In June 2014, the UK Department of Health published its consultation, ‘Protecting Health and Care Information: A consultation on proposals to introduce new Regulations.’
One proposal featured in the consultation would introduce ‘accredited safe havens,’ which would allow organisations to store identifiable patient data securely. Margaret Tofalides and James Cassidy of Clyde & Co LLP examine the proposal and the concept of the ‘accredited safe haven.’
The Department of Health’s recently released consultation on proposals to introduce new Regulations to govern the management of patient identifiable data is an exciting new development in the critical world of sharing health data. The proposed Regulations will allow organisations to become a ‘safe haven’ facilitating their access to identifiable patient data currently held by the Health and Social Care Information Centre (‘HSCIC’). The Consultation proposes to introduce Regulations to create Accredited Safe Havens (‘ASH’) in order to provide further safeguards and comfort in relation to the processing of health information. This area has been relatively controversial having regard to historic breaches and the proposals promise to guarantee greater openness and reassurance to the public.
The Consultation, ‘Protecting Health and Care Information,’ sets out in some detail the proposals for ASHs, their purpose and the controls that would be in place. The Consultation acknowledges that there are a number of powerful and ‘obvious’ arguments to warrant the sharing of health data, but accepts that there is still a growing awareness of information rights and the need for suitable safeguards to be in place. Historically, accusations have been levelled at the ease with which health data was released to commercial companies. This needs to be contained to safeguard data subject’ interests but the really positive uses of data sharing for clinical commissioning and patient care show significant value in trying to get safeguards right for future use.
An ASH will ‘provide a secure environment within which data that could potentially identify individuals can be lawfully processed for a limited range of approved purposes, under controls that minimise reliance upon identifiable data and constrain how the data is processed.’ However, the NHS clearly needs to earn the trust of patients in the way it handles their sensitive and confidential data and therein lies the challenge.
What’s in an ASH?
An ASH would provide a process by which personal identifiable data could be securely and lawfully accessed, however the guidance states that data would be nonidentifiable wherever possible. The Consultation states ‘the data that will be used by ASH will be person-level data but as our starting point is that the risk of individuals being identified must be minimised, any identifiers that are not necessary of the processing will have been removed.’ The anonymised data will then be used by the ASH in order to identify ways in which to improve healthcare services.
The proposed Regulations would set out the broad purposes for which data could be disclosed to an ASH, and for which that data could be used within an ASH. The Consultation identifies the benefits of sharing information held by the HSCIC with those who can then analyse and interpret it, and the Regulations in general terms would seek to ensure that any information shared was done so appropriately and securely. With the increasing awareness of the public regarding their Data Protection Act 1998 (‘DPA’) rights and the growing enforcement power and profile of the UK’s Information Commissioner’s Office (‘ICO’), these Regulations effectively seek to ensure that any data shared with an ASH is done so in a manner that will be compliant with the DPA.
In terms of who would be likely to apply to become an ASH, the Consultation identifies that those currently under statutory control by virtue of Section 251 of the National Health Service Act 2006 would be likely to seek ASH status. In order to become an ASH, an organisation would need to be approved or ‘sponsored’ by the Department of Health or NHS England and the Secretary of State would approve the organisation’s status on the advice of the HSCIC.
Sharing data for a range of purposes
The Consultation identifies that information could be shared for broad purposes. An ASH would be able to receive information from more than one source and use it for purposes related to the commissioning and provision of public health and social care.
Once an ASH holds data, it would only be entitled to use the information limited to the following purposes:
- Making the patient in question less readily identifiable.
- Conducting geographical analysis
- Analysing differences between population groups
- Validating and improving the quality or completeness of information, or data derived from such information
- Auditing, monitoring and analysing the provision made for patient care and treatment, including outcomes, costs and patient satisfaction
- Understanding and analysing risks to individuals and informing those responsible for the care of the results of that analysis
- Providing those responsible for providing care to an individual with information that might inform or support that care
- Ensuring the correct payment is made for the care provided
It is proposed that the Regulations would seek to make it explicit in relation to the circumstances in which information could be shared, and also provide further safeguards to ensure that if information is shared on that basis, it is done so with sufficient controls.
In relation to the controls proposed by the guidelines, it is clear that there will be strict controls for providing information to and extracting information from an ASH. The Regulations would set out in some detail controls and requirements placed upon an ASH in relation to data received. This would include a requirement to publish information on the steps taken to comply with the regulation.
The ability for an ASH to release data would however be very limited indeed. At present the consultation proposes to only allow an ASH to release data in the following circumstances:
- To third parties directly involved in the care of the data subject
- To third parties able to receive the information on some other lawful basis
- Or by way of publication when it has been effectively anonymised
It is of note therefore that whilst information can be disclosed to an ASH for a large number of purposes, on first view, there are at present very few circumstances in which that information may be passed on to third parties. The proposal will however allow information to be shared on a ‘lawful basis’ and therefore this may mean that data could be shared by an ASH provided it meets the criteria set out in the Data Protection Act.
The Regulations confirm that those working for an ASH would also be subject to a civil penalty within the regulations not exceeding GBP 5,000 for any breach of the regulations. This again seems in line with the ICO’s more active and aggressive line in enforcing the rights of data subjects.
It is interesting to note that the Regulations would also permit data subjects to object to their data being processed by an ASH. The guidance states: ‘in line with the NHS Constitution, if individuals object to data about them being used in this way, their objection should be respected and their data will not be used.’ It will be interesting to see how this proposal is taken forward and in particular how individuals would be notified when their data is transferred to an ASH, particularly where their information may be used on an anonymous basis. The Consultation acknowledges that this issue will be considered carefully as the Regulations progress.
The Consultation runs until 8 August 2014 and all organisations are invited to make comment and engage with the process. The proposed Regulations take a further step towards increasing the safeguards around the processing of health data. It is of note that the Regulations effectively seek to put into law a number of the Caldicott Principles and provide clarity for data subjects about how and when their data may be used.