Author Archives: medcon

NHS #4 ‘Anonymisation’

If you’ve ever played ‘twenty questions’, you will already know how easy it can be to identify an individual from a relatively small amount of information. Each question narrows down the field, and the more unusual the person’s attributes, the easier it becomes to guess who it is.The same principle applies to data. If we say that someone is male, that tells us only that he belongs to a group that represents one half of the population. By adding that he is aged 42 we reduce the size of that group, but we’re still not going to guess his identity.

Such general information isn’t likely to be of much use to researchers either. They are approaching their research from a different angle: they are likely to be investigating the unusual and are therefore looking for certain characteristics in their study subjects. The rarer those characteristics or the more of them in combination, the easier it becomes to identify individuals within the study. Consider, for example, a study examining the prevalence of skin disorders caused by exposure to the sun in red-headed males aged 40-45 who live in Devon and Cornwall.

The more data that can be linked together about an individual, the easier it becomes to find out who they are. Journalists and private investigators already know this – and so do large companies. There is a huge industry around data-matching aimed at identifying those who can be targeted with specific advertising and products.

Removing or obscuring pieces of information that most obviously identify a person doesn’t make data about them ‘anonymous’. And in any case, despite claims it will only ever share ‘anonymised’ data, NHS England has already applied for and been granted permission to pass around patient data in identifiable form. (We’ll explain more about that later)

So does it matter if you can be identified? Your answer might well depend on whether you suffer from a condition, or live in circumstances, that you would prefer to keep as a secret between you and your doctor. It might also depend on whether you are actually asked if you will participate in a research study. Probably most red-headed 42-year-olds would be happy to contribute to research that could conceivably help them, although even then they might want to draw some lines about what exactly is released.

The point is, people generally regard their medical records as private and want to keep control of access to them. They can talk to their doctors about highly sensitive and embarrassing things like sexual health problems, worries about their erratic moods or their alcohol intake precisely because they believe they are talking in confidence. If they are to continue talking to their doctors, they need to know that they will be asked for permission before that confidence is breached.

NHS #5: Consent

The burning question, then, is: ‘will your permission be asked before your medical information is uploaded?’ To which the answer is a straightforward ‘no’. The default position is that the uploads will go ahead unless you do something to stop them.

The original plan was that nobody would have any say about the use of their data. After concerns were expressed by doctors, NHS England agreed that there could be a ‘right to object’. Following our meeting with the health minister Jeremy Hunt, he announced that there would be a right to ‘opt out’ and that the 750,000 patients who had already opted out of the Summary Care Record would automatically have their existing opt-out respected.

On 29th May, NHS England published its guidance to GPs  which makes it clear that existing opt-outs will not be respected. Those who opted out of the previous, more limited upload of their Summary Care Record will now need to opt out all over again.

NHS England is currently in discussions with the Information Commissioner. The Information Commissioner’s Office is obviously concerned that patients should be made aware of the data-upload plans, informed of their ability to opt-out and given sufficient time to exercise it. It should be noted, though, that the ICO’s powers are limited by the way in which the legislation has been framed.

NHS England has prepared posters and leaflets for GPs to display in their surgeries. You may feel that these are short on detail. More informative is the patient leaflet prepared by EMIS one of the main suppliers of GP surgery systems.

Pilots of the care.data system are imminent. They will be taking place in 82 GP surgeries dotted around England. Meanwhile, all GP practices in the north of England have been told to be ready for the full roll-out within the next 8 weeks.

NHS #6: ‘care.data’

care.data is the name of NHS England’s programme to extract information from GP surgery systems and from health and social care providers, and to link it all together. It is a massive undertaking. At the moment we are concentrating on the first stage of this programme – collecting patient data from GPs – but ultimately all health and social care will be drawn into the system. Hospitals have been told to be ready by 2014; social care will join in by 2015. We’ll talk about that later on.

The first care.data request has now been agreed. This is a set of coded instructions that tells each GP system what information should be uploaded. The full specification for the first upload of care.data can be seen in Appendix A (p.22) of this document.

Here’s how it works:

  • NHS England applies to the HSCIC to have the information (care.data) extracted from GP systems.
  • HSCIC puts the application through the ‘customer’ procedure that we will outline in blog #8. It then actions the request and instructs GPES  to go ahead and take the information from each surgery system
  • The collected data is passed on to a regional Data Management and Integration Centre (DMIC) which sends it to a number of places – like a giant traffic-direction system.

For now, we’re going to focus on just one of these traffic flows: the data that goes back to the HSCIC.

The information is stored on the HSCIC system, still in identifiable form – ie with NHS number, date of birth and the other identifying details attached to the diagnoses and treatments. It is used to create regular reports but ‘customers’ can also request linked data. In the words of the HSCIC  this ‘often contains patient level information‘ and ‘When stringent Information Governance controls allow‘ they can ‘provide extracts of linked data sets in an identifiable form’.

Tomorrow we will look at those ‘stringent’ controls in more detail.

 

NHS #7: ‘Stringent Information Governance Controls’ and Section 251

We have already touched on the issue of ‘anonymisation’, but that isn’t the only problem. Confidential information that identifies an individual can be processed – gathered, stored and passed on – without any consent at all if there is a lawful provision for doing so.

Section 251 of the NHS Act 2006 is just such a provision. It: ‘…was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practicable, having regard to the cost and technology available.’  (Health Research Authority)

To put it simply, if an organisation has been granted a s251 exemption by the Secretary of State, they don’t need to worry about getting patient consent to use identifiable information.

The GPES FAQs say that: ‘Normally, data extracted will be anonymised, however where data that could identify patient is requested, it will only be released where a legal basis for disclosure exists (e.g. explicit patient consent)’ …but another example that hasn’t been given in the FAQs would be where an organisation has that vital s251 exemption.

