Government shared patient data with no record of recipient

A Government information centre was unable to identify the organisations to which it released potentially sensitive patient data on two occasions, according to a critical report by the Health and Social Care Information Centre.

The report, which looked at failings by its predecessor body, the NHS Information Centre, criticised ‘administrative failings’ that meant reviewers were unable to identify which two organisations had received potentially identifiable patient data, with no record of any agreement on how it would be used.

The review of 3,059 releases- led by Sir Nick Partridge, a non-executive director of the Health and Social Care Information Centre – was initiated as a result of revelations that millions of patient records had been shared with an actuarial firm, in the wake of the care.data scheme being suspended following concerns raised by GPs.

As a result of the review, the HSCIC said it would bring in changes which will make data sharing more secure ahead of the rollout of care.data.

A HSCIC spokesperson said about the lapses in security: ‘Further investigations by the HSCIC have allowed us to establish with reasonable confidence that in one of these instances no data was released and in the other it was released properly to an individual at a primary care trust for the purpose of research. The HSCIC acknowledges that in these instances record keeping was not good enough at the NHS IC and we are taking measures to ensure this does not happen again.’

The report found four instances of data still being shared with insurance companies, which will have to be terminated before the introduction of the Care Bill, which will make it illegal to share data for purposes other than the improvement of health and care.

The releases were approved between 1 April 2005 and 31 March 2013 – at which point the NHS Information Centre was replaced by the HSCIC. Some of the agreements are still active but as part of the changes agreed by the HSCIC, these will now be reviewed.

An earlier review of the HSCIC’s data releases found 56 instances of records being shared with private companies.

As a result of the review, the HSCIC is moving ahead with plans to limit record access to ‘data laboratories’ which will protect data by holding it on HSCIC-managed facilities and networks and introducing new audit powers to monitor data sharing agreements.

Sir Nick said the HSCIC must ‘learn lessons’ about data handling, saying the public will not tolerate ‘vagueness’.

He added: ‘The HSCIC must learn lessons from the loosely recorded processes of its predecessor organisation. The public simply will not tolerate vagueness about medical records that may be intensely private to them.’

‘We exist to guard their data and we have to earn their trust by demonstrating scrupulous care with which we handle their personal information.’

Chair of the HSCIC Kingsley Manning said: ‘We welcome the government’s commitment to set up appropriate oversight for the system as a whole in relation to protecting confidentiality.’

‘We look forward to our work being subject to the same scrutiny and also want to encourage the public to scrutinise our activities – this is supremely important to me as chair of the HSCIC and to our new chief executive.’

The care.data scheme will extract patient records held by GP practices and collate them with records extracted from other parts of the health system. It was delayed in September to allow legislation to be introduced restricting how the data can be used, and give time to inform patients after two-thirds of the public reported they hadn’t received information on the scheme.

GP concerns will also be addressed, with NHS England agreeing to pilot the scheme in at least 100 practices, after GPs risked their contracts by opting patients out of the scheme. But at the recent LMCs Conference GPs said more drastic changes were needed, including requiring patients to opt in to the scheme.