ACT NOW to protect your medical confidentiality

ACT NOW to protect your medical confidentiality

*BREAKING NEWS* 7/2/14 – NHS England leaflet misleads patients about opt out

Sometime in January 2014 you may have received a leaflet via junk mail, entitled ‘Better information means better care‘ (2MB PDF file). It may not be clear from the leaflet that a significant change in what is done with your medical records is about to happen.

Unfortunately, NHS England – the commissioning body that now runs the NHS in England – decided not to include an opt out form with the leaflet and the information in it says you should “speak to your GP practice” if you want to stop your or your family’s confidential medical information being uploaded and passed on.

This is misleading.

You do not have to speak with your doctor or book an appointment. The choice to keep your medical records private is completely down to you; all you need do is inform your GP of your choice, which you can do simply by writing a letter or dropping a form into your surgery.

To make things more straightforward, medConfidential is providing both a form and a letter for you to use. You can use either one of them. Click on one of the links below to download a copy. Print it off, fill in your details, sign it and send it to your GP or drop it into the surgery reception for their attention:

Opt out form (PDF)

Please do take a few moments to e-mail this PDF to your family, friends and colleagues, or send them the link to our download page – www.medconfidential.org/how-to-opt-out – or share it on social media. You might even print off copies of the form (it conveniently prints double-sided and folds to fit in a DL envelope) to give to others who may not have heard about what’s going to happen to their medical records, and won’t know what they can do.

Opt out letter (PDF)

Opt out letter (MS Word)

Opting out will not affect the care you receive and you can change your mind at any point and opt back in if you like. If you have any specific concerns, we recommend you speak with your GP.

As you will see from the letter, there are TWO codes that your doctor will need to add to your record – one to prevent identifiable information being uploaded from your GP practice and one to stop the Health and Social Care Information Centre from passing on identifiable information about you that it gathers from anywhere else, e.g. hospital records, clinics or testing laboratories.

Remember, the choice is yours. You don’t need to justify it but if you want to keep your medical records private and confidential you do need to act now.

http://medconfidential.org/

http://www.healthwatch.co.uk/

Police will have 'backdoor' access to health records despite opt-out, says MP

David Davis says police would be able to approach central NHS database without a warrant as critics warn of catastrophic breach of trust

• Randeep Ramesh, social affairs editor
• The Guardian, Thursday 6 February 2014 19.48 GMT
• Jump to comments (1031)

Patients' records at a GP surgery. According to David Davis, in the past police would need to track down the GP who held a suspect's records and obtain a disclosure order. Photograph: Christopher Thomond for the Guardian

The database that will store all of England's health records has a series of "backdoors" that will allow police and government bodies to access people's medical data.

David Davis MP, a former shadow home secretary, told the Guardian he has established that police will be able to access the health records of patients when investigating serious crimes even if they had opted out of the new database, which will hold the entire population's medical data in a single repository for the first time from May.

In the past, Davis said, police would need to track down the GP who held a suspect's records and go to court for a disclosure order. Now, they would be able to simply approach the new arms-length NHS information centre, which will hold the records. "The idea that police will be able to request information from a central database without a warrant totally undermines a long-held belief in the confidentiality of the doctor-patient relationship," he said.

The records will include mental health conditions, drugs prescribed, as well as smoking and drinking habits – and will be created from GP records and linked to hospital records. Ministers have defended the incoming system – which supporters say could bring huge benefits to care and research – saying it has mechanisms to de-identify records and a series of committees which will consider requests from thinktanks, businesses, universities and government bodies, as well as offering opt-outs for patients concerned about the use of their data.

But opting out of data sharing outside the NHS will not prevent records being sucked up and state agencies in some cases will be able to get access to them.

In the case of the police, officers will be able to request all of the medical data held for specific suspects with their correct identities, regardless of whether they had opted out.

With a national database in place, the request only has to be considered by officials at the information centre, who will not know the patient personally.

