Sharing of patient data didn’t breach rules, says public health agency

BMJ 2018; 360 doi: (Published 22 January 2018) Cite this as: BMJ 2018;360:k293
Jacqui Wise, London

Public Health England has criticised media reports that it handed over the medical records of thousands of patients with cancer to a firm working for the tobacco multinational Philip Morris International, saying that newspapers had presented a “very distorted view of the facts.”

The Telegraph reported on 14 January that anonymised data covering 179 040 lung tumours diagnosed between 2009 and 2013 in England were given to William E Wecker Associates without the consent of any of the patients concerned or their families.1 The company has testified on behalf of tobacco companies in dozens of lawsuits. The report was then picked up by other newspapers, including the Daily Mail, Sun, Independent, and Daily Express.

Public Health England said that any data were completely anonymised and that its action was fully in line with guidance from the Information Commissioner’s Office. It said that the purpose of the request was to compare rates of incidence of different types of cancer in different countries, which is a standard function of cancer registries worldwide.

In a letter to James O’Shaughnessy, parliamentary undersecretary of state for health, Duncan Selbie, chief executive of Public Health England, said, “The safety of the release was established and tested statistically to ensure that patients’ interests were not at risk and there was no risk of a breach of confidentiality as a result of the release. The data released were counts of different types of lung cancer.”

Selbie added that public bodies were not in any way selective as to whom they provided information. The World Health Organization’s Framework Convention on Tobacco Control does not prevent the provision of data to tobacco companies, and instead there is a duty to ensure that tobacco firms use accurate data and information at all times.

Selbie also wrote a letter to the Telegraph in which he said, “We are immensely grateful to all the patients who support the work of the register by making their data available. We ensure their data is held securely and confidentially at all times. Anything less would weaken our ability to fight cancer with the best data and evidence.”2

The cancer registry (the National Cancer Registration and Analysis Service, part of Public Health England) collects information on every single patient in England with cancer. To ensure that it has as much high quality data as possible, the cancer registry operates on an opt-out basis. A review by Cancer Research UK and Macmillan Cancer Support in 2016 found high levels of support for the registry and the opt-out approach. However, awareness of the registry was found to be low, and the two charities recommended how patients could be better informed about how their data were used.3

The Department of Health for England published its Your Data: Better Security, Better Choice, Better Care report on 12 July 2017 in response to the report by the national data guardian, Fiona Caldicott, on data sharing.45 One of the key changes was to give patients and the general public more access to, and control over, their personal data, and to give them a say in whether data could be used for research purposes, but precise details have yet to be finalised. A new national scheme will be phased in from May next year with the aim of it being fully implemented by 2020.6

At a meeting of the health select committee this week the Labour MP Rosie Cooper accused Public Health England of betraying patients’ trust. She said, “Is not this another example of the cavalier, irresponsible attitude from people in departments such as yours? Not learning any lessons. If you feel like sharing data you are doing it anyway. It’s a disgrace.”

John Newton, from Public Health England, responded, “The data released was not confidential data. It was anonymised data and was fully compliant with guidance on anonymised data. It is not at all the same as releasing patient identifiable data.”

The defence in this case was that anonymised data were used. However, a recent report found that anonymised information placed online by the Federal Department of Health in Australia could be re-identified.6

