Confidentiality costs

Written by Sheila Bird on . Posted in Features has met a hail of criticism. Technical solutions which both protect patient-confidentiality and enable linkages in the public interest had been eschewed. Why? Each of three possible reasons - economy, expediency, ignorance - is unacceptable. Confidentiality costs, but the pay-off from properly designed, ethically approved record linkage is great potential for new discoveries in the public interest.

But I want to relate another story that illustrates the lack of attention to affordable detail in persuading the public that their personal information is safe in the public sector.

This year, I was one of those selected to receive the GP Patient Survey: my opportunity (apparently) to shape local GP and dental services in England’s NHS. These questionnaires are issued by a contractor, Ipsos MORI, on behalf of NHS England to patients whose name was randomly selected from the NHS list of persons registered with a general practice. This meant that Ipsos MORI had been passed my contact details (name and home address and GP practice identifier) but only uses them, I was assured, to send me reminders about the GP Patient Survey if I do not reply (which I did not).

Ipsos MORI had not been given any information about my health - but would hold information about my health if I chose to answer some of the well-posed survey questions such as Q30 & Q31: do I have a long-standing health condition? And which on a list of conditions do I have - from Alzheimers to diabetes to mental health problems. Or Q34 (my EQ-5D quality of life), Q36 (Do I have a written care plan), Q41 (have I made an out-of-hours GP service call in the past six months), Q52 (my age-group), Q54 (Am I in full-time paid work), Q 58 (Am I a deaf person who uses sign language), Q59 (my smoking habit), Q 61 (my sexuality) and Q62 (about my religion).

Included with the GP Patient Survey form was a letter, addressed to Mrs Sheila M. Bird at my home address and image-signed by Tim Kelsey (National Director for Patients and Information at NHS England). The letter - which bears my name and full address - also shows the GP Patient Survey reference number which had been assigned to me and which appears on my survey form, thus denying me demonstrable anonymity1. By survey answers being linked - via the reference number - to a potential respondent’s name and address, if she answers all the questions, she wittingly reveals much about her name-attributable own health. 

In effect, I have to take on trust that no-one at Ipsos MORI will browse my answers while linkage exists at Ipsos MORI between my identity and my GP Patient Survey responses. But, I should not have to take this on trust - as research methods, more costly perhaps, clearly exist by which to protect my and your confidentiality. Wisely, over 60% of recipients of the GP Patient Survey do not respond and so the majority does not take on trust.

The GP Patient Survey is not alone in its use of survey methods that deny demonstrable anonymity but statisticians should defend the public against methods that unnecessarily jeopardise their confidentiality. How many elementary design errors and breaches of, or risks to, confidentiality were made in just that one letter and questionnaire issued by NHS England’s contractor, Ipsos MORI?  

Preserving confidentiality costs

NHS England seems to have been unwilling to afford me demonstrable anonymity. As potential responder, I should be guaranteed - by design - that my responses are unlinkable to my identity.

The Tim Kelsey letter should surely have been addressed to 'Dear Patient'. Two separate prepaid envelopes could have been provided: one for the return to Ipsos MORI of my unlabelled completed questionnaire on which is shown, however, my GP’s practice-code, and the other for the return to the list-holder of my GP Survey reference-label (which is linked at source to my name and address) together with a tick-box declaration that I have either returned the completed survey questionnaire or that I wish to make a nil return and receive no postal-reminders. No names and addresses need be passed to the contractor, Ipsos/Mori.

The GP Patient Survey is analysed by general practice and so the covering letter should explain that the survey form needs to include a practice-code and that, every six months, a GP Patient Survey form is posted to approximately R randomly-sampled adult patients registered to each practice-code. How large R is, and how many of those recipients share my gender and age-group, determines how identifiable I am among either potential respondents or patients of the same gender and age-group registered to my practice-code.

