Patient confidentiality in a time of care.dataBMJ 2013; 347 doi: https://doi.org/10.1136/bmj.f7042 (Published 27 November 2013) Cite this as: BMJ 2013;347:f7042
- Julian Sheather, deputy head of ethics,
- Sophie Brannan, senior ethics adviser
The NHS is in the midst of an information revolution. Powers introduced by the Health and Social Care Act will enable the Health and Social Care Information Centre to extract large amounts of personal confidential data from GP medical records. These powers override the common law duty of confidentiality and the ordinary requirement to seek consent for disclosure, although patients have a right to object to their data being disclosed.
Any large scale use of sensitive personal data inevitably raises ethical concerns, and, unsurprisingly, the new powers have sparked controversy. Public confidence in large publicly held databases, and in the politicians who commission and control them, is scant. Trust between doctors and patients and consequently in the wider health service is predicated on the belief that, in all but exceptional circumstances, confidentiality will be respected. But the potential benefits arising from the proper use of medical data are too important to be ignored without exceptional reason. We therefore must be clear about what the changes involve and what the benefits might be.
The first use of the new powers is the care.data initiative, commissioned by NHS England.1 Initially, it will focus on providing information for commissioners, so that they can better match services to patient needs. Good data are straightforwardly critical to the planning, commissioning, and delivery of high quality targeted care. Care.data will link data from GP records with data from secondary care to enable valuable analysis of care pathways. In the future, data could be made available for approved research purposes.
The potential locked in these data is extensive. Consider the possibilities for longitudinal studies in pharmacoepidemiology or in monitoring population health. Nor do these benefits come at the cost of a data “free for all.” The safeguards are stringent. Although the Health and Social Care Act makes uploading of data to the Health and Social Care Information Centre lawful, it can be released only if there is an existing legal basis to do so. Put simply, the act’s powers can get data into the information centre but not out. Consent from the patient, approval under s.251 of the NHS Act 2006, or another legal basis is needed before identifiable data can flow out.
So what of the security of the data held by the information centre? The data extracted from GP records include four identifiers: NHS number, date of birth, postcode, and sex, but not the patient’s name and address. These identifiers are needed to enable linking of GP data to other sources. Importantly, the information centre processes the data automatically: only rarely will its staff see any data. The information centre also keeps the data and identifiers separate. When GP data are linked to data from other sources they are pseudoanonymised: the identifiers are replaced with a code and a new record is created that does not identify the individual.
The release of data from the information centre is also controlled. Data can be released in three ways. Firstly, anonymised or aggregated data can be provided in accordance with the guidance issued by the information commissioner. Secondly, pseudoanonymised data that may, exceptionally, be identifiable, such as when a patient has a rare condition, can be released only to approved organisations and when a legal contract is in place. Thirdly, identifiable data can be released only when there is a legal basis, such as patient consent or with s.251 approval. Patients can also object to any of their identifiable data leaving either the GP practice or the information centre.
Arguably, patients now have more control over their data because, for the first time, they can simply object to any secondary uses of it. Also, although GPs are legally obliged to provide the data, they are still subject to the fair processing requirements of the Data Protection Act. This means that GPs must ensure that people’s personal data are used in ways that are transparent and that they would reasonably expect.2 Again, this is not a data free for all.
As with all large publicly held databases there are risks. Public confidence in the government’s ability to manage them properly is low. In the absence of public trust, it is easy to sow the suspicion that the data might be used for altogether different purposes. Extracting data without explicit patient consent could damage the public perception of the confidentiality of their data, thereby affecting trust and the uptake of health services. Although patients can object to their data being transferred, shifting the default position to “opt out” could be interpreted as restricting patient choice.
Given the volume and sensitivity of the data held, any breach is likely to have serious consequences. If even military databases can be hacked, there will inevitably be worries about the safety of the information centre database. But against these concerns—real as they are—must be weighed the enormous potential benefits for individuals, the proper functioning of the health service, and the development of future healthcare and treatments that are locked in the data. In our view, the ethical arguments in favour of data sharing are strong; after all, patients retain a right to object to any sharing of their data with the Health and Social Care Information Centre. And a leaflet drop to all English households in January, several months before the extractions start, will go some way to making sure that people know what is happening with their data. Unlocking the potential held in the records is a vital public good and is to be commended. But in taking this step, the government still has a job to reassure the public that its trust is not misplaced.
Cite this as: BMJ 2013;347:f7042
Competing interests: We have read and understood the BMJ Group policy on declaration of interests and declare the following interests: Apart from being employed by the BMA, which supports the care.data initiative, we have no other known conflicts of interest.
Provenance and peer review: Commissioned; not externally peer reviewed.