Davis, who established the existence of these "backdoors" in a parliamentary question answered by health services minister Dan Poulter, said he had "no problems with the data being used for licensed medical research, but when we have police accessing from a database that people have opted out from, and companies being able to buy this data, I think we need to have a debate about whether my property, which are my patient records, can be sold and used".

Advocates say that sharing data will make medical advances easier and ultimately save lives because it will allow researchers to investigate drug side-effects or the performance of hospital surgical units by tracking the impact on patients. But privacy experts warn there will be no way for the public to work out who has their medical records or to what use their data will be put.

The extracted information will contain a person's NHS number, date of birth, postcode, ethnicity and gender. Once live, organisations such as university research departments – but also insurers and drug companies – will be able to apply to the new Health and Social Care Information Centre (HSCIC) to gain access to the database, called care.data.

Last year it emerged that the private health insurer Bupa was among four firms that had been cleared to access "sensitive" patient data.

If an application is approved then firms will have to pay to extract this information, which will be scrubbed of some personal identifiers but not enough to make the information completely anonymous – a process known as "pseudonymisation".

Speaking generally about the new system, Davis said that medical records were a person's "fingerprint".

"I have had my nose broken five times. Once you know that, I am probably in a group of 100 people in England. Then you figure out when I had my diptheria jab, usually done at birth, and bang you got me. Let me be clear: people can be identified from this data."

This week, the Information Commissioner's Office warned that information provided to patients on care.data was not clear enough about how to opt out of the programme.

Brian Jarman, who developed the statistical methodology used to pinpoint high death rates in the NHS and is director of the Dr Foster research unit at Imperial College London, said the system should be "opt in, not opt out". He said: "There is simply too much data and the risks that something leaks are too great. We need to slow this process down to ensure we have the right checks in place."

Phil Booth of medConfidential, which campaigns on medical privacy, told the Guardian: "This is precisely the danger when you create a giant database of highly sensitive information about people – all sorts of other people want to go rifling through it, including the government." There's always another good reason to go digging, but no one thinks of the catastrophic breach of trust this represents."

"The lack of independent oversight and transparency is what's most worrying. People trust their GP, but who's heard of the Health and Social Care Information Centre or the four people who sign off on access to all our medical records?"

A Department of Health spokesperson said: "There are strong legal safeguards in place to protect patients' confidentiality. If people do not want their data to be shared, they can speak to their GP and information will not leave the surgery. Any release of identifiable data without consent would only be in a very limited number of exceptional circumstances, where there is a clear basis in existing law – such as for the police to investigate a serious crime."

• This article was amended on 7 February 2013. The earlier version said incorrectly that Brian Jarman was the co-founder of Dr Foster and professor of health economics at Imperial College, and referred a database of "the entire nation's health records".

http://www.theguardian.com/society/2014/feb/06/police-backdoor-access-nhs-health-records#start-of-comments

INVESTIGATIONS

REUTERS2 days

INVESTIGATIONS

Snowden Docs: British Spies Used Sex and 'Dirty Tricks'

BY MATTHEW COLE, RICHARD ESPOSITO, MARK SCHONE AND GLENN GREENWALD, SPECIAL CONTRIBUTOR

British spies have developed “dirty tricks” for use against nations, hackers, terror groups, suspected criminals and arms dealers that include releasing computer viruses, spying on journalists and diplomats, jamming phones and computers, and using sex to lure targets into “honey traps.”

Documents taken from the National Security Agency by Edward Snowden and exclusively obtained by NBC News describe techniques developed by a secret British spy unit called the Joint Threat Research and Intelligence Group (JTRIG) as part of a growing mission to go on offense and attack adversaries ranging from Iran to the hacktivists of Anonymous. According to the documents, which come from presentations prepped in 2010 and 2012 for NSA cyber spy conferences, the agency’s goal was to “destroy, deny, degrade [and] disrupt” enemies by “discrediting” them, planting misinformation and shutting down their communications.

