EMIS recently received a contact from NHS England seeking their assistance in obtaining patient level data on appointment and consultation activity. This was to support and monitor the transformational changes in the service.
As this was a direct contact from NHS England and had not passed through HSCIC established pathways EMIS sought the view of the National User Group on their response to this request.
The national User Group had a number of concerns which we communicated with EMIS:
- EMIS is a data processor, not a data controller. Therefore they can only supply data under direct instruction from the practice
- The extracts concerned have not been through any independent verification system (such as the GPES IAG, CAG or SCCI)
- Whilst the data requested were “de-identified” it was not clear that such data would not be readily re-identifiable. Again this is something that would need to be assessed through a proper independent review process.
We were pleased that this view was shared by EMIS who communicated this back to NHS England.
It is important to note that the approach to EMIS was very much a request to discuss the process, however it does raise issues which are of concern to the NUG.
It highlights the need for a clear, transparent and agreed independent review process for any request for data from the GP records. Such a process would would give support for those seeking, as well as those tasked with supplying such information and allow then to verify that any request for data from NHS clinical systems meets all the appropriate governance requirements from the outset.
It also highlights the importance of a clear understanding by those making requests for data of the respective Data Processor and Data Controller roles of the GP system suppliers and the Practices respectively.
Chair EMIS National User Group