NHS data governance in critical condition

The NHS desperately needs to rebuild public confidence in its ability to handle sensitive data - but so far it appears to be in denial over the crisis, writes Sooraj Shah

Just when the NHS needed a boost its image in the eyes of the public – at a time when Health Secretary Jeremy Hunt is trying to push through his controversial care.data plans – trust in the organisation has reached an all-time low.

A shocking internal review into NHS practices found that millions of patients’ NHS data was sold to private companies over the last decade. This, coupled with recent reports that 13 years of hospital data – covering 47 million patients – was sold by the NHS for insurance purposes, has shattered what little confidence the general public had in the organisation.

The review into data handling within the NHS, undertaken by Sir Nick Partridge on behalf of the NHS Information Centre (IC), found that it had made “significant lapses” in recording the release of the data.

Between 2005 and 2012, 588 data releases were made to private-sector organisations excluding charities, for the purpose of “analytics, benchmarking and research”. The organisations included technology companies, healthcare consultancies, insurance firms and pharmaceutical giants AstraZeneca and GlaxoSmithKline.

Partridge said the Health and Social Care Information Centre (HSCIC) should “learn the lessons from the loosely recorded processes of its predecessor organisation”, and put forward a number of recommendations for the organisation to act on. But is this enough? Or do Partridge’s revelations justify a tougher response and perhaps a complete overhaul of the NHS’s data handling practices?

After all, the HSCIC is essentially the same NHS IC that Partridge castigates, but under a new name.

Phil Booth, from privacy campaign group MedConfidential, believes there must be serious repercussions.

“You can’t just wipe the slate clean. This is like a million records, it’s one of the largest [data breaches that has been uncovered] in NHS history so there has to be consequences,” he says.

The Partridge Review revealed that in two separate cases there were data releases to organisations, but no record to show which organisation received the data.

According to Rhys Thomas, partner at law firm Jones Day, we may never know how much was given away, or where it is now.

“Who knows where the data ends up – there needs to be a robust system in place to ensure this isn’t repeated,” he says.

In his review, Partridge acknowledged that this was unacceptable.

“Data of this type should not have been released without a data sharing agreement including restrictions on how the data should be stored, used and eventually destroyed – all of which should have been monitored by the NHS IC,” Partridge wrote.

The Information Commissioner’s Office (ICO) is currently undertaking an end-to-end audit on the NHS’s historical data, and it remains to be seen how the data protection watchdog will proceed after its findings.

What is known is that the ICO seems increasingly willing to slap fines on public-sector bodies – with penalties so far amounting to over £4m. But Thomas believes the NHS should be more worried about the resources it might have to put into rectifying its data processes.

“There is going to be a lot of work going into that audit, in ensuring there are remediation steps that are taken to resolve any lapses – this will dwarf any fines that the ICO might issue,” he says.

The Partridge Review suggested several changes to ensure tighter controls and better transparency over NHS data practices.

Booth welcomed the recommendations but argued that with the controversial care.data scheme on the horizon, the NHS must be able to demonstrate that it has taken the prescribed steps before GPs start sharing data on patients.

“They propose to use huge amounts of GP data, even though they are still sending things into black holes and failing to comply with basic procedures,” he says.

But the NHS isn’t alone in being cack-handed, or at worst downright shady, in the way it handles patient data. For example, one of its partners, ultrasound technology provider Diagnostic Health, suffered a data breach that potentially affected up to 10,000 patients.

In this instance, the legal liability remains with the NHS because it is the original controller of that data, but there is also a responsibility on behalf of the third party.

“It would be a framework agreement stating that you need to store this data as if you were an employee of the hospital. The onus is then on the company to operate within that framework,” Orlando Agrippa, deputy CIO at Barts Health NHS Trust, explains.

Elizabeth Robertson, partner at Jones Day, adds that any such contract should be “robust” and incorporate existing data protection legislation, which states that third parties should protect the data, only use it for the purposes that it originally set out to use it for, and critically, hand the data back at the end of the contract.

The problem, according to Booth, is that many third parties with NHS contracts keep hold of patient data indefinitely.

HSCIC’s chief executive, Andy Williams, has written to three of the re-insurers who hold Hospital Episode Statistics (HES) data, asking them to delete it, but Booth claims that no one knows if those firms have complied.

He adds that it’s worrying that the Partridge review did not point to a single instance of an audited deletion of data.

“Specific mention is made of the suspension of research use, but no such action appears to have been taken in the case of commercial users (or re-users) of NHS patient data, which one can only assume still hold and process data,” he says.

There are three entities that can order data to be deleted in the event of a breach: the first is the data subject or subjects themselves; the second is the ICO; and the third is the NHS itself.

“In [law firm Jones Day’s] view, the NHS should be doing this to protect its reputation,” says Robertson.

Moving forwards, Booth suggests that there should be an “end-to-end audit” available to patients so that every patient knows who has their data and what they’re doing with it.

But unlike Booth, Agrippa believes that sharing patient data with the likes of AstraZeneca could “further advance healthcare for the greater good”.

“If it means that we use the intelligence from a free system, to further healthcare without increased premiums, then I endorse that,” he says.

He argues that with the rise of social media and personal dietary and health-related apps, people are more willing than ever to share information such as calorie intake and location-based data, adding: “It is slightly different but not completely. Is HSCIC sharing that data outlandishly bad compared to the data that’s already out there?”

However, Partridge believes opposition to care.data will only fade once the HSCIC and the wider NHS regain the public’s trust. “To earn the public’s trust in future, we must be able to show that our controls are meticulous, fool-proof and solid as a rock,” he said.

But HSCIC’s best chance of earning the public’s trust is to take responsibility for its past actions - something it is strenuously avoiding. Despite the HSCIC being branded as a new organisation, it is basically the same as the old NHS IC, with many of the same staff. Partridge suggests that things can improve because the organisation has a new name, a new board and several new members on its senior executive team. But until the organisation is prepared to throw open the curtains on its shady practices with patient data, this will be seen as a simple marketing exercise, and will fail to win public trust.

@Sooraj_Shah