Although NHS England is the ‘boss’ of HSCIC, insofar as it can direct it to do pretty much what it wants, it is also a ‘customer’ of HSCIC. Because of this, NHS England needs a legal basis for processing and passing on information gathered via the care.data extraction without seeking patients’ consent.  In May, NHS England’s application for s251 exemption (or ‘support’) was approved, initially for six months: ‘The approval has been given subject to conditions until October 2013 at which point NHS England can provide a report for consideration to CAG to identify the requirements for continuing and or amended support.

This means that identifiable data gathered under NHS England’s ‘care.data’ request – the extraction of identifiable patient information from all GP surgery records – can be passed on to a range of bodies without patients’ knowledge or consent.

Tomorrow we’ll look at the process of becoming a customer of HSCIC.

NHS #8: How do you get to be a ‘customer’?

The first step is to complete an application form here BUT, as the HSCIC information tells you‘If you wish to apply for personal confidential data you will need one of the following:

  • The consent of the individuals to whom the data relates. In this case you will need to provide evidence of the consent of the individuals concerned, i.e. the consent form and consent information literature. These will be reviewed by the HSCIC to ensure they are appropriate and, where necessary, approval will be sought from the Data Access Advisory Group (DAAG).
  • Approval under section 251 of the NHS Act 2006  In this case you will need to provide evidence of approval under section 251, i.e. a letter from the Health Research Authority Confidentiality Advisory Group (HRA CAG).Or,
  • The appropriate statutory regulation covering your organisation for the work required. In this case you will need to provide evidence of the statutory regulation concerned. This will be reviewed by the HSCIC to ensure it is appropriate.

…and now it becomes rather Byzantine. We’re reasonably certain this is how it works, but if you think we’re wrong, please explain it to us and we’ll correct it. We are quoting throughout from the descriptions of each group’s function that appear on their official web pages.

If you apply for a ‘bespoke’ set of data, i.e. information that isn’t contained in the regular statistical bulletins, HSCIC forwards your application to its ‘Independent Advisory Group’ (IAG)

‘Acting as an advisory group to the GPES Business Unit, the IAG will consider requests for information from customers that could be collected and provided by GPES and recommend an appropriate course of action to the Information Centre.’

If you are applying for patient confidential data and you have each patient’s consent, or if there are reasons to believe that individual patients can be identified from the apparently ‘anonymised’ information you are requesting, your application will be passed to the Data Access Advisory Group (DAAG) – also hosted within the HSCIC.

‘The Data Access Advisory Group (DAAG) is an independent group hosted by the Health and Social Care Information Centre that considers applications for sensitive data.
This ensures that the use of patient data for research purposes and for improving patient care is done in a controlled environment where the risk of disclosure is minimised.’

If you are relying on s251 ‘support’, i.e. you have an exemption from seeking patients’ consent (see yesterday’s blog #7), or if DAAG believes the information you are seeking might identify individual patients, your application will go to the Confidentiality Advisory Group (CAG) of the Health Research Authority.

‘CAG has been established to provide independent expert advice to the Health Research Authority (for research applications) and the Secretary of State for Health (for non-research applications) on whether applications to access patient information without consent should or should not be approved’

NHS #9: Who gets to see your information?

What this all amounts to is a number of ways in which massively increased amounts of information from your medical record can be accessed by a range of organisations, including private companies.

One stated intention of GPES is to “drive economic growth through the effective use of linked data” [PDF, p6] with which researchers, public bodies and commercial organisations could match records at patient level, based on information they already hold. And NHS England’s chief data officer has revealed plans to reduce the cost of access to the ‘pipeline’ of pseudonymised patient data to just £1!

This on top of the register of customers already approved by the DAAG http://www.hscic.gov.uk/daag, including companies like Dr Foster and BUPA, who may pay a fee for direct access to “sensitive or identifiable” patient data.

Under the new arrangements a whole host of new commissioning-related organisations will be also able to access what is now being called personal confidential data (PCD).

While information from your medical record may initially go to HSCIC or one of the regional Data Management Integration Centres, it doesn’t stop there. As we mentioned before, NHS England has been given a Section 251 exemption to pass identifiable – not just anonymised – data on to its Area Teams, to Clinical Commissioning Groups and Commissioning Support Units. This, despite the conclusion of the Caldicott2 report that anonymised data should generally be sufficient for commissioning.

‘Commissioning’ itself covers a wide range of purposes – e.g. monitoring, surveillance and service planning, targeting treatment, even invoice reconciliation – not only expanding the number of people with access at local, regional and national level but creating a market for analysis and consultancy companies to sell services to the commissioners and their support organisations.

This commodification of your medical records means the default is to make them accessible to more and more people less and less directly related to your medical care, constrained not by the professional duty of confidentiality that most patients presume but by data protection compliance or contract terms and conditions.

And, of course, the merging of health and social care means ever more sharing between healthcare providers, social services and education. Following the abolition of the PCTs, local authority Public Health Teams have now taken on regulated public health functions such as the weighing and measuring of schoolchildren and providing some sexual health services, and may use data to target and drive additional discretionary services such as tobacco cessation, obesity initiatives, etc.

While it makes sense to integrate care delivery around those with particular needs, the direction of travel is towards a culture of universal health surveillance and ‘integrated’ records – whether you choose them or not.

medConfidential launch and the Secretary of State

medConfidential launched on Wednesday with a highly successful conference event, after working for nearly two months behind the scenes. We’ve now published audio and video.

This morning the Secretary of State for Health responded to the Caldicott report, confirming that there would be a patient opt-out on the sharing of health data, the details of which have yet to be finalised.

Continue reading