What exactly is going on at the NHS Health and Social Care Information Centre (HSCIC)? A story in the Guardian last Saturday, ‘£140 could buy private firms data on NHS patients’, seems to have prompted some edits to the HSCIC website. The page for the HSCIC’s Data Access Advisory Group (DAAG) used to say, for example:
The Data Access Advisory Group (DAAG) is an independent group hosted by the Health and Social Care Information Centre which considers applications for sensitive or identifiable data. – our emphasis, source: Google web cache from 11 May 2013
But the current DAAG page on the HSCIC website – which, according to the page metadata meta name=”DC.date.modified” content=”2013-05-21T16:59:14+01:00″ scheme=”W3CDTF”, was modified at 4:59pm on Tuesday 21 May – four days after the publication of the Guardian article – to read simply:
The Data Access Advisory Group (DAAG) is an independent group hosted by the Health and Social Care Information Centre that considers applications for sensitive data.
Other pages have also been changed in recent weeks, such as the one about the HSCIC’s Bespoke data extract services. The top section of this page currently reads:
What is the data extract service?
Customers can order bespoke patient-level extracts or tabulations of health and social care data.
The data we supply is normally anonymised or de-identified. We only provide identifiable data when there is a lawful basis to do so e.g. with patient consent, a statutory gateway or with s251 support.
This data can only be made available to those who meet HSCIC’s robust Information Governance standards to protect and control how data is managed.
We oblige anyone who is eligible and whom we agree to supply with data to enter into a Data Sharing Agreement. These Agreements regulate how the data is shared and used and also detail storage security requirements and restrictions on onward sharing or publication of this data. We also reserve the right to audit adherence to the Agreement. The Data Sharing Agreement specifically prevents customers from attempting to link data and re-identify individuals.
You can find out more about our services for researchers, including how we are working with the Clinical Practice Research Datalink (CPRD), in the Data Linkage Research section of this website.
As compared to what it said on 7 April 2013 [web.archive.org snapshot]:
What is the data extract service?
Organisations can order bespoke patient-level extracts or tabulations of health and social care data.
Data will be provided in a de-identified form and we will only provide identifiable data where there is a legal basis on which to do so e.g. the patient has consented. Researchers can access this service via the Clinical Practice Research Datalink (CPRD)
or on 20 March [web.archive.org snapshot]:
What is the data extract service?
Researchers and organisations can order bespoke patient-level extracts or tabulations of health and social care data.
And on all of these pages, if you scroll down a bit further, you come to a link that says: “How do I apply for access to sensitive or identifiable data?” The clear implication being that one can apply for access to identifiable data.
As far as medConfidential understands, HSCIC does provide identifiable patient data to third parties and that – on top of any other fees it may levy – it charges (or has charged) an additional £140 processing fee for doing so. This seems like peanuts for access to identifiable data on individual patients, whatever procedures someone has to jump through to get it. And with the Commissioning Board (‘NHS England’) applying for blanket Section 251 exemption to pass around identifiable data amongst a whole range of commissioning bodies medConfidential believes patients have every right to be concerned that what may up until now have been relatively constained amounts of identifiable data leaving HSCIC may be about to become a flood.
In the interests of fairness and transparency, we decided to write to the folks at HSCIC so they can explain what’s going on. Here’s the text of our letter:
To: Dr Mark Davies, Director of Clinical and Public Assurance & Chair of Data Access Advisory Group, NHS Health & Social Care Information Centre
24 May 2013
Release of identifiable patient data from HSCIC
Dear Dr Davies,
We are writing to you regarding the circumstances in which HSCIC provides patient data in identifiable form to third parties. It appears that the HSCIC website may have contained some errors and, while we are aware that things are still adapting post-April 1st, we would like to clarify some details of the procedures around the release of patient identifiable data.
We have, of course, read the DAAG Terms of Reference and other information published on the website. We understand that HSCIC does receive patient data in identifiable form from a variety of sources and that HSCIC does provide patient data in identifiable form to third parties – not least because the HSCIC website lists three instances in which it provides patient data in identifiable form: where there is “patient consent, a statutory gateway or with s251 support.”
We therefore ask:
1) Other than by patient consent, a statutory gateway, or Section 251, what are the lawful bases on which HSCIC will provide patient data to any third party in identifiable form? “Where there is a lawful basis to do so” is broad and non-specific; what we would like is a specific and comprehensive list, something that a member of the general public could understand.
2) If a person or organisation has a lawful basis for requesting identifiable data and they satisfy the DAAG’s requirements as regards information governance and the particular request for data, is it the case that the DAAG will approve the provision of identifiable data from HSCIC? If this is not the case, who is the Senior Responsible Officer for such a release and what is the process by which they make that decision?
3) Can you confirm that HSCIC charges all third parties a fee for the provision of data in identifiable form? If there are circumstances in which this fee would be waived, please would you list them.
If any of these questions are not clear, please contact us on coordinator@medconfidential.org
Thank you for your attention. We look forward to hearing from you in due course.
Your sincerely,
Phil Booth and Terri Dowty, medConfidential