Currently GPs are being asked to sign up to a daunting plethora of data-sharing agreements (DSA), which pass information between ‘data controllers’ (e.g. a GP practice or hospital).
Broadly there are two distinct categories of data sharing agreements between practices and other organisations: those that involve care record-sharing and those that involve data reporting. Different considerations apply to these categories.
Those requested by CCGs and local authorities for commissioning purposes fall into the category of a data-reporting agreement, which use anonymised or pseudonymised data to produce, for example, performance dashboards for payment or quality improvement purposes.
Those requested for clinical care could include a request from a hospital for an agreement to allow ward pharmacists access to the GP patient record when a patient is admitted to hospital. These latter agreements cover care record-sharing.
Practices must be clear at the outset whether they are being asked to agree a mechanism for data reporting (in which case anonymised or pseudonymised data is sufficient and more appropriate) or an agreement for sharing patient care records. Distinct considerations apply to each (most notably around patient consent).
A key problem we have encountered is that some organisations (notably CCGs) are requesting care record-sharing inappropriately (and in some cases illegally) when their needs can be met by a data reporting agreement with anonymised or pseudonymised data.
Few GPs find evaluating the reasonableness of requests for data sharing an easy matter and, mindful of their duty to protect patient confidentiality, most are understandably anxious about sharing their patients’ personal data.
This guidance covers DSA, which is a systematic, routine form of data-sharing involving general principles and often large volumes of data. It does not cover ad hoc requests nor does it cover sharing of data with data processors – where another party processes data on a data controller’s behalf (the Information Commissioner’s Office (ICO) have issued separate guidance on these circumstances).
When deciding whether to enter into an arrangement to share your patient’s personal data you can interrogate the data sharing agreement by asking the following ten questions.
1 What is the sharing meant to achieve?
You should have in the DSA a clear objective, or set of objectives. Being clear about this will allow you to work out what data you need to share and who with. It is good practice to document this.
2 Could the objective of the sharing be achieved without sharing the data or by anonymising or pseudonymising it?
The most important question to ask of any data sharing agreement is this. It applies particularly with a data reporting sharing agreement. It is not appropriate to use personally identifiable data for CCGs commissioning purposes or to plan service provision, for example, where this could be done with pseudonymised or anonymised data or aggregate data (number counts).
3 What information needs to be shared?
Here the ‘need to know’ principle applies and the DSA should not require more of a person’s record than is necessary for the objectives. So a patient’s consultation history may not be shared when a drug history is all that is needed.
4 Is explicit patient consent required?
Consent (explicit and informed consent for sensitive personal data) is one of the conditions the Data Protection Act provides to legitimise processing. There must therefore be some form of active communication where the informed individual knowingly indicates consent.
Whilst consent will provide a basis on which organisations can share personal data, the ICO recognises that it is not always achievable or even desirable. If you are going to rely on consent as your condition you must be sure that individuals know precisely what data sharing they are consenting to and understand its implications for them. They must also have genuine control over whether or not the data sharing takes place and be able to have their dissent respected.
It is bad practice to offer individuals a ‘choice’ if the data sharing is going to take place regardless of their wishes, for example where it is required by statute or is necessary for the provision of an essential service. Practices must allow patients to dissent from sharing their records and must record and respect that dissent. You must give patients this opportunity by informing them fully of the circumstances in which their data will be shared.
Practices must satisfy themselves that they can clearly identify patients (for example by the appropriate READ code) who have expressed an objection to their data being processed other than by the practice and or being transferred to third parties (even for a lawful purpose) outside of the GP practice system.
Additionally, prior to data extraction, it is incumbent upon the GP practice to ensure that all statutory prohibitions in relation to certain, special, conditions of their registered patients (such as those covered by the Human Fertilisation and Embryology (Disclosure of Information Act 2002) are readily identifiable and able to be excluded from data transfer. For advice on this visit the Information Commissioner’s Office (ICO) website (www.ico.org.uk).
5 Who requires access to the shared personal data?
Here it is important to establish ‘need to know’ principles, meaning that other organisations should only have access to your data if they need it for legitimate reasons, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties. The DSA should specify the potential recipients or types of recipient and the circumstances in which they will have access.
6 When should it be shared?
This should be clearly documented, setting out whether the sharing should be an ongoing, routine process or whether it should only take place in response to particular events.
7 How should it be shared?
Difficulties can arise when the organisations involved have different standards of security and security cultures or use different protective marking systems. It can also be difficult to establish common security standards where there are differences in organisations’ IT systems and procedures. Any such problems should be resolved before any personal data is shared and an agreed set of security standards must be signed up to by all the parties involved in a data sharing agreement.
There should be clear instructions about the security steps which need to be followed when sharing information by a variety of methods, for example phone, fax, email or face to face.
8 How can we check the sharing is achieving its objectives?
You will need the opportunity at some specified future date to be able to judge whether the DSA is still appropriate and confirm that the safeguards still match the risks.
9 What risk does the data sharing pose?
Is any patient likely to be damaged by it? Is any patient likely to object? Might it undermine patients’ trust in their practice?
10 Do I need to update my notification?
You need to ensure that the sharing is covered in your ICO register entry.
This advice is based on careful examination of the relevant legislation and guidance but it does not constitute a formal legal opinion.
Julie Sharman works for Londonwide LMCs.
ICO. Data Sharing Code of Practice. May 2011.
Department of Health. NHS confidentiality code of practice. 7 March 2003
Department of Health. The Caldicott Review. 26 April 2013.