The Medical Research Council’s Sir John Savill (“Duty to share data”, Letters, 6 March) claims that MRC-funded research will use “rigorously de-identified data in an approved research environment with robust technical and security standards”. Yet none of the systems being promoted for the purpose comes even close. The Medicines and Healthcare Products Regulatory Agency refused to disclose the mechanisms used to de-identify Clinical Practice Research Datalink data, arguing that this would jeopardise security; the Hospital Episode Statistics data uploaded to the Google cloud appear to have patient postcodes as well as ages; and the Care.data records are fully identifiable. Again and again, we’ve been assured that our data are anonymous only to find that the assurances were false.
Pseudonyms do not work for medical data if individual care episodes can be linked. For example, it is public knowledge that Tony Blair had treatment for atrial fibrillation at Hammersmith Hospital on 19 October 2003; if all his other care episodes are linked to that, in a database to which thousands of researchers have access, his privacy is gone. This is common sense, but medical researchers appear to have great difficulty understanding it.
The only solution is transparency. We need to know who has access to our data, in what form and what they’re doing with it.
Ross Anderson, professor of security engineering, University of Cambridge
Ian Brown, associate director, Cyber Security Centre, University of Oxford, and senior research fellow, Oxford Internet Institute
Jon Crowcroft, Marconi professor of communications systems, Cambridge
Fleur Fisher, former head of ethics, science and information, British Medical Association
Douwe Korff, professor of international law, London Metropolitan University