  • National Data Guardian issues warning to local NHS bodies
  • Letter raises concerns patient data sent to third parties without legal basis

The health service’s independent data watchdog has issued a warning to local NHS bodies over concerns confidential patient information is being shared unlawfully with third parties, including for ‘population health’ analysis.

In a letter to integrated care systems, National Data Guardian Nicola Byrne and UK Caldicott Guardian Council chair Arjun Dhillon said they had both “been made aware that within some local record sharing programmes, organisations could be processing confidential patient information without ensuring that the processing does not breach confidentiality”.

They added that one of the four areas of concern health and care staff had raised with them was that confidential patient information may be being transferred from local record sharing programmes to third-party hosted secure data environments (SDEs). SDEs are data storage and access platforms where organisations can apply to access data for planning and research purposes.

The letter (see below the story) comes as ICSs are being encouraged to develop shared care records and capitalise on the power of data — for example to analyse and improve population health — following increased data-sharing during the pandemic. 

The NHS is also set to increase its use of SDEs after the government backed the Goldacre Review, which called for research and planning based on NHS data to be done only through SDEs.

It is not clear what kind of patient data may have been unlawfully shared.

Data sent to third parties

National Data Guardian Nicola Byrne


Dr Byrne and Dr Dhillon said they were “aware” of cases where patient data provided to record sharing programmes for individual care purposes had then been transferred to third-party data controllers hosting SDEs and made available for purposes other than direct care.

They said they “recognised and accepted the potential advantages and benefits of SDEs”, but added patient data shared for secondary purposes “must be lawful”.

“If you are sharing information from your local record sharing programmes for purposes other than individual care, then you are required to consider how you will satisfy or set aside the common law duty of confidentiality,” the letter said. 

Another area of concern related to patient data being shared with third parties for the data to be anonymised.

Transferring data to a third party that is “not collecting it for individual care, so that they can undertake the process of anonymisation, cannot rely on implied consent for individual care as an appropriate basis,” the watchdog said.

The other two areas of concern relate to processing data for risk stratification, where patient datasets are combined to identify vulnerable and high-risk patients so they can be offered interventions.

While NHS England has previously said NHS bodies can process certain types of patient data – such as GP-held data – the legal basis does not extend to “implied [patient] consent” for all risk stratification.

Dr Byrne and Dr Dhillon said they were aware “some” NHS record sharing programmes believe processing patient data for population health purposes falls under the legal basis of implied consent for NHSE’s guidance, but they warned this was not the case for population health activities that do not offer direct interventions to people.

The letter added “some organisations” were not demonstrating compliance with NHSE’s “assurance statement”, which means they are not meeting the conditions necessary for processing the data.

Dr Byrne told HSJ “several individuals and organisations” had contacted her about “specific shared care record programmes” over their concerns. 

She added: “Giving people guidance, support and time to navigate this complexity is important if new ICSs are to use data appropriately to improve the health of their local population.” 

Public trust ‘crucial’

Phil Booth, coordinator of medConfidential, which campaigns for patients’ data rights, said the letter picked up on “some, though not all, issues we’ve been pointing out about local record sharing for the past year”.

He said: “Guidance from the National Data Guardian on avoiding these illegal data practices is welcome, but will ICSs follow it?

“Rather than belatedly seeking legal exemptions for their reuse of patients’ data, NHS bodies must be up front with the public about what they are doing, and respect the decisions of patients who choose to opt out.”

The letter concluded that health and care providers must have “due regard” for public trust, especially where “commercial arrangements” are in place between the NHS and other data processors and researchers.

Dr Byrne and Dr Dhillon said: “Reaching a shared view that drives collaboration between partners providing local health and social care is an incredibly valuable aim.

“Ensuring that record sharing programmes use confidential patient information in ways that are legal, ethical and earn the trust of patients and professionals caring for them is crucial in realising the potential of integrated care”.

A spokesman for NHSE said: “Appropriate record keeping is vital. This letter gives further clarity to guidance issued by NHSE last year for local systems to ensure they are sharing records in line with the law.”

  • Story updated at 11.05am on 17 November to include comments from NHSE and Dr Byrne.

 
