The Health and Social Care Information Centre is reviewing how it provides non-clinical information about NHS patients to law enforcement organisations, after concerns were raised by a privacy watchdog.
News of the review comes after EHI reported in July that more than 2,700 releases of non-clinical information about NHS patients were made to law enforcement organisations in the year to March 2014.
The information was included in the HSCIC’s quarterly register of approved data releases, which was established in connection with a review by HSCIC board member Sir Nick Partridge into how its predecessor the NHS Information Centre shared patient data.
The details about releases to law enforcement over the longer 12-month period were included after privacy campaign group medConfidential drew attention to their absence from the HSCIC’s data audits.
From April 2013 to March 2014, there were 2,758 releases of non-clinical information made from the National Back Office, including 491 to police forces, 321 to the National Crime Agency and 1,944 to the Home Office.
Phil Booth, the co-founder of medConfidential, told EHI at the time that the figures showed the scale of data being shared with law enforcement.
“We knew police were going and asking and getting data from the NHS… but we weren’t aware of the scale of it. It’s quite shocking. You’re talking of thousands of requests a year – it’s routine.”
In a new report on the HSCIC’s progress against the review’s recommendations, Partridge said the board has decided to undertake a review of the tracing service “in recognition of the wide range of views expressed” since information on the number of requests was published.
The review will be chaired by Maria Goddard, a non-executive board member and the director of the Centre for Health Economics at the University of York.
Partridge’s report says the review will “look at the checks and balances in place to assess requests, the utility of the service to law enforcement and the concerns of those who object to health data being used for this purpose”.
The HSCIC says it will release non-clinical information to assist law enforcement with tracing individuals when compelled to do so by a court order or under section 29 of the Data Protection Act.
The requesting organisation will generally only receive the name and date of birth under which the individual is currently, or has previously been, registered with a GP and the area in which the GP is located – but not the details of the individual GP surgery.
It says there are “rare cases” when demographic details may be given, such as when an individual has died, but not clinical information.
Booth told EHI the review is to be welcomed, but must be “absolutely transparent” on the rules in place for sharing data with law enforcement.
“They have to be absolutely clear, because we’ve got numbers but we don’t have a clear definition of what information is shared for and what decisions they’re making and why.”
A “clear, substantive set of rules” must be put in place to ensure the public can have confidence that their data is not being improperly shared with law enforcement organisations, he said.
An HSCIC spokesperson told EHI the review will also cover other tracing requests submitted to the NBO, which helps to track individuals who have been identified as potential bone marrow donors and aids charities who are supporting people wanting to re-establish contact with family members.
The spokesperson said the review will include consultation with law enforcement, charities and NHS services such as screening programmes, as well as civil liberty campaigners and thinkers and information governance experts.
Timelines for the review will be published after a steering group meeting this month.
The report from Partridge also addresses “serious issues” with managing a backlog of data requests that have built up at the organisation, which it says is partly due to more stringent checks and controls that have been put in place.
The report says: “The expectation is that the backlog will be cleared and new service standards fully introduced by the end of January 2015.”
The HSCIC has also identified problems with the legal permissions for nearly 30 university research studies and suspended their access to data.
Nine studies were suspended following an original June review which found that they had not reapplied for legal permission to receive data following a law change in 2008.
The report says the HSCIC is working with the affected projects to ensure they apply for the correct approvals and can regain access once the necessary safeguards are in place.