That investigation follows public and official expressions of concern earlier this year regarding the UK care.data initiative and the sale of ineffectively anonymised bulk health data, disregarding cautions provided in the Caldicott Report.
The Guardian comments that the UK Parliament's health select committee was unconvinced by the arguments put forward in February by the Health & Social Care Information Centre (HSCIC), operator of the 'care.data' central warehouse for health data, that patient privacy had been safeguarded.
The audit reportedly indicates that 3,059 data releases took place between 2005 and 2013. A detailed examination of 10% of those releases found "lapses in the strict arrangements that were supposed to be in place to ensure that people's personal data would never be used improperly". One research programme had no legal authority to get patient-identifiable data but was still accessing NHS records in 2014. A further eight were still getting mortality data (potentially enabling identification of individual patients) without approval.
There were "data sharing agreements" with three reinsurance companies that allowed reinsurers to continue to use the data until the agreements expired in 2015 and 2016. All three companies have now been asked to delete the medical records.
The HSCIC states that
Following an independent review into data releases made by our predecessor organisation the NHS Information Centre (NHS IC), our board has set out a series of steps to guarantee greater openness and reassurance to the public, stricter controls over data use and better clarity for data users.
These steps include:
- Patients and public representatives will be part of a new membership of the HSCIC's data oversight committee, the Data Access Advisory Group (DAAG).
- All data agreements will be re-issued, to ensure activity is centrally logged, monitored and audited, resulting in a clear and transparent process.
- Decisions will be documented and published.
- A new, strengthened audit function will monitor adherence to data sharing agreements and halt the flow of data if there are any concerns exposed.
- A programme of active communication to the public and patients will help bring greater clarity about an individual's right to object to their data flowing to or from the HSCIC.
The review, led by Sir Nick Partridge and carried out by PricewaterhouseCoopers (PwC), was published [PDF] on 17 June 2014. It concluded there were significant administrative lapses in recording the release of data at the NHS IC.Partridge commented that
It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly.
These lapses occurred before the HSCIC came into being and so it might be said that they are not the HSCIC’s fault. However, that is beside the point. The lapses are very much our responsibility to address. The HSCIC has a new Board and largely new senior executive team, but it inherited many of the NHS IC’s staff and procedures. Crucially it inherited information-sharing agreements with universities, companies, charities and other organisations that were given access to data by the NHS IC. Any lapses in the procedures for data released under the stewardship of the NHS IC during the eight years to 31st March 2013 may continue to have implications for the handling of the data today.He went on to make recommendations
1) That the HSCIC undertakes a programme of work to ensure that data has been deleted appropriately for all data releases referenced in the PwC report, where the agreement has ended.
2) That the HSCIC develops one clear, simple, efficient and transparent process for the management of all data releases.
3) That the HSCIC implements a robust audit function, which will enable ongoing scrutiny of how data is being used, stored and deleted by those receiving it.
4) That the HSCIC publishes its policy, process and governance for the release of data.
5) That the HSCIC ensures there is clear, transparent and timely decision making, via the appropriate governance for all data releases, and that all decisions are documented and published on its website.
6) That the HSCIC implements a robust record keeping approach and that the details of all data releases (including the purpose for which they are released) are made available on its website.
7) That the HSCIC develops one Data Sharing Agreement, which is used for all releases of data, and which includes clear sanctions for any breaches.
8) That the HSCIC actively pursues a technical solution to allow access to data, without the need to release data out of the HSCIC to external organisations.
9) That the HSCIC quarterly Register of all data releases includes the number of law enforcement agencies’ person tracing requests processed by the National Back Office. The Register will also include all data being released under NHS IC data sharing agreements, ensuring it is providing a comprehensive account to the public of all data being shared.The Guardian comments that
One set of records – which included a decade's worth of hospital data with patients' partial postcodes and partial date of birth, including month and year as well as gender, dates of admission, diagnosis, speciality, and treatment – went to French multinational reinsurer Scor. Another similar data set went to the UK subsidiary of the Reinsurance Group of America. Both were used to set "reinsurance premiums" for insuring critical illness conditions.
Another reinsurer Millman obtained two years of patient care data – detailing NHS number, age at start of hospital spell, gender, partial postcode, dates of admission, diagnosis, speciality, and treatment – to be used as part of a product sold to customers.
.... There was also apparent confirmation that a centralised database could be accessed by police to locate individuals. There were 12,733 "accepted and approved" approaches to the NHS, which led to 3,104 leads for officers. The HSCIC has said it will now report every quarter on requests from law enforcement, stressing that the data only reveals the location of the nearest GP and would only be given for investigations into serious crimes.