Care.data safeguards detailed
- 28 January 2014
Patient identifiable information extracted as part of care.data will not be available via Section 251 requests while NHS England establishes trust in the data sharing programme.
A privacy impact assessment published by NHS England reveals that the flow of ‘red’ or patient identifiable data collected as part of care.data will be restricted “in the first instance to exceptional circumstances, for example in the event of a civil emergency."
Its disclosure would be permitted where there is section 251 approval, which allows the Secretary of State for Health to set aside the common law duty of confidentiality in specific circumstances where anonymised information is not sufficient and where patient consent is not practicable.
But “in order to establish trust in care.data from patients and healthcare professionals, personal confidential data collected for care.data will initially only be disclosed where there is an overriding public interest," the paper says.
“If it is agreed in the future that personal confidential data, collected as part of the care.data programme, will be disclosed by the HSCIC, patients can object to this by informing their GP and such objections will be honoured.”
Care.data involves extracting a monthly set of identifiable data from GP practices, covering patient demographics referrals and prescriptions.
This will be stored in the ‘safe haven’ of the Health and Social Care Information Centre and linked with data from secondary care and other care sectors to create new Care Episode Statistics.
The HSCIC will regularly disseminate this data in two formats. The first is anonymous or aggregated data, published in line with Information Commissioner’s Office anonymisation code of practice.
Pseudonymised data will be made available to specific approved groups of users. This will initially be for commissioning use only.
The HSCIC Independent Advisory Group has not approved NHS England’s application to expand the group of potential recipients to researchers such as universities or private companies.
Identifiable data can also be released if a patient gives their direct consent.
The NHS England paper says that in order to protect confidentiality, patient identifiers – NHS Number, date of birth, postcode and gender – will be held separately from clinical data.
Wherever practicable, HSCIC staff will be assigned access rights to either the patient identifiers or the clinical data, but not both.
Once the record has been linked, the identifiers are removed so a new record is created that does not identify the patient.
The paper says there is a “remote risk that a patient could be identified even though identifiers are removed” by maliciously combining the pseudonymised data with other available datasets in a technique known as a "jigsaw attack".
“Risks of jigsaw attacks increase as more effectively anonymised data are made available, to more organisations,” it explains.
However, it adds that the chances of a patient being identified are higher with local processing than with central processing.
Other risks identified are that confidential information could be accessed and viewed without knowledge or consent of patients, or that data could be accessed illegally and then sold or otherwise misused by commercial organisations, criminals or others.
The paper says that further safeguards will be put in place to protect the information collected, including that the HSCIC will publish a Code of Practice to govern the use of confidential data supplied to it that encompasses care.data.
The HSCIC has also been asked to look at ‘pseudonymisation-at-source’, which allows people’s data to be linked without revealing their ‘real world’ identities.
The technique relies on the use of a common key across all care settings, which generates a unique pseudonym for each individual that allows their data to be linked.
“At the moment, the HSCIC considers pseudonymisation-at-source to be impractical because there is such a diverse range of care settings providing data to the programme and such a diverse range of information systems used in each setting,” the NHS England paper says.
“However, the protection of patient confidentiality is a priority for the HSCIC and NHS England so a review of the use of pseudonymisation tools within the HSCIC is underway to ensure that the organisation is applying privacy enhancing technologies in the most effective ways.”
Dr Paul Hodgkin reflects on what the care.data row says about the tension between ‘big data’ and ‘big voice’ in today’s Insight.