With potential fines of up €100 million under EU Data Protection Reform, accidental data breaches have moved up the boardroom agenda. Tony Morbin reports on data concerns at Health Authorities in England and Wales, where despite differing systems, data leakage is also being addressed.
Chris Phillips (left), John Taylor (right)
This month the £50 million ‘care.data' plan, should have been underway gathering the electronic patient records in every GP practice in England to be merged with data from hospitals, social care and community services, creating a single anonymised database that could be accessed by clinicians as well as researchers from academia and pharmaceutical companies. Instead, it has been postponed until the Autumn.
Among those who initially called for a delay in the introduction of Care.data was the BMA (British Medical Association), Dr Tony Calland, Chairman of the BMA Medical Ethics Committee, told SC Magazine UK, “Most people in the health sector, including the BMA, want the system to work and are supportive of achieving the solutions that Care.data can provide - we don't want to stop it in its tracks. But it's about using information appropriately for treatment while maintaining public confidence in confidentiality.”
Calland adds that the initial concerns were that this unprecedentedly vast amount of confidential patient data was being uploaded, and it was not clear that the patients had given informed consent (ie, many were not aware that they could opt out), as well as concerns about the role to be played by GPs as data ‘owners'.
John Taylor, head of operational services and design for NHS Wales Informatics Service NWIS, explained to SC how NHS England and NHS Wales have taken completely different approaches to the way they share data and use data. “Wales started from, ‘where is the best source of information about every patient,' with the answer being that it's already there in the GP patient record, so the issue was ‘how do we share the information that we have already got, integrate it to make it link up, and make it available where it's needed.' As a result, Wales doesn't have anything like the spine or a summary care record on a central database. All information in Wales is held in the GP system or the hospital system and then accessed and shared when it's needed. Its only information that the practice wishes to release. So some of the more sensitive data doesn't come out of there. Or if the patient says they don't want to share their data, it doesn't come out.”
This GP practice system is hosted nationally (fully by the end of 2015), with records stored on servers in Wales as NHS Wales does not currently use cloud services, instead it relies on a couple of national data centres within Wales and these services are provided from those data centres. As far as the GPs are concerned, it appears to be a cloud service, but really it's a national private cloud. In Wales there is a public sector broadband network. This single physical network serves the whole of the public sector in Wales, but it is virtually separated, and within it there is an NHS virtual network.
In England, under Care.data all confidential data is to be held on secure servers in protected data centres, which only authorised personnel can access and confidential data is encrypted whilst in transmission. A spokesperson for the English Health and Social Care Information Centre (HSCIC), which collects and analyses information from all providers of NHS care and ensures that information is used appropriately, told SC, “The safeguards we have in place exceed what is required of NHS organisations. This is so we properly balance the need to protect patient and service users' personal confidential data with the potential benefits for improving healthcare that can be gained from analysis.”
Calland observed, “People are comfortable with the data being shared for clinical reasons; tracking patients from primary to secondary care and back to primary care (eg following the outcome of an operation after the patient leaves hospital), evaluating NHS performance, and research using big data to identify correlations. But there is anxiety about giving it to others, such as marketing and insurance companies.”
These anxieties were fuelled when IT consultancy PA Consulting was accused of jeopardising privacy by uploading a year's worth of data on hospital visits across England to Google servers based outside the UK. And that accusation followed claims that hospital records were being used by private firms to advise companies on how to target their marketing to people on Twitter and Facebook, and that data mapping company Earthware published an online map which leaked hospital patient data.
PA subsequently insisted that the hospital patient data it stored “does not contain information that can be linked to specific individuals” and Earthware removed the controversial map from its website – but the PR damage had already been done. As a result the Information Commissioner's Office (ICO) was given the power to carry out ‘compulsory audits' on how well the health service looks after personal information.
The ICO wants to be able to just go in and have a look at general data protection practices covering everything from security through to making sure that health records are accurate, to training. An ICO spokesperson told SC: “The concerns around care.data come from this idea that the health service isn't particularly good at looking after personal information. Now we believe that the audit powers will help us to improve compliance where (English) NHS organisations are having difficulties or there's particular issues raised and brought to our attention.”
The HSCIC has sought to reassure patients, telling SC, “Information that will be collected from GP practices under care.data will only be released by the HSCIC for commissioning purposes. Applicants will therefore be required to demonstrate that they meet this criterion and will use the information to support this purpose.
“In line with recommendations made by the General Practice Extraction Service (GPES) Independent Advisory Group (IAG), the HSCIC will only release primary care data that has been linked to Hospital Episode Statistics at either an aggregate level or in ‘de-identified for limited access or disclosure' form following the guidelines set down in the Information Commissioner's Office anonymisation code of practice.”