Here’s a little conundrum for you.
Imagine you are a journalist working on one of the many titles that the Information Commissioner found was involved in dubious practices to get hold of personal information about people.
Don’t you think it’s quite likely you would now and again have wanted to get hold of someone’s home address? Perhaps to track down someone to doorstep them. Or maybe to trawl round the relatives of someone famous to find if anyone is willing to give you an interview.
Now imagine there is a database of people in Britain which is so comprehensive and has been built up over time that it has 80 million records in it, 90% of which contain a postal address.
What’s more, nearly 700,000 people have access to the records. Plenty of opportunity there to hunt out someone to do you a favour.
Even better, fewer than 13,000 out of the 80,000,000 records are marked as sensitive and so have some protection against queries made against them.
There are even a few extra bonuses in there as nearly 6.5 million records contain contact details for someone else close to the person in question – very handy when you’re trying to flush out someone willing to talk to you. And 10 million of the records have a mobile phone number with them. (You’d only want to get hold of that to call someone, of course.)
And just to round things off, experts have said that spotting inappropriate use of the database is “incredibly difficult if not impossible”.
So do you think you would make use of that database to dig out names and addresses?
The database, by the way, is the NHS’s Personal Demographics Service (PDS). You may well not have heard of it – because it hasn’t been featuring in the journalism ethics stories of the last few months (though it has been in the news thanks to the blunder over printing personal details on the front of envelopes).
Now, I don’t know if the PDS has been abused by journalists. I do know that health experts I have spoken to are concerned about its security and that similar concerns have been expressed by health professionals in the past.
And it seems to me puzzling to think that, given all that has come (and is still coming) out about what some journalists got up to, the PDS should have been left alone and not been used as a source of illegal personal information.
Oh, and a new version of the PDS is about to be rolled out which will allow for more personal data to be stored on each person (by permitting multiple contact people and persons per record).
Perhaps I’m wrong. But it seems to me rather likely that the widespread quiet over journalists, private investigators and the PDS is due to the right questions not having been asked rather than because the Personal Demographics Service has been a haven of secure personal information.
Notes:
1. Statistics from my freedom of information request.
2. Quote about policing the database from E-Health Insider.
3. A hat-tip to Neil Bhatia whose website has detailed information on this topic and helped plant the idea of the story in the first place.
4. Database and privacy experts have looked at services such as the PDS in the past but the resulting media coverage was not about misuse by journalists.
11 Comments
It would be unethical for journalists to be using it as health records are confidential.
Assuming the name is uncommon, a search of electoral roll data (assuming the person hasn’t opted out of the edited register) is usually sufficient to bring up an address.
You can easily use the electoral roll to search for other adult inhabitants (usually family members) past and present at an address.
The leaks of confidential information from the NHS tend to be what staff have in their memories and they have been known to use this in the future to cause trouble for patients.
Any use of the NHS’s Personal Demographics Service would (I would hope) result in a logfile so that if it was misused the people responsible could be identified (assuming they were using their own authentication details).
There are similar concerns with police information being passed onto journalists. However there are a myriad of other ways to find people whether online (Facebook, social networking sites, email etc) or offline (talking to people).
Oh and in a further point, some of us have opted out of having our Summary Care Record on the spine over these sorts of privacy concerns.
I suspect few users have access permissions which would give them access to the whole database.
And how many records will be held on Connect? How many people will have access to the data?
John: The PDS contains much more information than the electoral register, and although it’s true misuse of it would be unethical (and even illegal), that’s not stopped people misusing other records. Compared to some of those, the PDS’s audit trails look to be quite poor – and hence the quote I used in the piece.
Hywel: From what I’ve been told, that’s not the case – widespread access to millions of records is the norm (and is also sort of the point if you look at how the database is used for health services).
Mary: The big difference is (or should be and is planned to be) having lots of different levels of access in Connect so that nearly everyone has access to only relatively small parts of the data. The PDS however gives more people more access to more data.
That’s not to say that getting security around Connect right isn’t important – far from it – but rather that PDS looks to be an example of how to do such things badly.
“Did journalists really not misuse one of the UK’s largest databases of personal contact details?”
Not one of your most pithy titles, Mark. 😉
I do a lot of family history research and most people would be amazed what is available about them and their family and it’s almost free. I can usually create a skeleton family tree going back several generations in only a few minutes. 192.com is a good place to start.
I usually only do it by request but sometimes when I see an interesting person in the news I often have a nosey around. Some aren’t quite as posh as they make out, when you go back 3 or 4 generations.
Database scare stories – don’t you just love them? You never hear stories about how someone died alone in a hospital because the relatives couldn’t be located. People moving house and not getting the results of a medical test. People missing routine checks because the NHS couldn’t contact them. The NHS can’t function without knowing where people live. If newspapers get information from medical databases and use that, prosecute them under existing laws or develop new laws to address this and set up sting operations to root out NHS employees who are not respecting privacy. If the press want to find me, there are 1001 other ways to find out where I live than this database – so will we shut them all down? Perhaps we should set up a parallel NHS for luddites where there are no databases, electricity, vaccines, in fact nothing remotely modern at all.
Keith: I do wonder how much family history is accurate given that it’s not unknown for the father of a child not to be who it is widely thought to be… and then that messes up a whole branch of the family tree. But that’s a whole other issue 🙂
Alistair: You seem to be implying that it’s simply a matter of having a large database or not, rather than addressing the question of whether the one that exists has sensible security arrangements. For example, why is it that health IT experts say it is so hard to audit suspicious activity on the PDS system; is it really that the only alternative would be to shut the system?
Mark – you referred to http://www.cl.cam.ac.uk/~rja14/Papers/database-state.pdf but I don’t see the PDS in the list of red or amber databases in the Rowntree report. In any case – the authors of that report are information specialists but not medical specialists. If we can narrow your issue with the PDS down to journalists being able to access name and address data, that itself is readily available from so many other government and private sources then it would be a poor use of public funds to protect that data excessively. Beefing up security excessively on name and address data when you yourself say that there is no evidence that this system is currently being abused is the digital equivalent of building a Maginot line. The NHS data that we should really care about is the medical data. Even there, it’s incredibly difficult to build and maintain a strong security scheme that is flexible enough to deliver information to medics in a timely fashion at an acceptable cost. If your fear is journalists accessing medical data – the solution is not necessarily better locks on filing cabinets or tighter security on databases, it may be to introduce a privacy law that specifically addresses medical data and then enforce it ruthlessly. IT experts will always be able to make systems more secure, more complex, more expensive, but apart from the additional cost the databases may become less useful – and where the NHS is concerned, sooner or later this affects medical outcomes. If you are an IT expert privacy may be king, if you are a patient you may just want the various people treating you to be able to access correct, relevant comprehensive information without being asked the same questions over and over.
Mark – you have done an excellent job ‘whitewashing’ your own internet profile – but then you are an expert and I would expect nothing else. You are ‘everywhere’ and ‘nowhere’ you don’t want to be. Most people show up quite easily so I’m very impressed.