Fear of making costly mistakes in respect of data sharing has led to passivity and in some cases fatal inaction by a number of health sector bodies. This has been highlighted recently by a number of high profile incidents in the context of health and social care, meaning that data sharing is now firmly in the limelight.
As we move towards a culture of integration of service delivery by NHS and private providers, the pressure on the health sector to share data lawfully and securely will no doubt increase. The law and guidance in this area is complex, but it is possible to share personal data within the confines of the existing law where appropriate and necessary.
This article outlines the key considerations for health sector bodies seeking to share information with third parties, and highlights recent and proposed changes in the relevant law and policy.
What is meant by the term 'data sharing'?
The ICO's Code of Practice on Data Sharing defines data sharing as: "the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation". Sharing can take the form of routine data sharing where the same data sets are shared between the same organisations for an established purpose, and exceptional, one-off sharing. With regard to the latter, health bodies are left with little time to grapple with the relevant law, guidance and policy and document their decisions.
Why the fear?
For as long as we can remember, health sector bodies have been beating the 'confidentiality' drum, taking care to ensure that staff are adequately trained and systems are sufficiently secure, to maintain the privacy of patient information.
Whilst it has always been recognised that patient confidential data can be shared in limited circumstances for specified purposes, there seems to be an inherent uncertainty about how far the law allows such disclosures, and whether the circumstances in question justify it.
One side effect of the Information Commissioner's increased enforcement powers in relation to breaches of the Data Protection Act (introduced five years ago) is a sense of fear instilled in data controllers in respect of the disclosures they make. The ICO has now issued fines to the NHS totalling £1.3 million for breaches of the Act, most of which have been high profile.
To date the Information Commissioner has concentrated his efforts on breaches relating to security of personal data; however, it seems increasingly likely that we are soon to see robust enforcement action in relation to unsound data sharing practices. Only this week the ICO has announced that it is investigating serious concerns about data sharing by a number of firms. The ICO's Head of Enforcement, Steve Eckersley, has commented on the sharing of health data and in particular stated: "People rightly consider information about their health to be sensitive, and in a recent survey we found that half of people consider it to be extremely sensitive."
With organisations feeling significant pressure not to 'get it wrong', it seems that in many instances important opportunities to share information are being lost, as the 'easier' option appears to be to refuse third parties access to information, even where its disclosure is of critical significance.
This sense of trepidation regarding decisions around data sharing has become the focus of the latest Caldicott review.
To share or not to share: the Caldicott Review
"Every citizen should feel confident that information about their health is securely safeguarded and shared appropriately when that is in their interest." (Dame Fiona Caldicott)
In the aftermath of the Francis report on failings at Mid Staffordshire NHS Foundation Trust, Dame Fiona Caldicott undertook a review into information sharing "to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care".
The review and subsequent report, "Information: to share or not to share? The Information Governance Review", identified a number of key concerns: that cultural change was required in the NHS and that there was an urgent need for education and training in this area. The principles, conclusions and recommendations contained in the report sought to achieve an optimum balance between safeguarding sensitive patient data and encouraging appropriate sharing of information where there is a legitimate need.
Where are we now? "Must try harder"
In December last year the Independent Information Governance Oversight Panel produced its first annual review examining the implementation of the recommendations from the Information Governance Review.
The report concluded that the cultural change called for in information governance "had only emerged in parts of the system". It found that the implementation of the recommendations had been neither quick nor comprehensive and that "the report card at the end of the first year after the Government's acceptance of the recommendations reads: 'Must try harder'".
Recent developments in Rotherham regarding failures to protect children from exploitation have also highlighted the dramatic and damaging consequences of inadequate sharing of information across agencies. The Government's report on tackling child sexual exploitation highlights the need for clear guidance to dispel common myths about information sharing, and remove false barriers in the way of protecting children.
What's next? Spotlight on sharing
There are a number of key developments which have or are likely to influence the way in which health bodies approach data sharing:
ICO compulsory audits
For public healthcare organisations compulsory audits came into play in February this year. The ICO can now subject an organisation to a mandatory review on how it handles patients' personal information as well as looking at security of data, records management, staff training and data sharing. The Information Commissioner has indicated an intention to make good use of what he describes as this "new power to force our way into the worst performing parts of the health sector".
The ICO's three year plan seeks to ensure that data sharing develops in a way that respects information rights. Given that organisations have now had some time to get the sharing of information right in response to the Caldicott Review and with the risk of getting it wrong being so high, we anticipate that the ICO will take enforcement action in this area.
General Data Protection Regulation
Legislative developments in the near future will bring further scrutiny. The General Data Protection Regulation, proposed by the European Commission and adopted in draft by the European Parliament in March last year, is gradually edging towards approval by the EU member states in the Council of the European Union. Once enacted, and following a transition period, the Regulation will apply directly in the UK. There are strong sanctions proposed in the case of illegal data processing, with fines of up to two per cent of global annual turnover.
The current draft Regulation includes a number of key changes, including new defined terms for 'data concerning health' and 'child' as well as a new high standard of consent. There is also a principle of 'controller responsibility' which will affect sharing arrangements, as it requires controllers to adopt policies and implement appropriate measures to demonstrate that processing is being undertaken in compliance with the Regulation. Data controllers will need to consider how those obligations will be stepped down where processing is being undertaken by third parties.
It is likely to be another year or so before the Regulation is approved which will be followed by a transition period, but the general direction of travel is clear.
