Connecting for Health (CfH) has failed to convince the public that a central database of medical data would be safe.

People fear that it would be open to abuse and, as an indication of how spectacularly CfH has failed to persuade, The Guardian newspaper launched a national campaign encouraging patients to object to their medical details being uploaded to the spine.

The data protection laws already rule that personal data cannot be held on a computer without the subject’s consent, and yet, the government uploaded every citizen’s demographic data to the Personal Demographic Service, whether or not they consented.

If you are an important person (Tony Blair, for example) your details can be made more difficult to access — but instructions on how to do this for ordinary patients’ data has been conspicuous by its absence. Then CfH said that it would upload everyone’s summary record too, until reason (and the Guardian) prevailed.

Confidentiality fears
The grand CfH plan is now in tatters because many in the population will not allow their medical summary to be uploaded to the spine.

CfH needs to convince the public that it can keep this highly personal information secure and confidential.

With parliament’s health committee about to undertake a robust, in-depth investigation into the electronic health record, looking in part at confidentiality, I would like to offer a solution. Give each patient their own personal identification number (PIN) and make it impossible for medical staff to access their centrally–held record (either demographics or summary) without it. This PIN could be memorised, written on a piece of paper in the purse or wallet, or even held electronically on a plastic card.

So, a patient registers with your surgery. As well as gathering the name, date of birth and current address, the practice also asks for the PIN of the patient. Only then can the surgery access information and any summary information held on the spine.

The PIN is stored secretly in the practice’s computer system (but only held locally), so the practice can in future access the information when needed.

The same patient goes to casualty on a Saturday night: tells staff the PIN and from then on they are able to access the patient’s record. The same happens when the patient attends outpatients: but each specialty has to ask for the PIN on the first occasion.

There is no possibility that the patient’s estranged and violent husband (who works in the NHS and has a smartcard) can discover her current address or telephone number; and no nosy ‘friend’ who works in the surgery down the road can read her confidential medical details.

But what if the patient is brought into casualty unconscious? Assuming that the PIN is not written down, the failsafe procedure would be that casualty could override the need for a PIN: but the computer audit trail would trigger an investigation into its acceptability.

In this way the patient can give all relevant NHS staff access to records, but no one else will be able to access the record without the patient’s express permission (and PIN).

I have discussed this PIN solution with a number of experts in medical IT, who have given it a warm welcome. A similar system, created by Indivo, has already been used in the US with success.

I suspect it is the only model of holding central healthcare data that the British public will tolerate. Let’s use it.