NHS and Police may share data – A major mistake

14-10-2021 | By Sam Brown

Recent evidence has come to light that the NHS may be required to share patient data with the police to fight against criminal activity. Why is privacy in data becoming an increasingly important issue, what evidence do we have that the NHS and police will share information, and what could be the ramifications?

Why is privacy becoming more important?

Privacy has always been important to humans and most likely originates from the invention of clothes, which introduced the concept of modesty. While privacy and its protection have always played a role in the computing world, it is only recently that concerns surrounding privacy have started to gain traction and significant attention.

Going back a decade or two, most people would be perfectly happy to sign up for newsletters, free samples, and complimentary online services. However, a user's private data, such as name, age, and email address, would often be the cost of a free service, and such details could easily be purchased by third-party organisations.

Selling private information is now increasingly looked down upon after multiple scandals in the tech industry, such as Cambridge Analytica, who purchased private data on individuals from Facebook to alter voting patterns via targeted political ads.

Protecting personal information is also becoming increasingly important when considering the advent of AI and how it can create profiles around individuals. For example, China now has a social credit system that prevents citizens from booking flights, trains, and other services if they are considered socially harmful. While the system only operates in China for the time being, there is not much to stop China from creating social profiles on individuals outside its country, which could lead to social destabilisation.

NHS may be required to release private patient data to the police

A recent report by the Independent has outlined that recent changes to the law could require the NHS to hand over patient data to the police in an attempt to better understand violent crime. According to Dr Nicola Byrne, data being sent over to the police would not only violate the privacy of patients but could lead to individuals providing false information. The submission of inaccurate data would make it hard for doctors to look at patient history and provide appropriate healthcare.

To be specific, the legislation that enables the police to obtain data from the NHS is the “Police, Crime, Sentencing and Courts Bill”. Under the Serious Violence Duty, the bill states that: “The serious violence duty will require local authorities, the police, fire and rescue authorities, specified criminal justice agencies and health authorities to work together to formulate an evidence-based analysis of the problems associated with serious violence in a local area. The Police would then produce and implement a strategy detailing how they will respond to those particular issues.”

What are the ramifications of this?

Sharing personal data is something that governments, including the UK, US, and EU, have been working hard to prevent. In fact, the various privacy laws surrounding sensitive data now require engineers to create designs that can wipe personal data, avoid common passwords to prevent unauthorised access, and integrate encryption methods to protect data during transit.

However, of all data gathered on an individual, medical history is arguably one of the most private. In fact, medical data is considered so personal that a practitioner is not legally allowed to share any data without explicit permission from the patient.

The NHS sharing patient data with the police is a clear violation of trust on multiple levels and could lead to mass exploitation by cybercriminals and the police themselves. To start, we first need to understand the ineptitude of the NHS and other government-run services to appreciate their inability to protect user data. Besides the fact that the NHS still uses fax machines, the NHS spent £10 billion on creating an IT system to modernise, only to find that it never worked, and had to scrap the entire project.

If a government service such as the NHS cannot modernise itself and store data on a central electronic system, how can it be expected to protect user data from the latest cyber threats?

The second violation would be sharing medical data with the police under emergency powers without patient consent. Data is vulnerable in each of its main states: storage, transit, and processing. The act of moving sensitive patient data from the NHS to police databases already puts the data at risk of being intercepted and stolen. Such records could be transferred manually, but even then, any stored data on a police database is then vulnerable to an outside attack.

Data and privacy are primary concerns for engineers, and ensuring that our designs and products follow proper procedures has never been more critical. While third-party companies can no longer get personal data without explicit permissions, the police may now be able to take NHS data on demand.
