The Health and Social Care Information Centre will take four weeks to audit the data releases of its predecessor, the NHS Information Centre, following intense public scrutiny of the bodies to which it released patient information.
The NHS IC came under fire at a meeting of the Commons health select committee last week on the care.data programme, after it emerged that it sold Hospital Episodes Statistics data to an insurers’ body.
HES will form the basis of care.data, which will combine this dataset with GP and other datasets, and release pseudonymised and anonymised information to researchers and to the public.
Care.data proponents had sought to rebut claims in the media that insurers would be able to obtain information from the new database; a claim that was apparently undermined by the revelations about HES.
It has since emerged that the NHS IC also released HES data to PA Consulting, which put it into a Google analysis tool based in the cloud.
NHS England head of patients and information Tim Kelsey told the Commons health select committee that care.data information would not leave the UK. But Google's distributed architecture makes it highly likely that it did, even though PA stresses that it "has done everything in accordance with HSCIC procedures" while delivering new insights for the NHS.
In response to these incidents, the HSCIC announced today that Sir Nick Partridge, the former chief executive of the Terence Higgins Trust, and one of its non-executive directors, will audit the NHS IC’s releases.
He will submit a report to the HSCIC board by the end of April. The HSCIC will also publish a report on detailing all the data it is releasing, and the legal basis on which it is being released, by 2 April.
Kingsley Manning, the chair of the HSCIC, said: “In both reviewing the actions of the old NHS Information Centre and publishing our own decisions, we are encouraging public scrutiny.
“The clear benefits to patients of research and analysis of medical outcomes must drive our lawful release of data.”
GP extractions to care.data were supposed to start last autumn and then in March, but they have been delayed until this autumn in response to concerns about whether patients have been given enough information to opt-out.
MPs at last week’s health committee meeting grilled officials from the HSCIC and NHS England about a leaflet campaign about the programme that did not mention it or include an opt-out form, the precise uses to which care.data will be put, and the code of conduct that will govern it.
Following the meeting, the HSCIC said it will put in place several measures to build public trust. One of these is to write to organisations that receive HSCIC data releases “reminding them of their responsibilities under their data sharing agreements with the HSCIC, including our right to audit their use of data released to them, as well as our intention to publish details of their access.”
Health secretary Jeremy Hunt also responded to the concerns raised by the committee by announcing that he would legislate to prevent the HSCIC from selling data for “purely commercial” uses by insurers and other companies.
He told the Telegraph and other papers that he would also seek a “one strike and you’re out” approach for organisations that abused public data, preventing them from accessing NHS data in the future.
Proposed amendments to the Care Bill, which was published yesterday, take forward these pledges, although critics have said they do not go as far as Hunt promised.
There is no explicit ban on data being sold or on it being released to insurers or other classes of company, although one amendment does say that information can only be released if the HSCIC “considers that disseminating the information would be for the purposes of the provision of health and social care.”
Similarly, there is no ‘one strike and you’re out’ provision, although a further amendment says the HSCIC can only release the data if “it has satisfied itself that the recipient is competent to handle the data in compliance with all statutory duties and to respect and promote the privacy of recipients of health services and adult social care.”
Manning said he welcomed health secretary Jeremy Hunt’s intention to strengthen the legal basis of the centre, which will increase patients’ ability to trust it.
Phil Booth, co-founder of the medConfidential privacy campaign welcomed the promise of legislation and said he was glad to see the health secretary “taking the care.data debacle seriously.”
But he warned the legislation might not go far enough, since the whole purpose of care.data was to provide information for ‘secondary purposes’ rather than direct care.
The HSCIC report will be updated quarterly. The centre says it intends to encourage public scrutiny of its decisions. It has also appointed three new non-executive directors.