"Accredited Safe Havens": Government Proposals for Sharing Health and Care Data Securely?

Over the summer, the Department of Health ("DoH") collected responses to its June 2014 consultation, "Protecting Health and Care Information: A consultation on proposals to introduce new Regulations".

 

Consultation Summary

Much of the consultation focuses on building trust around information sharing, by providing clear rules for the dissemination of personal data as well as a robust system for regulating the organisations that will store and process it.

The consultation period ended on 8 August 2014 and new regulations to achieve its proposals are expected to be in place by the end of this year (subject to Parliamentary approval). The proposed new regulations would apply in relation to England only.

One of the consultation's noteworthy proposals is the introduction of "accredited safe havens" ("ASH"); organisations who would be permitted to access potentially identifiable patient data in a secure environment for approved purposes.

 

Accredited Safe Havens

Legal background

There is already a statutory mechanism for organisations to apply for confidential medical information, where such data is required for an approved purpose such as improving patient care. This process is referred to as "section 251 support" and derives from the Health Service (Control of Patient Information) Regulations 2002, made under section 251 of the National Health Service Act 2006 ("2002 Regulations").

The consultation discusses weaknesses in this current system, including that it may not provide as much data coverage as is required, and that organisations have to go through the section 251 support process each time that they require a healthcare data set for a specific purpose. It further argues that the existing regime does not put strong enough controls in place to protect the data once it has been released.

Who might become an accredited safe haven?

The proposals envisage that the majority of non-research applicants which are already processing data under the temporary statutory controls would apply to the Secretary of State for accreditation as an ASH. Such organisations would need to be sponsored by the DoH or NHS England, and would be approved on the advice of the Health and Social Care Information Centre ("HSCIC"), which is the recently formed arm's length body responsible for holding patient data at the national level.

Once an ASH has been approved by the Secretary of State it would be permitted to process data for appropriate purposes without having to seek further approvals (as is currently required under the section 251 support process).

Purposes for which data would be disclosed

The proposed regulations would set out the broad purposes for which data could be disclosed to an ASH, and for which that data could then be used it. The purposes for which an ASH could use the data would be limited to the following:

  • making the patient in question less readily identifiable from the data;
  • conducting geographical analysis;
  • analysing differences between population groups;
  • validating and improving the quality or completeness of information;
  • auditing, monitoring and analysing the provision made for patient care and treatment, including outcomes, costs and patient satisfaction;
  • understanding and analysing risks to individuals and informing those responsible for their care of the results of that analysis;
  • providing those responsible for providing care to an individual with information that might inform or support that care; and
  • ensuring that the correct payment is made for care provided.

Data Protection

The proposals emphasise that ASHs would be subject to numerous strict controls governing the circumstances in which data can be received and disseminated by them. These would include requirements to remove personal data which is not needed, provide evidence of proper data processing practices and publish information about the types of data which the ASH is holding.

ASHs would only release data to third parties in very limited circumstances:

  • where the third party is directly involved in the care of the data subject;
  • where the third party is able to receive the information on some other lawful basis; or
  • by way of publication when it has been effectively anonymised in line with the DoH's anonymisation for publication standard.

The proposals also envisage ASH employees being personally liable to a civil fine for breaching these rules. Under the current section 251 support process such fines are capped at £5,000.

 

ASHs and care.data?

As we discussed in our February 2014 Focus Sheet, autumn 2014 is the proposed start date for the phased roll-out of NHS England's "care.data" programme. The ambitious data sharing project aims to bring together information from public bodies such as GP practices and hospitals, to be held and processed securely by the HSCIC.

Whilst the consultation under discussion is separate to the work on the care.data project, the two programmes are likely to interrelate as care.data information could be disseminated to ASHs by the HSCIC under the proposals.

The full consultation document, and the response to public feedback once it is published, can be accessed online here.