Last month, the Health of the Nation, the British government’s long-term
strategy to improve public health, celebrated its first anniversary. Over
the past twelve months, the Department of Health has encouraged doctors
and health workers to provide the kind of education and screening that will
help reduce the incidence of disease in five key areas – common cancers,
coronary disease and strokes, mental illness, HIV/AIDS and sexual health
and accidents. The aim is to meet certain target levels by the beginning
of the next century. But if a draft privacy directive currently being discussed
at the European Commission in Brussels becomes law it may be difficult
to assess the success of the strategy.
While the directive reflects public demand for greater protection of
personal details, medical researchers fear that tighter controls could prevent
them from using named records. This would make it difficult to tell whether
the incidence of diseases such as skin cancer fall to meet the government’s
targets because the vital information is held in named files at Britain’s
18 cancer registries. And in the long term, it could also seriously threaten
the future of epidemiological research in Britain.
Leo Kinlen, director of the Cancer Research Campaign’s epidemiology
unit in Oxford, points out that ‘epidemiological studies have told us practically
everything we know about aspects of the environment that cause cancer’.
This view is shared by Michel Coleman, director of Britain’s largest regional
cancer registry, the Thames Cancer Registry, which has a vast database showing
incidence, treatment, survival and mortality since 1960.
Advertisement
‘The current draft of the directive, if implemented without derogation,
would make the kind of work we do here illegal,’ says Coleman. Or as Nicholas
Wald, head of environmental and preventative medicine at St Bartholomew’s
Hospital, London puts it ‘approval of the rules would for practical purposes
stop record-based epidemiological research taking place in this country’.
One of the problems facing these researchers is that they rely on a
technique called data matching for their studies. This enables researchers
to link and merge a variety of records, held on different computer systems
– or in some cases filing cabinets . To do this all records have an identifier,
usually a person’s name.
Cancer registries, for example, match records from GPs, hospitals, cancer
screening centres, pathology laboratories, and ultimately from death certificates
to build-up a wider picture of cancer in Britain. This is precisely the
type of information that the officials monitoring the Health of the Nation
strategy will need. Such medical records also played a part in establishing
the links between cigarette smoking and cancer of the lung, and between
oestrogen-based hormone replacement therapy and cancer of the womb. Many
other epidemiological studies, such as those on the side effects of the
contraceptive pill, also used this approach.
But this kind of matching appears to fall foul of at least two of the
principles laid down by Britain’s Data Protection Act. This specifies that
personal data shall be obtained and processed ‘fairly and lawfully’, and
that ‘Personal data held for any purpose or purposes shall not be used
or disclosed in any manner incompatible with that purpose or those purposes.’
So it could be argued that using patients’ treatment records for large epidemiology
is incompatible with the original purpose, and that the information was
not fairly obtained.
In practice, however, the act has get-out clauses. The guidelines to
the act point out that an organisation can use personal data for any purpose
as long as they register their intention to do so with the data registrar.
In other words, data users can legally hand your details on to anyone they
like, as long as they tell the registrar they’re going to do so.
Data protection law is much tighter in some other European countries.
Denmark, for example, forbids data matching for commercial purposes. If
the current proposals for the European directive become law, they will tighten
up many of the loopholes found in the British act. Some of these proposals
could spell the end for data matching if member states interpret the directive
strictly – and it’s not clear whether there will be leeway for countries
to opt out of some of the legislation.
Article 6 of the amended proposal, for example, says that data can be
held ‘no longer than necessary for the purposes in view’. One interpretation
of this is that NHS records, held for the purpose of treating patients,
would need deleting once the patients had died, destroying an important
source of information for retrospective health studies. Article 7 sets out
a number of principles to control the type of data processing that can be
done. One of these is that anyone who wants to link one set of records with
another, even for the purposes of statistical research, should first go
back and get the consent of the subjects associated with that data. And
Article 8 states that data holders should not process data concerning ‘health
or sexual life’, unless there is ‘manifestly’ no infringement of individual
privacy.
Of these three restrictions, the most problematic for epidemiological
researchers is the requirement to obtain permission from the ‘data subjects’
before carrying out records-based research. By their nature, many of these
studies involve very large numbers of records; the need to contact everyone
involved would often make the research not feasible. As Kinlen points out:
‘There are very few situations where the risk is so huge that it can be
detected by studying just twenty or thirty people. The only way you can
get an answer in a reasonable timescale – say, five years – is to follow
up many thousands of people.’
Legal bind
In some other European countries, data protection legislation strangles
epidemiological research at birth. In France, it is against the law for
a doctor to pass identifiable medical data on to another doctor not involved
in the patient’s treatment. In Germany, patients generally have to give
their consent for cancer registries to hold their personal information.
In both countries, researchers have attempted to carry out studies using
encrypted data. But this has proved less than perfect, because the data
used in matching programs is not always accurate, often human intervention
is necessary – and that means using data that they can read.
Even before the directive was mooted, epidemiological research using
computer records was coming under tighter control in Britain. The Department
of Health has said that local research ethics committees (LRECs) in hospitals
and regional health authorities must be consulted about proposals involving
access to the records of past or present NHS patients. This advice is being
incorporated into guidelines being prepared by the Medical Research Council.
Researchers already consider the need to approach all the LRECs as a burden.
Add to this the need to obtain consent from individuals, say researchers,
and the task of carrying out large-scale studies would become impossible.
