EMIS NUG update on Care.Data 29th August 2013

Mon, 29/07/2013 - 22:07 -- Geoff Schrecker

1.1 Background

  • The EMIS NUG is working on behalf of its members to help clarify the information governance arrangements relevant to NHS England’s care.data initiative in order to help provide the best possible protection for patient confidentiality and practices.
  • The care.data project is a new data flow which involves the extraction of identifiable data on every patient for submission to the Health and Social Care Information Centre unless a patient opts out. The government would like to link GP data to other data sources, including social care, and use it for a broad range of purposes.
  • The potential benefits of the care.data extract include helping to plan and monitor effective patient services, especially where patients receive care from several different organisations.
  • Though the NUG recognises the potential described above, it believes that there are at least two mechanisms available for linking data which is pseudonymised at source (reference http://www.openpseudonymiser.org/ and http://www.sapior.co.uk/), and NHS England has not provided a convincing argument why these could not be used for this care.data extract to further safeguard patients’ confidentiality.
  • EMIS NUG remains concerned that patients may not understand that their clinical information will be extracted in identifiable format, nor understand how that information will be used in the future.
  • Guidance has been issued by the BMA/RCGP/NHS England which can be found here http://www.england.nhs.uk/ourwork/tsd/data-info/
  • The NUG understands that some practices have already been told they are in the pilot project and that data extraction will begin shortly. There is no published list of pilot sites but we understand 76 practices are taking part in the pilot. All practices will then be required to take part in the Autumn. 
  • Before the data is extracted, the NUG suggests the following issues and action points are considered:

1.2 Information for patients

  • There is a poster for the waiting room suggested by NHS England/BMA/RCGP, or an alternative which we have uploaded and which can be downloaded from this page. Practices as data controller are responsible for ensuring their patients are fully informed under the Data Protection Act.
  • Care.data will extract patient information from the practice database. The practice as data controller cannot decline the request from care.data without the risk of prosecution. The only person who can decline the extraction of data is the individual patient.
  • If patient data is extracted from the practice clinical database without the patient being made aware, then the practice could be prosecuted by the patient. It is thus vital that the practice takes steps to try to inform its practice population about the care.data extraction so that individual patients have the opportunity to opt out of their personal data extraction. The NUG suggests you consider the following actions.

Five NUG Recommended Actions

  1. Practices should check the poster and see if they think it explains the issue to their patients. If not they could look at the NUG alternative poster [See Downloads on right].
  2. Practices should check the information on their practice leaflets and website to see if it is correct i.e. explains that confidential patient identifiable data will be extracted at some point after 1st April 2013. 
  3. Practices should ensure that staff are informed of the change so that they are able to inform patients and add the correct Read code should patients wish to opt out: 9Nu0 for patients who wish to opt out of upload to HSCIC, or 9Nu4 for patients who are happy for their data to be uploaded to HSCIC but do not wish HSCIC to share their data with other organisations unless de-identified.
  4. Practices should consider:
    • putting up posters in prominent positions in the waiting room,
    • adding similar information to patient information screens, patient newsletters and the practice web site.
    • Practices should consider discussing the issue with their practice participation group.
    • Practices should also have leaflets prepared to hand out to patients. An example leaflet can be downloaded from the Downloads link on the right of this page, or is available in web format at http://emisnug.org.uk/article/patient-information-caredata
  5. Practices should ensure that they have received a “deed of undertaking” and that it has been executed between their practice and EMIS before any identifiable data is extracted from their system.

1.3 Deed of undertaking

  • NUG representatives have been told that a ‘deed of undertaking’ must be executed between each practice and the system supplier (Data Processor) (1) in order to:
  1. document the data processor’s role as data processor for the practice
  2. document where liabilities and responsibilities lie should there be any inadvertent breaches of the Data Protection Act, such as the disclosure of confidential patient information before the data reaches another data controller such as the HSCIC
  3. help protect the practice from any financial penalties or legal action by patients whose confidentiality has been breached through no fault of its own
  • The deed of undertaking is currently being drafted by the BMA/GPC in discussion with the Health and Social Care Information Centre, RCGP, Medical Defence Union, MPS and BMA lawyers. The practice must receive and execute this with EMIS before any identifiable data is extracted from its system (action 5). 

1.4 Concerns from the Information Commissioner’s Office

  • The NUG understands that there are still some matters raised by the ICO to resolve before the care.data extraction begins.
  • The ICO’s representative kindly attended a NUG committee meeting in May 2013 and provided the NUG with the following interim statement on 1st July 2013.
  • The ICO will also be running a session at the forthcoming EMIS NUG conference on Thursday 3rd October to which NUG members are invited.

1st July 2013 ICO Interim Statement

“Whilst the Information Commissioner’s Office understands that the Care.data initiative has the potential to enable the health service to derive significant public health benefits from the large amount of data it generates, it has to be recognised that much of the data is about individuals, their treatment and conditions. This is data that the public would expect to be handled carefully.

Under the Data Protection Act (DPA) this is considered sensitive personal data and the Act has specific requirements that organisations must meet if they wish to process personal data. It does not mean it cannot be used but rather that it is handled in a way which complies with the law.     

Currently every indication is that the organisations concerned are making a concerted effort to ensure compliance with the DPA and they have shown a strong desire to work with the ICO to make this happen. However, there is still a lot of work to be undertaken to ensure that all of the obligations of the DPA will be met. 

We are currently working with key organisations and representative bodies on several important issues in relation to this initiative. These include:

  • Application of the Health and Social Care Act 2012 (HSCA) and its interface with the DPA.
  • The engagement of section 35 of the DPA (2)
  • The obligations of GPs to disclose the information to the HSCIC and their remaining obligations as data controllers
  • The obligations of the Health and Social Care Information Centre as receivers of the information and as data controllers
  • The fair processing responsibilities of GPs, the HSCIC and the NHSCB in providing information to patients, including the basis and process of the proposed opt-out scheme.

We are due to have further discussions with the parties involved in the care.data initiative. This is a priority issue for the ICO and once discussions have taken place we will issue a further statement setting out our views regarding the above topics and any other data protection implications of care.data.

Our understanding is that the pilots are underway. We have made it clear that it is the fair processing we are most concerned about in making sure that the messages are clear, can be easily understood and that if an ‘opt-out’ scheme is offered it is simple to initiate”.

End of ICO statement.

(1) “where the processing of personal data is carried out by a Data Processor (DP) on behalf of a Data Controller (DC) the DC is not regarded as complying with the 7th principle of the DPA unless; The processing is carried out by contract; which is made or evidenced in writing and under which the DP is to act only on instructions from the DC and the contract requires the DP to comply with the obligations of the 7th principle” ICO 29/8/2013

(2) section 35 states “Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court”. It is the NUG’s understanding that there is uncertainty whether section 35 can apply to a routine data flow rather than a one-off extract.
