Care.data: why are Scotland and Wales doing it differently?BMJ 2014; 348 doi: https://doi.org/10.1136/bmj.g1702 (Published 20 February 2014) Cite this as: BMJ 2014;348:g1702
All rapid responses
Prof Bhopal's advice to England
Prof Bhopal says (para 2) that individual consent from patients is not going to be practicable. Therefore, he and his collaborators are able and willing to bypass the patients.
This is not acceptable to me. Is it really acceptable to the Scots? Or, are the Scots in blissful ignorance?
Competing interests: Opponent of privacy invaders
Controversies around NHS England's ambitious care data programme are threatening to undermine progress in the extremely challenging field of linkage of primary care data to maximise their health care planning, evaluation and research benefits. While the current controversy largely centres on individual consent and confidentiality of data, there are a multiplicity of challenges that need very detailed appraisal, in the linkages underway or planned in England, Scotland, Wales and Northern Ireland. While currently the emphasis is on linking primary care and secondary care data, without doubt, in due course more widespread linkages will be needed.
Our experiences of linking primary care data in the context of the Scottish Health and Ethnicity Linkage Study have provided a number of insights that might be helpful to progressing national data sets. First, there is merit in having a clear and readily understood purpose for undertaking linkages. Since individual consent from patients is not going to be practicable, it is primary care teams and approval bodies that should judge whether the benefits exceed the risks. In our case, substantial ethnic variations were being shown by analysis of hospitalisation/mortality data using our linkage to the Scottish census 2001 to calculate rates and risks. These variations required explanation using risk factor, medication and comorbidity data, which are not available from any other source except for primary care. Our purpose-based case led to 10/17 general practices who were invited to do so to agree to provide the limited data set we requested to assess the feasibility and value of data linkage. We were able to obtain all necessary approvals including from ethics committee and privacy advisory committee to link these data to our pre-existing linkage of Census 2001 and Scotland's hospitalisation & mortality combined database (SMR-01) . Approvals were gained because of our extremely tight security procedures including the fact that data are held on a standalone PC in a locked room in a safe setting. All outputs are scrutinised by a data disclosure committee. We extracted the data using automatic methods with the only identifier remaining being an encrypted committee health index number. In other words, we created a pseudo-anonymised primary-care database, of just over 100,000 records. About half of these records were linked to our pre-existing encrypted census number-encrypted community health index number, look-up file.
Our work is in progress but already we have learned of the difficulties of recruiting general practices, maintaining communications, ensuring the data extracted can achieve the stated purposes, and, most of all, that the data are either in the format required for analysis or can be manipulated appropriately. We have also learned that the interpretation of the data is extremely difficult, with a multiplicity of different ways of recording the same information across records e.g. risk factors such as smoking status, medications, and comorbidity. A great deal of data preparation is required prior to analysis. At this point, we are learning that the utility of such data from a sample of general practices may be limited, compared with data from general practices that have been specifically recruited, developed and trained to provide particular kinds of data. We have found there to be far more difficulties at every stage than we had ever imagined. Our experience in SHELS is being documented for presentation at conferences and for publication, and we hope this will be useful for guiding our extremely ambitious national projects. In the meantime, we recommend that studies should be undertaken to check that the purposes for which these national databases are being compiled can actually be achieved. Otherwise, the expense and energy expended, especially amidst controversy and much resistance, may well turn out to be unjustifiable in the long-term. Quality and validity of data are both vital issues. However, when and if our national primary-care datasets holding high quality and valid data are available and linked successfully we can anticipate substantial advances in health care planning and opportunities for research.
Raj Bhopal, other co-authors as above, on behalf of the Scottish Health and Ethnicity Linkage Study Researchers
Competing interests: No competing interests
Dr McCartney's recent feature article accurately describes the NI Electronic Care Record (NIECR). The NIECR is for direct care purposes only. The robust access controls and audit trail in the NIECR give confidence to patients that their identifiable information will only be viewed by those providing direct care. In fact, patients are asked for their explicit consent by health and care staff before staff access the patient's record.
In the context of care.data it is more relevant to consider the plans Northern Ireland has for using data from GP clinical systems for secondary uses such as commissioning, risk stratification and public health surveillance.
This year over 90% of Northern Ireland GP practices have signed up, under an Enhanced Service, to provide a pseudonymised at source extract from primary care to inform risk stratification which is a key enabler of the Transforming Your Care programme. The Health & Social Care Board (HSCB) will receive pseudonymised data which it will analyse on behalf of the GP practice to generate a practice level risk stratification report on the clinical priority areas as set by the Department of Health, Social Services and Public Safety (DHSSPS). When practices receive their risk stratification report back they will be able to re-identify the patients to facilitate care interventions for those patients identified as having more complex needs, for example complex comorbidity. Only the GP practice that provided the pseudonymised data can decrypt the pseudonym key to re-identify the patients.
The data will also be used to plan health and care services and inform public health interventions. However to further minimise the very low risk of patients being re-identified in the pseudonymised dataset via a jigsaw attack the data will be aggregated before being shared with health service commissioners and public health staff.
