This site is intended for health professionals only

At the heart of general practice since 1960

Read the latest issue online

A faulty production line

NHS England seeks permission to send patient-identifiable data to commissioners

NHS England has applied for a legal exemption so that patient-identifiable information can be extracted and shared with a variety of commissioning groups and information bodies.

If granted, the exemption - called the 251 exemption - would allow the health secretary to set aside the legal duty of confidentiality in certain cases. The decision, which will be made on 18 April, could give NHS England the ability to share data extracted from GP practices with CCGs, commissioning support units and the Health and Social Care Information Centre.

Under the clause, which is in the 2006 Health and Social Care Act, certain bodies are able to disclose confidential patient information for medical purposes. This is on the condition that it is not possible to use anonymised information and seeking consent is not practicable, taking the cost and technology available into account.

The organisation made a bid to the NHS Ethics and Confidentiality Committee (NHSECC) for the exemption in March. However, the committee sought clarification on a number of issues and NHS England will revise the bid and re-submit a draft in mid-April to be considered at the first meeting of the NHSECC’s successor organisation, the Health Research Authority’s Confidentiality Advisory Group, which will make its recommendation to the health secretary.

The CAG will then make a recommendation to the Secretary of State about whether the Board should be exempt under the regulations, as is the arrangement with PCTs.

A spokesperson for NHS England said: ‘[NHS England] is in discussion with the NHSECC on matters pertaining to transition and ongoing requirements for existing local and national data flows that are required as part of transition and ongoing commissioning activities relating to the changes in organisations ( PCT transition to CCGs, CSUs and NHSCB) post April 2013.’

A spokesperson from the Health Research Authority said: ‘Clarification was requested on this application at a meeting on 14 March. A revision is being considered to clarify data flows in relation to Secondary Uses Service (SUS) with a full application with additional data flows identified coming to the first Confidentiality Advisory Group Meeting on 18/19 April 2013.’

They added: ‘The key purpose of the CAG is to promote and protect the interests of the patient whilst at the same time facilitating appropriate use of confidential patient information for purposes beyond direct patient care. In considering applications the ECC and subsequently the CAG do so with these considerations in mind utilising the experience of its members to ensure credible advice is given.’

A BMA spokesperson said: ‘This is a highly complex issue. There’s always a tension between the rights of patients to privacy and confidentiality, and the need for data to flow in order for the NHS to function.’

Readers' comments (5)

  • Surely if the technology is there to support an opt out from the SCR, there is no reason not to give patients an opt out opportunity here as well.

    Unsuitable or offensive? Report this comment

  • Why wasn't this sorted long ago?
    Always has been in previous top-down reorganisations of the NHS!

    Unsuitable or offensive? Report this comment

  • It's not just data extracted from GP practices. At the moment NHS England (which includes all the CSUs) can't handle any patient level data (which includes NHS numbers) from anywhere, including providers, for things such as validating payments.

    Unsuitable or offensive? Report this comment

  • The SCR upload and access mechanism is lawful precisely because it is managed in two distinct stages. The first part involves GPs letting patients know that they were going to process their data in a way not originally intended, through the PIP or public information programmes. This hopefully satisfies the ICO requirements for fair processing or privacy notices.

    The second part involves clinicians other than the GP (the original data controller) accessing the data. This is only done once the patient explcitly consents with e.g. an Out Of Hours provider using an accredited system.

    The IC has a requirement for potentially much more detailed information, presumably does not intend to request explicit consent and therefore requires a S251 exemption to avoid potentially falling foul of the common law code of confidentiality (a S251 exemption was also the basis under which secondary care providers were permitted to share PID with PCTs).

    Of course any such data collections, even if originally lawful through granting of a S251 agreement, may become unlawful if the proposed EU Data Protection changes requiring explicit consent are introduced.

    Unsuitable or offensive? Report this comment

  • This is a disaster waiting to happen. Who will monitor what data is extracted and where it goes to? What further uses will that data be used for and what other data will it be combined with? Will all of these recipients have "appropriate technical controls" in place to give assurance on the data security? I agree with the above comment that EU Data Protection changes requiring explicit consent may affect this, I for one would not these to keep my data secure, especially as the ICO is asking for the right to audit the NHS because of repeated breaches of data.

    Unsuitable or offensive? Report this comment

Have your say