Monday, February 04, 2013

Medical privacy a losing/lost battle?

I learned indirectly early last week that over 2500 GP practices have outsourced the management of their websites to the self-styled "number one website provider for GP surgeries in the UK", My Surgery Website. The surgeries use the website for e.g. the administration of repeat prescriptions, so it would be useful to know the who, what, where, why, when and how of data flows, processing, storage, protection and control.

From the 'About Us' section of the website:
"The 'My Surgery Website' product was developed in 2006 to offer professional, sensibly valued websites with pertinent content to primary care providers in the UK. We have worked on many large-scale NHS IT projects over the last fifteen years and have the experience in the health sector that is necessary to appreciate fully the needs of Primary Care professionals.
Now the largest supplier of websites and intranets to the Primary Care market, My Surgery Website has developed into the most successful provider for GP online services in the UK. Our systems deliver the very latest information and interactive services to more than ten million NHS patients, so you know that we have the expertise and the commitment to help you.

My Surgery Website has become part of First Practice Management (FPM) which is a member of the SRCL Group of Companies. FPM is the UK’s premier information and support resource for GP practice managers. Visit the website for further information."
The privacy link is at the bottom of the page and leads to (I've highlighted some key elements in green font for readers susceptible to the soporific effects of legalese):

1. Website Availability

We cannot guarantee uninterrupted access to this website, or the sites to which it links. We accept no responsibility for any damages arising from the loss of use of this information.

2. Data Collection

We collect information from users who communicate with us via the website, aggregate information on which pages users access or visit, and information volunteered by the viewer (such as survey information).

3. Cookies

You can be assured that My Surgery Website does not use cookies to track your activity online.
3.1 My Surgery Website Limited does not set first party cookies on this website containing any personal data unless specifically instructed to do so by the user. For example, if a user requests to be remembered on a form then a cookie is set to retain the form data for next time.
3.2 The Web Site uses third-party Cookies to collect anonymous traffic data about your use of this website. This information is stored by Google and subject to their privacy policy, which can be viewed here: Google Analytics collects information such as pages you visit on this site, the browser and operating system you use and time spent viewing pages. The purpose of this information is to help us improve the site for future visitors. These cookies are not used to track you or your activity but if you do not wish these cookies to be stored on your computer, disable cookies in your browser settings.
3.3 You may delete Cookies at any time. See the help in your internet browser to find out how to delete your cookies.

Cookies Used

The following cookies are set by Google Analytics:
__utma Cookie
A persistent cookie - remains on a computer, unless it expires or the cookie cache is cleared. It tracks visitors. Metrics associated with the Google __utma cookie include: first visit (unique visit), last visit (returning visit).
__utmb Cookie & __utmc Cookies
These cookies work in tandem to calculate visit length. Google __utmb cookie demarks the exact arrival time, then Google __utmc registers the precise exit time of the user.
Because __utmb counts entrance visits, it is a session cookie, and expires at the end of the session, e.g. when the user leaves the page. A timestamp of 30 minutes must pass before Google cookie __utmc expires. Given __utmc cannot tell if a browser or website session ends. Therefore, if no new page view is recorded in 30 minutes the cookie is expired. This is a standard 'grace period' in web analytics. Omniture and WebTrends among many others follow the same procedure.
__utmz Cookie
Cookie __utmz monitors the HTTP Referrer and notes where a visitor arrived from, with the referrer siloed into type (Search engine (organic or cpc), direct, social and unaccounted). From the HTTP Referrer the __utmz Cookie also registers, what keyword generated the visit plus geolocation data. This cookie lasts six months.
__utmv Cookie
Google __utmv Cookie lasts "forever". It is a persistent cookie. It is used for segmentation, data experimentation and the __utmv works hand in hand with the __utmz cookie to improve cookie targeting capabilities.
The following cookies are set by My Surgery Website:
Cookie lasts "forever". Indicates that user has acknowledged the 'cookie information' banner and so prevents the banner being shown again.
Cookie lasts until the next time the creating form is opened. It is created when user ticks the box to request that form data is retained for next time in the appointments or appointments cancellation forms. Prevents user having to type in all their details again.
Cookies last until the next time the no-registration version of the prescriptions form is used. Cookies are created at request of user to retain form data for next time. Prevents user having to type in all their details again.
Cookie lasts 30 days. Records that user poll has been answered so that the poll is not displayed again.
other cookies
Other cookies are used when editing or when logged on to the staff section to enable the editor to function correctly and to assist with retaining state.

4. Data Storage

This Surgery Website uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the website services.

5. Changes to this Policy

My Surgery Website Limited reserves the right to change this Privacy Policy"
First Practice Management's (FPM) privacy policy is here. FPM is a division of SRCL Ltd. SRCL's privacy policy is here. Selected highlights from FPM's:
"We will only use the information that we collect about you / your practice / organisation lawfully and in accordance with the Data Protection Act...
By using this website you agree that we may store and access cookies on your device.
This website uses the following cookies:
Google Analytics - Collects information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Further information can be found in Google Analytics Privacy Policy...
Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk... Your details are not passed on to any third parties...

