NHS #7: ‘Stringent Information Governance Controls’ and Section 251

We have already touched on the issue of ‘anonymisation’, but that isn’t the only problem. Confidential information that identifies an individual can be processed – gathered, stored and passed on – without any consent at all if there is a lawful provision for doing so.

Section 251 of the NHS Act 2006 is just such a provision. It: ‘…was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practicable, having regard to the cost and technology available.’ (Health Research Authority)

To put it simply, if an organisation has been granted a s251 exemption by the Secretary of State, they don’t need to worry about getting patient consent to use identifiable information.

The GPES FAQs say that: ‘Normally, data extracted will be anonymised, however where data that could identify patient is requested, it will only be released where a legal basis for disclosure exists (e.g. explicit patient consent)’ …but another example that hasn’t been given in the FAQs would be where an organisation has that vital s251 exemption.

Although NHS England is the ‘boss’ of HSCIC, insofar as it can direct it to do pretty much what it wants, it is also a ‘customer’ of HSCIC. Because of this, NHS England needs a legal basis for processing and passing on information gathered via the care.data extraction without seeking patients’ consent. In May, NHS England’s application for s251 exemption (or ‘support’) was approved, initially for six months: ‘The approval has been given subject to conditions until October 2013 at which point NHS England can provide a report for consideration to CAG to identify the requirements for continuing and or amended support.’

This means that identifiable data gathered under NHS England’s ‘care.data’ request – the extraction of identifiable patient information from all GP surgery records – can be passed on to a range of bodies without patients’ knowledge or consent.

Tomorrow we’ll look at the process of becoming a customer of HSCIC.