Data Protection - PowerPoint PPT Presentation

Provided by: anb51

1

Data Protection Confidentiality Legally Compliant Research
Phil Walker
Department of Health
2
Key Fact 1
  • The Data Protection Act 1998 places obligations
    upon those who wish to process personal data but
    does not prevent medical research!

3
Data Protection Obligations
  • Fair Processing - telling people who will see
    their records and why
  • Subject access
  • Adequate information security
  • Clarity of purpose
  • Must be lawful!

4
Common Law
  • Where information is held in confidence
  • Consent
  • Law or the Courts (section 60)
  • Public Interest
  • Anonymisation/Pseudonymisation

5
Confidentiality Strategy 1
Communications Strategy
Section 60
6
Confidentiality Strategy 2
Implied Consent but Patient Choice
7
National Programme for IT
  • The NHS Care Record
  • Information Governance
  • Pseudonymisation

8
The NHS Care Record
  • Will enable details of the key events of a
    person's healthcare history throughout their life
    to be:
  • collected, stored and retrieved
  • made available at all times
  • across the whole country
  • to those with authority to view

"A better use of information and communication
technology within the NHS would improve
efficiency and cut costs" - Wanless Report,
April 2002
9
Benefits
  • It will provide secure instant access to patient
    records, diagnostic images and results 24/7
    across the country
  • Improve the quality of time spent with patients
  • Reduce the amount of administration and paperwork
  • Significantly increase the amount of information
    that can be easily accessed
  • Deliver healthcare to patients across
    disciplines, organisations, boundaries and
    locations

10
Benefits
  • Automatic alerts, warnings and reminders: reduced
    errors and omissions, and safer, more effective /
    efficient care
  • Provide support for advanced decision making
  • Will encourage best and evidence-based practice
  • Will support research, audit, service planning
    and resource management
  • Provide new, significant ways to study health,
    disease and treatments across the country

11
Information Governance
  • Patient Consent to ICRS Data Sharing
  • Patient Access to Health Information about
    themselves
  • Access Control Framework
  • Legitimate Relationships: the control of ensuring
    that only those individuals who have a legitimate
    reason for accessing a patient's records are able
    to do so.
  • Sealed Envelopes: the process of enabling both
    Patients and Clinicians to apply special access
    restrictions to particular items of data.
  • Role Based Access Control: the control of
    ensuring that, of the data that an individual is
    able to access, only the data and functions
    pertinent to the role they are playing in
    the care of the patient are available to them.
  • Other Access Controls: this includes special
    access controls for legacy applications, other
    national applications and certain specific
    functions.

12
Information Governance
  • Audit Trails containing information suitable for
    full auditing of a user's actions, interactions
    and information accesses. Also, all ISPs are
    providing automated audit analysis tools.
  • User Registration ensuring that all registered
    users of the NCRS have an identity of which the
    NHS is assured, and that all privileges are
    assigned to them through a robust, auditable
    process to which all parties can be held fully
    accountable.
  • A User Authentication process which uses multiple
    factor authentication to securely and robustly
    permit an individual to authenticate their
    identity, registered with the NCRS.
  • A Pseudonymisation and Anonymisation Service
    which will allow the linking of an individual's
    identity across multiple record sets, thus
    supporting the majority of requirements for using
    patient identifiable data, whilst protecting the
    privacy and confidentiality requirements of the
    individual. Also, single data sets can be
    produced which maintain the confidentiality of
    the patient.
  • Secure Communications through an industry-standard
    protocol implementation
  • Compliance with international security and
    security management standards.

13
Pseudonymisation
  • What are the requirements / business needs?

14
Potential Users
  • Health planners
  • Clinical audit
  • Statisticians
  • Epidemiologists
  • Researchers
  • Managers

15
Potential Uses
  • Patient contact
  • As part of the activity
  • As a result of the activity
  • Selection of data from a range of sources
    relating to a specific cohort / sample of
    individuals
  • Assembly of further information from data sources
    relating to individuals identified by the analysis

16
Personal Identifiers
  • Availability of coded identifiers in data sources
  • NHS / Non NHS
  • Historic
  • Reflected in questions outlined above
  • Spatial analysis
  • Assignment of cases to non-standard areas
  • Calculation of proximity and accessibility
    measures

17
Levels of Pseudonymisation
  • Identifiable personal information including
    uncoded information, e.g. name and address
  • Identifiable personal information, which only
    uses coded information to identify the
    individuals, e.g. NHS Number
  • Information in which identifiers have been
    pseudonymised, in a reversible manner
  • Information in which identifiers have been
    pseudonymised, but with an irreversible one-way
    encryption facility; this will enable subsequent
    linkage of data relating to the same individual
  • Information that has no identifiers or keys and
    cannot be linked to other information relating to
    the same individual

18
Pseudonymisation
  • Services
  • Pseudonymised extracts from the Secondary Uses
    Service
  • Ability to take a data file containing patient
    data and produce a pseudonymised version

19
Pseudonymisation Service
  • All Pseudonymisation processing and access to or
    disclosures of Pseudonymised Data shall be
    appropriately recorded to the audit log.
  • The Pseudonymised Data shall be in a form such
    that it will be possible to carry out searches
    and statistical analysis on the Pseudonymised
    Data
  • Pseudonymisation shall ensure that the same
    information always yields the same pseudonym or
    derived values for a group of users, regardless
    of variations in the way the information is
    encoded

20
Pseudonymisation Service
  • The pseudonymising method shall enable record
    linkage between pseudonymised records (of records
    for the same patient) by the user, where this is
    required. Record linkage must be capable of being
    performed over an extended time period, and
    across data from all Providers
  • As the data will be held in the Secure Database
    indefinitely, the Pseudonymisation algorithms
    shall preserve the anonymity of individuals
    indefinitely.
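
The requirements on slides 19 and 20 (same pseudonym regardless of how the identifier is encoded, derived per group of users, linkable across providers) can be met for the irreversible level with a keyed one-way function. This is an added example, not part of the presentation: the use of HMAC-SHA256, the group names, the keys and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed per-group secrets (assumption). A real service would keep these
# in an HSM or key vault; without a secret key, the small NHS Number space
# could simply be enumerated and hashed to undo the pseudonyms.
GROUP_KEYS = {
    "epidemiology": b"constructed-demo-key-epidemiology",
    "clinical-audit": b"constructed-demo-key-clinical-audit",
}

def normalise_nhs_number(raw):
    """Reduce encoding variants to one canonical form and check Modulus 11."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{10}", digits):
        raise ValueError("NHS Number must contain exactly 10 digits")
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    check = 0 if check == 11 else check
    if check == 10 or check != int(digits[9]):
        raise ValueError("NHS Number fails the Modulus 11 check")
    return digits

def pseudonymise(raw_nhs_number, group):
    """One-way, deterministic pseudonym that is specific to a user group."""
    canonical = normalise_nhs_number(raw_nhs_number)
    mac = hmac.new(GROUP_KEYS[group], canonical.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:32]

def link_records(extracts, group):
    """Link records from several providers by pseudonym, dropping the identifier."""
    linked = {}
    for record in extracts:
        pseudonym = pseudonymise(record["nhs_number"], group)
        payload = {k: v for k, v in record.items() if k != "nhs_number"}
        linked.setdefault(pseudonym, []).append(payload)
    return linked

# Constructed sample extracts: two providers encode the same patient differently.
SAMPLE = [
    {"nhs_number": "943 476 5919", "provider": "A", "event": "admission"},
    {"nhs_number": "9434765919", "provider": "B", "event": "outpatient"},
    {"nhs_number": "401-023-2137", "provider": "B", "event": "admission"},
]

if __name__ == "__main__":
    for pseudonym, events in link_records(SAMPLE, "epidemiology").items():
        print(pseudonym, events)
```

Because each group has its own key, extracts released to different groups cannot be joined to each other on the pseudonym. The reversible level on slide 21 is not covered here.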

21
Pseudonymisation Service
  • It shall be possible to reverse the
    Pseudonymisation process under strict access and
    privilege control arrangements, e.g., in
    circumstances where patient identification may be
    necessary to support their care.
  • This facility will be especially sensitive and
    will only be available to approved individuals
    under the direction of the appropriate authority
    or exceptionally through defined and monitored
    emergency override procedures.

22
Phasing
  • Phase 1
  • Release 2 Dec 2004
  • Pseudonymisation service to be available
  • Phase 2
  • Release 1 - June 2005
  • Secondary Uses Service, including
  • NWCS Replacement
  • National Clinical Audit Support Programme

23
Scientific Community
Privacy lobby
Now chaps, I know it's a bit muddy and we can't
see all the way across, but we can't stay where
we are!
24
  • Thank You