Risks From Large (Health) IT Systems

It is a long-standing privacy principle that an individual should have access to their personal information. This is particularly necessary in healthcare - after all there is nothing more personal than health information.

As the mass digitisation of health records increases, many issues arise about this access right.  The right of 'subject access' comes with its own complexities. One challenge is that individuals can sometimes be compelled to conduct subject access requests in order to share their sensitive information with other institutions who wouldn't normally be able to access this information. Another challenge is around the issue of parental access to the health information of adolescents.

In the UK, it is generally believed that between the ages of 12-16 when a person can take responsibility for their own medical decisions, depending on their competence to do so. While a person may be considered a child for some major decisions, by the time they are 16 in the UK they are believed to be able to make an informed choice on decisions about their health and subsequent access to that information. This has become contentious in many types of health care scenarios, but the most frequent is around sexual health decisions.

So, a difficult problem arises: If the mass digitisation of health records increases accessibility to health information and finally we have the ability to make the right of subject access a reality for all people, at what age does a child take responsibility of this data, thereby shutting out their parents from access?

Recognising that children are the difficulty of this problem -- given that parents are an important part of the decision-making process when it comes to their child's health -- Dame Fiona Caldicott in her recent review of Information Governance in the UK Health Service, said that where privacy can not be protected appropriately, “access should automatically be switched off”.

'Full' access should automatically be switched off when the child reaches the age of 12, although transactional online services, such as making appointments with a professional, would still be possible. 'Full' patient online access would be reinstated to the child when they reach 16 years old if they have capacity, or earlier if the health or social care professional judges, after discussions with the child, that they are competent.

Too often it's assumed that that all governments and private companies need to do is build databases and write privacy policies. But it's far more complicated than that.

Instead, whomever is building the project needs to think long and hard about the structure of the systems and the type of people they will ultimately affect. Using the above example, we have a situation where access to records is being determined ex post facto.  However, these are the types of things we need to think about when we talk about designing systems in the first place, with privacy in mind, or  'privacy by design'.

As legal frameworks around privacy are being updated to consider how to protect privacy in the modern era, this is an insight that should be reused in other projects.