The Telegraph reported today that hospital records from 1997-2010 have been sold to insurance companies. They appear to be referring to HSCIC’s Hospital Episode Statistics, a database of NHS hospital records.

[…] a report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums.

The report by the Staple Inn Actuarial Society – a major organisation for UK insurers – details how it was able to use NHS data covering all hospital in-patient stays between 1997 and 2010 to track the medical histories of patients, identified by date of birth and postcode.

− [Hospital records of all NHS patients sold to insurers](http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html), The Telegraph, February 23rd 2014

The Telegraph haven’t published the report being discussed which makes the details very hard to determine, although HSCIC offer a custom data extraction service that might be able to provide details beyond summary statistics.

The combination of postcode and date of birth is absolutely not anonymised data, and so should be subject to the Data Protection Act. That Staple Inn were able to unmask it is further proof in this regard.

HSCIC have questions to answer, but the naivete the Department of Health showed to The Telegraph is remarkable:

The Department of Health said: “The rules changed last year so this would no longer be allowed. Information like this can only be accessed now if there is a clear benefit to improving health or health systems.”

This is a huge misunderstanding of the situation. Having sold 13 years of medical records to the private sector, a rule change to prevent further sales is naive at best. The problem is not that the data is for sale, the issue is it was ever sold. In 5 years, in 10 years, the DOH can just sell the new data.

In future, giving patients notional ownership of their records seems a good idea. Any sale should have to be approved by them, and a portion of any upside given to them. David Kendal has already started to try this approach, offering to sell his medical records to interested researchers.

Certainly a start might be to add a clause to the data contracts stating that any attempt to deanonymise the data breaches contract. The Data Protection Act prevents reversible disclosure, so the loss of value of the data should not be a concern.