According to the front page of yesterday’s Guardian, the NHS is to start selling our confidential medical records. Every doctor has a duty to keep patient-identifiable data secure, and only share it as far as is in the patient’s immediate best interests. At the same time, in order to run healthcare organisations or to carry out medical research, it is necessary to compile statistics about diseases and treatments. It therefore makes sense for some information collected in the course of caring for patients to be made more widely available – shared with managers, bureaucrats and researchers – but only if it is anonymised.

In 1997, a company called Source Informatics had the idea of buying data on GPs’ prescribing habits from pharmacists and selling it to drug companies. The Department of Health, concerned that GPs might be so effectively targeted by the drug marketing people that the public purse would suffer, tried to outlaw the practice of selling anonymised patient data. The DH’s lawyers argued that to anonymise the data, the pharmacists first had to access it, which constituted using the not-yet-anonymised data for a purpose to which the patient had not consented. The Court of Appeal wasn’t convinced and ruled that data which can no longer be associated with an individual is not personal data and not subject to the same protections. Given where we now are, it is interesting that they specifically declined to be drawn on the question of whether this kind of trade in patient data was in the public interest.

What happens, though, if data which ‘can no longer be associated with an individual’ can somehow be reassociated with that individual? In 1997, a US agency handed over data it believed to be anonymised describing the medical histories of 135,000 employees of the state of Massachusetts. The data included zip code, sex and date of birth. In Massachusetts you can also buy the voter registration list, which contains those three pieces of information. By linking the two datasets, the medical histories of almost all the named individuals could be ascertained. A recent review of policy in this area by Fiona Caldicott concluded that ‘deidentified but still potentially identifiable data’ should be collected and made available for research and other purposes only within ‘accredited safe havens’. The newly created Health and Social Care Information Centre (HSCIC) is one such safe haven which can, for a fee, provide reputable researchers with strictly controlled access to data collected from GPs and hospitals.

The current government is, to a quite extraordinary extent, convinced that there is money to be made in patient data. Last year, David Willets announced the creation of the £20 million Farr Institute of Health Informatics Research; Jeremy Hunt described the proposal to sequence 100,000 genomes and link them with electronic health records as ‘bigger than the internet’; and David Cameron spoke glowingly of the potential of such research at the launch of a new institute for big data and drug discovery at Oxford University. One reason they are so hopeful is, oddly, that they see the increasingly disintegrated NHS as a potentially integrated source of data, immensely attractive to Big Pharma. Already hospitals have to provide detailed information about their activity to HSCIC in order to get paid. From this year GPs are also being required to upload information about their patients to the HSCIC’s database, known as

The reason this is making headlines now is that the government was obliged to offer patients the choice to opt out from Two million pounds has been spent on leaflets that have been bundled with pizza flyers and minicab cards and pushed through letterboxes over the last few weeks. A small number of privacy campaigners – these are busy times for privacy campaigners – are trying to highlight the risks of reidentification. Some GPs have said they will refuse to upload data, even though they are legally required to. Some GPs are actively encouraging patients to opt out. Some of the claims being made here are quite dramatic, so it is worth stating that: names, addresses and obvious identifiers are being removed; access to data in safe havens is strictly controlled; and attempting to reidentify an individual from would be a criminal offence under the Data Protection Act.

Last year the Wellcome Trust published a survey of public attitudes to the use of health in research. Most of us are broadly in favour. Most of us broadly trust the NHS to look after our data well. We want to benefit from the new treatments that such research aims to develop. One concern stands out, though: people don’t like the idea of their data being used to make money, or at least not if the making of money is the primary goal.