Conclusions regarding scope of proposed anonymisation processing
Even with informed consent, or with new legislation to protect certain activities that depend on identifying data, anonymisation processing will still be required to remove excessive patient data in order to meet the demands of the Third Principle of the Data Protection Act 1998.
It is feasible to 'acceptably anonymise' electronic patient records for legitimate 'indirect' uses.
The main components of anonymisation processing are: to strip out and/or encrypt revealing input data; to create the 'acceptably anonymised' output by linking patient records and accurately assigning a patient pseudonym; and to impose access controls on the output created.
Proposed standards safeguarding patient confidentiality
There is a need to define standards on anonymisation processing and on what constitutes an 'acceptably anonymous' dataset, and for these to be applied nationally.
It is proposed here that, for a dataset to be considered 'acceptably anonymous', it must exclude patient name, address, CHI Number (or other external identifier), date of birth, full post code, and any free text fields. It could include CHI Number, full post code and date of birth in an encrypted form. It could include in unencrypted form any other relevant data about the person and their health, except for free text comment fields.
A request for 'acceptably anonymous' data must originate from an authorised user, be for a legitimate purpose, and not demand more data than are necessary to achieve that purpose.
These standards are only applicable in the controlled domain of NHSScotland, the Scottish Executive, and trusted partner organisations employing similar measures to protect confidentiality. Data would not be 'acceptably anonymous' without organisational and system protection, such as 'sacking clauses' in employment contracts, standards that prevent those with access to 'acceptably anonymised' data also having access to registers of patient-identifying data, strong system access controls, etc.
Anonymisation services should operate as data processors for data providers and data users, with their procedures stipulated in written contracts, and with matters of discretion referred to a service control authority containing representatives from organisations supplying and using data, and patients.
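As an added illustration of the 'acceptably anonymous' dataset definition above (this is not code from the report or from any NHSScotland system), the following sketch strips the excluded fields, replaces CHI Number, date of birth and full post code with keyed tokens, and uses the CHI token as the linking pseudonym. The field names, key and sample records are assumptions constructed for the example, and HMAC-SHA256 stands in for the 'encrypted form' the text mentions: it is one-way, so a service that needs to recover the original values would use reversible encryption instead.

```python
import hashlib
import hmac

# Field names are assumptions for this example, not a real NHSScotland schema.
EXCLUDED = {"name", "address", "free_text"}               # never in output
PROTECTED = {"chi_number", "date_of_birth", "postcode"}   # protected form only


def _token(key: bytes, field: str, value: str) -> str:
    """Keyed one-way token; the field name is mixed in so tokens for
    different fields cannot be compared with each other."""
    canonical = "".join(str(value).split()).upper()   # 'eh1 1aa' == 'EH11AA'
    mac = hmac.new(key, f"{field}|{canonical}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def anonymise(record: dict, key: bytes) -> dict:
    """Strip excluded fields, tokenise protected ones, pass the rest through."""
    out = {}
    for field, value in record.items():
        if field in EXCLUDED:
            continue
        if field in PROTECTED:
            out[field + "_enc"] = _token(key, field, value)
        else:
            out[field] = value
    # The CHI token doubles as the pseudonym that links one patient's records.
    # A record with no CHI Number raises KeyError rather than passing unlinked.
    out["pseudonym"] = out.pop("chi_number_enc")
    return out


def violations(output: dict) -> list:
    """Names of any fields that must not appear in clear in the output."""
    return sorted((EXCLUDED | PROTECTED) & output.keys())


# Constructed sample records (not real patient data): one patient, two episodes.
KEY = b"constructed-demo-key-held-only-by-the-service"
RECORDS = [
    {"name": "A Sample", "address": "1 Example St", "chi_number": "0101701234",
     "date_of_birth": "1970-01-01", "postcode": "EH1 1AA",
     "diagnosis": "J45", "free_text": "Pt lives next to the school"},
    {"name": "A. Sample", "address": "1 Example Street", "chi_number": "0101701234",
     "date_of_birth": "1970-01-01", "postcode": "eh11aa",
     "diagnosis": "E11", "free_text": ""},
]
ANON = [anonymise(r, KEY) for r in RECORDS]
```

Both output records carry the same pseudonym although the name and address were keyed differently, and `violations()` gives a software check that can be run on any dataset before release.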
Proposed limits to confidentiality safeguards and associated risks
Non-clinical staff involved in the anonymisation process require access to confidential patient-identifying data for reconciliation purposes; some legal support for this can be found in the Data Protection Act requirement that data be kept accurate, and a public interest defence could be made. However, there is a risk that this could be challenged as a breach of confidence under the common law.
In order to keep costs to realistic levels, the majority of requests for acceptably anonymised data should be 'vetted' by software and a minority by a service control authority. Inevitably, this adds slightly to the risk that a person's identity may be revealed.
Personal data provided by a patient to one organisation could be used in an acceptably anonymised form by another organisation for a necessary purpose, even if the patient objects to this use (this position is supported by the Data Protection Act)3.
Conclusions regarding scope of proposed anonymisation service
There should be a central anonymisation service to process national standard flows (like SMRs).
Local organisations should be able to choose whether to set up their own local anonymisation service centres, applying nationally-agreed anonymisation standards, or whether to use the national anonymisation service for processing local flows.
Simple anonymisation processing, such as control of access to local databases, should be the responsibility of local organisations rather than an anonymisation service.
Recommendations
Legal advice should be sought on specific issues identified within this report.
The GMC and Office of the Information Commissioner should be consulted on the proposals within this report.