Though the review was requested for a specific GP-HES linkage project, NIGB/ECC members concluded that when using Sapior’s eTTP service there was “no disclosure of patient identifiable data without consent” and so no permission was required to legitimately carry out the collection and linkage activity.

The NIGB/ECC committee did add the caveat that if the recipient of the de-identified data intended to further link with other data sources then NIGB/ECC should be approached.

What this means is that for projects which:

• only require de-identified data
• currently have to collect, link and de-identify their own data
• can not obtain consent from all the patients

they no longer have to seek permission for this collect, link and de-identification activity if using the Sapior eTTP service.

The reason this is the first time unconsented sensitive data collection and linking can legitimately proceed (without first requiring NIGB/ECC review) is that Sapior’s eTTP service builds upon the latest privacy enhancing technology research combined with NHS based testing. No sensitive data ever leaves the facility it is usually housed in and at no time does Sapior (employees or servers) ever see unencrypted data.

“This represents another milestone on the way to enabling ethical data sharing” says Robert Navarro, Managing Director of Sapior Ltd. “Increasing legitimate access to health data without sacrificing patient confidentiality is key to unlocking improved patient outcomes and better health service efficiencies.”

The concept of a Trusted Third Party has been extended to address the privacy and legal concerns with exporting patient identifiable data from a health provider’s system, whilst still allowing for that data to be linked with other provider’s data.

The goal is to allow clinicians and commissioners to safely unlock the potential within a patient’s treatment profile that is naturally fragmented across specialist health providers (to the highest standards of information governance and lowest breach risks possible).

See Primary Health Info 2011 for conference details.

Far better to turn the issue around, decide where the harm could come from and then set about minimising that. It turns out that virtually all harm flows from people being identified in the data about them when they would rather that not happen. Stop this illicit re-identification and you stop any potential harm (there is an exception to this which I’ll talk about later).

Now if one focuses on reducing all sources of illicit re-identification then the use of that sensitive data cannot be harmful and so can proceed. No balance necessary, just privacy and utility!

If you were wondering about the “smaller cake” in the title, this comes from noticing that the most effective way to reduce illicit re-identification risks is to hold less (and less sensitive) data, accessible by fewer folk for less long. No real surprises there.

Sapior is working with St. George’s University of London to develop a groundbreaking privacy-enhanced data collection process called SAPReL (Secure And Private Record Linkage).

St. George’s and Sapior made a joint application for support under section 251 to link routinely collected primary care data, data from the IAPT programme in the demonstration sites, and the secondary uses service. PIAG has approved this access to patient-identifiable data for the purpose of pseudonymising or de-identifying it for use in a cohort study.

In its provisional approval letter, the Advisory Group described the application to be “an exemplar”.

“Members noted the use of technology in the pseudonymisation process to be highly commendable and an example of best practice in order to achieve the pseudonymisation process.” (Source: PIAG Meeting Minutes, Monday 8th December 2008, pg. 10)

“Our flexible data harvesting solution removes identifiable information at the data source in a consistent way to allow the vital ability to link with other sources,” says Robert Navarro, Managing Director of Sapior Ltd. “This means researchers can develop a more comprehensive view of an individual’s record whilst still protecting the sensitive data during use.”

Sapior asked delegates at the recent NHS Alliance 2008 conference to score their organisations’ enforcement of the Confidentiality policy in terms of using de-identified patient data for commissioning, performance management, clinical audit and other secondary purposes.

Most respondents scored their organisations very well with over a quarter scoring 5 out of a possible 6. 36% of organisations scored in the middle of the spectrum (3 or 4 out of 6).

However, remarks from respondents indicated that many, including those in key management roles, were simply guessing on their organisations data privacy practices. “We must be here (5 of 6) because data privacy is important,” said one non-exec director.

Not surprisingly, there were also mixed responses from within organisations. One Chief Executive scored the PCT at an impressive 5 out of 6, whilst a Finance Manager from the same PCT scored it at 2, saying “Don’t tell my CE. We have a lot to do in this area.”

Whilst not an accurate measurement tool, the goal of the quiz was to encourage delegates to give mindspace to the high profile issue of data privacy and security. In particular, to the ongoing practice of using identifiable patient data for secondary purposes which conflicts with Confidentiality policy.

About the quiz

Respondents were asked to consider six areas where patient data is used for secondary purposes. (See below) Organisations were given credit for each secondary use area the respondent believed it was using de-identified patient data. For example, if an organisation was using any de-identified data for commissioning work and public health, the respondent could claim a score of 2 out of 6.

Clearly, scoring for the Mind the Gap quiz is very generous and not an accurate measurement. For example, an organisation using a single set of de-identified data for clinical audit would receive full credit for that area even if it was also using many identifiable data sets for other clinical audit work.

