Keeping patient information safe when responding to FOI requests

The government recently published data on the number of late abortions carried out in England and Wales after the High Court ordered it to do so. The case highlights the task faced by NHS bodies as they balance the demand for statistics and the government’s push for greater transparency against protection of patient confidentiality in a world of media intrusion and instant information-sharing. 

Up until 2002, the Department of Health published detailed annual statistics on late abortions, including categories where only one or two cases were involved. From 2002, however, the Department of Health stopped publishing figures for categories in which there were fewer than 10 cases because it feared identifying the women concerned. 

But when the Freedom of Information Act came into force in 2005, the ProLife Alliance anti-abortion group asked for the medical reasons for abortions over 24 weeks to be released.

The Department of Health refused, stating that the statistics were personal data, and therefore protected from disclosure under section 40 of the Freedom of Information Act. The department argued that disclosure would not be appropriate as there was a risk that the public would be able to identify the women involved.

The Department of Health’s concern about identification was illustrated by the Jepson case. After examining the detailed data published in 2001, Reverend Joanna Jepson, who was herself born with a jaw deformity, asked the Metropolitan Police to investigate a particular abortion amid concerns that unnecessary terminations were being carried out on “less than perfect” babies. 

A series of disclosures by the Met and others revealed the identity of the doctor involved in the abortion. He was door-stepped by journalists and subjected to a campaign of abuse. 

The High Court, however, rejected the Department of Health’s arguments against the publication of data as being “divorced from reality”. The court made two key findings. First, the fact that the Department of Health held the original data from which the abortion statistics were produced did not mean that the anonymised statistics were personal data when disclosed under the Freedom of Information Act. In considering whether statistics relate to identifiable individuals, authorities should consider only information available to the public, i.e. the anonymised statistics plus other information in the public domain. 

Second, the court did not accept that there was a real risk of individuals being identified from the categories containing a small number of cases. The risk of identification in this case was “extremely remote” and the policy of not disclosing statistics on late abortions for categories containing fewer than 10 cases reflected the comfort threshold of the Department of Health rather than any statistical considerations or legal principles. 

In the Jepson case, an individual had not been identified from statistics alone, but from a sequence of subsequent disclosures.

Implications of the case

The High Court decision does not mean that statistics involving a small number of cases must be automatically disclosed. Equally, organisations cannot apply a general policy of withholding statistical categories below a certain size. The question is whether there is a real prospect of individuals being identified, which will depend on the nature of the statistics. 

For the abortion statistics, the key point was the size of the pool of individuals that the data could have been about. There are around 14 million UK women of child-bearing age who could have been represented in the statistics. This makes it extremely difficult to link individuals to statistics about particular types of abortion. The statistics cannot be regarded, therefore, as personal data.

Individual NHS bodies are likely to produce statistics relating to smaller pools of people within their area, rather than national statistics. This might in itself justify a more cautious approach to small category sizes. This will, however, depend on the nature of the statistics.

NHS bodies may now be required to disclose more detailed data, increasing transparency and assisting information sharing. Although the court thought that the Department of Health’s approach was “divorced from reality” and was clearly concerned that it would prevent the disclosure of meaningful health-related statistics, the policy of not disclosing statistical categories containing fewer than 10 cases was a rule of thumb widely used in the NHS. 

Before disclosing more detailed statistics, however, the organisation will have to make a careful assessment of the risks of identification. The principle in the Department of Health case - that the assessment should take account of the statistics themselves plus information already in the public domain - may sound simple. But in practice this requires awareness of the types of information published by the organisation itself and other bodies, and monitoring of the cumulative impact of disclosures over time.

This will become a more complex process if the Protection of Freedoms Bill becomes law in the autumn. The bill would require information provided by public authorities to be in “reusable” formats, increasing the ability of the public to manipulate the data and compare it with other datasets and potentially making identification of individuals easier. 

The judgment also indicates that organisations will need to avoid speculation about how future disclosures might affect the ability to identify individuals from the statistics. This is not easy for NHS bodies, with their strong concern about patients. 

In addition, the judgment does not answer the question of whether there is a distinction between speculative concern about future disclosures or leaks, and the rather different situation where an organisation knows of planned disclosures which would affect the ability to identify individuals. 

If you are concerned about identification, altering the nature of the statistical pool may be an alternative to removing small categories. For example, you might provide statistics across the whole of the organisation’s area rather than smaller districts. Or you might produce statistics that separately link age, gender and location to a particular condition, rather than a single statistic linking all of these factors. Whether this is appropriate, however, will depend on how the statistics are intended to be used. 

Whatever approach you decide to take, the key practical point is that you need to record clearly your assessment of the risk of identification of individuals from the disclosure being considered.