Design details such as above were explained to Scottish prisoners when we invited them to take part in Willing Anonymous HIV Surveillance (WASH) studies2, but were not explicit in the 'Dear Patient' letter. In our WASH studies, a prisoner’s no-names self-completion questionnaire was linked to his saliva sample by a pair of sealed labels, which the prisoner himself selected. One was affixed to his questionnaire, the other to the salivette containing the prisoner’s saliva sample. As the prisoner exited the surveillance hall, he placed the questionnaire in a blue bin, the salivette in a red bin: making them physically separate. Response-rates were typically over 80%.

The GP Patient Survey achieves a response rate below 40%, which better survey methodology - in terms of demonstrable anonymity for respondents - should surely improve upon. Each year, some 2.5 million questionnaires are issued. Sampling is at least random, which is excellent, but undermined by the low response rate. Disclosure of 2.5 million sampled patient names and addresses annually to contractor Ipsos MORI should also be avoided.   

Assuring respondents that 'Your answers will be kept completely confidential' is not the same as confidential-by-design. Confidential-by-design may cost more but then confidentiality does cost. True respect for patients’ confidentiality is what good statistical method delivers and is what all patients have a right to expect from (bio)statisticians.

Next up in February 2014 was also fronted by Tim Kelsey

Page one of the NHS leaflet 'Better information means better care' exhorted all in the household to read this information carefully and told me: 'You have a choice'. But how a child or person who lacks capacity was to make their choice did not merit a page one mention. The information sheet failed by a mile in the research ethics and transparency standards expected in public health.

For example, the third paragraph of the Introduction purported to explain the nature of the proposed linkages - using information such as your postcode (full or partial?) and NHS number (which links to your name and address if you are GP-registered). Names are not explicitly mentioned as a basis for the proposed linkages - should I infer that names shall not be used? Or, was the leaflet just economical with the truth?

The public should know the bases for linkage between each pair of linked-in databases (database 1 to be linked with database 2 by use of X, Y, Z; database 2 to be linked with database 3 by use of X, W; and so on). Once it has been established by linkage that record A on database 1 links with high probability to record N on database 2, then the allowable-data-records from databases 1 and 2 can be abstracted (but with A/N overwritten by a common, randomly-assigned link-code).  

However, since Health and Social Care Information Centre (HSCIC) already holds the database on hospitalisations, HSCIC may be able to de-identify my linked record. The public needs to be told explicitly about the design-safeguards which have been set up to prevent any breach of my or your confidentiality to, or by, HSCIC personnel.

HSCIC and NHS England seemed to think that it was permissible for HSCIC staff to have access to identifiable GP patient records because linkage required it. Properly safeguarded linkage does not require it.

The public should be told explicitly what design safeguards are in place to prevent breaches of confidentiality: to or by HSCIC personnel in respect of or Ipsos MORI with the GP Patient Survey. Criminalisation, albeit a deterrent, is not a design safeguard. Better methods exist - use them or forfeit the public’s confidence.


The views expressed in the Opinion section of StatsLife are solely those of the original authors and other contributors. These views and opinions do not necessarily represent those of The Royal Statistical Society.


  • 1. Bird AG, Gore SM. Inside methodology: HIV surveillance in prisons. AIDS 1994; 8: 1345-1346.
  • 2. Bird AG Gore SM, Cameron S, Ross AJ, Goldberg DJ. Anonymous HIV surveillance with risk factor elicitation at Scotland’s largest prison, Barlinnie. AIDS 1995; 9: 801-808.
  • 3. Bird SM. Editorial: Counting the dead properly and promptly. Journal of the Royal Statistics Society Series A (Statistics in Society) 2013; 176: 815 – 817.
  • 4. McCarthy M. why are Scotland and Wales doing it differently? British Medical Journal  2014; 348: g1702.

Ipsos MORI National Health Service Data privacy

Join the RSS

Join the RSS

Become part of an organisation which works to advance statistics and support statisticians

Copyright 2019 Royal Statistical Society. All Rights Reserved.
12 Errol Street, London, EC1Y 8LX. UK registered charity in England and Wales. No.306096

Twitter Facebook YouTube RSS feed RSS feed RSS newsletter

We use cookies to understand how you use our site and to improve your experience. By continuing to use our site, you accept our use of cookies and Terms of Use.