Evidence submitted by the Information
Commissioner (EPR 24)
SUMMARY
In this evidence the Information Commissioner
has made it clear that he is generally pleased with the current
level of contact with NHS Connecting for Health (CfH) over the
development and introduction of electronic patient records in
England. He feels that some valuable progress has been made in
ensuring that CfH plans and actions are compliant with the Data
Protection Act 1998.
The Commissioner is conscious that these plans
inevitably pose significant data protection risks (for example
in relation to patient awareness, confidentiality, accuracy and
security) but throughout his discussions he has been assured
that CfH is aware of the various risks and is taking steps to
address them.
He continues to monitor the implementation and
operation of the NHS Care Record Service in order to ensure that:
Patients are provided with adequate information,
That information is fit for purpose, and
Effective security safeguards are in place to protect information.
He has also outlined his concerns about the
challenges in policing the consistency and security of access
arrangements across the NHS as a whole and he has drawn attention
to some of the possible abuses of the electronic patient record.
In particular the unlawful obtaining, procurement and disclosure
of personal data and the widening of the uses of the unique identifier
that is the NHS Number for non-medical purposes.
1. The Information Commissioner's Office is
the UK's independent public body set up to promote access to official
information and protect personal information by promoting good
practice, ruling on eligible complaints, providing information
to individuals and organisations, and taking appropriate action
when the law is broken. The Information Commissioner is the regulator
for the Data Protection Act 1998 (DPA) and the Freedom of Information
Act 2000 (FOIA). The comments in this evidence are primarily from
a data protection perspective.
2. The Information Commissioner fully supports
the idea that the National Health Service (NHS) should make the
best use of new technology to improve patient care by better management
of patients' records. The Commissioner has been in discussion
for some time with NHS Connecting for Health (CfH) about the plans
for the introduction of electronic patient records in England.
The Commissioner is conscious that these plans inevitably pose
significant data protection risks (for example in relation
to patient awareness, confidentiality, accuracy and security) but
throughout his discussions he has been assured that CfH is aware
of the various risks and is taking steps to address them. The
Commissioner has made it clear in particular that information
about a patient's health is sensitive data and the processing
of such data must comply with the provisions of the DPA. He continues
to monitor the implementation and operation of the NHS Care Record
Service in order to ensure that this happens and that patients
are provided with adequate information, that information is fit
for purpose and that effective security safeguards are in place
to protect information.
3. This is not only necessary to ensure
that the NHS complies with its legal responsibilities under the
DPA. It is also vital to gain the public's confidence about the
introduction and operation of computer systems that ultimately
will process sensitive personal data about everyone who uses the
NHS in England.
4. The Information Commissioner is generally
satisfied with the steps that CfH have taken so far to publicise
the development and introduction of electronic patient records.
However, in view of the opportunities to exercise choice that
will be available, it is particularly important that each individual
adult patient is fully informed of the way that these developments
will affect them with sufficient opportunity to exercise the choices
on record keeping that will be available to them.
5. The DPA requires, amongst other things,
that any processing of personal data must be carried out in compliance
with certain defined conditions. The DPA provides a number of
possible conditions for the processing of sensitive personal data
contained within electronic patient records. One of these conditions
is where the processing of sensitive personal data is necessary
for medical purposes and is undertaken by a health professional
or a person who owes a duty of confidence equivalent to that of
a health professional. The Information Commissioner is satisfied
that the NHS can rely on this condition in order to process the
sensitive personal data in electronic patient records. However,
having established a proper basis for processing, the limitations
attached to this basis must be complied with along with other
aspects of the DPA most notably the eight data protection principles.
6. Amongst other things, the data protection
principles require that personal data is adequate and fit for
purpose. With this in mind the Information Commissioner expects
that the arrangements for the "uploading" of personal
data to create the electronic patient records will be robust enough
to ensure that the highest possible levels of data quality are
maintained at all times particularly as clinical judgments will
be made based on this data.
7. The Summary Care Record (SCR) will form
the first part of the full electronic patient record. The SCR
will be launched in Spring 2007 in a small number of Primary Care
Trusts (PCTs). Initially, the SCR will contain a patient's demographic
information such as name, address and contact details plus basic
details from existing GP records about such things as allergies,
current prescriptions and bad reactions to medicines. The NHS
has decided to allow patients an opportunity to opt out of a summary
care record. This is a welcome option allowing an element of patient
choice and patients who choose not to permit this use of their
personal data will not have a SCR created for them but this is
not a strict requirement of the DPA. Patients will be informed
that they do not have a right to prevent demographic information
being held by the NHS even if they choose not to have a SCR.
8. The local detailed care record is the
main record which will be relied on for care and which will include
detailed clinical information. The Information Commissioner is
satisfied that the NHS could rely on the medical purposes condition
to process the sensitive personal data in the local detailed care
record. It is not yet entirely clear whether the NHS will still
provide any options for patients to exercise any choices over
the content of the detailed care record and whether this could
result in confusion for patients over the different levels of
control provided to them.
9. CfH is developing "sealed envelope"
arrangements which, when fully functional in 2008-09, should allow
patients to request that some specific sensitive information within
their record is only accessible with their consent other than
in exceptional circumstances. The Information Commissioner fully
supports these proposed arrangements to give patients control
over who may access their details and remains keen to ascertain
how these will operate in practice.
10. CfH is developing comprehensive plans
and procedures to deal with the controls over access to electronic
patient records. CfH has kept the Information Commissioner informed
of these plans and so far they appear to comply with requirements
of the Data Protection Act 1998 although it remains to be seen
how well they work in practice particularly as some abuses of
the current access control arrangements have been reported recently.
