NHS Digital vindicated in patient data confidentiality row

The Information Commissioner’s Office’s verdict, published last week, was welcomed by NHS Digital and researchers, who said it showed “robust” processes were in place when data was anonymised or pseudonymised for sharing outside the NHS. The data is seen as crucial for vital research projects.

However, privacy campaigners said patients’ right to opt out of their data being shared was being ignored. There are also concerns because the code of practice is not statutory, and the ICO warned earlier this year that it may not be robust enough.

The ruling comes as the NHS waits for the government’s response to Dame Fiona Caldicott’s review of patient data sharing,

An ICO statement to HSJ said: “We’ve looked at NHS Digital’s process for anonymising hospital episode statistics data and found the organisation has followed our anonymisation code of practice.

“However, we made it clear that our code is only a guide and it is for organisations to decide in any given case whether they are satisfied that data are anonymised.”

The HES data includes information from every hospital visit by patients in England, including details such as age, gender, operations, and accidents patients were involved in.

The ICO ruling followed campaign group MedConfidential accusing NHS Digital earlier this year of not sufficiently anonymising HES data before releasing it to researchers and private companies.

The group argued data from 1.2 million patients who requested no identifiable information held by NHS Digital is passed to a third party – a “type two” objection – should be excluded from HES data releases when it is sent out in pseudonymised form. The richness of the HES dataset makes “jigsaw re-identification” a genuine risk, MedConfidential argued.

Researchers said while there was always some risk of identification, it was worth taking – providing the most robust protections possible were in place – to realise the full potential of such a broad population database, which underpins substantial studies.

Nicola Perrin, director of Understanding Patient Data hosted by the Wellcome Trust, said the ICO’s ruling “should help reassure patients and healthcare professionals that there is a robust system of safeguards to protect data”.

She added: “It is important to be clear that patients can still choose to opt out of the use of personally identifiable data. MedConfidential is being disingenuous to imply that the ruling from the ICO removes that choice.

“Both the ICO and NHS Digital have recognised that the risk of re-identification can never be completely eliminated but it can be effectively reduced and managed by ensuring there are strict safeguards, contracts and meaningful sanctions if data is misused.”

MedConfidential said patients could still be identified from pseudonymised data, a process set out by the ICO code of practice for when patients’ identities are replaced by pseudonyms. Health secretary Jeremy Hunt has previously pledged to ensure patient data is protected.

The group said: “We are obviously disappointed that Jeremy Hunt has chosen to go back on his word, and continue selling the nation’s private hospital history to anyone who fills in a form correctly, after he offered patients a choice to opt out of that.

“The ICO has ruled that it was the secretary of state’s choice, and he was entitled to make it. This does not affect rights available to patients under the Data Protection Act.”

NHS Digital rejected this. Clinical director and data guardian Martin Severs said: “We are respecting type two opt outs robustly and consistently across all our disseminations.

“If patients have chosen to opt out then we do not share personal confidential information from any of our datasets, as set out in the direction from the secretary of state.”

The ICO’s warning about the strength of its guidelines was set out in February. It said: “More generally the code is not a statutory code and was never designed to be a standard for anonymisation.

“It was not drafted with a view to it being held up as something that ‘must’ be complied with or that, if it was complied with, was a sign that the data ‘was’ anonymised.

“It is designed more as a code for helping data controllers to manage data protection risk and suggests processes they could adopt to help them reach a point where they are satisfied to an acceptable level of risk that the data are anonymised.”

UPDATED: 12:00, 7th December 2016:

MedConfidential contacted HSJ after publication to ask that their position be made clear on opt outs. A spokesman said: “[We have been clear that] the opt out has begun to be implemented – it does do some things – but the main purpose of opting out of your hospital data being sold, is that your hospital data doesn’t get sold.”

Read a full statement here.