Both PowerPoint presentations describe “Effects” campaigns that are broadly divided into two categories: cyber attacks and propaganda operations. The propaganda campaigns use deception, mass messaging and “pushing stories” via Twitter, Flickr, Facebook and YouTube. JTRIG also uses “false flag” operations, in which British agents carry out online actions that are designed to look like they were performed by one of Britain’s adversaries.

In connection with this report, NBC is publishing documents that Edward Snowden took from the NSA before fleeing the U.S., which can be viewed by clickinghere and here. The documents are being published with minimal redactions.

The spy unit’s cyber attack methods include the same “denial of service” or DDOS tactic used by computer hackers to shut down government and corporate websites.

Other documents taken from the NSA by Snowden and previously published by NBC News show that JTRIG, which is part of the NSA’s British counterpart, the cyber spy agency known as GCHQ, used a DDOS attack to shut down Internet chat rooms used by members of the hacktivist group known as Anonymous.

Read the first NBC report on JTRIG and the Snowden documents.

Read an earlier exclusive NBC report on the Snowden documents.

Civil libertarians said that in using a DDOS attack against hackers the British government also infringed free speech by individuals not involved in any illegal hacking, and may have blocked other websites with no connection to Anonymous. While GCHQ defends the legality of its actions, critics question whether the agency is too aggressive and its mission too broad.

Eric King, a lawyer who teaches IT law at the London School of Economics and is head of research at Privacy International, a British civil liberties advocacy group, said it was “remarkable” that the British government thought it had the right to hack computers, since none of the U.K.’s intelligence agencies has a “clear lawful authority” to launch their own attacks.

“GCHQ has no clear authority to send a virus or conduct cyber attacks,” said King. “Hacking is one of the most invasive methods of surveillance.” King said British cyber spies had gone on offense with “no legal safeguards” and without any public debate, even though the British government has criticized other nations, like Russia, for allegedly engaging in cyber warfare.

But intelligence officials defended the British government’s actions as appropriate responses to illegal acts. One intelligence official also said that the newest set of Snowden documents published by NBC News that describe “Effects” campaigns show that British cyber spies were “slightly ahead” of U.S. spies in going on offense against adversaries, whether those adversaries are hackers or nation states. The documents also show that a one-time signals surveillance agency, GCHQ, is now conducting the kinds of active espionage operations that were once exclusively the realm of the better-known British spy agencies MI5 and MI6.

Intelligence officials defended the British government’s actions as appropriate responses to illegal acts.

According to notes on the 2012 documents, a computer virus called Ambassadors Reception was “used in a variety of different areas” and was “very effective.” When sent to adversaries, says the presentation, the virus will “encrypt itself, delete all emails, encrypt all files, make [the] screen shake” and block the computer user from logging on.

But the British cyber spies’ operations do not always remain entirely online. Spies have long used sexual “honey traps” to snare, blackmail and influence targets. Most often, a male target is led to believe he has an opportunity for a romantic relationship or a sexual liaison with a woman, only to find that the woman is actually an intelligence operative. The Israeli government, for example, used a “honey trap” to lure nuclear technician Mordechai Vanunu from London to Rome. He expected an assignation with a woman, but instead was kidnapped by Israel agents and taken back to Israel to stand trial for leaking nuclear secrets to the media.

The version of a “honey trap” described by British cyber spies in the 2012 PowerPoint presentation sounds like a version of Internet dating, but includes physical encounters.

The version of a “honey trap” described by British cyber spies in the 2012 PowerPoint presentation sounds like a version of Internet dating, but includes physical encounters. The target is lured “to go somewhere on the Internet, or a physical location” to be met by “a friendly face.” The goal, according to the presentation, is to discredit the target.

A “honey trap,” says the presentation, is “very successful when it works.” But the documents do not give a specific example of when the British government might have employed a honey trap.

An operation described in the 2010 presentation also involves in-person surveillance. “Royal Concierge” exploits hotel reservations to track the whereabouts of foreign diplomats and send out “daily alerts to analysts working on governmental hard targets.” The British government uses the program to try to steer its quarry to “SIGINT friendly” hotels, according to the presentation, where the targets can be monitored electronically – or in person by British operatives.