11. The NHS Care Records Registration Authority,
which is responsible for registering and verifying the identity
of NHS staff who need to use the NHS Care Records Service and
related IT systems and services, is a key part of CfH plans. There
will also be local Registration Authorities which will be responsible
for validating users, registering user profiles and issuing smartcards.
Access to electronic records by NHS staff will be via a personal
Smart Card and Personal Identification Number (PIN). In addition
the type and level of access a member of staff can have will be
determined by their role. For example a doctor involved in a patient's
care will need to have access to detailed clinical information
whereas a receptionist in a surgery may only need access to a
patient's contact and appointment information. NHS staff would
have to have a recognised "legitimate relationship"
with the patient to access patient records. Doctors in an A&E
Department will be amongst the few NHS staff able to create an
immediate legitimate relationship with patients. This is because
care in A&E Departments is generally unplanned so there would
probably be no existing legitimate relationship between doctor
and patient.
12. The Information Commissioner can foresee
some challenges with the control and policing of these access
arrangements within the context of a national system for electronic
patient records. Despite its name, in reality the NHS is not a
unified organisation. It consists of numerous disparate and separately
managed regional and local units such as Hospitals, Primary Care
Trusts and GP Practices.
13. Initial decisions about what level of
access to give to staff may be made locally. For example, it is
conceivable that some Hospitals or GP Practices will give their
reception staff access to the full patient record including clinical
information whereas others may only give them access to patients'
contact and appointment information. These differences almost
certainly exist already across the NHS and there may well be long
standing and sensible operational reasons for them. However, within
the context of a national system for electronic patient records,
such differences could lead to inconsistencies in and increased
risks to the security surrounding patient records in different
parts of the country.
14. The Information Commissioner also has
concerns about how the NHS will police the secure and proper use
of access arrangements. Even though he is aware that there will
be a detailed audit trail of access to patient records he is aware
of one recent publicised incident in which the Board of a Hospital
agreed that clinicians working in an A&E Department could
share their personal Smart Cards to access patient records.
15. Whilst the Board defended its decision
on operational grounds the Information Commissioner is concerned
that if incidents of this type are allowed to continue they will
increase the risk of serious breaches of security and confidentiality.
This particular incident was the subject of discussions between
the Information Commissioner and CfH. CfH has assured the Information
Commissioner that it will take all action necessary to prevent
any further such incidents during the implementation and operation
of the NHS Care Record Service.
16. Patients will also have access to their
own electronic patient records. As now they will have a statutory
right of access under the DPA and those who choose to have a SCR
will also be able to register for "HealthSpace" which
will provide them with online access to their SCR. The Information
Commissioner has already made it clear to CfH that the patient's
right of access to their own health records under the Data Protection
Act 1998 should not be adversely affected in any way by the implementation
of the NHS CRS. With respect to HealthSpace, the Information Commissioner
has asked about the present planned arrangements for access controls,
registration and authentication of applications for access to
HealthSpace and although reassurance has been provided in relation
to these it remains to be seen how well they work in practice.
17. The Information Commissioner is concerned
about the possibility of third parties requiring individuals to
provide them with enforced access to their HealthSpace for example
as a pre-condition of employment. Although it is not yet clear
to what extent this may be a problem it is a matter that requires
careful consideration.
18. The Information Commissioner is also
concerned that, in common with most large scale computer systems,
the NHS CRS will be vulnerable to the unlawful obtaining, procurement
and disclosure of personal data. This type of offence is known
as "blagging". The Information Commissioner's Regulatory
Action Division has developed expertise in dealing with offences
of this type. The nature and extent of the problems were documented
in two reports published during 2006, What Price Privacy?
and What Price Privacy Now? The Commissioner is delighted
that, with CfH support, the government has recently accepted the
central recommendation, to increase substantially the penalties
available to deal with the illegal trade in personal information.
The Commissioner has offered to work with CfH to research and
develop the best methods of preventing and investigating the "blagging"
of personal data from electronic patient records.
19. CfH has made the Information Commissioner
aware of the increasing number of requests to share data from
patient records that it has received and continues to receive
from other public bodies. Given the drive for ever wider information
sharing the Information Commissioner envisages an increase in
the number of situations where the wider lawful sharing of information
is appropriate within the public sector. However, a very cautious
approach is appropriate where health records are concerned given
the sensitive nature of much of the information likely to be on
NHS systems. The Information Commissioner has offered to assist
where CfH requires support when making decisions with difficult
and questionable requests to share information from patients'
health records. The Information Commissioner will be publishing
a framework code of practice and associated guidance on information
sharing in the next few months and will ensure that there is close
contact over this with CfH.
20. CfH has informed the Information Commissioner
that detailed policy recommendations from a multi-disciplinary
group about wider, possibly non-medical, uses of the NHS Number
are currently with Ministers for approval. The Information Commissioner
is concerned about the use of unique identifiers such as the NHS
Number for other than their original purposes and has made CfH
aware of this. In order to safeguard patients' information and
prevent misuse of the NHS Number the Information Commissioner
has recommended to CfH that the NHS Number is prescribed by the
Secretary of State as a general identifier under the DPA with
additional safeguards restricting its use.
CONCLUSION
The Information Commissioner is generally pleased
with the current level of contact with CfH over the development
and introduction of electronic patient records in England. He
feels that some valuable progress has been made in ensuring that
CfH plans and actions are compliant with the requirements of the
DPA.
He continues to monitor the implementation and
operation of the NHS Care Record Service in order to ensure that:
Patients are provided with adequate information;
That information is fit for purpose; and
Effective security safeguards are in place to protect information.
Richard Thomas
Information Commissioner
14 March 2007