HSCIC publishes data audit

The Health and Social Care Information Centre approved 459 data releases to 160 organisations between April and December last year, an audit report reveals.

Of the organisations that received patient data, 56 were commercial.

The centre has today published a report detailing the data it has released since its creation. It has also commissioned an audit of the data releases of its predecessor, the NHS Information Centre, which is due for publication at the end of next month.

The report is a response to the intense public scrutiny of the bodies to which the NHS is releasing patient information that has followed the care.data row. 

Although supporters of care.data have sought to reassure the public that information will not be sold to potentially controversial users, such as insurers, or sent abroad, it has been revealed that the NHS IC sold Hospital Episode Statistics data to an insurers' body and allowed another organisation to process it using Google servers.

HES forms the backbone of care.data, which wants to combine an expanded HES data set with GP and other data and make the information available to researchers and other bodies, with the public given the chance to opt-out after a publicity campaign.

The programme was supposed to make the first data extracts from GPs this spring, but this has been put back to the autumn. NHS England's revised business case says that when it gets going care.data will build up slowly over three years.

Today's report shows that between April and December 2013, there were 347 releases of pseudonymised data and 75 releases of identifiable data by the HSCIC to 160 organisations.

The register lists each organisation, the type of data released, the legal basis for release and the purpose for which the data was provided.

Of the 160 organisations that received patient data last year, 104 were health and social care organisations, such as NHS trusts, or bodies such as universities and charities, while 56 were private sector organisations which provide services to the healthcare system.

Some of the commercial organisations that received HES data include Lightfoot Solutions UK, MedeAnalytics, Optum UK, Ernst and Young, and PricewaterhouseCoopers.

However, the MedConfidential pressure group, which has called for the public to be given more information about care.data – and a proper opt-out process – said the HSCIC had failed to declare companies that have long-running commercial licenses for HES data.

Phil Booth, the co-ordinator of the privacy group, said the ommissions included the license to PA Consulting, the organisation that had used Google's BigQuery cloud servers, which is now the subject of a formal complaint to the Information Commissioner's Office.

"It is inconceivable that the HSCIC was not aware the licence remains active," he said, adding that "another significant ommission" from the register was the release of data to police forces, who are known from Freedom of Information Act requests to obtain patient details from the HSCIC.

In response to public concern about the release of patient data to private companies, Jeremy Hunt recently announced new legislation to prevent the HSCIC from selling data for commercial use by insurers and other companies.

A proposed amendment to the Care Bill which is currently before Parliament is for the Confidentiality Advisory Group to advise the HSCIC on data releases.

In a statement accompanying the register, the HSCIC says it is reviewing its data sharing procedures and processes, including applications for new or renewed data agreements. It says it has already identified a number of areas of the register where it will seek guidance from CAG.

HSCIC chair Kingsley Manning said: “By placing this register before the public the HSCIC is taking an important step towards the full transparency needed to help the public gain confidence in the services we provide.

“This is about ensuring citizens and patients are clear about how data is used to improve the health and social care received by them directly and by communities as a whole.”

However, Booth said: "Despite saying it has turned a new leaf, the HSCIC is concealing releases of data that might cause itself, or ministers or other officials, embarrassment or political damage.

"Billions of records continue to be sold for commercial use without patients' knowledge or consent."