Police to be allowed searches of national database of NHS patient records

News analysis

It went largely unnoticed but the minister for the NHS’s National Programme for IT, Ben Bradshaw, has confirmed that data on a central database of millions of confidential health records will be made available to police where there is an “overriding public interest”.

The phrase “overriding public interest” is not defined.

Some people will say “So what? If police can better protect us by accessing health records we should be grateful the technology is now being provided”.

Others may say that allowing police access to the national electronic database of patient records information is a step towards allowing access to other public authorities, such as social services; and later on private organisations, including employers and insurance companies.

Officials at the Department of Health would argue that every access to the records leaves a flag in the audit trail. But we will be reporting on evidence shortly that NHS staff may not have the time to check increasingly long audit trails of electronic healthcare records.

Ben Bradshaw said that police will have access to data in the Secondary Uses Service [SUS] database where “it is in the overriding public interest” or there is statutory authority, or the courts have made an order requiring disclosure.

The SUS is to be supported by a database of millions of patient records. The database will draw from local detailed care records of patients and 50 million summary care records.

The SUS system has technical design features that allow data from different sources relating to the same person to be linked. The data is “pseudonymised” which means that records are made anonymous to healthcare researchers but the names and personal details of patients can be easily linked to individual records if police and other government authorities require it.

The disclosure about possible police access to data in electronic health records was prompted by a question from Conservative MP Jeremy Wright. He asked the Secretary of State for Health “whether it will be lawful for the secondary users database to be searched at the request of the police and for the police to be provided with the identity of individuals whose medical records contain specific information”.

Ben Bradshaw replied:

“Data from the secondary uses service will only be disclosed to the police where it is in the overriding public interest, for example to prevent, or support detection of, extremely serious crimes, where there is statutory authority, or where the courts have made an order requiring disclosure.”

Bradshaw’s words were chosen carefully. Police may access records where there have been “extremely serious crimes”, but this careful phrasing did not rule out access by police where there have been less serious suspected incidents.

One GP has suggested that police may in certain circumstances be able to ask for information such as details of all under-16s who have presented for contraception, or details of all caucasian men living in a particular postcode who have been treated for alcoholic liver damage.


The word “pseudonymised” is interesting. It was used by the Information Commissioner in 2002 to mean:

“data where the normal personal identifiers have been replaced by an artificially-created identifier so as to conceal the identity of the patient”.

However there is a link between normal and artificial identifiers; and though these are stored separately patients can be “re-identified” if necessary. Indeed the Information Commissioner has said that pseudonimised information may still fall within the Data Protection Act.

It seems to me that the word pseudonymised has a fictitious benevolence. That the Secondary Uses Service is potentially useful to healthcare researchers, and could improve the care and treatment of patients, is not in doubt. But this database of millions of patient records is only dressed up to be anonymous.


Since posting the above entry GP Paul Thornton, who has made a study of the legislation and implications for personal privacy of national patient databases, makes these useful points:

” 1. Currently the decision to release sensitive information can only be made by the GP practice to whom it was divulged by the patient. The professional can defend the principle of patient privacy, if needed in the judicial process prior to a court order. Under the new process, the decision is made by an agent of the state.

“There are clear examples in history of medical information being subverted by state agencies as part of the migration of societies from liberal democracy to totalitarianism. That is why European law is less complacent in this regard.

“2. Currently, the police can only seek patient information once they have identified the individual. With the national database it becomes possible to search the data to identify the individual.”


NHS staff view celebrity record

Jeremy Wright Parliamentary question and Ben Bradshaw’s answer

Wall St Journal poll on electronic health records

Safety and privacy of databases on children

New York City puts e-health records online

Privacy imperative in healthcare IT

Google your private health information

How secure are centralized e-health records?

Warning over privacy of 50 million patient files

Quote of the day

NPfIT wiki

BMA letter to Ben Bradshaw

Modernising healthcare – is the NPfIT fit for purpose?