Patient privacy and confidentialityBMJ 2003; 326 doi: http://dx.doi.org/10.1136/bmj.326.7392.725 (Published 05 April 2003) Cite this as: BMJ 2003;326:725
The debate goes on; the issues are complex, but a consensus is emerging
- Jim Chalmers, consultant in public health medicine (, )
- Rod Muir, consultant in public health medicine ()
The NHS is engaged in a debate about what can and cannot be done legitimately with patients' data. On one hand, anxieties exist about who should have access to the data and for what purposes; on the other hand, requirements for more accountability, performance assessment, effective health protection, and efficient administration are increasing the need for more and better information. How is this being addressed, and how can it be resolved?
Health services have belatedly realised that they have work to do in order to comply with modern legislation about data protection and recent professional guidance.1 In England and Wales a new Health and Social Care Act has been passed, leading to the establishment of the Patient Information Advisory Group, and the NHS Information Authority has just completed a public consultation on the privacy of patients. 2 3 In Scotland the Confidentiality and Security Advisory Group for Scotland has, after 18 months' deliberation, recommended major changes in practice, although these do not include new legislation for Scotland.4 Other countries are also wrestling with similar issues and there is a recognition that there is value in developing internationally consistent practices.
Confidentiality has always been an essential element in medical consultation. Privacy, however, is not an absolute right and has to be balanced against counterclaims such as the rights of others or societal groups.5 How are we to strike the correct balance? Should explicit consent always be sought from patients for any use of their data apart from direct clinical care? This was considered and rejected by the Confidentiality and Security Advisory Group for Scotland.4 The evidence implies that where informed consent is required completeness of data suffers and incomplete data, skewed by unquantifiable biases, are often not worth the cost of collection.6–9
Perhaps patients should be asked whether certain, specified items should only be shared with certain individuals or organisations or for defined purposes? Although this might be possible, it would create expensive bureaucracy and use up resources badly needed for health care.
At times the debate has been in danger of becoming polarised between unhelpful extreme views. Happily, signs of a way forward are emerging. The NHS Information Authority's new draft code of practice for NHS staff and the recommendations of the Confidentiality and Security Advisory Group for Scotland emphasise similar priorities: access to identifiable data must be only on a “need to know” basis; patients must be told what happens to their information; they may refuse disclosure outside the immediate care team (but should understand the potential detriment to their care and that of others); the law requires that some information may be shared beyond the immediate care team; when health information is used for planning, management, surveillance, and research these activities should use “anonymised” data, and in these circumstances consent is not required. 3 4
Some details, however, remain to be clarified. For example, what levels of “anonymisation” are acceptable in practice? The Confidentiality and Security Advisory Group for Scotland after considerable debate concluded that for use in the NHS, removal of name, address, and full postcode should suffice for most purposes.4 In addition month and year could be used instead of full date of birth and the NHS number encrypted. It seems likely that this would satisfy most patients. Further restriction would be needed only if data were to be released to outside bodies.
The draft code of practice of the NHS Information Authority proposes more stringent anonymisation.3 Its requirement to remove “any other detail or combination of details that might support identification” could, if strictly interpreted, produce data of little value. The law of diminishing returns operates here. Patients as well as doctors will resent resources being spent on complex information technology systems that provide little additional benefit.
Ensuring the accuracy of anonymised data presents additional challenges. For example, databases for cancer or congenital anomaly need to be assessed for quality and kept free of duplicates. It is still unclear whether information technology solutions that have been implemented in other countries can provide data of adequate quality.10 There may be no alternative, for some purposes, to identifiable data being quality checked by specially trained and supervised NHS staff. Patients will expect the data on which their health services depend to be of high quality and, indeed, the maintenance of accuracy is one of the principles of the Data Protection Act.11
One further ingredient will be required and that is trust. In general, when NHS patients are asked about respect for personal privacy, satisfaction is high.12 But trust relating to the use of data needs to be earned. In practice this means health professionals need to understand current anxieties about the ways in which health information is handled; they need to learn the rules and apply them and accept that unfettered access to personal health information is a thing of the past and that, among the many tools they need for modern clinical practice are those of skilled information management.
Competing interests Competing interests: Both authors are employed by an NHS organisation responsible for data collection and processing. Neither has been paid any fees for consultancy or other external work in this field. JC is chair of the Information Committee of the Faculty of Public Health Medicine and RM is Caldicott guardian for the Common Services Agency of NHSScotland.