NHS holds no record of who it shared two sets of patient related data with

Out-Law News | 19 Jun 2014 | 10:01 am | 1 min. read

The identify of organisations that the NHS Information Centre (IC) disclosed two sets of patient related data to in the past decade is unknown, according to a new report.

A report commissioned by the Health and Social Care Information Centre (HSCIC), which replaced the NHS IC last year, found no confirmed record of the organisations with which the two data sets were shared (91-page / 3.75MB PDF). It was "not possible to identify the organisation that received the data based on the information retained by the NHS IC", it said.

"One release related to HES (Hospital Episode Statistics) data post April 2009," the report said. "Further discussion with Northgate has indicated that this could relate to an internal Northgate request for data; however this could not be confirmed. The other release related to Population Health – Screening, where further investigation and review of a number of additional information sources has indicated that it is likely that this data was released to an individual at a Primary Care Trust in the North West of England for the purposes of medical research."

The HSCIC's report was published ahead of the anticipated rollout of the 'care.data' scheme this autumn. The scheme, which will involve the sharing of GP patients' medical data with third parties such as medical researchers under certain circumstances, was due to apply from earlier this year but was postponed amid privacy concerns.

In a bid to address concerns about how other types of medical data had been shared with third parties by the NHS IC, HSCIC commissioned PwC to audit NHS data releases between 1 April 2005 and 31 March 2013. Most of the data released during the period was anonymised and aggregated, the report said. PwC reviewed a sample of roughly 10% of the 3,059 data releases it had identified during the period and found that there was no "significant or systemic failings in terms of the processes, controls and overarching governance arrangements" around data releases during the period.

The HSCIC has agreed a number of measures to address inconsistencies in data handling practices that were identified in the study, including to re-issue all existing data agreements "to ensure activity is centrally logged, monitored and audited" and improve auditing practices so that "adherence to data sharing agreements" is monitored that data sharing arrangements are halted "if there are any concerns exposed".

Sir Nick Partridge, the HSCIC non-executive director who led the review said: "The HSCIC must learn lessons from the loosely recorded processes of its predecessor organisation. The public simply will not tolerate vagueness about medical records that may be intensely private to them. We exist to guard their data and we have to earn their trust by demonstrating scrupulous care with which we handle their personal information."