NHS England’s director of patients and information Tim Kelsey says ‘pseudonymisation at source’ technology is not ready for use on the care.data programme.

However, experts spoken to by EHI reveal that the technique is already used for large-scale research projects and they believe it could be applied to care.data.

Care.data involves extracting a new monthly dataset from GP practices and linking this with other datasets, such as the Hospital Episode Statistics, within the ‘safe haven’ of the Health and Social Care Information Centre.

NHS England announced on Tuesday that it would delay the start of extractions by six months to allow more time for the benefits and implications of the programme to be explained, following a public outcry over potential privacy issues.

The data extracted for the national database will include a person’s age, post code and NHS Number, but pseudonymisation at source would mean that this information never leaves the GP practice.

The technique uses a common key across all care settings, which generates a unique pseudonym for each individual that allows their data to be linked. Nearly half of all respondents to a recent EHI survey on care.data said pseudonymisation at source would allay the concerns that they have about the programme.

However, Kelsey told BBC Radio Shropshire on Thursday that while NHS England is “very excited about” pseudonymisation at source, it is a new technology and extractions "can’t be done like that at the moment”.

“The technologies are in a test phase and there are various legal reasons why it’s a problem; we are still looking at it,” he said.

Kelsey confirmed that extractions of GP data will begin in September, whether or not pseudonymisation at source becomes available, saying the NHS has been handling HES data safely for 25 years and if people are unhappy about it, they can opt out.

Julia Hippisley-Cox, professor of clinical epidemiology and general practice at Nottingham University, won the John Perry Prize in 2013 for developing the Open Pseudonymiser tool.

The free tool is used by the two major GP system suppliers, Emis and TPP, as well as the HSCIC and the National Office for Statistics.

She said that over the past year, pseudonymisation at source has been used by QResearch in a large-scale project involving data from 750 practices and 14m patients.  The data has been successfully linked to HES, cancer registry and mortality data from the last 20 years.

“We believe this method of protecting patients' data is scalable and could potentially be used by NHS England for care.data extracts, subject to large-scale testing,” explained Hippisley-Cox.

A TPP statement says the company uses strong pseudonymisation techniques that have helped to ensure that any large scale data linkage projects, such as ResearchOne meet all national ethical and governance requirements.

“There is no reason why this methodology could not (or should not) be delivered for national data extracts from clinical and administrative systems across the NHS,” it says.

Dr John Parry, TPP’s clinical director, described the pause in the care.data project as, “a golden opportunity for the NHS to set data export standards, facilitating important information flows whilst protecting patient confidentiality”.

“Strong pseudonymisation is an approach that will help to restore confidence in the governance of stratification processes and big-data linkage. It will substantially reduce the need for section 251 approvals and greatly legitimise the processing of data,” he said.

Joint chair of the Emis National User Group, Dr Hasib Ur-Rub, said the group met with Kelsey in December and put the case forward for pseudonymisation at source to be considered. 

“We had a very good meeting with him and hopefully have persuaded him of the importance of this for a successful roll out,” said Dr Hasib.

“It provides much better protection for patient confidentiality whilst still allowing for the data to be used for research and service planning.”

He added that while, “most patients are fine with anonymised data sitting on a government database, they remain very anxious about identifiable data sitting there when it is not for direct patient care.”

The HSCIC is reviewing the use of pseudonymisation at source.

However, a care.data privacy impact assessment published by NHS England says: “at the moment, the HSCIC considers pseudonymisation at source to be impractical because there is such a diverse range of care settings providing data to the programme and such a diverse range of information systems used in each setting.

EHI understands the HSCIC does not plan to make its review public, unless requested under the Freedom of Information Act.