As the structure of the new NHS landscape takes shape, its responsibilities in relation to patient data will come under the spotlight, says Jenny-Lee Spencer.
Patient data in the NHS is crucial for developing effective care pathways and for the research and innovation agenda. The government’s Open Data White Paper recognised patient data as a significant contributory factor in the country’s economic regrowth, citing its value in “holding governments to account; in driving choice and improvements in public services; and in inspiring innovation and enterprise that spurs social and economic growth”.
Nonetheless, a delicate balance must be found between protecting patient privacy and sharing patient data to improve care and aid economic recovery. Herein lies the challenge.
The recently published information governance review To Share or Not to Share makes 26 recommendations to government that are intended to strike such a balance.
The review builds largely on proposals by the NHS Future Forum and parallel government initiatives discussing patient data, including the Health and Social Care Act 2012, which, although it did not make substantial changes to the legal framework for data protection, did introduce a legal basis for the Health and Social Care Information Centre to access personal data.
These initiatives cited the importance of improved data sharing within the NHS and between the health and social care system. They promoted greater openness and access to patient records within a secure and trusted system to safeguard people’s data from misuse and protect the public’s right to privacy.
While the government is expected to respond to the information governance review, putting forward its own recommendations on how personal data may be shared, there is a far more significant challenge creeping over the horizon: the revision of the European data protection rules, which our own data privacy legislation is founded upon.
This revision is important because when the new rules are implemented they will be applied directly into UK legislation, without scope for interpretation at national level.
The timing of the new regulation renders the NHS debate around information governance somewhat problematic. A legal agreement is not expected to be reached before May 2014, with the new rules being applied approximately two years later.
In the meantime, NHS organisations will have to grapple with developments in terms of data sharing and approval processes under the new service structure, on the understanding that a new set of rules at EU level may require such processes to undergo major changes once again in just over three years' time. Significant financial penalties may result for organisations not adhering to the changes. It is crucial that those responsible for information governance in the NHS invest in legislative changes currently taking place at European level to ensure that the UK’s national long-term vision for information governance is integrated into the new EU regulation.
While the NHS European Office has made significant progress in amending the European Commission’s proposals to protect a number of major NHS interests (for example, implied consent within a healthcare context, the role of data protection officers and the safeguarding of personal patient data from commercial purposes), there remain outstanding challenges with regard to access to data and the use of patient identifiable data for research purposes. Anonymous data is currently exempt from the scope of the proposed regulation.
No right to charge
In terms of access, it is highly unlikely that the new EU regulation will allow NHS organisations to charge for access to personal data. There is a possibility that a fee may be levied where requests are “manifestly excessive”, but this would have to be justified. At any rate, a GP practice or NHS trust charging a patient to cover administrative costs for access to their healthcare record would be considered unjustifiable according to the regulation.
This issue of charging also throws into jeopardy the information centre’s data extract and tabulation charges in relation to sensitive/identifiable data and de-identified data. In the first instance, the new EU regulation must recognise a lawful basis for such data to be made available, and where this is permissible, the prospect of tariffs will almost certainly be ruled out.
Campaigners are therefore right to highlight a concern about the sale of “sensitive” and “identifiable” patient data, particularly where the patient concerned has not granted consent.
Not only is this likely to be prevented in future, but furthermore, where individuals no longer want their data to be held by a third party, the onus will be on the original data controller to ensure the third party erases such data under a new legal stipulation known as the “right to be forgotten”; this right will allow individuals to request that data concerning them be erased retrospectively, even if they previously consented to such data being processed.
A further issue of concern is the use of section 251 of the NHS Act 2006 to support commissioning purposes. This allows patient identifiable data to be processed without a patient’s consent in specific circumstances where it is in the public interest to do so, and where it is not practical to gain patient consent; or where the use of anonymous or de-identified patient data is not feasible. However, any activity taking place with the support of section 251 must comply entirely with data protection law.
In recent weeks, section 251 support has been approved to allow bodies under the new NHS infrastructure to access personal confidential data without consent, including the commissioning support units and all clinical commissioning groups. While NHS England told clinical commissioning group leads that alternative long-term strategies are due to be developed that do not require section 251 support, attention must be paid to how personal confidential data is to be used in order to meet the requirements of the new EU regulation.
This is easier said than done. The regulation at present draws a distinction between data processed for health purposes and data processed for historical, statistical or scientific research purposes. Under the former, patient identifiable data may be processed without patient consent, whereas under the latter, patient consent shall be mandatory.
This mandatory requirement not only poses a major concern to the UK health research community, undermining existing national safeguards, but it also draws a tenuous line between where data is used for health research purposes and where data is used for statistical or scientific research purposes. NHS organisations will need absolute clarity in terms of how they intend to use personal confidential data in order to stay within the limits of the law, or face significant fines.
Without such clarity, proposed national measures such as the information governance review’s “accredited safe havens” or data management integration centres will be founded on unstable ground and may have to be revised once a new EU data protection regulation is applied.
There is still time to influence the debate. The NHS European Office is an active voice in discussions at European level to ensure a new regulation that safeguards data privacy while recognising the potential social and economic value of data flow within the EU. The NHS has a duty to promote research and a duty to share information in order to improve patient care.
Finding the balance between protecting patient information and modernising the UK’s health and social care services is undoubtedly a challenge, but one that must be addressed within a broader European legislative context. If attention is not paid to regulatory changes in the field of EU data protection law now, the NHS faces some far greater challenges ahead.
Jenny-Lee Spencer is senior policy manager at NHS European Office