Information Sharing Options

Phil Walker

Posted 18-Dec-2015

Page 2

Outline

I have been asked to present a range of options for lawful data sharing.

There is unlikely to be one approach that meets all requirements, but there may be options to co-design the most appropriate solution for local areas.

But first, a reminder about the different categories of data and the associated legal requirements.

Purpose

Page 3

Principles

Information

• Anonymised Information
• Personal Information
  – Confidential Personal Information
  – Other Personal Information

Page 4

Non-confidential personal information

• Cannot contain or be used to link to anything that informs about clinical or social care matters
• Can include demographic information and administrative items, e.g. NHS number
• Can be used for purposes that support analysis, e.g. NHS Number tracing
• People must be informed in broad terms about how information that identifies them may be used
• Needs to satisfy Data Protection Act 1998 (principles & schedule 2)

Anonymised information

• Cannot contain anything that might lead to re-identification in the context that applies, e.g. pseudonymised data or data that has been de-identified for local use can be anonymous in its context but not outside of controls that prevent re-identification.
• If it meets the requirements of the HSCIC ‘Anonymisation for Publication’ standard it may be published
• For most organisations anonymised data can be used for any purposes desired

Page 5

Sharing Confidential Personal Information for Care

Confidential Personal Information

• Confidential personal information is protected by law and should not normally be shared against the wishes of the individual concerned, whether for care or any other purpose. This is in addition to meeting DPA requirements (principles & schedules 2 & 3)

• When an individual consents to receiving treatment or care the common law duty of care imposes a duty to share the information necessary to deliver what is needed – subject to meeting confidentiality requirements.

• People have the right to say no to information sharing even if this results in a worse outcome for them

• However, it is generally accepted that people who use health and social care services understand that social workers, doctors, nurses and other professionals will need to share confidential information among the care team and with other professionals along the care pathway in order to provide effective care, but ……

– Direct Care does not provide a legal basis for sharing without consent!

Page 6

Summary

Four choices for sharing confidential data about groups and populations:

• Consent (will generally need to be explicit rather than implied)
• HSCIC power
• Support under s251 Regulations
• Anonymised/pseudonymised data

Page 7

Options

The options for local areas are as follows; initial pros / cons / areas to consider are included for each.

- Option 1: Pseudonymisation at Source (no re-identification)
- Option 2: Pseudonymisation at Source (variation using Public and Private Key)
- Option 3: Pseudonymisation on Landing
- Option 4: Full Consent
- Option 5: Section 251 application to the CAG
- Option 6: Department of Health issued directions to HSCIC (and therefore DSCROs)
- Option 7: A mix of the above (e.g. Southend-on-Sea)

Page 8

Option 1: Pseudonymisation at Source

Data sources:

• Social Care (Local Flow) – Encryption 1: create “digest” using NHS number (SHA-2 256 one-way hash)
• Community (Local Flow) – Encryption 2: create “digest” using NHS number (SHA-2 256 one-way hash)
• SUS (DSCRO) (National Flow) – Encryption 3: create “digest” using NHS number (SHA-2 256 one-way hash)

Third Party Data Processor: Data Linkage

Outputs:

• Data Analysis – delivery of aggregated outputs for research and analysis purposes
• Data Analysis – delivery of pseudonymised patient level data using outputs

Only the minimum data required flows between source providers and the data linkage organisation.

Page 9

Points for Consideration – Pseudonymisation at Source

Pros of Approach

• Avoids the need to use central organisations for data processing;
• Long-term future proof – recommended longer-term option by the CAG;
• Avoids the need for full patient consent (no confidentiality issues) and S251 as data isn’t personal under DPA;
• Open source data available to enable this processing to take place;
• No issues about what data can be shared as long as it is linkable;

Cons of Approach

• Likely to only be effective if data quality is positive – identifiers removed before transmission to data processor;
• Needs implementation of pseudonymisation software;
• Unable to re-identify patients / users for those in a direct care relationship so only useful for secondary purposes;
• Need to identify a separate data processor that doesn’t have access to clear data;

Key Points to Consider

• There needs to be a separation between the organisation providing the information and the organisation providing the data linkage (need to ensure no ability to re-identify);
• Organisation providing the linkage must have strict controls and not be able to re-identify individuals;
• Pseudonymised outputs (whether aggregated or at patient level) need to still be handled in a secure environment given the risk of re-identifying patients when linking information together;
• Still requires Data Sharing Contract and Data Sharing Agreements to be in place;
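The Option 1 flow on the two slides above (source-side digest of the NHS number, linkage by a processor that never holds identifiers, aggregated output) as an added Python example; it is not part of the presentation. It assumes the three source organisations share a secret key under their data sharing agreement and compute an HMAC-SHA-256 rather than a bare SHA-256 of the NHS number: a 10-digit identifier has too few possible values for an unkeyed digest to be a safe pseudonym, and the key is what keeps the linkage organisation (which does not hold it) from reversing the digest. The feeds, NHS numbers and key are constructed test values; the modulus 11 check is the standard NHS number check-digit rule and illustrates the "data quality must be positive before identifiers are removed" point.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample extracts for the three sources on the slide. The NHS
# numbers are test values built to pass (or, for one, fail) the check digit.
SOCIAL_CARE = [
    {"nhs_number": "943 476 5919", "name": "A. Example", "care_package": "reablement"},
    {"nhs_number": "401 023 2137", "name": "B. Example", "care_package": "home care"},
    {"nhs_number": "123 456 7890", "name": "C. Example", "care_package": "day centre"},  # bad check digit
]
COMMUNITY = [
    {"nhs_number": "9434765919", "name": "A. Example", "contacts": 4},
    {"nhs_number": "1234567881", "name": "D. Example", "contacts": 1},
]
SUS = [
    {"nhs_number": "9434765919", "dob": "1950-01-01", "admissions": 2},
    {"nhs_number": "4010232137", "dob": "1962-05-05", "admissions": 1},
]

# Assumption: agreed between the sources, never given to the linkage organisation.
SOURCE_SECRET = b"constructed-demo-key-do-not-use"

# Fields that must not leave the source organisation.
IDENTIFIERS = {"nhs_number", "name", "dob"}


def normalise_nhs_number(value):
    """Strip whitespace; return the 10-digit form or None if it is not 10 digits."""
    digits = re.sub(r"\s", "", value)
    return digits if re.fullmatch(r"\d{10}", digits) else None


def nhs_number_is_valid(nhs_number):
    """NHS number modulus 11 check: weights 10..2 over the first nine digits."""
    digits = normalise_nhs_number(nhs_number)
    if digits is None:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # no valid check digit exists for this prefix
        return False
    return check == int(digits[9])


def pseudonym(nhs_number):
    """The slide's 'digest': a keyed SHA-256 over the normalised NHS number."""
    digits = normalise_nhs_number(nhs_number)
    return hmac.new(SOURCE_SECRET, digits.encode(), hashlib.sha256).hexdigest()


def pseudonymise_at_source(records):
    """Runs inside the source organisation: validate, then swap identifiers for the digest.
    Returns (outbound_records, rejected_count); rejects cannot be repaired downstream."""
    outbound, rejected = [], 0
    for rec in records:
        if not nhs_number_is_valid(rec["nhs_number"]):
            rejected += 1
            continue
        out = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
        out["digest"] = pseudonym(rec["nhs_number"])
        outbound.append(out)
    return outbound, rejected


def link(*feeds):
    """Runs at the third-party processor: join on digest only; no NHS number is ever received."""
    linked = defaultdict(dict)
    for feed in feeds:
        for rec in feed:
            linked[rec["digest"]].update(rec)
    return dict(linked)


def aggregate(linked):
    """Aggregated output: people seen in any feed and people present in all three."""
    in_all = sum(1 for r in linked.values()
                 if {"care_package", "contacts", "admissions"} <= set(r))
    return {"people": len(linked), "in_all_three_sources": in_all}


def run():
    sc, sc_rejected = pseudonymise_at_source(SOCIAL_CARE)
    cm, _ = pseudonymise_at_source(COMMUNITY)
    sus, _ = pseudonymise_at_source(SUS)
    linked = link(sc, cm, sus)
    leaked = any(IDENTIFIERS & set(r) for r in linked.values())
    return {"rejected_social_care": sc_rejected, "identifiers_leaked": leaked, **aggregate(linked)}


if __name__ == "__main__":
    print(run())
```

Because every source applies the same keyed digest, the same person links across social care, community and SUS feeds without the processor learning who they are; the record with the bad check digit is dropped at source, which is exactly the data-quality weakness the cons list describes, since nothing downstream can recover it.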

Page 10

Option 2: Pseudonymisation at Source (Variation)

Data sources:

• Social Care (Local Flow) – Encryption 1: pseudonymisation using PKI key
• Community (Local Flow) – Encryption 2: pseudonymisation using PKI key
• SUS (DSCRO) (National Flow) – Encryption 3: pseudonymisation using PKI key

Third Party Provider: Public Key Infrastructure – one-way public key; no access to the data for the 3rd party

Third Party Data Processor: Data Linkage

Outputs:

• Data Analysis – delivery of aggregated outputs for research and analysis purposes
• Data Analysis – delivery of patient level data using outputs from data linkage

Private Key Re-Identifier (only to those with a direct care legitimate relationship)

Only the minimum data required flows between source providers and the data linkage organisation.

Fair Processing and Opt Out arrangements recommended as best practice.

Page 11

Points for Consideration – Pseudonymisation at Source (Variation)

Pros of Approach

• Avoids the need to use central organisations for data processing;
• Avoids the need for full patient consent (no confidentiality issues) and S251 as data isn’t personal under DPA;
• Allows those in a legitimate relationship with the user to re-identify for direct care purposes;

Cons of Approach

• Needs an external party to provide public / private key (at cost);
• Likely to only be effective if data quality is positive – identifiers removed before transmission to data processor;
• Likely to need to be linked to system to allow for Role Based Access (for private re-identification);
• Need to identify a separate data processor that doesn’t have access to clear data;

Key Points to Consider

• There needs to be a separation between the organisation providing the information and the organisation providing the data linkage (need to ensure no ability to re-identify);
• Organisation providing the linkage must have strict controls and not be able to re-identify individuals;
• Pseudonymised outputs (whether aggregated or at patient level) need to still be handled in a secure environment given the risk of re-identifying patients when linking information together;
• Still requires Data Sharing Contract and Data Sharing Agreements to be in place;

Page 12

Option 3: Pseudonymisation on Landing

Data sources:

• Social Care (Local Flow)
• Community (Local Flow)
• SUS (DSCRO) (National Flow)

Data Processor: Pseudonymisation and Data Linkage – pseudonymisation applied on landing within the data linkage organisation. Data linked based on a common pseudonymiser and all identifiers removed.

Outputs:

• Data Analysis – delivery of aggregated outputs for research and analysis purposes
• Data Analysis – delivery of patient level data using outputs from data linkage

Data Controller: re-identification using Role Based Access (needs system in place)

Page 13

Points for Consideration – Pseudonymisation on Landing

Pros of Approach

• If the system can support it, allows for identification of data quality issues in the originating organisation;
• Allows those in a legitimate relationship with the user to re-identify for direct care purposes;

Cons of Approach

• Needs clear approach to fair processing subject to DPA as data transferred in the clear;
• Needs to support opt-out;
• Likely to only be effective if data quality is positive – unless system can automatically push back where there are data issues to the originating organisation;
• Likely to need to be linked to system to allow for Role Based Access (where re-identification needed);

Key Points to Consider

• Pseudonymisation on landing needs to be true pseudonymisation on landing (within “black-box” – no identifiable data accessible by processor);
• Pseudonymised outputs (whether aggregated or at patient level) need to still be handled in a secure environment given the risk of re-identifying patients when linking information together;
• Once the data is matched identifiers need to be stripped out so only pseudonymised data is available for analysis;
• Still requires Data Sharing Contract and Data Sharing Agreements to be in place
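Option 3's "black box" and role-based re-identification as an added Python example, not the presentation's own design: identifiers arrive in the clear, the box issues a random pseudonym per person (so nothing about the NHS number can be derived from it), strips identifiers from the linked output handed to analysts, and only a user whose role permits it and who has a recorded legitimate relationship can reverse a pseudonym, with every attempt written to an audit trail. The role table, relationship record and feeds are constructed assumptions standing in for the controller's real access-control system.

```python
import re
import secrets
from collections import defaultdict

# Constructed feeds arriving in the clear at the data linkage organisation.
SOCIAL_CARE = [{"nhs_number": "943 476 5919", "name": "A. Example", "care_package": "reablement"}]
COMMUNITY = [{"nhs_number": "9434765919", "name": "A. Example", "contacts": 4},
             {"nhs_number": "4010232137", "name": "B. Example", "contacts": 2},
             {"nhs_number": "12345", "name": "Bad Record", "contacts": 1}]  # malformed, pushed back

IDENTIFIERS = {"nhs_number", "name", "dob"}

# Assumption: who may re-identify, and which people they have a legitimate
# (direct care) relationship with. A real deployment reads this from the
# controller's RBAC system and care records rather than a literal table.
ROLES_ALLOWED_TO_REIDENTIFY = {"social_worker_1"}
LEGITIMATE_RELATIONSHIPS = {"social_worker_1": {"9434765919"}}


class LandingBlackBox:
    """Holds the NHS number <-> pseudonym map. Nothing outside the box sees it."""

    def __init__(self):
        self._forward = {}   # nhs_number -> pseudonym
        self._reverse = {}   # pseudonym -> nhs_number
        self.audit = []      # (user, pseudonym, outcome)
        self.pushed_back = []  # records rejected for data-quality reasons

    def _pseudonym_for(self, nhs_number):
        if nhs_number not in self._forward:
            p = secrets.token_hex(16)  # random: not a function of the NHS number
            self._forward[nhs_number] = p
            self._reverse[p] = nhs_number
        return self._forward[nhs_number]

    def land_and_link(self, *feeds):
        """Link on the NHS number inside the box, then release only pseudonymised rows."""
        linked = defaultdict(dict)
        for feed in feeds:
            for rec in feed:
                nhs = re.sub(r"\s", "", rec["nhs_number"])
                if not re.fullmatch(r"\d{10}", nhs):
                    self.pushed_back.append(rec)  # tell the originating organisation
                    continue
                p = self._pseudonym_for(nhs)
                linked[p].update({k: v for k, v in rec.items() if k not in IDENTIFIERS})
        return dict(linked)

    def reidentify(self, pseudonym, user):
        """Role-based re-identification for direct care; returns None when refused."""
        nhs = self._reverse.get(pseudonym)
        allowed = (user in ROLES_ALLOWED_TO_REIDENTIFY
                   and nhs is not None
                   and nhs in LEGITIMATE_RELATIONSHIPS.get(user, set()))
        self.audit.append((user, pseudonym, "granted" if allowed else "refused"))
        return nhs if allowed else None


def run():
    box = LandingBlackBox()
    linked = box.land_and_link(SOCIAL_CARE, COMMUNITY)
    # Locate the two people by their non-identifying attributes only.
    pseud_a = next(p for p, r in linked.items() if "care_package" in r)
    pseud_b = next(p for p, r in linked.items() if "care_package" not in r)
    return {
        "output_has_identifiers": any(IDENTIFIERS & set(r) for r in linked.values()),
        "pushed_back": len(box.pushed_back),
        "care_team_sees_own_client": box.reidentify(pseud_a, "social_worker_1"),
        "care_team_sees_other_person": box.reidentify(pseud_b, "social_worker_1"),
        "analyst_sees_client": box.reidentify(pseud_a, "analyst"),
        "audit_entries": len(box.audit),
    }


if __name__ == "__main__":
    print(run())
```

The analyst output carries no NHS number, name or date of birth, the malformed record is returned to its source rather than silently dropped, and the only successful re-identification is the social worker looking up their own client; both refused attempts still leave an audit entry, which is what lets the controller evidence the controls the key points ask for.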

Page 14

Option 4: Full Consent

Data sources:

• Social Care (Local Flow)
• Community (Local Flow)
• SUS (DSCRO) (National Flow)

Data Linkage: data linkage using NHS number (and other key identifiers) – can be undertaken as full consent is in place. Pass back undertaken to specified organisations. Carried out by one of the above or another (specified) data processor.

Outputs: any appropriate purpose as specified in the consent process

Page 15

Points for Consideration – Full Consent

Pros of Approach

• No issues about public concern regarding the use of data;

Cons of Approach

• Unlikely to be feasible (time and cost) for Pioneer sites (some areas have consent related to single datasets but not on others, e.g. GP data / Acute data, due to the size of the population);

Key Points to Consider

• Can be used to transfer clear data to data processing organisations but needs to demonstrate a clear understanding to those for whom consent is being sought – e.g. who is processing, what information is being shared and what information can be viewed and by whom;
• This needs to be done in the right context and in a way which allows users to make informed decisions;
• Still requires Data Sharing Contract and Data Sharing Agreements to be in place;

Page 16

Option 5 – Section 251 Application to CAG

Pros of Approach

• Allows for access to information (if approved)

Cons of Approach

• Time taken to prepare the CAG application and ensure all areas are covered;
• CAG will still likely require an exit strategy – this is only a temporary solution;
• Need to demonstrate that alternative approaches have been considered, e.g. pseudonymisation and consent;

Background

• Common Law Duty of Confidentiality can be set aside by a Section 251 application to the Confidentiality Advisory Group, allowing the Secretary of State to make a decision based on advice from them;
• An application must be submitted to the CAG so they can give this consideration;
• This is generally suited to one-off or short-term activities and still needs to highlight arrangements in terms of fair processing and how information will be kept secure;

Page 17

Option 6 – Department of Health Directions to HSCIC

Pros of Approach

• The request for Directions does not have to be country wide but can be done on a regional or local basis;

Cons of Approach

• Time taken to prepare for the regulations to be undertaken;
• The directions cover the flow of data into the HSCIC but not the flow of data out (unless in a format suitable for national publication);
• This doesn’t cover datasets not within the remit of HSCIC for processing (therefore not a long-term solution);

Background

• Whilst HSCIC (and therefore DSCROs) have the legal basis to process adult social care data, a new data flow requires directions from one of a variety of sources – this includes Department of Health, Secretary of State, NHS England, Monitor, NICE or CQC;
• This however only covers the inbound flow of data – no clear or pseudonymised information can flow out without s251 support or via one of the limited legal gateways in the 2012 Act (The Department of Health is exploring how these gateways work and will advise)

Page 18

Option 7 – Mixture of the Above

Pros of Approach

• Allows areas to migrate to long-term solutions over time;
• Allows those in contact and with a legitimate relationship to the patient to have access to that specified data, while all other areas are pseudonymised;

Cons of Approach

• Needs time to work through how this is applicable for each locality – there is no one-size approach for all;

Background

• In reality areas may wish to implement a mix of the above. Southend, for instance, has full consent on social care data but not on health data and is therefore making a Section 251 application to the CAG to enable viewing of information across organisations. The model here will therefore be a mixture of S251 and Consent.