The Health and Social Care Information Centre has admitted it has no legal power to force private companies holding potentially sensitive patient data obtained from its predecessor body to delete the information.
The centre announced last month it had written to three re-insurance companies asking them to delete patient data they had obtained legally from the NHS Information Centre.
A report by HSCIC non executive director Sir Nick Partridge published on 17 June said: “Being aware of public concern about insurance companies holding data drawn from health sources… the HSCIC’s chief executive wrote to the three companies concerned asking them to delete the data ahead of this legislation coming into force.”
New regulations are to be introduced under the Care Act this autumn restricting the flow of potentially identifiable data solely to purposes of benefit to the health and social care systems.
But Sir Nick yesterday told the Commons health committee that one of the companies, SCOR, had told the HSCIC it would not delete the patient data and planned to continue using data.
SCOR disputes the claim in Sir Nick’s report that the HSCIC had asked it to delete the data.
The information centre’s chair, Kingley Manning, told the health committee: “I am advised that we do not have powers to ask [the companies] to delete the data under the current sharing data agreement.”
The data sharing agreements had originally been drawn up by the HSCIC’s predecessor, the NHS Information Centre.
MPs on the committee raised concerns that the company could use the data for commercial use, an issue which has caused considerable unease amongst the general public.
Committee member Charlotte Leslie said that the company was effectively “completely entitled to give [the information centre] the finger”.
Health committee chair Sarah Wollaston told HSJ: “It is surprising that legally they are still allowed to do that… I directly questioned whether they could use the data for commercial purposes and the answer was yes. I think that’s surprising.”
Dr Wollaston added the agreement was likely to be reviewed when the new regulations come into force later this year.
Mr Manning and Sir Nick were giving evidence to the committee following widespread safeguarding concerns about patient records.
Sir Nick oversaw an investigation published last month which uncovered “significant administrative lapses” in processes used by the NHS Information Centre to oversee the release of patient records to organisations including research bodies, government departments and insurers.
Sir Nick said that the information centre had accepted all his report’s recommendations and had produced an action plan to complete them by November.
However, SCOR later told HSJ it was not asked to delete the data by the HSCIC in the letter it received from the organisation in June.
A statement issued by the company said it “never received a request from the HSCIC to delete the data”. It said the company had “acted in strict accordance” with its agreement made with the NHS Information Centre in March 2012.
It continued: “Insurers do not want or use data that enables them to identify individuals. They are interested only in data that shows population trends in health, including trends in how common specific illnesses are, and trends in recovery from specific illnesses.”
This story was updated on 3 July 2014, following receipt of the statement from SCOR.