Experts at Weightmans reveal the potential dangers behind the recent decision to make NHS medical data available to external agencies
Last month it was revealed that medical data harvested from GP and hospital records will be made available to researchers, drug and insurance companies when that data is uploaded to a new NHS information centre repository from March this year. In this article, Weightmans’ partner, Tony Yeaman, head of healthcare; and Simon Charlton, an associate in the healthcare team, give their take on the controversial decision and reveal what it will mean for patients
There has been much comment recently in the media as to the creation of a single English database of medical data, which it is feared will lead to patient information being sold to commercial organisations.
In the next few weeks a leaflet entitled Better information means better carewill be delivered to households throughout England and Wales, explaining why patient information held by GP practices and hospitals will be brought together in the care.data programme run by the Health & Social Care Information Centre (HSCIC).
The centre was set up by NHS England, under the Health & Social Care Act 2012, to collect data from every provider of care funded by the NHS. There is the possibility that this information may be sold on to, or made available to, private organisations and researchers, but in an anonymised form.
This process highlights concerns about the use, protection and storage of personal health data.
From a legal point of view, if NHS organisations follow the guidance provided by HSCIC, and ensure that information is safely transferred to the correct recipient in a properly-anonymised form, then they should not have any concerns
The NHS is a huge repository of health information which can be of use to many legitimate organisations including commissioners of health services and researchers. There is a fear that the NHS is not good at protecting this information, as evidenced by the recent heavy fines levied by the Information Commissioner’s Office upon NHS organisations, in some cases totalling £375,000 for data security breaches.
In response to these concerns, Dr Geraint Lewis, chief data officer for NHS England, has set how the data is classified. There is ‘anonymous or aggregated data’ (green data), ‘pseudonymised data’ (amber data) and ‘personal confidential data’ (red data). The green data might be published average values for large groups of patients, or completely anonymised data. Amber data covers the situation where patients’ identifiers (date of birth, postcode etc) are replaced with a meaningless pseudonym that bears no relation to their ‘real world’ identity. Red data is patient identifiable information. This would only be released where required by law, with the patient’s consent or limited authority has been obtained from a body such as the Secretary of State for Health.
Concern seems to have arisen from the use of amber data and possible re-identification. This can occur when anonymised data is disclosed and the recipient organisation has other data, which if combined with the anonymised data, could lead to identification of an individual or individuals.
The Information Commissioner, who is both the regulator and the enforcement body for personal data in the United Kingdom, has produced a Code of Practice entitled Anonymisation: managing data protection risk code of practice. The code states that it is essential to carry out a thorough risk analysis on the likelihood and potential consequences of re-identification at the initial stage of producing and disclosing anonymised data. The Information Commissioner takes the view that where an organisation collects personal data through a re-identification process, without individuals’ knowledge or consent, it will be collecting personal data unlawfully and can be subject to enforcement action.
Any organisation which releases information as part of this programme will need to ensure that the information is being sent to the correct recipient, and that they are following the guidance produced by HSCIC and the Information Commissioner.
The supplier of information will always be the data controller under the Data Protection Act 1998; HSCIC will be the data processor.
Clearly NHS trusts cannot be held responsible for how the HSCIC control and deal with data, but they must be satisfied that the HSCIC has the correct safeguards and processes in place to secure the data, and ensure that it is being used for the correct purposes.
The NHS has had more than enough bad publicity recently in respect of data security and must deal openly with such data security failures
NHS England has produced Privacy Impact Assessment : care.data , which illustrates its, and HSCIC’s, awareness of the privacy issues as a consequence of the care.data programme. This sets out how they are going to protect privacy, how they are managing risk, and to what use the information is being put. Clearly it is important that the general public is reassured as to the ability of HSCIC to protect their information and to use it lawfully and correctly in accordance with the data protection principles as set out in Schedule 1 of the Data Protection Act 1998. These principles demand that information is used for the correct purpose for which it was provided, that consent for such use has been provided by the data subject, that the use is lawful, and that the data is accurate and secure.
From a legal point of view, if NHS organisations follow the guidance provided by HSCIC, and ensure that information is safely transferred to the correct recipient in a properly-anonymised form, then they should not have any concerns. As stated above, such concerns can arise when for example data controllers are aware that there is a possibility that other information available to the recipient organisation may allow re-identification to take place, or if there is inadvertent disclosure of patient-identifiable information. At that point legal advice should be taken and the Information Commissioner informed.
The NHS has had more than enough bad publicity recently in respect of data security and must deal openly with such data security failures.