Free text, CPRD and yet another threat to medical confidentiality

Thanks to Professor Julia Hippisley-Cox and Helen Wilkinson for pointing out that the Clinical Practice Research Datalink (CPRD) has extracted highly sensitive ‘free text’ from patients’ GP records without approval or fair processing.

Free text is your GP’s own notes, attached to the codes that are entered onto their computer systems. It can basically contain anything – names, highly sensitive personal details, medical and non-medical information about you or other people. Free text is for your doctor’s own use when providing you care, and to provide context that will help any other doctor you may see in future to provide you care.

See page 15 of CAG meeting minutes 3 October 2013 – 6a. CPRD – processing of free text information [CAG 6-06(a)/2013]

N.B. CAG is the Confidentiality Advisory Group, now based at the Health Research Authority, which advises the Secretary of State on the use of the extraordinary ‘Section 251‘ powers that allow the common law duty of confidence to be set aside so that patient identifiable information may be used without consent.

That free text has been extracted is confirmed by this presentation on Using free text in primary care research, on slide 55, which states:

“We plan to run FMA on free text within +/- 90 days of myocardial infarction [heart attack] for 2000 patients… Software will be run at CPRD without anonymisation”

(N.B. You will need to add .pdf to the filename of the file once downloaded in order to view it in Acrobat Reader.)

And this published study on BioMed Central suggests that GPRD (the General Practice Research Database) the precursor to CPRD, had been collecting free text for years.

Even more worrying is this statement on page 16 of the CAG minutes from 3/10/13:

“It was noted from the discussion that CPRD were seeking to progress solutions and were in discussion with those leading on the care.data mechanism.”

So CPRD had been using an out-of-date leaflet from 2008 to ‘notify’ patients about what it was doing and was in discussion with care.data leaders about using whatever ‘mechanism’ they were going to use to inform the public – which we now know was a junk mail leaflet!

If you even received a junk mail leaflet in January, did you see any mention of CPRD? Or any suggestion that your doctor’s private free text notes about you would be extracted? If you didn’t, why not check the leaflet out now. It says:

“Details that could identify you will be removed before your information is made available to others, such as those planning NHS services and approved researchers.

We sometimes release confidential information to approved researchers, if this is allowed by law and meets the strict rules that are in place to protect your privacy.”

So, you have been lied to on at least two counts; details that could identify you (i.e. free text) clearly are not always removed before information has been made available to researchers, and confidential information has been ‘released’ unlawfully and without meeting these so-called “strict rules”.

Because, as the CAG minutes clearly state:

“The CAG agreed that the minimum criteria under the Regulations did not currently appear to be met, and therefore advised recommending deferral to the SofS and the Health Research Authority, to enable the following actions to take place to bring the application within the framework of the Regulations:

a. Fair processing actions to be progressed in conjunction with the Information Commissioner’s Office; assurance and approved patient information materials to be provided at the relevant time before any final approval could come into effect.

b. Revision of the application form to fully incorporate responses to the issues set out above. This was to include a cover paper to clearly show which sections reflected these responses within the application.

c. A favourable ethical opinion to be provided from a Research Ethics Committee on the revised application to be considered by the CAG.

d. A satisfactory level to be achieved within the IG Toolkit before any final approval could be provided; this could be carried out in parallel to CAG consideration of the application.”

So there you have it. Yet another way that sensitive patient information has been taken from GP records without consent or proper approval. And care.data leaders knew all about it.

The problems aren’t just limited to HSCIC, folks.

We’re not saying research shouldn’t happen – of course it should – but it must be done with proper consent and/or proper authorisation, e.g. Section 251 support, which CPRD clearly didn’t have and doesn’t have yet.

Please note: we are not suggesting that the researchers referred to in this post are necessarily at fault; they may simply have been using a ‘service’ provided by GPRD / CPRD, without knowing that the free text had not been gathered with consent or proper approval.