Free text, CPRD and yet another threat to medical confidentiality
by Phil · 2026-01-25 · via Comments for medConfidential

Thanks to Professor Julia Hippisley-Cox and Helen Wilkinson for pointing out that the Clinical Practice Research Datalink (CPRD) has extracted highly sensitive ‘free text’ from patients’ GP records without approval or fair processing.

Free text is your GP’s own notes, attached to the codes that are entered onto their computer systems. It can basically contain anything – names, highly sensitive personal details, medical and non-medical information about you or other people. Free text is for your doctor’s own use when providing you care, and to provide context that will help any other doctor you may see in future to provide you care.

See page 15 of CAG meeting minutes 3 October 2013 – 6a. CPRD – processing of free text information [CAG 6-06(a)/2013]

N.B. CAG is the Confidentiality Advisory Group, now based at the Health Research Authority, which advises the Secretary of State on the use of the extraordinary ‘Section 251’ powers that allow the common law duty of confidence to be set aside so that patient identifiable information may be used without consent.

That free text has been extracted is confirmed by this presentation on Using free text in primary care research, on slide 55, which states:

“We plan to run FMA on free text within +/- 90 days of myocardial infarction [heart attack] for 2000 patients… Software will be run at CPRD without anonymisation”

(N.B. You will need to add .pdf to the filename of the file once downloaded in order to view it in Acrobat Reader.)

And this published study on BioMed Central suggests that GPRD (the General Practice Research Database), the precursor to CPRD, had been collecting free text for years.

Even more worrying is this statement on page 16 of the CAG minutes from 3/10/13:

“It was noted from the discussion that CPRD were seeking to progress solutions and were in discussion with those leading on the care.data mechanism.”

So CPRD had been using an out-of-date leaflet from 2008 to ‘notify’ patients about what it was doing and was in discussion with care.data leaders about using whatever ‘mechanism’ they were going to use to inform the public – which we now know was a junk mail leaflet!

If you even received a junk mail leaflet in January, did you see any mention of CPRD? Or any suggestion that your doctor’s private free text notes about you would be extracted? If you didn’t, why not check the leaflet out now? It says:

“Details that could identify you will be removed before your information is made available to others, such as those planning NHS services and approved researchers.

We sometimes release confidential information to approved researchers, if this is allowed by law and meets the strict rules that are in place to protect your privacy.”

So, you have been lied to on at least two counts; details that could identify you (i.e. free text) clearly are not always removed before information has been made available to researchers, and confidential information has been ‘released’ unlawfully and without meeting these so-called “strict rules”.

Because, as the CAG minutes clearly state:

“The CAG agreed that the minimum criteria under the Regulations did not currently appear to be met, and therefore advised recommending deferral to the SofS and the Health Research Authority, to enable the following actions to take place to bring the application within the framework of the Regulations:

a. Fair processing actions to be progressed in conjunction with the Information Commissioner’s Office; assurance and approved patient information materials to be provided at the relevant time before any final approval could come into effect.

b. Revision of the application form to fully incorporate responses to the issues set out above. This was to include a cover paper to clearly show which sections reflected these responses within the application.

c. A favourable ethical opinion to be provided from a Research Ethics Committee on the revised application to be considered by the CAG.

d. A satisfactory level to be achieved within the IG Toolkit before any final approval could be provided; this could be carried out in parallel to CAG consideration of the application.”

So there you have it. Yet another way that sensitive patient information has been taken from GP records without consent or proper approval. And care.data leaders knew all about it.

The problems aren’t just limited to HSCIC, folks.

We’re not saying research shouldn’t happen – of course it should – but it must be done with proper consent and/or proper authorisation, e.g. Section 251 support, which CPRD clearly didn’t have and doesn’t have yet.

Please note: we are not suggesting that the researchers referred to in this post are necessarily at fault; they may simply have been using a ‘service’ provided by GPRD / CPRD, without knowing that the free text had not been gathered with consent or proper approval.