Out-Law News | 05 Feb 2014 | 10:43 am | 4 min. read
Tim Kelsey, national director for patients and information at NHS England, said that pseudonymised data users would not be able to identify the data subjects. He told BBC Radio 4's Today programme on Tuesday that the NHS needs the data to improve treatment and services.
"Doctors, nurses on the front line need to understand whether their service is as good as it could be and to do that they need individual-level data," Kelsey said. He said, however, that that 'individual-level' data "is not identifiable".
From March, the Health and Social Care Information Centre (HSCIC) will start asking GP surgeries to hand over the personal medical records of their patients. The information is to be stored in a new database, known as 'care.data'. HSCIC has the power to compel the gathering of data from GPs under the Health & Social Care Act 2012, although individuals can opt out of the scheme through their GP.
NHS England has sought to alleviate concerns about how the data collected by HSCIC may be used and said there are three broad categories of data that will exist under the scheme. It has explained that HSCIC will publish data sets where individual patient information has been aggregated and anonymised.
It also said that personally identifiable data could be disclosed where there is a legal requirement for that information to be made available, such as in a public health emergency. In future that data may also be made available to other organisations with individuals' explicit consent or where legal approval has been granted to those organisations to access the information.
A third category of data that will exist under the care.data programme is pseudonymised information. Kelsey said that the names, addresses, postcodes and NHS numbers of patients would be "stripped" from the data collected from GP surgeries. This information will not be published but would be disclosed to "approved analysts for approved purposes", NHS England has said on its website.
"This data is stripped of all the identifiers ... and in their place is substituted meaningless pseudonymns in order that this data can be linked with other data sets," Kelsey said. "Can I be categorical – no one who uses this data will know who you are."
Phil Booth, coordinator at medConfidential, a group that campaigns for privacy in health care, told the Today programme that the pseudonymised data would not guarantee individuals' privacy.
"Most people are pretty comfortable if the data is properly anonymised, like aggregated statistics treated to remove any elements that might tend to identify an individual," Booth said. "Some other people might take issue with some of the uses, especially non-research uses, of identifiable information."
"The main concern here is this whole new class of data ... which is individual-level, pseudonymised data. That is data which is not anonymous but which contains individual patients' medical information and which can be reidentified," he added.
Booth said there is a risk that the public's trust in their GPs could be undermined by compelling doctors to send patient records to HSCIC where "neither the GP nor the patient" can control what is done with that data.
Kelsey said, though, that, in 25 years, there had not been a single case where pseudonymised data gathered from hospitals had led to the reidentification of individuals.
"For 25 years we've been analysing exactly the kind of data that Phil is objecting to being released now," Kelsey told the programme. "The NHS is very good at preserving the privacy of people in analysing that kind of data."
"We haven't had GP data [previously]. We operate the NHS on a very thin sliver of hospital data and in 25 years there's never been a single episode where the very strict rules have ever compromised the patient's privacy," he said.
Technology law expert Matthew Godfrey-Faussett of Pinsent Masons, the law firm behind Out-Law.com, said that whilst it is understandable that the NHS takes comfort from the fact that pseudonymisation has not been the subject of a challenge in the last 25 years, he said it would be wrong to assume that that the position will continue indefinitely.
"The rapid growth in data analytics technology fuelled by the explosion in big data means that there is an increasing risk that by combination with other data sources, granular data of the type found in health records will, over time, be capable of being linked back to identifiable data subjects," Godfrey-Faussett said.
"Initiatives such as the UK Personal Genome Project could potentially change the landscape and undermine the effectiveness of pseudonymisation. Therefore, pseudonymisation can be used as an effective means of enhancing privacy, not circumventing privacy obligations. As ever, transparency about the anticipated uses of the data and the extent of the analysis coupled with patient consent remains the most effective way of ensuring the ongoing availability of health data in a way that is compliant with privacy laws."
In the Today programme, Kelsey admitted that NHS England had perhaps not been "clear enough" about how individuals can opt out of the care.data scheme.
"People who don't trust the NHS to manage their data securely now have a new right to opt out of this scheme and to be honest all they need to do is contact their GP to opt out," he said. "They're opting out of any confidential data leaving their GP practice ... for this new scheme which we believe will be very important for the benefits of patients."
Dawn Monaghan, strategic liaison group manager at the Information Commissioner's Office (ICO), said that the watchdog has doubts about whether the public in England have sufficient information about how care.data will operate to decide whether to consent to the release of their data.
"At the moment we don't think it is clear enough on the website or in the information that has been sent out exactly what data is going to go and what is not going to go," she said. "What it says in the leaflet [distributed to homes by NHS England] is that ... you can object to your personal confidential data leaving the GP surgery or leaving the [HSCIC] and we're not sure without further explanation on the website and very clear views whether people will understand what that means."