        In the UK, GP Practices are private entities, and do indeed have financial incentives to get spending right, and consequently the clinical systems used by GPs are incentivised to properly interact with each other, and so do. But UK *hospitals* are direct lumps of NHS infrastructure, and have no incentives to get their internal administrative systems to be efficiently effective.

        1. Anonymous Coward
          Anonymous Coward

          Re: My irony meter went SPROING!

          And their IT was managed by Crapita, with no incentive to do anything right but billing for their (dis)service...

        2. that one in the corner Silver badge

          Re: My irony meter went SPROING!

          > no incentives to get their internal administrative systems to be efficiently effective.

          Cue story from the Missus, an Oncologist whose office had to have two separate Windows PCs for viewing scan imagery. Because she worked with - and patients got moved between, depending upon available slots - two Trusts, each of which had slightly different versions of the front-end program. And each one's run-time requirements clashed with the other's*. "Sorry, Mrs Patient, but did you say your last appointment was north or south of the river?" (Squeak of chair turning to face the appropriate screen)

          * IIRC they required different versions of the Java run time, and given that stuff like this is still posted, with a straight face, as a way to allow use of multiple JDKs in 2025, let alone before she retired, it is still not a sane situation.

        3. Vincent Ballard
          WTF?

          Re: My irony meter went SPROING!

          When I moved overseas from the UK, I tried to get copies of my medical records, because obviously my host country's systems aren't integrated with the NHS. My GP was able to give me a copy of a file with letters from/to my previous GPs, but they didn't have the detailed results of the day I spent in hospital having various tests after a previous GP had detected a worrying symptom. So I wrote to the hospital which carried out the tests, and they informed me that when I moved out of their Trust area they deleted all my records. I now know (following a different GP referring me to a specialist in a different hospital about a different symptom about a decade later) what was behind the original worrying symptom, but it would be nice to have the early record for longitudinal analysis.

          PS I now try to get printouts of all test results and file them myself.

          1. MachDiamond Silver badge

            Re: My irony meter went SPROING!

            "PS I now try to get printouts of all test results and file them myself."

            A very good practice. Even if your GP is diligent about keeping complete records, what happens if they retire or pass away. The records may still be somewhere, but you might not know who you would need to ask to get them. A hospital may be shut down and records transferred elsewhere. Where is that "elsewhere"? It may not be viable to spend a year tracking them down or even a few days. If everything were held in one central location, oh what a juicy fat target that would be.

        4. Julz

          Re: My irony meter went SPROING!

          I've often thought you should get a bill from the NHS at the end of your treatment/episode that would itemise the treatments and their price but at the grand total say that the cost to you is zero. This would both inform the people using the system of its value and force the various parts of the NHS's dismal infrastructure to play nice with each other.

          1. Richard 12 Silver badge

            Re: My irony meter went SPROING!

            Billing is a major cost center in US hospitals.

            Making something free often significantly reduces the cost of providing it, because there is no longer any need to track who used it - only the aggregate total consumption per time period.

          2. J.G.Harston Silver badge

            Re: My irony meter went SPROING!

            After my last throat operation (still clear after five years, cross fingers!), I researched the costs of each bit of the procedure, based on amount of time and various peoples' wages, and commercial drug costs, specifically to educate myself of the cost of the procedure as distinct from the zero price of it.

    2. JT_3K

      Re: My irony meter went SPROING!

      I've talked about this at length before. The biggest issue is lack of drive from top management to front line staff to change working processes and align. Scope creep is endless because "Dave's always collected this information at Radiology in trust A, but trust B collects at admit", so there needs to be an option to have the boxes in both forms and the subsequent processes to support. Until we recognise that an X-Ray in Cardiff is the same as one in Hull and tell Janet that she can't have her triplicate paper print of the admittance form on a green sheet provided in to the box on the wall outside her office as part of the Outpatient team's onboarding because she's had it like that since she started in 1993, we're going to continue to have to build all-things-to-all-people massively configurable systems. I cite an anecdote of a single team in one of 20 "identical" country wide sites that on the day of go live of a phone system once announced a "critical" feature that cost us a £5.5k hardware interface card, two engineering days and a suite of wireless handsets - and a management stack (to directors) that cited that "the team is under too much workload to consider changing their processes to match everyone else" - that process for everyone else being to take a phone call in one of two offices (rather than in the 10 metre corridor between them or kitchen opposite) during an evening and take paper notes to add to their system later, or enter them directly (rather than relying on a voice recording).

      Yes, different workflows and employee responsibilities do exist. It's a hospital and should be standardised.

  7. Greybearded old scrote
    Stop

    Context is everything

    I think keeping medical records for life is sensible, since it can be of direct benefit to the person concerned.

    OTOH, exporting the lot to a foreign spy-tech company as the UK is doing is a whole other thing. Especially when they've named themselves after the tool of a fictional Big Bad. (When somebody tells you so explicitly who they are you should believe them.)

    When asked we told the relevant authorities to fornicate elsewhere (twice), so the third time they decided that they didn't need to ask.

    1. Anonymous Coward
      Anonymous Coward

      Re: Context is everything

      You forgot to mention that somewhere in that mess they abolished one of the authorities so that the request from you/us to 'fornicate elsewhere' was 'lost' ... as you cannot ask a non-existent authority to do anything !!!

      Government in action .... sorry I meant .... Government inaction !!!

      All hail Palantir ... looking after our DATA with care and attention ...... [ ... keep the face straight for a little longer ...]

      :)

    2. J.G.Harston Silver badge

      Re: Context is everything

      I thought they named it after a shampoo.

      1. Anonymous Coward
        Anonymous Coward

        Re: Context is everything

        You saying the power over our data has gone to their head?

  8. Manolo
    Black Helicopters

    Mandatory retention of medical records

    Here in Clogland the Inspectorate for Healthcare suggested patient records should be kept for the lifetime of the patient, up from the current twenty years (after last contact).

    There was a lot of pushback from medical professionals and nothing has been heard of it since.

    After twenty years it is allowed, but not mandatory, to delete patient data. So a lot will probably also live on for half a century or more.

    When I still worked in a regular pharmacy and before digitization (*), we rented a garage box to keep all our prescriptions, but yearly we threw (**) the oldest out, if only to make room for the newer ones.

    And in all of my 20+ yrs career, only once did I have to visit said garage box to dig up an old prescription.

    * And initially, digitized prescriptions were not allowed as substitute for the paper ones.

    ** Secure processing of course.

  9. tojb

    Bulk anonymised patient data (and I mean *bulk*) is of incredible value to medical and epidemiological research. Only if data spans the whole life of the patient can it identify for example early causes of Alzheimers.

    Currently we are reliant on certain Scandinavian and Far-Eastern countries which have digitised their patient records and curated them to a high standard, the Americans have quantity but not quality, the British have not much of either. This needs to change and many countries are developing a suitable privacy-respecting national biomedical databank. The Swedish "National Genomics Platform" is a prototype that other countries are wishing, currently, that they had the common sense and basic IT skills to implement.

    1. Greybearded old scrote
      Big Brother

      "Anonymised" is the problem there. If there is enough detail to be useful there is too much to be genuinely anonymous. Those who keep saying, "It's ok, it's all anonymised" either don't know statistics (even less than me) or don't know ethics.

      BTW, that Pluralistic article linked to includes the best solution to the problem that I've heard of.

      1. sitta_europea

        "Anonymised" is the problem..."

        Right. Apparently it's anonymized down to sex and the postcode.

        The only trouble with that is the only two people who live at this postcode are me and my wife.

      2. DS999 Silver badge

        If the full set of data is held securely somewhere (minus the name etc.) and research requests only get the bits of data they need then it shouldn't be much of a problem.

        For example, let's say a researcher was wondering if there's value in investigating the possibility of a link between having your appendix removed as a child and an Alzheimer's diagnosis as a senior (which sounds crazy, but given what we now know about the function of the appendix, and the growing knowledge of the link between gut flora and overall health, who knows maybe my crazy example is someday found to be not so crazy)

        They'd request from the custodian(s) of that data seeking records of people who are over a certain age, with a known status of whether their appendix was removed as a child and a known diagnosis or lack thereof of Alzheimer's. There would be no possibility of de-anonymizing these people, since they wouldn't provide full medical records but only what was necessary for a particular bit of research.

        1. MachDiamond Silver badge

          "There would be no possibility of de-anonymizing these people, since they wouldn't provide full medical records but only what was necessary for a particular bit of research."

          Given your example, I'd agree. The cohort would be too large. If the research was being done between appendix removal and a later diagnosis of Lupus along with at least a broad indication of region, that might reveal too much. The problem is that somebody would have to make judgement calls, over there being a very broad policy that gets applied universally. If the person judging the privacy implications holds a government post, they can just say "no" all of the time to avoid any enquiries, accusations, etc. They'd never be fired and continue to accrue retirement benefits while spending most of their work time reading romance novels and researching where they'll go on their next holiday.
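          The release decision the two comments above argue over (a broad cohort is safe, a rare diagnosis plus region may not be) can be made mechanically with a k-anonymity check on the extract. This is an added example, not from the thread or any real custodian; the cohort, regions, diagnoses and the threshold k=5 are all constructed.

```python
"""Custodian-side k-anonymity check on a minimum-necessary research extract.

Added example (not from the forum thread). Models the argument that a
request for "appendix removed as a child" + "Alzheimer's diagnosis" over
a large cohort can be released, while narrowing to a rare diagnosis and
adding a region shrinks some groups to a single person. All data here is
constructed sample data; nothing identifies a real patient.
"""
from collections import Counter
from dataclasses import dataclass

K_MIN = 5  # constructed policy: release only if every row is shared by >= 5 people


@dataclass(frozen=True)
class Record:
    """Record-level data as held by the custodian (name etc. already stripped)."""
    age_band: str
    region: str
    appendectomy_child: bool
    diagnosis: str


def build_sample_cohort():
    """Constructed cohort: a large regular population plus five rare-diagnosis cases."""
    cohort = []
    for region in ("north", "south", "east", "west"):
        for age_band in ("70-79", "80+"):
            for appendectomy in (True, False):
                for diagnosis in ("alzheimers", "none"):
                    # Three identical people per combination -> 96 records in total.
                    cohort.extend(Record(age_band, region, appendectomy, diagnosis)
                                  for _ in range(3))
    # Five constructed lupus cases, spread across regions (north appears twice).
    for region in ("north", "south", "east", "west", "north"):
        cohort.append(Record("70-79", region, True, "lupus"))
    return cohort


def extract(records, requested_columns, diagnoses):
    """Minimum-necessary extract: only the requested columns, only the asked-for diagnoses."""
    return [tuple(getattr(r, col) for col in requested_columns)
            for r in records if r.diagnosis in diagnoses]


def smallest_group(rows):
    """The k of k-anonymity: size of the smallest group of identical rows (0 if empty)."""
    counts = Counter(rows)
    return min(counts.values()) if counts else 0


def review_request(records, requested_columns, diagnoses, k=K_MIN):
    """Return (release_ok, k_actual) for a researcher's request."""
    rows = extract(records, requested_columns, diagnoses)
    k_actual = smallest_group(rows)
    return k_actual >= k, k_actual


if __name__ == "__main__":
    cohort = build_sample_cohort()
    broad = ("age_band", "appendectomy_child", "diagnosis")
    # DS999's example: large cohort, no region -> every row shared by 12 people.
    print(review_request(cohort, broad, {"alzheimers", "none"}))   # (True, 12)
    # Rare diagnosis without region still clears k=5, but only just.
    print(review_request(cohort, broad, {"lupus"}))                 # (True, 5)
    # MachDiamond's case: rare diagnosis plus region -> groups of one person.
    print(review_request(cohort, broad + ("region",), {"lupus"}))   # (False, 1)
```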

  10. Anonymous Coward
    Anonymous Coward

    Made me wonder about Australia's National Health Record System

    Namely "My Health Record" which at its inception (2016?) had such piss poor security that I opted out. I just checked and discovered the legislation has been amended so that from 2025 records are uploaded by default.

    The head rationale was this gem:

    "ensure consumers do not need to retell their health and wellbeing story to different healthcare providers"

    "Health and wellbeing story" makes communicating my complaints sound like retailing porkies.

    I suppose anything to expedite my "wellness journey" but whither, ultimately ?

    1. NickitVVulpes

      Re: Made me wonder about Australia's National Health Record System

      Nice idea but it doesn't work. Every hospital, GP and specialist will ask you to provide a medical history all over again :-) Covid19 and the vaccination record was what changed my mind about MHR.

  11. CorwinX Silver badge

    Can't quite figure why this a problem?

    If I visit a doctor anywhere, I *want* them to be able to see my entire medical history.

    What seems to me to be ancient history could be linked to whatever problem I have now.

    Medical history is critical in diagnosis.

    1. hammarbtyp

      Re: Can't quite figure why this a problem?

      Well the problem is not that the data is kept, but who can access it. So for example, if insurance firms can access your medical records to evaluate your risk, is this something you are happy with? What if a future government decides to use AI to find parameters that might show your likelihood of committing a crime, based on mental health records? Is that OK?

      The problem is not the data itself, but who owns and controls it. If you have to give permission for someone to access it, like your doctor, fine, but unfortunately people have given these things away for free or for the price of a like on Facebook, only to find later that the others are using that data to enrich themselves at your cost.

      And yes, you should have the right to request such data is deleted, even if the cost may be to you.

      1. Tanaka

        Re: Can't quite figure why this a problem?

        Is it okay for my children to access my medical records without my permission, because genetic illnesses are a thing?

        Medical records are one of the few things where retention should be mandatory, but access severely controlled.

        1. Anonymous Coward
          Anonymous Coward

          Re: Can't quite figure why this a problem?

          Absolutely. You don't want random people accessing it, which is why only OpenAI, XAI, and GeminiAI have unrestricted access, and doctors and nurses can access it only if they subscribe through a proper commercial cloud service.

        2. J.G.Harston Silver badge

          Re: Can't quite figure why this a problem?

          This is one of the things I'm really, really annoyed with myself at not discussing with my father before he died, while he still could discuss it. There will be illnesses he had - such as what killed him - that I am likely to be susceptible to, but his doctor is unable to tell me, and my doctor is unable to request.

    2. Falmari
      Devil

      Re: Can't quite figure why this a problem?

      @CorwinX "If I visit a doctor anywhere, I *want* them to be able to see my entire medical history."

      But I would not want the check-in clerk* to be able to.

      In this case, finding the address the author lived at 51 years ago, that's what it was searching for: everywhere the author lived. The search was not for medical history, it was a credit check; they were performing an ID check for medical credit worthiness history**.

      * I know the author said nurse, but check-in is just as likely to be some untrained box ticking monkey.

      ** Probably full credit checks against every address that matched.

      1. Not Yb Silver badge

        Re: Can't quite figure why this a problem?

        Look up the "Medical Information Bureau" and recoil in horror. I've never gotten the courage to request my own record from them, but one of these days....

        1. Falmari
          Devil

          Re: Can't quite figure why this a problem?

          WTF "Medical Information Bureau"? When it comes to privacy they don't have a clue, just look at their idea of encryption. Highly confidential, known only to the employees past and present of 500 health insurance companies.

          https://www.mib.com/facts_about_mib.html

          "Secure Codes

          To protect your privacy, applicant information is shared and maintained in a coded format. MIB codes are proprietary, highly confidential, and can be thought of as a form of encrypting. Each code signifies a medical condition, hazardous vocation or other factor that can adversely affect the insurability of an applicant."

    3. Michael

      Re: Can't quite figure why this a problem?

      That's nice. I don't. If I can't tell someone what pre-existing condition or allergies I have and die as a result of that, that's okay.

      Nobody will sue, nobody will be blamed but me. My family know my wishes.

      If that slows down medical science I don't really care.

      Nobody should have access to my medical history unless I want them to have access. I may change my mind at some future point. Again my choice.

      Medical alert bracelets have existed for a long time. They tell the first responder enough not to kill the patient without revealing information to any random hospital/pharmacist/GP worker.

      I don't want my siblings that work in the NHS viewing my records. I don't want my friends in the NHS viewing my records. I don't want any random person who gains access viewing my records.

      Any records generated can go into cold storage and be deleted after a period I determine. If not, then I don't want you to record it.

    4. NickitVVulpes

      Re: Can't quite figure why this a problem?

      Yes but I think I'd prefer it to be under my control. Can I carry my health record around in a bluetooth enabled nosering?

  12. heyrick Silver badge

    I'm glad some stuff is kept

    I am currently going through a dump of paperwork I got from PCSE (NHS England) for my childhood medical records. Some interesting things, and helps to clarify stuff that I barely knew or wasn't paying any attention to (like you would care as a ten year old).

    The only downside is that the cover letter said that it was partial information, with no indication of what may have been omitted or why. I'd be inclined to give people more rights to access all of their information (even if that involves signing a waiver).

    Still, that stuff is kicking around from fifty years ago, not bad.

  13. Anonymous Coward
    Anonymous Coward

    Not just medical records

    A former employer had their systems hacked and my information stolen. I stopped working for them 8 years ago, why did they still have my birthdate and social security number?

    A ***FAR*** better way to handle even currently-active records is to verify birthdate and SSN upon initial hire, then delete them and use only a unique-to-that-employer ID number.

    (They also waited 2 years after detecting the breach to actually notify us. In my case, I got 3 letters, addressed to "Firstname Lastname", "Nickname Lastname", and "Lastname Lastname". They clearly don't know what they're doing, even when notifying the victims. Just waiting for the inevitable class action suit...)

  14. PRR Silver badge

    > a bit of minor surgery.., conducted at that facility. 51 years ago.

    I'm shocked. I had heavy gut surgery at a large NJ hospital in the 1990s. 20 years later I had another gut pain, we wanted records of the 1990s job, were told they do not keep them.

  15. OllieJones

    MUMPS the software, entered service in 1966, never forgot anything.

    Well, now, this is an amazing story.

    Mass General was indeed far ahead of the electronic health record curve. They had a language / info system / database called "Massachusetts General Hospital Utility Multi-Programming System" or MUMPS. Rolled out in 1966. https://en.wikipedia.org/wiki/MUMPS

    The maintenance of the software was later taken over by Digital Equipment Corp, where this old coot, as a tech rep early in my career, included it in a bid to sell some hardware to some hospital. (Didn't get the sale.)

    I wish I could have said that data put into it back then would still be around half a century later. But the would-be customer wouldn't have believed me.

    I share your concern about the longevity of records.

    1. Anonymous Coward
      Anonymous Coward

      Re: MUMPS the software, entered service in 1966, never forgot anything.

      So VAXination didn't fix it then eh?

    2. BlokeOnMotorway

      Re: MUMPS the software, entered service in 1966, never forgot anything.

      Yep, first thing that popped into my head when seeing Mass. Gen. in the article.

      Second thing was Quasar, but we can safely ignore that.

  16. Anonymous Coward
    Anonymous Coward

    There are a few problems.

    The first problem is that you can't get medical info, in an emergency, from an unconscious patient. Second, providing an id number that can be used to retrieve all relevant medical records is much quicker than filling out a new form every time you visit a doctor. Third, the entity holding your medical history will sell it to anyone willing to pay. Now there are two entities holding your medical history. Both of them will sell it to anyone willing to pay. Now there are four entities holding your medical history. All four of them will sell it to anyone willing to pay. Now there are 8 and one of them left the data in an unsecured S3 bucket. Now everyone has it.

  17. Baked_Lemming

    Similar story in New Zealand

    Went to an urgent care facility (left medications at home), they asked if my address was still the same as it was 37yrs ago when I left to reside in Australia. I was quite stunned they had that information, little one can do. Even countries you haven't visited for some time have records, I've also lived in US, UK and others. I wonder what is out there on me?

  18. Jim Whitaker

    I would expect all medical records to be held up to confirmed death or, say, 120 years from birth. Plus whatever period is necessary to protect the health provider from rapacious relatives etc. I would congratulate that American institution for having systems that worked so well.

    And remember that these are not **your** records; they are **the hospital's** records (about you).

  19. Joe Gurman Silver badge

    Just a speculation

    Here in the US, there's been a "Health Insurance Portability and Accountability Act" (HIPAA) on the books since 1996. Prior to that, the author's urgent care facility was very unlikely to have been able to access MGH's or any other medical facility's records - but it was only able to do so in 2025 because the author had to fill out/assent to some printed forms that allowed the urgent care outfit to access his HIPAA-protected records. MGH may or may not have digitized its patient records prior to 1996, when the HIPAA clock started ticking, but eventually it had no choice, just as it had no choice but to ensure the security of those data (well, OK, who knew from zero-days when that law was written?). Thus the paperwork I feel certain the author had to deal with before he could receive treatment in 2025, just as I do every time I visit a medical facility here.

  20. arachnoid2

    It is the level of data that is worrying

    Yes the injury data should be accessible years later but why was the address and other minor information even relevant. Surely such immaterial data should be scrubbed from the system after a few years ?

    1. Richard 12 Silver badge

      Re: It is the level of data that is worrying

      Address is often used as a disambiguation.

      There's a lot of people called arachnoid2, so name is not enough. Name also changes...

  21. midgepad Bronze badge

    At what time is your doctor etc safe from your descendants suing them?

    The notes are a contemporaneous record of the things you told and your doctor (nurse, physio, laboratory people, etc) asked, felt, thought, and did, and many of the outcomes.

    Statutes of limitation are ... flexible, so the estates and insurers of those doctors etc may be at risk beyond your hundredth year and your descendants' 30th year.

    There are other reasons, several of them given above.

    MUMPS became M which still works and is used, the VA medical system was written in it, and had, or perhaps has, much to commend it. And it is public source code.

  22. midgepad Bronze badge

    if you decide not to have HPV immunisation, for instance,

    Or your parent doesn't decide you shall, then one item a proportion of you would in 50 years or so time like to be in your medical records held by someone else (I suggest your GP, here) is one or more names of people who gave advice on which you relied, that you should or need not have it.

    Why?

    Well, some of them are rich - and the very few sources of such advice are not numerous, and quite to very very rich.

    And someone with cancer of the cervix has a good start towards claiming recompense.

    How much you'd get for genital warts from Them is another matter.

    IANAL

  23. Gadfly88

    Danger of claim denials

    This is pernicious. One of the largest pots of profit in the world is denied medical claims. I suspect what's going on here is the matching of disparate medical records from individuals' entire lifetimes, searching for pre-existing conditions that would be the basis for denying payment. (I wish some reporter would investigate this.) Healthcare was and should defied long before other sectors, and at this point everyone should assume that none of this is being done for patient benefit. Just follow the money. Who's connecting all of those databases, and why?

  24. Anonymous Coward

    true story

    One month ago, I had to get one tooth removed due to infection. The last time this happened to me was 40 years ago.

    It was hell. The dentist tried 5 times with me suffering like a dog, sweating, panting etc ...

    He had to inject anesthetics some 10-12 times before I stopped suffering.

    It lasted 10 long minutes before the tooth was removed.

    2 weeks later, I started to think, and I now remember long ago to have been told that I am resistant to this very anesthetics. My last dentist knew it from the first time, but he's long retired now.

    It would have been cool to have this documented somewhere, methinks ...

  25. NickitVVulpes

    Code my medical records in my earring

    I think I would prefer records to be kept, I've moved internationally several times which has effectively blanked my medical history. Plus I'm tired of filling in forms to recite a medical history which I probably accidentally selectively edit. I'd rather have my own records under my control which I can hand over for a particular consultation if I choose to....

  26. Anonymous Coward

    Admin records vs. clinical records

    I suspect you may have to draw a line somewhere between an admin (and given this is the US billing) record (you lived at house X 50 odd years ago) and any notes about the specifics of treatment you received at that time (patient had pan removed from head).

    Admin records (in the days before GDPR) stuck around for a very long time because nobody spec'd the deletion requirements, clinical stuff depending on who generated it (in the days before Shipman), not always so much (because it was all on paper and storing that stuff forever costs money).
