Campaigners raise concern over sale of 'sensitive' NHS data

A 2013-14 price list for information published on the Health and Social Care Information Centre website includes a price for “sensitive/identifiable” data was branded “alarming” by Campaign group medConfidential.

The group’s co-ordinator Phil Booth told HSJ the information on offer potentially included “sensitive and identifiable data” and that even data described as “anonymised” could be “easily” identified to individuals by cross-matching with other datasets.

Mr Booth added: “Taking out a few bits of the most obviously identifying information in your medical record doesn’t make it anonymous.”

The information centre, which has been selling data, including potentially identifiable data, for a number of years, told HSJ it was confident sufficient safeguards were in place and that it charged fees to cover costs, and made no profit. It also said its data sharing agreements were “currently under review”.

The centre’s director of solution design, standards and assurance Clare Sanderson said in a statement it only provided “identifiable data” when “when there is a lawful basis to do so”, either with patient consent or through legal exemptions.

She said: “The data we provide is normally anonymised. When we refer to anonymised or pseudonymised data this will not include identifiers such as NHS number [or date of birth].”

She added that “anyone who is eligible and whom we agree to supply with data” had to “enter into a data sharing agreement” with the centre.

The agreements “include terms about the how the data is shared, purpose of the use, security requirements in respect of storage, restrictions on onward sharing or publication”. They also prevent “customers from attempting to link data and re-identify individuals,” Ms Sanderson said.

Dame Fiona Caldicott’s government-commissioned review of information governance was published last week. It highlighted “a lack of consensus” on information sharing.

Concerns about information security, chiefly raised by campaigners and GPs, have intensified following a recent focus on data sharing.

For example, GPs raised concern in April after an NHS Information Centre paper on the General Practice Extraction Service, which will be used to extract data from records for use by NHS England, concluded there was “a small risk of re-identification” for patients with rare diseases.