Resources & Further Information

If you have any questions about our Privacy Policy or the way we collect, store or use any data we collect about you/your practice/organisation, please email us at"
Likewise for SRCL's:
"We take our commitment to your privacy seriously and treat any information you supply to us with care...
Examples of the data we may collect and analyse include the Internet protocol (IP) address used to connect your computer to the Internet, connection information such as browser type and version, the full Uniform Resource Locators (URL), your clickstream to, through and from our website (including date and time), cookie number and pages you viewed. In using our website  you accept that your personal data may be used for such purposes.
We will not sell, distribute or disclose information about you or your personal usage of our website without your consent or unless required or permitted to do so by law...
We may monitor customer traffic patterns, website usage and related information in order to optimise your use of the website and we may give aggregated statistics to a reputable third party, but these statistics will include no information personally identifying you...
Sharing Data
We comply with, and are registered under, the Data Protection laws in the United Kingdom. We take all reasonable care to prevent any unauthorized access to and use of your personal data. In case any fraudulent activity is detected on the website, or, without limitation, in connection with the breach of intellectual property rights through the use of the website, we may release personal information in order to comply with any applicable law or regulation, or assert our rights as well as those of our business partners.
We will not provide your details to any third party without your consent, except where we are required to do so by law...
Your Consent
By submitting your information you consent to the use of that information as set out in this Policy. If we change our Privacy Policy we will post the changes on this page, and may place notices on other pages of the website, so that you may be aware of the information we collect and how we use it at all times.  Continued use of the service will signify that you agree to any such changes...
Governing Law & Jurisdiction
Any matter arising from or in connection with these Conditions of Use shall be governed by and construed in accordance with English law and the English courts shall have jurisdiction to resolve any disputes between us."
I don't propose to dissect these privacy policies in detail. This group of companies at least appear to have put some thought into the issue of privacy and there is no evidence to suggest that these policies are anything but well intentioned. But I would like to highlight one of the selected highlights above from the My Surgery Website policy i.e.
This Surgery Website uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the website services.
So in relation to my original question we don't actually know the who, what, where, why, when and how of data flows, processing, storage, protection and control. Services and data relating "to more than ten million NHS patients" are in the hands of unspecified third party economic actors, unless I've misunderstood something here?

Just as highlighted in the excellent EU study, Fighting cyber crime and protecting privacy in the cloud, the issue here is the loss of control over personal data released into the Cloud. The risk arises from the management of the data. When treasure troves of personal data become the object of negotiation between self interested commercial and/or political actors, the privacy of individuals not party to the negotiations will be compromised.  All modern technological, social, economic and organisational systems that process and store sensitive personal data are leaky, in many cases seriously so.

So, if I can make some minor edits/adaptions to the executive summary of the EU study and apply it to this context it might say:
Patients’ rights are subsumed into a complex mesh of contracts among private entities. Therefore, from a legal perspective, the challenge of jurisdiction is central. The legal determination of both the responsibilities and legal liabilities of data controllers and processors and the rights of the individual as ‘data subject’ are
Lack of legal certainty surrounding the legal frameworks of cloud-based health service commerce, as well as inadequate tools to safeguard privacy and data protection, increase the potential for mismanagement, misuses and abuses by economic and political actors and agencies. European citizens’ data are not sufficiently protected in this regard.  In this case, the question of the legal framework of data transfers/processing to third countries is critical.
These elements have been neglected in UK and EU policies and strategies, despite their very strong implications for UK/EU data sovereignty and the protection of citizens’ rights.
In fairness, SRCL make an effort at the end of their privacy policy to say UK law applies and UK courts have jurisdiction over disputes but they are unlikely to be able to pursue or have such a declaration enforced in all such eventualities.

We also learned last week that the Health Secretary has swallowed hook, line, sinker and mindset of the Blairite 'go forth and multiply thy giant database cures for all ills' black holes for privacy and resources, in the push for an "Everyone counts", no opt-out, 'biggest data grab in history', central health database.

This could almost be considered funny if it wasn't so reckless, given the grief the coalition parties dished out to the previous Nu Labour government about their disastrous National Programme for IT in the NHS; and how they came to power with promising promises about dismantling the previous gang's database state.

As Ross Anderson, professor of security engineering at Cambridge University, said last week, ‘Under these proposals, medical confidentiality is, in effect, dead and there is currently nobody standing in the way.’

Commerce, politics, security services, public service bureaucrats of multiple ilks, are all more or less aligned - through ignorance, well meaning or malign intent, or mere sociopathic/psychopathic ambition - on pulling down the historic sociological architecture of personal privacy. When we combine these forces with the pathological calculus that is -
Privacy vs Convenience/attraction/gratification/access/community/conformity/convenience?
whereby so many individuals give up so much personal data for so little so often, is the medical privacy battle already just one lost vital organ in the decomposition of the value that once was personal privacy?