But not everyone is convinced by the researchers’ plight. Their voices
often get lost in the broader argument of data privacy. This includes worries
about the way credit-checking agencies get hold of private details, and
the potential use of personal data by government departments, such as those
involved with paying benefits. Privacy advocates point out that the risks
of data matching might outweigh its benefits. One of their concerns is that
the result of matching data from several sources is not always accurate.
New Zealand’s Data Protection Commissioner, Bruce Slane, says he’s handled
several cases where people still resident in New Zealand found their state
benefits suspended because their name was similar to that of a person who
had left the country.
Another argument against data matching is that, by bringing together
and making accessible information normally held in a number of different
places, there is a threat to a person’s right to keep themselves to themselves.
As Slane puts it, it’s rather like ‘somebody coming into your house when
you’re not there, taking a few things away, examining them, putting them
back, and you never know they’ve been there’.
From the hundreds of complaints David Smith, assistant registrar for
health and local government at Britain’s data protection registry receives
about the activities of the credit-checking agencies, many people would
prefer these organisations not to have access to their personal details.
But it is less clear whether they also want to see an end to research that
could one day save their lives.
Epidemiologists argue that epide-miology is painless, effective, and
has no direct impact on individual privacy. They believe that most members
of the public would prefer to make their records available for research
purposes and get the benefits of better information about health hazards.
To some extent, the small number of complaints referring to the use of medical
records supports this claim.
Ignorance is bliss
An alternative explanation is that people don’t actually know that researchers
use their medical records for purposes other than treatment. ‘Most of the
complaints have been when patients are contacted by researchers,’ Smith
says. ‘Recently we’ve been talking to small groups of patients about use
of their records, and we found that most of them were not aware that identifiable
information about them might be used for research.’
One of the few surveys of public feeling about use of medical records,
carried out by the German Ministry for Youth, Family Affairs and Health
in 1983, found that 78 per cent of the respondents were willing to have
their personal data reported to a cancer registry and made available to
researchers if they developed cancer. Only 12 per cent did not like the
idea of cancer registries at all, and of these half said that doubts about
data protection were their main reason for objecting. Sixty-six per cent
of the respondents thought that doctors should get the patient’s consent
before reporting a cancer to the registry.
Britain’s health department is considering the idea of asking people
when they first arrive for treatment to consent to releasing their health
records for medical research. But this is complicated, too. If you give
people the choice of opting out of research studies, researchers argue,
you create a self-selecting sample that could unacceptably bias research
results. If you don’t give them the choice, you could make them reluctant
to give information in the first place.
For some time researchers have kept their heads down over records-based
research. It is an emotive issue, and many people’s initial reaction is
to protect their own privacy rather than think of the benefits to other
people. Coleman from the Thames Cancer Registry, believes that these fears
are unjustified, and that presenting the issues openly is the researchers’
best policy for winning support for their cause among the public and the
European Commissioners.
It is not clear, in a political climate that champions individual rights
over those of society as a whole, how successful this argument is likely
to be. But one way or another, the impending European legislation means
that some explaining has to be done. Either epidemiologists convince the
public now that the value of their work outweighs the perceived invasion
of privacy, or someone will have to explain a few years on why it’s so hard
to find out what does us harm, or whether the incidence of diseases such
as cancer and coronory heart disease have met the targets prescribed by
government policy.
Candice Goodwin is a freelance writer specialising in information technology.
* * *
Match making
Computers rarely make mistakes, but people often do. They transpose
street numbers or numerals in dates of birth, spell names incorrectly, say
that an individual is Ms instead of Mr. Mistakes like these mean that records
on the same person from different databases will often not be a direct match.
Humans learn from experience to judge the odds that a pair of records
relate to the same person. And some of the more complex matching programs
build in this kind of experience.
To decide whether a pair of records is correctly matched, the computer
will compare the names on the records with other identifiers such as year,
month and day of birth, sex and marital status, and geographic details such
as place of birth, work or death. But what happens if the name and sex on
two records are the same, while the date and place of birth are different?
Since the late 1950s, when researchers first used computers for record matching,
organisations that use data matching have developed strategies for overcoming
problems like this, so enabling the rapid matching of large numbers entries.
The credit-checking agencies, for example, don’t match raw data directly.
When a new entry for the database arrives, the basic information in it
– name, address, and date of birth if available is converted into matching
keys for use in actual record comparisons. Names get phonetic codes, for
example, White, Wight and Whyte are the same code. The address also becomes
a matching key, with the street number in one field, the phonetically encoded
street name in another, and the street type – street, road, lane and so
on – in another. Towns have standard numbers.
When a customer logs on to the agency’s computer to request information
on a credit applicant, the program encodes the information, and compares
it against the table of matching keys in its database. In some cases it
will find a direct match; more usually, there will be a number of near matches.
But human experience also gets incorporated into tables that allocate scores
for the similarity of various matches. Goodwin and Godwin, for example,
would have a high similarity score, but Goodwin and Goodfield would not.
Similarly, the program may link Kilburn, Cricklewood and West Hampstead
in London, because although the names are different they need a high similarity
rating as they often refer to the same area.
By summing the weighted scores, the computer comes up with a final score
for each possible match and the inquirer gets those with a fairly high
score. But the final decision about which information is connected and which
is not will be made by a person, not the machine