Patient confidentiality in a time of care.dataBMJ 2013; 347 doi: https://doi.org/10.1136/bmj.f7042 (Published 27 November 2013) Cite this as: BMJ 2013;347:f7042
All rapid responses
The Health and Social Care Information Centre recently began its leaflet campaign “Better Information Means Better Healthcare”(1) to inform patients about how it will share health records to improve the quality of care and health services for all. As Sheather and Brannan predicted,(2) this has sparked much public debate. Whilst recent surveys have indicated that four in five patients are in favour of sharing confidential health data with researchers,(3) responses to the campaign have highlighted a lack of trust about where patients’ data will flow and for what purpose.
Particular challenges arise because, counter to proposed developments in EU Data Protection law,(4) the care.data proposals override “the ordinary requirements to seek consent for disclosure”(2) with anonymisation of patient data offered as a safeguard against the risks of disclosure. Nevertheless, the limits of effective anonymisation are rapidly being reached(5) and, as whole genome sequencing becomes a part of standard clinical practice and research, this problem will worsen.
One solution is to move to a more effective, ongoing model of patient consent. This could provide information to patients about how their data are being used in many different healthcare situations. This supports the ‘data sharing model’ of the Caldicott review(6) that recommends improving patients’ awareness of their personal data use. Coupled with a transparent, reliable and easy-to-use system for revoking consent, this would provide confidence to patients about the uses of their data.
This model of dynamic consent,(7) where users provide and revoke their consent electronically through time with feedback to participants about the uses of their data, is being rolled out in the research context. Our group is starting to research patients’ views of using this model for controlling and viewing the secondary uses of their electronic medical records. Implementation is some way off, but this model could enable patient data to be lawfully used for a number of different purposes and importantly, with the patients’ trust.
1. NHS England. Better Information means better care. 06/01/214. Accessed: 21/01/2014. http://www.england.nhs.uk/wp-content/uploads/2014/01/cd-leaflet-01-14.pdf
2. Sheather J, Brannan S. Patient confidentiality in a time of care.data. BMJ 2013; 347:f7042.
3. Ipsos Mori/AMRC. Public support for research in the NHS. 09/06/2011.
4. Donnelly L. EU Proposals could outlaw giant NHS database. The Telegraph 20/01/2014
5. Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science 2013; 339(6117):321-324.
6. Department of Health. Caldicott review: information governance in the health and care system. 24/04/2013.
7. Kaye J, Whitley EA, Lund D, Teare H, Melham K. Dynamic consent - a patient interface for 21st Century Research Networks. Eur J Hum Genet 2014; In press.
Competing interests: No competing interests
Sheather and Brannan(1) highlight the importance of linked administrative health data for commissioning, population health monitoring and research. We invite readers to consider whether the alternatives to using administrative health data represent a safer option.
We recently completed a study of chronic conditions in children who die in the UK(2) for the Department of Health. Using death records linked to the child’s longitudinal hospital record, we showed that 70% of children who died aged one to 18 years were affected by a chronic condition. These data did not contain personal identifiers, but access was strictly controlled by the data providers. Extending our work to linkage with national primary care data would allow evaluation of the use of primary care services in children who die. Extended primary care involvement has been recommended by the Chief Medical Officer.(3) Use of national primary care data through care.data would be essential for such analyses, but is not yet possible.(1)
One alternative to using linked administrative data is to collect new data. Child Death Overview Panels (CDOPs), run by the Department for Education as part of their child safeguarding remit, collect new data on all children who die in England to assess preventability. CDOP data contain personal identifiers yet is collected without the consent of parents.(4) CDOPs have no national standards for secure storage of the data. Confidentiality and governance controls are weak compared with controls for users of health administrative data such as care.data. Data from CDOPs are collected as free text, making it impossible to analyse, let alone collate at a national level. There has been no overall evaluation of the benefits of CDOPs for children and families and there is currently no linkage between CDOP data and administrative or death records.
Based on the reported staff time per death, we estimate that CDOP reviews cost around £20 million per year.(4) In contrast, the Office for National Statistics estimate a £10,000 to £50,000 annual cost of linking and analysing national birth records to death records and other administrative data sources.(5) CDOP data collection is therefore expensive, difficult to analyse and potentially unsafe. In comparison, care.data would generate nationally representative and coded data using secure data management systems. We suggest primary data collection should only be considered by the government after an assessment has shown that the purpose cannot be fulfilled using administrative data sources.
1. Sheather J, Brannan S. Patient confidentiality in a time of care.data. BMJ 2013;347:f7042.
2. Hardelid P, Dattani N, Davey J, Pribramska I, Gilbert R. Overview of child deaths in the four UK countries, 2013, http://www.rcpch.ac.uk/system/files/protected/page/CHRUK_Module%20A%20lo..., Accessed: 30/09/2013
3. Chief Medical Officer. Annual report of the Chief Medical Officer 2012: Our Children Deserve Better: Prevention Pays, 2013, https://www.gov.uk/government/uploads/system/uploads/attachment_data/fil..., Accessed: 09/12/2013
4. Kurinczuk JK, Knight, M. Child Death Reviews: Improving the Use of Evidence Department for Education, 2013, https://www.gov.uk/government/publications/child-death-reviews-improving..., Accessed: 09/12/2013
5. Office for National Statistics. ONS Consultation on Statistical Products 2013, 2013, http://www.ons.gov.uk/ons/about-ons/get-involved/consultations/consultat..., Accessed: 09/12/2013
Competing interests: Both authors use administrative health data for their research.
It is pleasing to see the comment about the processing of personal pseudonymised data needing to be under contract. ( "Secondly, pseudoanonymised data that may, exceptionally, be identifiable, such as when a patient has a rare condition, can be released only to approved organisations and when a legal contract is in place. )
Whilst I was the caldicott Guardian at my PCT, we applied contracts to many data sharing agreements and published the details of the contracts on a public facing website. This supports the first Data Protection principle - "1 Personal data shall be processed fairly and lawfully ..... in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified ..." )
As for the reasons for the contract principle 7 states "Data controllers are required to take "Appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." " 12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—
(a) the processing is carried out under a contract—
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle. "
Maybe the BMA, RCGP and GPES members can assure that these contracts are written, signed, monitored and adhered to.
Competing interests: No competing interests