The NHS could be forced to completely rethink its £6 billion patient database, because it is unlawful under the European Convention of Human Rights, it has been claimed.
Legal experts argue that a ruling from the European court in Strasbourg shows that punishments for misuse of data are not enough to ensure confidentiality. As a result, they say, the NHS database could be in breach of Article 8 of the convention, which protects the right to privacy.
The ruling concerned the case of a Finnish nurse whose colleagues discovered she was HIV positive after illegally accessing her health records.
The court ruled that laws which allowed the nurse to sue for damages were not sufficient to protect her privacy. 'What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place,' it said.
The NHS database will use smartcards and passwords to ensure that staff can only access records where they have a relationship with a patient. These will create an 'audit trail', documenting any misuse of data.
A spokesman for Connecting for Health pointed out that existing paper records have no such safeguards.
The agency 'has supported higher penalties for the inappropriate accessing of patient data when it is malicious,' he said.
UK courts are required to take account of rulings from Strasbourg. If a judge were to issue a 'declaration of incompatibility' with EU law, parliament would be forced to rethink the database.
Dr Paul Thornton, a GP in Warwickshire and campaigner for patient privacy, called on the DoH to abandon its plans for a single NHS database. If the system is to be lawful, the DoH 'will have to change its design to a lot of small, secure databases ',he said.
Professor Douwe Korff, a professor of international law at London Metropolitan University, described the ruling as a 'time bomb.'
'It shows it isn't good enough to say "this shouldn't happen",' he said. 'The government needs to take reasonable measures to ensure patient confidentiality.'
Professor Korff added that the use of penalties for inappropriate data access often failed in practice. There is evidence that some NHS staff leave their computers logged on to save time.
Others will ask colleagues for patient details by phone, citing computer problems, he said.
Comment below and tell us what you think