NHS records will supposedly only be released where there is a "clear health benefit", rather than for "purely commercial" use by insurers and other companies.
As testimony to a Parliamentary Committee last week indicated, there is disagreement about notions of "clear health benefit" and about the effectiveness of measures to ensure privacy through pseudonymisation of data released directly by the NHS or under the care.data initiative.
Importantly, the Government has indicated that it will "bolster criminal sanctions for organisations which breach data protection laws by disclosing people's personal data". That change will apparently centre on what is described as a "one strike and you're out" approach, with misbehaving organisations being permanently banned from accessing the data.
I have noted the growing controversy over reports that in 2012 the Institute and Faculty of Actuaries obtained hospital data about 47 million patients. The supposed price was a mere £2,220.
The Government will now formalise a ban on the HSCIC releasing GP and hospital information "for commercial purposes". Presumably that restriction will not apply to pharmaceutical and medical device research entities, most of which operate on a commercial basis.
The legislation will also introduce new measures to "deter" misuse of NHS data, with companies that “recklessly disclose” personal information being liable to prosecution for a criminal offence that carries a maximum penalty of £500,000. That penalty as such is inadequate, although for large organisations the risk of no longer being able to access the data may be a more effective sanction.
In what is apparently regarded as a major step forward (rather than what should have been a given), NHS data will reportedly only be released to organisations that have abided by data protection rules. Organisations wishing to use care.data information will have to prove that they are doing so on an “ethical basis” that will benefit patients and not breach privacy.
Growing criticism about inept handling of the opt-out arrangements for patients, highlighted by MedConfidential, is reportedly reflected in a plan that people will be able to opt out by phone and receive a legally-backed assurance that “no identifiable information” about them will enter the database.
Importantly, the Health and Social Care Information Centre and NHS will have to publish information about which organisations have received NHS data and the justification for the decision.
The Health Minister, noting that new measures are necessary to restore “public confidence”, is reported as stating
People want rights over how their health and care data, especially data that identify them, are being used. Safeguards will be put in place over and above what NHS England does to build public confidence.
We know there is an enormous prize in our grasp, but we know we will win that prize only if we are very careful and thoughtful about how to proceed, taking the public with us.

Given the Caldicott Report we might wonder why the Government and senior officials hadn't had that recognition prior to now.
The UK Information Commissioner, who has traditionally adopted a more positive stance than the OAIC, has commented -
“Last summer I issued a warning to organisations across the UK that the public are now waking up to the value of their personal information and the importance of treating it properly. Any organisation or business that failed to handle people’s information properly in 2013, I said, would quickly find themselves losing trust and losing customers.
In the months that followed it was two big data developments in the public sector that provoked widespread public unease. First there was Edward Snowden with his revelations about the activities of the security services, in the United States and in Europe. Then the GP data extraction scheme, care.data, was put on hold because a significant number of patients were asserting their right to stay in control of their information.
We should see these developments as a line in the sand. Members of the public know this country has a Data Protection Act, they understand it requires organisations and companies to look after their information properly. Citizens and consumers expect organisations to be open and upfront with how their information will be used. In a digital age, this knowledge is invaluable and shows why the Act is so important. We must all get it right, or suffer the consequence