Sharing to prevent fraud
Wider changes are taking place which will impact healthcare organisations such as the Home Office's recently issued 'Data Sharing for the prevention of fraud' code of practice for public authorities. The code is a requirement of the Serious Crime Act 2007 and promotes data sharing as a vital tool in preventing fraud. It seeks to demystify disclosure of sensitive information to fraud prevention organisations and the sharing of information across agencies to combat fraud.
With the increased ICO scrutiny of healthcare organisations and the focus on information sharing generally, the landscape on information sharing is changing. There is a move towards a more positive and open approach to sharing and healthcare organisations need to get this right.
Getting it right - what are the key considerations for the health sector?
The rationale for sharing will often help to determine the legal basis for sharing and will impact on the measures to be taken. The key to reducing the risks associated with data sharing is establishing:
- the purpose of sharing;
- a lawful basis for sharing;
- responsibility for control of the data (i.e. ensuring accuracy, managing storage and retention, providing subject access); and
- safe sharing and keeping shared data secure.
1. Purpose of sharing
It may seem obvious, but establishing a clear and legitimate objective for sharing is central to any arrangement and is of fundamental importance. It is only by considering what the sharing of information is intended to achieve that the parameters for sharing become apparent. At that stage it is possible to determine the extent of information sharing necessary and who needs to receive the information to achieve the purpose. The purpose for sharing should be clearly documented as part of the decision making process.
2. Lawful basis for sharing
It is a common and potentially dangerous misconception that any agreement that exists between the sharing parties will provide a sufficient legal basis for sharing any information. This is simply not the case, and is often where data sharing arrangements fall down.
When considering any sharing arrangement involving personal data, data controllers must go back to basics and consider compliance with the First Data Protection Principle under the Data Protection Act 1998. The First Principle states that data must be processed fairly and lawfully and should not be processed unless:
- one of the conditions in Schedule 2 to the DPA is met; and
- for sensitive personal data such as health data, at least one of the conditions in Schedule 3 to the DPA is also met.
The requirement to process fairly broadly translates to a requirement of reasonableness in sharing. Specifically, it means ensuring that data subjects are generally aware of which organisations are sharing their data and why. The privacy notice or fair processing notice will be key in fulfilling this requirement and organisations need to give some thought to how this is presented. For instance, in situations where sharing is expected, it may be enough to have a generally available notice whereas sharing sensitive personal data with organisations that an individual would not expect and for a potentially objectionable purpose will require an active communication of the notice.
Clearly there will be instances where it is not practical to communicate the sharing to individuals such as sharing for fraud prevention or to protect vulnerable individuals. In these situations data controllers should consider whether any of the 'exemptions' in the DPA allow the sharing of data without the need to comply with the Act's 'fairness' provisions.
It will always be necessary to consider the public body's power to share the information. Occasionally there will be an express statutory power permitting health bodies to share information. However, it is more likely that the power to share will be implied, i.e. that sharing is an incidental part of carrying out the functions assigned to the body under statute. For every instance of sharing, the statutory basis will need to be identified and documented.
Careful consideration needs to be given to the conditions for processing. Unless a relevant exemption applies, at least one Schedule 2 condition will need to be met before processing, and for sensitive data such as health and social care data a further Schedule 3 condition must also be met. The conditions include consent to processing, processing necessary to protect vital interests, processing for legal proceedings, processing for exercising statutory functions and, most commonly in a health context, that the processing is necessary for medical purposes and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
Ensuring compliance with one or more conditions is one of the keys to ensuring that sharing is lawful and should be a starting point for data controllers.
3. Responsibility for control of the information
In considering sharing arrangements it is important to determine who will have control of the data. Ensuring that the data shared is accurate (complying with the Fourth Data Protection Principle) and continues to be updated for accuracy is critical.
Common rules need to be established for the retention and deletion of data, bearing in mind that data should not be kept longer than necessary under the Fifth Data Protection Principle. Organisations need to agree what happens on termination of a sharing arrangement and who is responsible for taking the necessary action.
Similarly, consideration needs to be given to the rights of the data subject. In line with the points made above, procedures need to be in place for allowing data subjects to correct inaccuracies and to request the information held. Establishing responsibility for complying with requests and for notifying one another of requests is important to ensure public bodies comply with their obligations.
4. Safe sharing and keeping shared data secure
Whilst health organisations tend to have a reasonable grasp of the importance of protecting the information they hold, the security of shared information is not always considered.
Security arrangements differ between organisations and establishing common ground will be necessary before transmitting personal data. Health organisations need to have confidence in the systems for the transmission and storage of information to avoid security breaches.
This is not simply a question of whether information is sent using a secured system or in encrypted format; it also covers how access to the information is monitored and controlled, working from home arrangements, clear desk policies and the reporting of breaches.
A shift towards openness?
One thing seems clear: both private health and NHS bodies are being encouraged by the Government to be less risk averse when it comes to sharing of data, particularly where patients are in potentially critical situations. Until the introduction of the new Data Protection Regulation, data controllers remain bound by the DPA. However, where they were once averse to making voluntary disclosures in compliance with DPA processing conditions, there may now be a shift towards slightly bolder decisions being made.
If the four factors set out above are given due consideration prior to sharing and are documented accordingly, then the possibility of a breach and resulting enforcement action will be minimised. Equally, this is likely to reduce the risk of a failure to share personal data which could result in potentially catastrophic consequences.