November 11, 2014

Care.data and Personal Data Protection

Trials of NHS England’s GP patient information sharing programme, known as care.data, are due to start in the New Year, the ICO (Information Commissioner’s Office) has said in its November newsletter. This controversial new system was postponed earlier in 2014 following concerns about how the programme would affect the handling of patient records and medical data.

Of course, as an organisation – and individually – the NHS and all its staff do care deeply about their patients and the information they hold on them. But as data controllers (so-called because they originally collected the patient information), how much real control do they have, when they are bound by new laws to release this information with the altruistic aim of improving the care and health services throughout England?

We are being told that we will be kept informed along the way of how our personal data is going to be used, but how many people understand what this actually means in real terms?

In brief, this is how care.data is going to work. Under the Health and Social Care Act 2012, GPs are being directed by NHS England – the organisation that owns the care.data programme – to pass on their patient records to the Health and Social Care Information Centre (HSCIC), the national provider of information, data and IT systems for health and social care. The HSCIC prepares all this information to pass on to the bodies that plan NHS services, as well as to ‘approved’ researchers and organisations outside the NHS.

The HSCIC must only use the data for the purposes NHS England has directed, and it is responsible for ensuring that what it does with the data complies with the Data Protection Act (DPA).

This should be reassuring news, but the DPA – although it requires fair processing of data – cannot stop any of the personal information being taken by the HSCIC. Also, some of the data the HSCIC will provide to others won’t fall under the DPA at all. Any data that is anonymised (i.e. the individual can’t be identified from the information) is no longer considered personal data under the law, and therefore the DPA no longer applies to it.

The ICO is monitoring this new system, with a view to making sure there are as few data security breaches as possible, and will continue to regulate the care.data campaigns and handle any complaints. However, the ICO cannot dictate to NHS England, the HSCIC or GPs how they handle the collection or dissemination of the data.

Earlier this year, the ICO noted that patients need to be properly informed about the changes to the way their information will be used if GP surgeries are to meet their legal requirements under the DPA. This has been taken on board as part of the trials: patients registered with GP surgeries that are part of the trial phase will now receive an individually addressed letter explaining the changes.

According to the ICO: “The letter will include a copy of the opt-out form which patients can complete and return if they don’t want their data shared. Some patients will also be provided with information about the changes by email and text message.”

The health sector has always provided a wealth of data protection challenges, and the care.data programme looks set to top these challenges. Watch this space! The ICO certainly will be.

For further information on the care.data programme have a look at the following websites:

  • NHS Choices
  • nhs.uk/caredata
  • hscic.gov.uk/patientconf
  • ICO.org.uk
  • Legislation.gov.uk (for information on the DPA)

For additional information on how to protect confidential information in the healthcare sector, check out our “Why a Secure Shredding Service is Critical to Healthcare Compliance” factsheet.