NBC NEWS

A slide from the documents taken from the NSA by Edward Snowden and obtained by NBC News.

The existence of the Royal Concierge program was first reported by the German magazine Der Spiegel in 2013, which said that Snowden documents showed that British spies had monitored bookings of at least 350 upscale hotels around the world for more than three years “to target, search and analyze reservations to detect diplomats and government officials.”

According to the documents obtained by NBC News, the intelligence agency uses the information to spy on human targets through “close access technical operations,” which can include listening in on telephone calls and tapping hotel computers as well as sending intelligence officers to observe the targets in person at the hotels. The documents ask, “Can we influence hotel choice? Can we cancel their visits?”

The 2010 presentation also describes another potential operation that would utilize a technique called “credential harvesting” to select journalists who could be used to spread information. According to intelligence sources, spies considered using electronic snooping to identify non-British journalists who would then be manipulated to feed information to the target of a covert campaign. Apparently, the journalist’s job would provide access to the targeted individual, perhaps for an interview. The documents do not specify whether the journalists would be aware or unaware that they were being used to funnel information.

The executive director of the Committee to Protect Journalists, Joel Simon, said that the revelation about “credential harvesting” should serve as a “wake up call” to journalists that intelligence agencies can monitor their communications. Simon also said that governments put all journalists at risk when they use even one for an intelligence operation.

“All journalists generally are then vulnerable to the charge that they work at the behest of an intelligence agency,” said Simon.

The journalist operation was never put into action, according to sources, but other techniques described in the documents, like the Ambassadors Reception computer virus and the jamming of phones and computers, have definitely been used to attack adversaries.

In Afghanistan, according to the 2012 presentation, the British used a blizzard of text messages, phone calls and faxes to “significantly disrupt” Taliban communications, with texts and calls programmed to arrive every minute.

In a set of operations that intelligence sources say were designed to stop weapons transactions and nuclear proliferation, JTRIG used negative information to attack private companies, sour business relationships and ruin deals.

The British cyber spies also used blog posts and information spread via blogs in an operation against Iran.

Other effective methods of cyber attack listed in the documents include changing photos on social media sites and emailing and texting colleagues and neighbors unsavory information. The documents do not give examples of when these techniques were used, but intelligence sources say that some of the methods described have been used by British intelligence to help British police agencies catch suspected criminals.

The documents from 2010 note that “Effects” operations, GCHQ’s offensive push against Britain’s enemies, had become a “major part” of the spy agency’s business.

The presentation from 2012 illustrates that two years later GCHQ had continued to shift its workload from defending U.K. cyber networks to going on offense -- targeting specific people or governments. The British government’s intelligence apparatus, which also includes MI5 and MI6, had a role in the 2010 Stuxnet computer virus attack on Iran’s nuclear facilities, according to sources at two intelligence agencies.

GCHQ would not comment on the newly published documents or on JTRIG’s “Effects” operations. It would neither confirm nor deny any element of this report, which is the agency’s standard policy. In a statement, a GCHQ spokesperson emphasized that the agency operated within the law.

“All of GCHQ's work is carried out in accordance with a strict legal and policy framework,” said the statement, “which ensure[s] that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All of our operational processes rigorously support this position.”

Journalist Glenn Greenwald was formerly a columnist at Salon and the Guardian. In late 2012 he was contacted by NSA contractor Edward Snowden, who later provided him with thousands of sensitive documents, and he was the first to report on Snowden’s documents in June 2013 while on the staff of the Guardian. Greenwald has since reported on the documents with multiple media outlets around the world, and has won several journalism awards for his NSA reporting both in the U.S. and abroad. He is now helping launch, and will write for, a new, non-profit media outlet known as First Look Media that will “encourage, support and empower … independent, adversarial journalists.”

First published February 7th 2014, 2:14 pm

MATTHEW COLE

Matthew Cole is an investigative producer for NBC News focusing on national security matters. He joined NBC News in 2013 after three years as an investigative producer for ABC News. He has reported from... Expand Bio