Ministers have gone against the findings of their own information governance review and allowed patient-identifiable data from GP records to be used in the NHS outside of the ‘safe havens’ recommended by the Caldicott report for six months.
Health secretary Jeremy Hunt has approved plans for NHS England to waive common confidentiality laws for six months under a legal exemption called section 251, allowing patient identifiable data to be passed to commissioners and support units.
This is despite the safe havens for potentially identifiable patient data recommended by the Government’s own Caldicott2 report published earlier this year not being in operation.
Dame Fiona Caldicott said that most commissioning activities could be carried out without patient identifiable data and that any data carrying a high risk of being identified and being used for ‘any purpose other than direct care’ should be transferred using an accredited safe haven.
Dame Fiona defined a safe haven as a ‘specialist, well-governed, independently scrutinised and accredited environment’.
Currently the Health and Social Care Information Centre (HSCI) is the only formally accredited safe haven, as final requirements for accreditation are yet to be determined.
But the exemption granted to NHS England means that patient identifiable information from GP records will now flow between NHS England, CCGs and CSUs.
The data include those on Choose and Book referrals, urgent care data sets (including walk-in centres and out-of-hours), accident and emergency, waiting lists, outpatient and diagnostic attendances, community care, payment by results data, radiology and pathology data, community health data and home equipment loans among other data sets.
Pulse revealed yesterday that NHS England will begin taking data from GP records in a ‘small number of practices’ in the upcoming months, in order to pilot their new data extraction system (GPES) before a wider rollout later in the year.
A guidance note on the approval of the exemption from the HSCI said that CSUs and CCGS can receive patient-identifiable data if they ‘provide evidence of completion of level 2 of the Information Governance Toolkit’ or plans to bring them to level 2 as well as a data sharing agreement and a signed data sharing contract in place, a guidance note from the HSCIC said.
It added that NHS England must demonstrate that it will only share personal confidential information where necessary.
It said: ‘The section 251 support is conditional upon regular reports to the Confidentiality Advisory Group to demonstrate the steps being taken to avoid the use of personal confidential data including improving upon the position of using weakly pseudonymised data.’
NHS England is expected to work towards an ‘end-state’ that reduces the need to process and handle personal confidential data, it added.
The exemption will run until October this year, conditional on an interim report to be considered by the Health Research Authority’s Confidentiality Advisory Group in June. The health secretary approved the section 251 exemption bid on the recommendation of advice from this group.
A Department of Health spokesperson said: ‘Following independent advice, approval has been granted to release information from the HSCIC to health bodies temporarily for a period of six months, subject to stringent conditions.
‘These include preventing individuals from being identified – and, that if a patient requests their personal information is not disclosed at all by the HSCIC, this is fully respected.
‘The bodies receiving the information must meet very high standards of information governance and if they breach information controls it could result in a significant fine of up to £500,000.’