BMJ 2014;348:g1547 doi: 10.1136/bmj.g1547 (Published 17 February 2014)


Feature

FEATURE BRIEFING

The NHS’s care.data scheme: what are the risks to privacy?

Extraction of data from patients’ medical records to create a new national database in England will begin next month. Jon Hoeksma explains what you need to know

Jon Hoeksma, editor, E-Health Insider, London, UK

Among the pizza flyers on your doormat last month you may have seen a leaflet called Better Information Means Better Care. If you read the leaflet rather than throwing it out with the two for one pepperoni deals, you may have realised that the clock is ticking on plans to create one of the world’s largest patient databases, care.data.

The leaflet, sent to everyone in England, says the new database will not be used for clinical care but instead focus on secondary uses such as supporting commissioning, planning, and research. For the first time hospital and general practice data on individuals will be linked. Full patient medical records will not be loaded, but individuals’ diagnosis and treatment codes and unique patient identifiers, such as postcode and date of birth, will be. A wide range of approved organisations will be able to buy access to the database, including to patient identifiable data, with a scale of fees.

However, the publicity campaign has attracted criticism from privacy campaigners and the Information Commissioner’s Office for not making it clear that patients have a right to opt out of the data collection scheme. Privacy campaigners have also warned that the database poses a threat to patients’ confidentiality and privacy and have voiced concerns that its scope may creep.

What is care.data?

Care.data is being developed and will be run by the Health and Social Care Information Centre (HSCIC), a quango that has been instructed to establish the service by its main customer, NHS England. It will use a monthly extract of data from every general practice patient record system in England and link these data with data from hospitals and other providers such as social care. This will create a single linked dataset for every NHS patient in England.

No match is expected in a sizeable minority of cases because some people will not have had hospital treatment.

By linking together data it is hoped that researchers, planners, and commissioners of NHS services will be able to better understand what happens to patients after they receive a particular drug or treatment and identify national variations in care and outcomes. What, for instance, happens to patients who have had a myocardial infarction after they are discharged from hospital into the care of their general practitioner?

How much will it cost?

The cost of building care.data is more than £50m (€61m; $83m), though this has not yet been approved by the Treasury.

Where will care.data get data from?

Care.data will link existing data sources, initially hospital episodes and statistics (HES) and data from general practice systems. It’s the linking of the GP record that is causing concern. Most people only occasionally visit hospital, but general practices generally have a much richer lifetime record of conditions, prescriptions, family history, blood tests, and referrals. It’s a record that can often contain far more sensitive personal information.

When will extraction begin?

The more controversial general practice data are due to start being automatically extracted in March, with full collections from May. The first linked datasets are expected to be available in June. Crucially, the general practice data extracted will initially date back only to April 2013, meaning that most patient data will not be included. A key issue is whether fuller retrospective extracts will be needed in the future.


How will patients’ privacy be ensured?

The data collected contain unique patient identifiers, NHS number, date of birth, sex, ethnicity, and postcode. These will be used to enable different datasets on a particular person to be linked together.

Once the data are linked, the HSCIC will remove these identifiers through a process known as pseudonymisation before the information is made available to approved end users, such as NHS commissioners. Aggregated anonymised datasets will also be made public, and identifiable data will be released in the case of civil emergencies. Eventually, identifiable data will also be made available to patients, who have a right to see information held about them.

Can pseudonymisation be reversed once the data are released?

Theoretically, yes. HSCIC has acknowledged the risk, and researchers granted access to the data will have to sign legally binding commitments not to do so. The main risk is through so called jigsaw attacks, in which secondary data are combined with the pseudonymised record to identify the individual.

Are there alternatives to central pseudonymisation?

Yes. The main alternative advocated by experts is to pseudonymise at source. This avoids ever having patient identifiable data in a single database. Julia Hippisley-Cox, professor of clinical epidemiology and general practice at Nottingham University, has developed an award winning open source tool, Open Pseudonymiser, to enable pseudonymisation at source and secure linkage of different datasets without re-identification.
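An added example (not from the article, and not Open Pseudonymiser’s own code) of pseudonymisation at source and of the jigsaw risk raised in the previous answer: each source replaces the NHS number with a keyed hash, the centre links on the pseudonym only, and a k-anonymity count shows how postcode, birth year, and sex can still single a record out. HMAC-SHA256, the shared secret, the field names, and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: a secret known only to the data sources, never sent to the centre.
SHARED_SECRET = b"constructed-demo-secret"

def pseudonymise(nhs_number, secret=SHARED_SECRET):
    """Keyed hash of the NHS number: stable per patient, not invertible without the secret."""
    normalised = nhs_number.replace(" ", "")
    return hmac.new(secret, normalised.encode(), hashlib.sha256).hexdigest()

def prepare_at_source(records):
    """Runs inside each practice or hospital: drop the NHS number, keep only a pseudonym."""
    return [{**{k: v for k, v in r.items() if k != "nhs_number"},
             "pid": pseudonymise(r["nhs_number"])} for r in records]

def link(gp_rows, hospital_rows):
    """Central linkage on the pseudonym only; GP rows with no hospital match get None."""
    by_pid = {h["pid"]: h for h in hospital_rows}
    return [{**g, "admission": by_pid.get(g["pid"], {}).get("admission")} for g in gp_rows]

def smallest_group(rows, quasi_identifiers):
    """k-anonymity: size of the rarest quasi-identifier combination.
    k == 1 means at least one record is unique and open to a jigsaw match."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())

def generalise(rows):
    """Mitigation before release: keep only the outward part of the postcode."""
    return [{**r, "postcode": r["postcode"].split()[0]} for r in rows]

# Constructed sample data: identifiers, postcodes and codes are made up.
GP = [
    {"nhs_number": "999 000 0001", "birth_year": 1950, "sex": "F", "postcode": "ZZ1 1AA", "code": "I21"},
    {"nhs_number": "999 000 0002", "birth_year": 1950, "sex": "F", "postcode": "ZZ1 2BB", "code": "E11"},
    {"nhs_number": "999 000 0003", "birth_year": 1982, "sex": "M", "postcode": "ZZ1 1AA", "code": "J45"},
    {"nhs_number": "999 000 0004", "birth_year": 1982, "sex": "M", "postcode": "ZZ1 3CC", "code": "I10"},
]
HOSPITAL = [{"nhs_number": "9990000001", "admission": "2013-11-02"}]
QI = ["birth_year", "sex", "postcode"]

if __name__ == "__main__":
    linked = link(prepare_at_source(GP), prepare_at_source(HOSPITAL))
    print([r["admission"] for r in linked])      # only the first patient has a hospital match
    print(smallest_group(linked, QI))            # full postcodes: every record is unique
    print(smallest_group(generalise(linked), QI))  # after generalising the postcode
```

The pseudonym removes the direct identifier, but the count shows that the quasi-identifiers left in the record decide how exposed it remains once other data are combined with it.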

Open Pseudonymiser works by taking the NHS number and using a password to replace it with an identifier for each patient that is unique but has no real world meaning so cannot be reverse engineered.

Who will be able to access the data?

The data will be divided into three categories: identifiable “red data,” pseudonymised “amber data,” and aggregated, anonymous “green data.” Initially access will be restricted to NHS commissioners, who will receive pseudonymised datasets.

The plan is to also make pseudonymised data available to other groups of researchers who can prove a benefit to patient care. This could include those working at universities or private companies.

Ultimately, patient identifiable data will also be made available to researchers who apply to the HSCIC’s Confidentiality Advisory Group under what is known as a Section 251 exemption. The group approved more than 30 requests for patient identifiable data between April 2013 and January this year.

Who is driving the project?

The prime mover is Tim Kelsey, director of patients and information at NHS England and cofounder of Dr Foster Intelligence—best known for its Good Hospital Guide, which is based on HES data. Formerly the government’s “open data” tsar, Kelsey is a fervent advocate of the concept, currently in vogue with politicians, that publishing public datasets will unleash scrutiny, analysis, and insight and drive improvements in new services.

He has pointed out that analysis of death rates from HES showed that the Mid Staffordshire NHS Foundation Trust was an outlier, one of the triggers leading to the Francis inquiries. Speaking on BBC Radio 4’s Today programme on 4 February, Kelsey said that in 25 years NHS privacy has not been compromised through HES, though it does not contain anything like the same level of patient identifiable data as care.data will. Kelsey has acknowledged, however, that communication on opting out has been poor.

Can patients opt out?

Patients can opt out by telling their general practice that they don’t want their data to be extracted. A “do not share” code is then inserted on to files of people who object to having their data extracted.

Some GPs are encouraging their patients to opt out or are making it as easy as possible for them. In October the Information Commissioner’s Office delayed the extraction of general practice records because it was not satisfied that patients had been made aware of the scheme. There then followed the current £2m leaflet campaign, which the office has criticised for lacking clear details on how to opt out.

What are the data privacy concerns?

Brian Jarman, who developed the statistical methods used by Dr Foster to pinpoint high death rates in the NHS, has called for the system to be “opt in, not opt out.” He told the Guardian, “There is simply too much data and the risks that something leaks are too great. We need to slow this process down to ensure we have the right checks in place.”

Phil Booth of medConfidential, which is campaigning on data privacy, says the main problem is lack of transparency: “The lack of independent oversight and transparency is what’s most worrying. People trust their GP, but who’s heard of the Health and Social Care Information Centre?”

Summary care record repeated?

Very similar debates on consent and privacy occurred six years ago over the creation of the summary care records, a summary clinical record primarily for use in unscheduled care. This was automatically created for all patients unless they chose to opt out.

Why are some GPs worried?

Although the Health and Social Care Act 2012 gave the HSCIC permission to extract general practice data without explicit patient consent, GPs are concerned because they remain legal custodians of their patients’ records. As data controllers, GPs are responsible for informing patients about potential uses of their data, and many believe that the leaflet drop and publicity campaign around care.data were insufficient. GPs are also worried that patients’ concern over what will happen to their extracted records will undermine their relationship with their GP.

In a February survey conducted by Pulse, 41% of GPs said that they planned to opt out of care.data.


What does the public think?

No surveys have been published, but since people have started to receive the leaflets care.data has attracted much national media coverage, which has generated a big online reaction. Articles in the Daily Mail and the Guardian have each received well over 1000 responses to their coverage of care.data.

Many of these online responses, an unscientific but revealing snapshot, have focused on anxiety that drug and insurance companies will be able to buy confidential medical data and that the data will be treated as a commercial asset. Responders do not seem to be reassured by the fact that users will be legally prohibited from re-identifying individuals.

What other data will be linked in the future?

England’s health secretary, Jeremy Hunt, has outlined future ambitions to radically extend care.data by adding patients’ genomic data. He argued that this had the potential to drive improvements in healthcare and provide a uniquely valuable research resource. The confidentiality, privacy, and ethical issues around the proposed creation, operation, and use of a future national database of identifiable genomic data linked to NHS records promise to make the current debate look like just a prelude.

Competing interests: I have read and understood the BMJ Group policy on declaration of interests and have no relevant interests to declare.

Provenance and peer review: Commissioned; not externally peer reviewed.

Cite this as: BMJ 2014;348:g1547

© BMJ Publishing Group Ltd 2014