Notably, not a single delegate responded that it was “Not my responsibility”. Several were comfortable with guessing on their responses, although 15% said they didn’t know for sure whether de-identified data was being used or not.

Areas of Secondary use:

• Checking quality of care (e.g. clinical audit)
• Managing NHS spending (e.g. PbR, PBC, QMAS)
• Managing health service (e.g. commissioning)
• Investigating healthcare concerns/complaints
• Protecting public health
• Supporting research

*Total percentage greater than 100 due to rounding.

Financial justification for pseudonymisation to mitigate privacy breaches

The European Commission on Data Protection (DP) has defined Pseudonymised data as non-personal data and not subject to the Data Protection Directive in certain instances. This new position effectively permits organisations to meet DP responsibilities more economically when sharing data with partners, as in the case of cross-border data flows which have previously required expensive, complex, and time-consuming contracts.

In its “Opinion 4/2007 on the concept of personal data”, the European Commission Article 29 Data Protection Working Party (WP) clarified the notion of “personal data” thus enhancing legal certainty through the uniform interpretation of the EC Directive 95/46/EC. Adopted on 20th June 2007, the document describes the following conditions necessary to consider Pseudonymised data as non-personal data and thus not subject to the Directive:

• the Data Controller pseudonymises or key-codes Personally Identifiable Information (PII) to be given to a Data Processor that does not receive the key
• the goal of the processing must not be to identify individuals and influence or treat them differently from others.

In addition, the WP clarified its position on “retraceably pseudonymised” data which may be considered indirectly identifiable and thus subject to the Directive. If the linking to the individual is done by the Data Controller only under predefined circumstances, the risks to the individuals are considered to be low. In these cases, the WP claims the application of the Directive will be more flexible than if information on directly identifiable individuals were processed.

The Opinions of the WP can be found at:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm

“This enhanced legal certainty finally provides an economic justification for those organisations who have delayed implementing pseudonymisation in their privacy breach mitigation strategies,” said Robert Navarro, Managing Director of Sapior Ltd.

About Pseudonymisation

Pseudonymisation, a Privacy Enhancing Technology (PET), is essentially the replacement of Personally Identifiable Information (PII) – such as name, address or account number – with pseudonyms. Key-coded data are a classical example of pseudonymisation. Personally Identifiable Information (PII) is earmarked by codes, while the link between the code and the PII (like name, date of birth, address, etc.) is kept separately. Pseudonymised data can be used for audits, research, analysis, and administrative tasks or other work that requires access to relationships and trends in the data but not to PII.

Sapior has been selected as one of a number of suppliers working with prime contractor BT on the NHS Care Records service. This national patient record database will be one of the largest in the world and will eventually contain a summary care record for every NHS patient in England. The use of the Sapior pseudonymisation solution will ensure the confidentiality of these data, whilst they are being used for secondary activities such as financial transfers, management information and medical research.

“Sapior offers a mature, forward-looking data privacy solution that integrates easily and already meets significant future requirements,” explains Rob Story, NHS Care Records Service programme director, BT. “Sapior has been extremely responsive to the demands of this ambitious project.”

“Our significant experience in Business Intelligence enables us to understand and provide for the unique security needs of sensitive data being analysed or shared over extended time periods, as well as to accommodate the performance required by such a massive database,” said Robert Navarro, Managing Director of Sapior Ltd.

Pseudonymisation, a Privacy Enhancing Technology (PET), has been suggested by the UK Information Commissioner as a way to permit necessary access to patient information whilst hiding patient identities and other sensitive information. Also known as “reversible anonymisation”, pseudonymisation is essentially the replacement of identifiers – such as name, address or NHS number – with pseudonyms. Pseudonymised data can be used for audits, research, and administrative tasks or other work that requires access to relationships and trends in the data but not necessarily to all of the sensitive patient information.

More information about the NHS Care Records Service (CRS) Secondary Usage Service (SUS) can be found at:

http://www.connectingforhealth.nhs.uk/delivery/programmes/sus

As stated in Informatics Planning 2010/11,  “All NHS commissioners and providers of NHS commissioned care should complete the implementation of pseudonymisation by March 2011 in line with plans submitted in October 2009.”

The Pseudonymisation Implementation Project (PIP) supports NHS policy and legal requirement to de-identify patient data when it is used for purposes not involving the direct care of the patient, i.e. Secondary Use, unless the patient’s consent or Section 251 approval is received for that specific purpose.

DH has produced a summary for chief executives outlining the organisational obligations to deliver pseudonymisation. There is a suite of supporting implementation guidance available on the Connecting for Health PIP website to support organisations in this work.