The Department of Health has issued guidance on the creation of patient data ‘safe havens’ that will govern access to confidential data held by the Health and Social Care Information Centre (HSCIC).

The guidance, entitled ‘Protecting Health and Care Information’, sets out the department’s proposals to allow organisations to set up accredited safe havens (ASHs) that will have access to identifiable patient data held by the HSCIC.

The DH says that, when enacted, the new measures should strengthen safeguards on patient data. The guidance says that any safe haven will have to be accredited by the health secretary and that only the minimum “necessary level of identifiable information” will be used.

“Our vision is that ASHs will provide a secure environment within which data that could potentially identify individuals can be lawfully processed for a limited range of approved purposes, under controls that minimise reliance upon identifiable data and constrain how the data is processed in the ASH,” the guidance says.

The government says it would expect the majority of non-research organisations that are currently processing data under temporary controls, such as section 251 of the Health and Social Care Act, to apply to become an ASH.

Section 251 currently allows some identifiable data sets to flow from HSCIC to commissioning support units and clinical commissioning groups.

“Bodies seeking to become an ASH will have to be sponsored by the DH or NHS England,” the guidance says, and adds that the health secretary will approve their ASH status “on the advice of the HSCIC.”

The current s251 exemption expires in October this year, and EHI reported last week that NHS England has applied for an extension to April 2015.

All commissioning support units and some clinical commissioning groups have expressed an interest in becoming an ASH and have said that they cannot carry out essential work such as risk stratification without being able to process patient data.

However, Dame Fiona Caldicott’s second review of information governance said that non-identifiable information should be used.

The government’s proposal says it will require an ASH to remove any information that could identify the person it relates to “as far as it is practical to do so”, and the organisation will have to provide evidence of the steps taken towards anonymising the data.

It says that as new technology becomes available, the need for identifiable data should be reduced and that it will expect ASHs to implement technology to “reduce or eliminate the need for those working in the ASH to handle identifiable information.”

Privacy campaigners have argued that there is scope for potential misuse of the information and that by linking datasets that would not in themselves contain identifiable data, re-identification could occur.

“Information which does not itself identify individuals could potentially be linked with other information and used to identify individuals by a motivated person,” says the guidance. “The proposed regulations would require HSCIC or an ASH to limit disclosure of potentially identifiable information.”

It adds that the regulations would include controls to ensure that those receiving the information will not be able to use it to re-identify individuals.

If a recipient of data does this, it is a breach of the Data Protection Act and this could allow the Information Commissioner to impose a fine of up to £500,000.

The guidance says that the ASHs will have to review their needs to process confidential patient data yearly and report any incidents of loss of data or information governance breaches to the HSCIC through an online reporting tool.

In December last year, the HSCIC proposed that ASHs would be subject to significant fines if they breach their requirements for handling patient data. The DH guidance says that providers will be liable for a civil penalty not exceeding £5,000 if they do not comply with the appropriate safeguards and rules.

The consultation will run until 8 August and organisations can respond to it.