18.06.14
HSCIC uncovers ‘significant lapses’ in patient confidentiality
The Health and Social Care Information Centre (HSCIC) has set out a rolling programme of spot checks across a large number of organisations that have received medical records after an investigation uncovered “significant administrative lapses” in protecting patient confidentiality.
Following the completion of a review of information released by its predecessor organisation, the NHS Information Centre (NHS IC), to companies, charities, universities and government bodies, HSCIC has revealed that in some cases when recording the releases of data the decision making process was “unclear” and “incomplete”.
The audit found that 3,059 data releases had taken place between 2005 and 2013 – with a detailed examination of 10% of these. It found “lapses in the strict arrangements that were supposed to be in place to ensure that people's personal data would never be used improperly”.
Led by Sir Nick Partridge, HSCIC non-executive director, the review stated that this type of behaviour was “unacceptable” and has made a series of recommendations to the HSCIC Board, which have all been accepted.
Sir Nick said: “The HSCIC must learn lessons from the loosely recorded processes of its predecessor organisation. The public simply will not tolerate vagueness about medical records that may be intensely private to them. We exist to guard their data and we have to earn their trust by demonstrating scrupulous care with which we handle their personal information.
“Although there is a new Board and largely new senior executive team, the HSCIC inherited many of the NHS IC procedures and staff. This included data agreements with organisations, which have been highlighted by my review and which will subsequently be listed in future versions of the register of all data releases, first published by the HSCIC in April. We can now make sure we conform to recent legislative changes, so that data is released when it will benefit the health and social care system.”
The HSCIC Board has set out a series of steps to guarantee greater openness and reassurance to the public, including stricter controls over data use and better clarity for data users.
These steps include the provision that patients and public representatives will be part of a new membership of the HSCIC's data oversight committee, the Data Access Advisory Group (DAAG); and all data agreements will be re-issued, to ensure activity is centrally logged, monitored and audited, resulting in a clear and transparent process.
Additionally, there will be a new, strengthened audit function that will monitor adherence to data sharing agreements and halt the flow of data if there are any concerns exposed; and a programme of active communication to the public and patients will hopefully bring greater clarity about an individual's right to object to their data flowing to or from the HSCIC.
Kingsley Manning, chair of the HSCIC, said: “We welcome the government's commitment to set up appropriate oversight for the system as a whole in relation to protecting confidentiality.
“We look forward to our work being subject to the same scrutiny and also want to encourage the public to scrutinise our activities.”
But Phil Booth, coordinator of medConfidential, said: “This is clearly system failure over a period of years. Patient data is out there and the public don't know where it is. Companies receiving it did not know their duties as data controllers and they have not been able to distinguish between data sharing and reuse. This means we will never know who got hold of the data.”
Tell us what you think – have your say below or email [email protected]