How to solve the privacy and confidentiality riddle

I once spoke with a horrified patient participation group.

They had been on a tour of our practice and had witnessed just how many people could see the details of a clinical record. The patients had assumed that something they told a GP remained between the two of them.

What they saw were secretaries typing letters, administrators running reports and nurses organising clinics, all with access to their records.

Team effort

The problem in the small town where I worked as a GP was that many people employed in the practice were neighbours, friends and relatives of patients. This group of intelligent and insightful people had never really appreciated what a team effort healthcare really was.

I had to explain in detail the information governance framework our staff operated within, the NHS duty of confidentiality and the training given. I realised the fundamental problem was that we had never really explained to people how healthcare is organised.

Wind the clock forwards 10 years and I had a front row seat on the recent national information sharing debates. With challenges now well documented, the lesson was again the lack of mature debate about the risks and benefits of using health data to improve everyone’s care.

The foundation of a clinical encounter is that the contents of that exchange will remain confidential. The NHS duty of confidentiality makes the responsibilities clear on this.

The expectation of the patient is that a safe space is created that allows potentially the most intimate, embarrassing or distressing subjects to be discussed. That confidence is the bedrock of clinical practice.

Modern healthcare isn’t a one-to-one contract

However, modern healthcare isn’t a one-to-one contract. Whether it’s the secretary typing the letter or the professional from another team coordinating care, reality now often means a team of professionals involved in the efficient management of care.

We have a duty to make the flow of that data timely and accurate to support that team effort – to ensure care is safe and effective. We also need to do it in a way that patients understand and make sure they are aware of how information sharing happens.

That conversation is relatively straightforward when sharing is happening to support direct care. For all other uses the situation is more complex.

However, there should be no surprises. Most people see the value of using information to run healthcare services or to research what works and what doesn’t.

Most people also want to see their privacy preserved at the same time.

A sensible approach

There is a sensible approach to this which can meet both these requirements. The approach uses two techniques which in combination gives maximum protection to individuals.

The first goes by the unfortunate name of “pseudonymisation at source”. This means the sections of a record that can identify someone, including names, dates of birth, postcodes and others, are scrambled and replaced with a code.

This code is applied consistently to any data about this patient wherever it comes from meaning different encounters can be linked together to give a complete picture of a patient’s care from multiple organisations.

This approach avoids accidental identification of people but as you are still dealing with person-level data it is still possible in theory for malicious re-identification. Therefore, the second technique is required, which puts the information into a controlled environment with full audit and access dictated by the specific roles.

In this way, combining datasets to try to re-identify people is prevented and things like small numbers can be suppressed.

This approach isn’t perfect, but it is a sensible balance that renders the data effectively non-identifiable. Last year MedeAnalytics advocated such a system and engineered a solution that delivered just this.

The Confidentiality Advisory Group of the MHRA considered this and was of the view that sufficient steps had been taken to render the data non-identifiable. The Information Commissioner’s Office is of a similar view.

There is a need for an honest conversation about people’s health records

Even when this approach is adopted there are still clear responsibilities to inform patients of how their data is being used and kept safe. For the small number of patients who do not want their data used an objection can be raised that stops the data leaving the direct care environment.

However, most people will support the need for research and health planning especially when it can be done in a way that protects their privacy.

Clare Sanderson, a leading expert on IG, says: “Once people start to use the data in this way, data quality improves dramatically as it becomes an integral part of the job.”

There is a need for an honest conversation about people’s health records. Running the NHS without the contents of those records is not possible, but the NHS can do that without everyone knowing who you are.

The only person who needs to know your identity is the person caring for you at the time. 

To discuss this topic further, please contact Helen Parslow: helen.parslow@medeanalytics.co.uk.

Mark Davies, medical director, MedeAnalytics

Column sponsored and supplied by MedeAnalytics