Patient Privacy: Determining Who Can Access Private and Confidential Data


Any use of personal data, including health records, needs permission to use that data, and then only for specific, defined purposes. Thus a doctor may have permission to hold personal data for operational health care delivery, but not for other purposes such as research, or entertaining his or her friends at the dinner table. In some cases this may be addressed by anonymization of the data, which may remove it from the scope of privacy legislation. Purposes such as audit, performance monitoring and planning for future demand do not normally require identifiable data, and should be carried out on properly anonymized data.

The issue of purpose is more complex where one person or organization has multiple purposes. For example, a private health insurance company may both employ clinicians to treat patients and employ telesales staff to sell new products to the same people. In countries such as the U.K. and Canada, with a strong tradition of a public health care system, there is increasing use of private providers within the public system to reduce waiting times and address bottlenecks in access to care. The use of organizations that may be perceived to have conflicts of interest raises particular concerns for the public.

Within the U.K. and European legislative framework, explicit consent is required for the sharing of personal identifiable information for each purpose. In order to represent this, a privacy people-purpose matrix has been proposed.

The Privacy People-Purpose (PPP) Matrix

The PPP matrix represents graphically the extent to which a patient is happy to share their information, on a two-dimensional matrix. The x-axis represents the people or organizations that might have a legitimate right to access the data; the y-axis represents the purpose to which they may wish to put the information. The top left corner represents the use of information for immediate operational health care; the bottom right represents the widest disclosure.

Patients should be able to give their consent for disclosure to a two-dimensional subset of this matrix, and to a larger subset for the use of their information in an anonymised form. The red and blue zones reflect my own views of how far I would give consent for my personal summary data to be shared.
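As an added illustration, not code from the original article, the two nested consent subsets described above can be encoded as a policy that an access check evaluates per (person, purpose) cell, denying by default; the axis labels and the sample grants below are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    DENY = "deny"                  # cell is outside both consent subsets
    ANONYMISED = "anonymised"      # only de-identified data may be released
    IDENTIFIABLE = "identifiable"  # patient consented to identifiable sharing

# Constructed axis labels (assumptions, not from the article).
PEOPLE = ("treating_clinician", "private_provider", "insurer", "researcher")
PURPOSES = ("direct_care", "audit", "planning", "research", "marketing")
# Purposes the article says do not normally require identifiable data.
ANONYMISED_ONLY = {"audit", "planning"}

@dataclass
class ConsentMatrix:
    """A patient's consent as two nested subsets of (person, purpose) cells."""
    identifiable: set[tuple[str, str]] = field(default_factory=set)
    anonymised: set[tuple[str, str]] = field(default_factory=set)

    def grant(self, person: str, purpose: str, level: Access) -> None:
        if person not in PEOPLE or purpose not in PURPOSES:
            raise ValueError(f"unknown cell {(person, purpose)}")
        if level is Access.DENY:
            return  # deny is the default; nothing to record
        if level is Access.IDENTIFIABLE:
            if purpose in ANONYMISED_ONLY:
                raise ValueError(f"{purpose} must be carried out on anonymised data")
            self.identifiable.add((person, purpose))
        # Identifiable consent implies anonymised consent (nested subsets).
        self.anonymised.add((person, purpose))

    def decide(self, person: str, purpose: str) -> Access:
        # Evaluate one (who, why) request against the matrix; deny by default.
        cell = (person, purpose)
        if cell in self.identifiable:
            return Access.IDENTIFIABLE
        if cell in self.anonymised:
            return Access.ANONYMISED
        return Access.DENY

def example_matrix() -> ConsentMatrix:
    """Constructed sample consent: the insurer's two purposes get different answers."""
    m = ConsentMatrix()
    m.grant("treating_clinician", "direct_care", Access.IDENTIFIABLE)
    m.grant("treating_clinician", "audit", Access.ANONYMISED)
    m.grant("insurer", "direct_care", Access.IDENTIFIABLE)  # its own clinicians
    m.grant("researcher", "research", Access.ANONYMISED)
    return m  # insurer/marketing was never granted, so decide() denies it
```

The same organization (the insurer) is answered differently for treatment and for marketing, which is the multiple-purpose case the article raises.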

The Privacy-People-Purpose matrix allows a richer appreciation of privacy issues than traditional unidimensional protocols, and reflects much more closely patients' concerns about the use of their personal medical information.

Further Reading

Gillies AC (2008). The Legal and Ethical Changes in the NHS Landscape Accompanying the Policy Shift from Paper-Based Health Records to Electronic Health Records. Studies in Ethics, Law and Technology, vol. 2, no. 1, article 4. Berkeley Electronic Press.