On March 4, the Scottish parliament narrowly approved plans that will give public sector bodies access to non-medical NHS data on virtually all Scottish citizens. This access will ease the implementation of devolved income tax and could help to improve services. However, it establishes a national identity register in all but name, raising serious concerns about privacy.
Data-sharing forces a trade-off with privacy
Giving public sector organizations access to NHS Scotland’s central database should help them to deliver better services. It will also support the devolution of income tax powers, scheduled for 2016, by helping HMRC to track Scottish taxpayers. But by exposing it to bodies other than the health service, this new legislation turns the NHS database into a national identity register in all but name.
Improved data-sharing and the cooperation it brings allows government departments to cut waste, save time, and coordinate in order to better meet the needs of citizens. However, as is so often the case with the benefits of modern ICT, it forces a trade-off with privacy.
As the Information Commissioner’s Office has pointed out, the “creeping use” of unique identifiers, such as the Community Health Index numbers that identify NHS patients in Scotland, runs the risk of creating national ID numbers “by default.” Putting these numbers to uses for which they were not originally intended means they become de facto standard identifiers. This can happen even if it contradicts official policy on identity registers, because data-sharing is ostensibly about streamlining back-office bureaucracy, not authenticating citizens.
In Scotland and many other countries, especially those of the Anglosphere, national identity registers are unpopular because they expand the scope for data breaches and give government greater power to monitor citizens. These countries have worked hard to find alternatives, and they should not undo the progress made by ushering in through the back door an approach that has already been openly rejected.
Best-Practice Electronic Patient Record Deployment at Salford Royal NHS Foundation Trust, IT0011-000341 (February 2015)
“Making analytics a first-class healthcare citizen: lessons from Oracle customers,”IT0011-000335(November 2014)
“Patient privacy and consent management: progress is required,”IT0011-000327(September 2014)
ID Management for Public Services: Opportunities and Pitfalls, IT0007-000767 (September 2014)
“Federal agencies should welcome the release of the OMB data index,” IT0007-000802 (February 2014)
Nick Wallace, Analyst, Public Sector