GP buy in to the process is essential and we have run a series of 11 workshops around Northern Ireland explaining the process to GPs and practice managers to demonstrate that no identifiable information will leave the GP practice and to address any other concerns they may have.
Longer term Northern Ireland is planning to establish an on-going extraction process very similar to the Scottish Primary Care Information Resource (SPIRE). The Data Quality in Practice Project (DQIP) will have an agreed pseudonymised at source minimum dataset and an editorial board to oversee requests for additional extractions. All extractions will be on a modular basis providing GP practices the ability to opt into or out of the various extractions. Identifiable data will only be extracted where there is a legal basis for doing so such as patient consent or to meet legal obligations such as the notification of infectious disease.
Competing interests: Dr Brendan O'Brien is a member of the project board for DQIP. He is also a council member of UKCHIP.
We would like to comment on the recently published article on the use of general practice data for research. We appreciate that it is difficult to capture the detail of complex systems in short feature articles.
The article is correct in its general description of the Secure Anonymised Information Linkage (SAIL) system operating in Wales. However, there is some potential for confusion in some of the language used which requires clarification and elaboration. The article states that ‘The Welsh system does not hold any fully identifiable data, and researchers need consent from individual patients to access red data’. The term ‘fully identifiable’ could be open to misinterpretation.
SAIL has been designed with privacy protection at its heart. It does not hold any ‘red data’, i.e. names, addresses, postcodes, dates of birth or NHS numbers that can identify individuals directly or by cross referencing to other sources. Instead, SAIL holds a set of unique encrypted numbers that enable data to be linked. These are derived via multiple separate encryptions by different organisations and hence it is not possible decrypt identities within SAIL.
We are well aware of the potential to identify individuals from de-identified data using so called ‘jigsaw’ attacks with linkage to other sources of data. This is not possible with the SAIL system as no data, with one exception, ever leave the system. Access to data in SAIL is through a secure remote analysis platform and then only to curtailed data. Researchers are provided with access limited to the data they require to answer the scientific questions within their projects. Each project requires approval of the Independent Governance Review Panel (IGRP) comprising experts in information governance and ethics, drawn from the British Medical Association (BMA), Public Health Wales, National Research Ethics Service, NHS Wales Informatics Service (NWIS) and members of the public. The IGRP mechanism ensures that the data put together for researchers conform to Information Governance regulations, and that the use of data is in line with the stipulations in the agreements between SAIL and data providing organisations .
SAIL has an active Consumer Panel made up of members of the general public. The Panel provides a public perspective on data linkage research and independent advice on data protection issues. Members are involved at the strategic level on the SAIL Advisory Board, and at the project level by reviewing proposals and information for dissemination.
We mentioned ‘with one exception’ earlier. In some cases, as part of a clinical trial or cohort study, members of the public give individual explicit consent that their medical records can be made available to those in charge of the study. In these cases the research team can apply to the NHS Wales Informatics Service (NWIS) to generate a separate linkage key which links to their anonymised data in SAIL. After approval from the IGRP, SAIL then complies with the expressed wishes of the patient and arranges for the secure transfer of data to the study custodians. At no stage, does SAIL hold any ‘identifiable, red data’.
Also, for the avoidance of any confusion the Health and Social Care Act 2012 that gave the Health and Social Care Information Centre the power to require all general practices in England to upload their data does not extend to Wales. General practice participation in SAIL is voluntary and is widely supported by GP leaders, including from GPC Wales and RCGP(Wales).
1. Jones KH, McNerney CL and Ford DV. Involving consumers in the work of a data linkage research unit. International Journal of Consumer Studies, January 2014, 38:1:45-51, doi: 10.1111/ijcs.12062
2. Jones KH, Ford DV, Jones C, D’Silva R, Thompson S, Brooks CJ, Heaven ML, Thayer DS, McNerney CL and Lyons RA. A case study of the Secure Anonymous Information Linkage (SAIL) Gateway: a privacy protecting remote access system for health related research and evaluation, Journal of Biomedical Informatics: special issue on medical data privacy, January 2014, doi: 10.1016/j.jbi.2014.01.003
Competing interests: Ronan Lyons and David Ford are co-Directors, and Kerina Jones the Information Governance lead, for the Secure Anonymised Information Linkage (SAIL) system
Mark Drakeford Minister for Health in Wales is currently embroiled in another row over claims that data has been insufficiently processed with regard to hospital deaths and serious failings in NHS Wales/Cymru. (BBC1 20th Feb 2014 This Week), stating that he is 'coldly furious' with the statistics being put out in a report and calls for an investigation being made by Mr Keogh of NHS England. Mr Drakeford claims there is no need for an investigation.
As for the specific proposal to collect personal data in England, after enquiring whether there is any intention to bring this into the Welsh NHS the only reference made was to the Individual Personal Care Record which people are able to opt out of- but again many people are unaware that this policy was introduced supposedly allowing shared records only with consent.
Competing interests: No competing interests
To clarify - it has been possible for researchers to use linked GP and hospital data up till now, eg via eg the CRPD database, http://www.cprd.com/home/, but not for all patients electronically as care data seeks to do.
Competing interests: I wrote the article