Not only is pseudonymisation essential for protecting patients’ rights when private data is used for secondary purposes, it is also an important legal requirement for all NHS trusts, says Mastek vice president of healthcare Laurence Cook.

The use of medical records for research purposes has long been a contentious issue.

On the one hand, patients’ rights groups are concerned with the need to protect an individual’s privacy, and yet on the other hand, medical researchers argue that the studies they’re conducting will increase their knowledge of human disease and treatment, and will therefore help to bring a number of valuable benefits to patients.

Patients in the UK allow the NHS to gather a wide range of sensitive information relating to their health, as well as other matters related to their treatment. They do so in confidence, and therefore have the legitimate expectation that staff will respect their privacy and act appropriately.

As a consequence, the NHS Code of Practice regarding confidentiality states that any information “that can identify individual patients must not be used or disclosed for purposes other than healthcare without the individual’s explicit consent, some other legal basis, or where there is a robust public interest or legal justification to do so”.

As such, these same guidelines go on to state that the use of anonymised data is preferable for research purposes, as it is not confidential and may be used with relatively few constraints.

The fact that anonymisation/pseudonymisation negates the need for patient consent makes the need for effective pseudonymisation even more important, since any data that has been partially or inadequately pseudonymised could potentially be linked back to an individual patient.

Legal issues aside, this kind of breach would be completely unacceptable, as patients have the right to know that their health records will remain confidential – and shared only with the doctors, nurses and other medical staff who are providing direct patient care – unless they’ve given consent for this information to be released and/or their personal data has been sufficiently pseudonymised.

The subject of pseudonymisation is now especially relevant, since all commissioners and providers of NHS care will be required to complete the implementation of pseudonymisation by the end of March 2011 for any data that is being used for a purpose other than the direct care of the patient concerned, as set out in the 2010/11 NHS informatics planning guidance.

As such, it’s vital that all of these organisations have an effective strategy in place to meet all the relevant legal requirements in this area, and thus mitigate against the risk of incurring significant fines – as well as potential damage to both brand and reputation brought about through non-compliance.

The need to protect patient identifiable data

With the storage and transfer of electronic data now part of everyday life, pseudonymisation is more than just a legal requirement: it is also a moral one. All patients have a right to privacy when it comes to their medical records, and indeed any of their personal data held by organisations. Unfortunately, mistakes can and do happen, and patient data can be easily exposed. 

Recently we were contacted by a patient who had received another patient’s details from the blood sciences department of her local hospital by mistake. The document contained many of the most sensitive fields, including patient name, address, date of birth, postcode and hospital number. Full details of the procedure and patient’s telephone number were also included. 

Unsurprisingly, the recipient of this information was left very concerned as to where his/her own details may have ended up.

In this case, although some of these fields needed to be completed in full (clearly the letter required a name and address in order to be delivered), other fields could have been pseudonymised. 

Incidents like these serve to remind us how vulnerable patient identifiable data can be, and therefore underlines the importance of keeping this data 100 per cent secure – not only in the event of errors like these, but also when being transferred between various healthcare organisations and/or when used for purposes other than the direct care of patients.   

Secondary uses of patient data

According to the NHS Connecting for Health’s guidance on terminology (contained in the Pseudonymisation Implementation Project’s Reference Paper 1), the primary use of patient data covers two types, those that directly contribute to the diagnosis, care and treatment of an individual, and those used in the audit/assurance of the quality of the healthcare provided. Other uses of the data (i.e. those not directly related to patient care) are usually known as secondary uses.

For example, local NHS trusts will often share data with third parties such as those providing data verification or business intelligence services, as well as for research and teaching purposes. Although this information is no doubt very useful for all of these purposes, it’s not too difficult to see the risks of sharing patient data in this way – and the vital importance of effective pseudonymisation.  

The Department of Health’s informatics planning 2010-11 guidelines clearly state that all NHS Commissioners and providers of NHS care should therefore:

  • Complete the implementation of pseudonymisation by March 2011 in line with plans submitted in October 2009;
  • Ensure that relevant staff are aware of and trained to be able to use anonymised or pseudonymised data;
  • Ensure appropriate changes are made to processes, systems and security mechanisms in order to facilitate the use of de-identified data in place of patient identifiable data; and
  • Use the latest information governance toolkit to assist in the implementation and assessment of compliance with policy and legal requirements.

Because the secondary use of patient data has been deemed to be vital for medical research, it is likely to continue. As such, it is essential that the appropriate steps are taken to comply with these Department of Health guidelines, as well as the latest NHS policy guidelines and legislation in this area.

Working with the information governance toolkit

The basic need to maintain confidentiality over patient records stems from many sources, including the Caldicott Principles, the Data Protection Act 1998, the Human Rights Act 1998, and the Common Law duty of Confidentiality. 

The latest DH regulations surrounding information governance also have an important role to play here, as they concern the way in which the NHS and its partners handle personal information, including any data relating to patients.

As a result, the information governance toolkit (IGT) has been launched to provide an online system that will allow NHS organisations and partners to assess themselves against these Department of Health information governance policies and standards. To assist in this activity, the IGT draws together all of the legal rules and central guidance in this area, and presents them in one place as a set of information governance requirements.

The IGT makes it clear that robust information governance processes have been established to support the current Pseudonymisation Implementation Project and also states that all organisations should have achieved level 2 compliance by 31 March 2011, and that the following criteria must all be satisfied:

  1. Attainment of level 2 has been achieved against all information governance management, confidentiality and data protection assurance, and information security assurance requirements within the IG Toolkit. A completed IGT assessment will be required as evidence of this.
  2. The planned business process changes have been fully implemented, and pseudonymised and/or anonymised data is now being used for all secondary purposes where permission to process confidential service user data is not provided by law. The evidence needed to satisfy this requirement will include all relevant project documentation, including a project closure document as well as any additional project reports.
  3. The adoption of formal safe haven processes (whereby any work that needs to be undertaken on identifiable data must be controlled in terms of the function, staff and facilities involved), and pseudonymisation and/or anonymisation functionality in line with Department of Health guidelines, including multiple pseudonym generation, where appropriate. Again, project reports and a project closure document will be required as evidence. 

All of these objectives are vitally important, since everyone agrees that any research being conducted based on patient data should not come at the expense of patient privacy. In order to ensure that these objectives are met, however, trusts will clearly need to generate robust and effective pseudonymisation procedures to remove key identifiers that may associate any specific treatment or treatments with a particular individual.

Next steps for pseudonymisation

At the moment, there is a real need to define the specific criteria and deadlines that will be required to implement these new pseudonymisation guidelines effectively, and therefore to balance patients’ privacy concerns with the need to share their medical data for secondary uses.

Perhaps the 2010-11 NHS Operating Framework can satisfy this role, as it sets clear targets for all NHS bodies with regard to maintaining data privacy. Its Guidelines on Informatics Planning state that:  “It is NHS policy and a legal requirement that patient level data should not contain identifiers when they are used for purposes other than the direct care of patients, including local flows between organisations as well as data extracted from the Secondary Uses Service.”

In order to achieve this objective however, each NHS trust, will need to follow the strict guidelines set out by the Department of Health not only in order to comply with key requirements for pseudonymisation and avoid any penalties, but most importantly – to keep your patient data private, safe and confidential.