Care.data: why are Scotland and Wales doing it differently?

Editor,

Controversies around NHS England's ambitious care data programme are threatening to undermine progress in the extremely challenging field of linkage of primary care data to maximise their health care planning, evaluation and research benefits. While the current controversy largely centres on individual consent and confidentiality of data, there are a multiplicity of challenges that need very detailed appraisal, in the linkages underway or planned in England, Scotland, Wales and Northern Ireland. While currently the emphasis is on linking primary care and secondary care data, without doubt, in due course more widespread linkages will be needed.

Our experiences of linking primary care data in the context of the Scottish Health and Ethnicity Linkage Study have provided a number of insights that might be helpful to progressing national data sets. First, there is merit in having a clear and readily understood purpose for undertaking linkages. Since individual consent from patients is not going to be practicable, it is primary care teams and approval bodies that should judge whether the benefits exceed the risks. In our case, substantial ethnic variations were being shown by analysis of hospitalisation/mortality data using our linkage to the Scottish census 2001 to calculate rates and risks. These variations required explanation using risk factor, medication and comorbidity data, which are not available from any other source except for primary care. Our purpose-based case led to 10/17 general practices who were invited to do so to agree to provide the limited data set we requested to assess the feasibility and value of data linkage. We were able to obtain all necessary approvals including from ethics committee and privacy advisory committee to link these data to our pre-existing linkage of Census 2001 and Scotland's hospitalisation & mortality combined database (SMR-01) . Approvals were gained because of our extremely tight security procedures including the fact that data are held on a standalone PC in a locked room in a safe setting. All outputs are scrutinised by a data disclosure committee. We extracted the data using automatic methods with the only identifier remaining being an encrypted committee health index number. In other words, we created a pseudo-anonymised primary-care database, of just over 100,000 records. About half of these records were linked to our pre-existing encrypted census number-encrypted community health index number, look-up file.

Our work is in progress but already we have learned of the difficulties of recruiting general practices, maintaining communications, ensuring the data extracted can achieve the stated purposes, and, most of all, that the data are either in the format required for analysis or can be manipulated appropriately. We have also learned that the interpretation of the data is extremely difficult, with a multiplicity of different ways of recording the same information across records e.g. risk factors such as smoking status, medications, and comorbidity. A great deal of data preparation is required prior to analysis. At this point, we are learning that the utility of such data from a sample of general practices may be limited, compared with data from general practices that have been specifically recruited, developed and trained to provide particular kinds of data. We have found there to be far more difficulties at every stage than we had ever imagined. Our experience in SHELS is being documented for presentation at conferences and for publication, and we hope this will be useful for guiding our extremely ambitious national projects. In the meantime, we recommend that studies should be undertaken to check that the purposes for which these national databases are being compiled can actually be achieved. Otherwise, the expense and energy expended, especially amidst controversy and much resistance, may well turn out to be unjustifiable in the long-term. Quality and validity of data are both vital issues. However, when and if our national primary-care datasets holding high quality and valid data are available and linked successfully we can anticipate substantial advances in health care planning and opportunities for research.

Raj Bhopal, other co-authors as above, on behalf of the Scottish Health and Ethnicity Linkage Study Researchers

Dear editor,

We would like to comment on the recently published article on the use of general practice data for research. We appreciate that it is difficult to capture the detail of complex systems in short feature articles.

The article is correct in its general description of the Secure Anonymised Information Linkage (SAIL) system operating in Wales. However, there is some potential for confusion in some of the language used which requires clarification and elaboration. The article states that ‘The Welsh system does not hold any fully identifiable data, and researchers need consent from individual patients to access red data’. The term ‘fully identifiable’ could be open to misinterpretation.

SAIL has been designed with privacy protection at its heart. It does not hold any ‘red data’, i.e. names, addresses, postcodes, dates of birth or NHS numbers that can identify individuals directly or by cross referencing to other sources. Instead, SAIL holds a set of unique encrypted numbers that enable data to be linked. These are derived via multiple separate encryptions by different organisations and hence it is not possible decrypt identities within SAIL.

We are well aware of the potential to identify individuals from de-identified data using so called ‘jigsaw’ attacks with linkage to other sources of data. This is not possible with the SAIL system as no data, with one exception, ever leave the system. Access to data in SAIL is through a secure remote analysis platform and then only to curtailed data. Researchers are provided with access limited to the data they require to answer the scientific questions within their projects. Each project requires approval of the Independent Governance Review Panel (IGRP) comprising experts in information governance and ethics, drawn from the British Medical Association (BMA), Public Health Wales, National Research Ethics Service, NHS Wales Informatics Service (NWIS) and members of the public. The IGRP mechanism ensures that the data put together for researchers conform to Information Governance regulations, and that the use of data is in line with the stipulations in the agreements between SAIL and data providing organisations [1].

SAIL has an active Consumer Panel made up of members of the general public. The Panel provides a public perspective on data linkage research and independent advice on data protection issues. Members are involved at the strategic level on the SAIL Advisory Board, and at the project level by reviewing proposals and information for dissemination[2].

We mentioned ‘with one exception’ earlier. In some cases, as part of a clinical trial or cohort study, members of the public give individual explicit consent that their medical records can be made available to those in charge of the study. In these cases the research team can apply to the NHS Wales Informatics Service (NWIS) to generate a separate linkage key which links to their anonymised data in SAIL. After approval from the IGRP, SAIL then complies with the expressed wishes of the patient and arranges for the secure transfer of data to the study custodians. At no stage, does SAIL hold any ‘identifiable, red data’.

Also, for the avoidance of any confusion the Health and Social Care Act 2012 that gave the Health and Social Care Information Centre the power to require all general practices in England to upload their data does not extend to Wales. General practice participation in SAIL is voluntary and is widely supported by GP leaders, including from GPC Wales and RCGP(Wales).

1. Jones KH, McNerney CL and Ford DV. Involving consumers in the work of a data linkage research unit. International Journal of Consumer Studies, January 2014, 38:1:45-51, doi: 10.1111/ijcs.12062

2. Jones KH, Ford DV, Jones C, D’Silva R, Thompson S, Brooks CJ, Heaven ML, Thayer DS, McNerney CL and Lyons RA. A case study of the Secure Anonymous Information Linkage (SAIL) Gateway: a privacy protecting remote access system for health related research and evaluation, Journal of Biomedical Informatics: special issue on medical data privacy, January 2014, doi: 10.1016/j.jbi.2014.01.003