NHS tries to distance itself from past data lapses (Wired UK)

Don't worry guys, it was a previous version of our organisation that messed up



The way data has been handled and released by the NHS over the
last decade has revealed a “disappointing” number of lapses,
according to the Partridge Review. However, the NHS has tried to
distance itself from the breaches, attributing the blame to an
organisation that has since been relaunched under another name.

Following a number of media reports about NHS data breaches and
concern about poor communication of NHS data sharing initiative
Care.data, Sir Nick Partridge was asked to review the data released
by the health service. His investigations have focused on the NHS’s
Information Centre, an organisation that existed between April 2005
and March 2013. Since March 2013, it’s been replaced by the Health
and Social Care Information Centre (HSCIC) — a rebrand and an
expanded remit are all that separate the two. The review — carried
out by PwC — aimed to explore how much data was released by the
Centre that could have run the risk of identifying patients.

The Information Centre collected information about health and
social care from hospitals, GPs, local authorities and other
service providers. Most of the data was supposedly “aggregated and
anonymised”, but much of it was pseudonymised, patient-level

The Partridge Review revealed a number of worrying lapses,
including the fact that there were two “data releases” (meaning
data where there is a potential risk of reidentification of
patients) to organisations that can’t be identified — the record
is missing from the archive. “Data of this type should not have
been released without a data sharing agreement including
restrictions on how the data should be stored, used and eventually
destroyed — all of which should have been monitored by the NHS
IC,” says Partridge — who is non-executive director of HSCIC — in
his findings. It is thought that some of the data “is likely” to
have gone to a nurse carrying out research, but it’s not

“To earn the public’s trust in future, we must be able to show
that our controls are meticulous, fool-proof and solid as a rock,”
Partridge says.

The other release relates to Hospital Episode Statistics from
after 2009 which may have been released by a contractor called
Northgate, which handled the data release management of this sort
of data on behalf of the NHS. Supposedly the data handling improved
after the NHS started to manage it internally, but PwC found that
around 10 percent of the sample data releases (around 3,000) it
examined didn’t have records to show procedural compliance.

The report points out that no individual has ever complained
that their confidentiality was breached (a fact disputed by privacy campaigners), but then how on earth would
an individual know if an insurance company had accessed their medical records?

The answer is, they don’t. But in advance of a law change to be
included in the Care Act (2014), it will be illegal for potentially
identifiable information to be used by anyone for purposes other
than those that benefit the health and social care systems.
Partridge says he’s written to three re-insurance companies that
had access to the data to tell them they have to delete it before
the legislation comes in.

Overall, Partridge says that the Information Centre had no
single gateway for data requests and that there were “too many
disparate, disjointed processes for the sharing of data”.

Partridge makes a number of recommendations, including making
sure that all worrying data releases are deleted appropriately,
that there is a transparent process for managing data release and a
robust audit function.

But the most glaring aspect of the report is how keenly the NHS
wants to distance itself from the previous iteration of the
Information Centre.

In his review, Partridge says: “It disappoints me to report that
this review has discovered lapses in the strict arrangements that
were supposed to be in place to ensure that people’s personal data
would never be used improperly.” Before adding: “These lapses
occurred before the HSCIC came into being and so it might be said
that they are not HSCIC’s fault.”

Of course HSCIC has a new board and a “largely new” senior
executive team, but it is fundamentally the same organisation with
the same procedures. It seems extraordinary to Wired.co.uk that a
government body should be able to have a swift rebrand in order to
absolve itself of responsibility for its past misgivings, but we’ve
already wasted enough pixels making that point. The government now needs to restore
public trust in data-sharing scheme care.data, which will see GP
records being stored centrally for the first time at the HSCIC.

MedConfidential campaigner Phil Booth said in a statement: “We welcome Sir Nick Partridge’s
recommendations, but patients need to see the evidence that they’ve
been acted on. Public confidence depends on actions, not just



“If patients are to trust that procedures and audit are working
they must be provided proof of who has their own data, what they
are using it for and when it has been deleted. If the systems being
constructed for a 21st century NHS cannot provide these answers,
they are not fit for purpose.”


20 June 2014 | 4:12 pm – Source: wired.co.uk
