Exclusive Requests for identifiable patient data have been approved more than 30 times since April by the group of independent experts which will oversee access to confidential records uploaded to the controversial care.data scheme.
A Pulse analysis of applications to the Confidentiality Advisory Group (CAG) reveals there have been 31 releases of confidential patient information since April 2013 – 12 of which were to bodies outside the NHS.
The frequent releases of data under the little-known Section 251 exemption are significant because a similar process will govern the release of identifiable patient data once GP records are extracted via the care.data programme.
NHS England announced last year that it plans to sell care.data access to private companies and researchers for a nominal £1 – and private companies will be able to make applications to access identifiable data via the Section 251 process.
Supporters of care.data have played down the prospect of identifiable patient data being shared as part of the scheme, and much of the debate to date has focused on the release of data which will be ‘pseudonymised’. NHS England is currently in the process of sending a leaflet to every household in the country which reassures patients that their ‘identity is protected’.
But Pulse’s analysis reveals that identifiable patient data is already being regularly approved for release by the NHS.
Under Section 251 of the NHS Act 2006, the health secretary is able to set aside patient confidentiality for ‘defined medical purposes’, but he has to take advice from the independent Confidential Advisory Group (CAG).
The CAG is based at the NHS Health Research Authority and assesses requests to see if there is a ‘sufficient justification’ to access confidential patient information.
A Pulse analysis of data published on the CAG website shows that in total 31 requests for identifiable patient data have been approved since April 2013.
In addition to this, at least 30 requests for identifiable data were ‘conditionally’ or ‘provisionally’ approved, as long as the applicant sought further approvals. Some 15 requests were rejected for lacking sufficient evidence.
The applications were mainly for commissioning or life science research, with information such as names, dates of birth, postcodes and NHS numbers requested alongside other medical data.
Approved applications include:
- A request from the University of Hertfordshire to access patient notes at six GP practices and pharmacies in order to review prescribing errors
- A request from the CQC for all the names and addresses of all adults who had one overnight hospital stay from June to August 2013
- A request from the Royal College of Anaesthetists for NHS number, hospital number and dates of birth and death for 40,000 patients who had an emergency laparotomy
- A request from Cardiff University for name, NHS number, date of birth, postcode and gender of all children presenting with a thermal injury
Dr Grant Ingrams, former chair of the GPC’s ICT subcommittee and a GP in Coventry, said it was important that patient consent was explicitly obtained before identifiable data was given to researchers, particularly as GPs were held responsible for any complaints.
He said: ‘I do not see why any researcher anywhere should have access to information without consent. I do not believe it’s the right model to upload peoples’ data without properly informing them that it’s being done this way.’
But Dr Tony Calland, chair of the BMA’s Medical Ethics Committee, said that identifiable patient data would only be given out if there was a ‘particular research project’.
He said: ‘[HSCIC] could only give out some or any of their identifiable data with Section 251 approval, which would only be given for a specific purpose.’
Dr Neil Bhatia, a GP in from Hampshire with an interest in IT and information governance, said: ‘What patients don’t realise is that once their information is out there it stays out there. If patients object to these organisations on ethical grounds that won’t make any difference, because the data could still be sent to them.’
A spokesperson for NHS England said: ‘Confidential information is sometimes released to approved researchers, if this is allowed by law and meets the strict rules that are in place to protect your privacy.
She added: ‘Patients who have objected to their data being used for anything other than direct care would not have their data shared under Section 251.’