A few days ago a report, entitled the Data Sharing Review
by Richard Thomas, the Information Commissioner, and Mark Walport, the director of the Welcome Trust, was delivered to the government which commisioned it.
The review examined issues around the safety and security of personal information and the ways in which public sectors bodies, including the National Health Service (NHS), share data about individuals.
The review's conclusions were that:
- there is a lack of transparency and accountability in the way organisations deal with personal information
- there is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law
- greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis
- the Information Commissioner needs more effective powers, and the resources to allow him to use them properly.
and it came with a series of recommendations aimed at transforming the personal and organisational culture of those who collect, manage and share information. These included:
- to improve leadership, accountability and training within organisations
- to ensure all organisations are as transparent and open as possible about how and with whom data are shared, with what authority, for what purposes and with what protections and safeguards
- to clarify and simplify the legal framework governing data sharing, including provisions to guarantee better and more authoritative guidance for practitioners
- to develop mechanisms that will enable population-based research and statistical analysis for public benefit, whilst safeguarding the privacy of individuals
- to help safeguard and protect personal information held in publicly available sources.
A key point for the NHS and other healthcare providers was the support for the assumption of implied consent, explicitly stating that:
"An NHS patient agreeing to a course of treatment should also be taken to have agreed that information given during the course of the treatment might be made available for future medical research projects, so long as robust systems are in place to protect personal information and privacy."
But warns that:
"However, implied consent is not satisfactory without considerable transparency. In the case of the NHS, we strongly encourage it to build on its existing efforts to educate patients by making general and widely advertised statements about how people’s health information might be used in the future."
I would suggest that we are currently a long way from achieving this aim and that the majority of the public have no idea how the information they give to a doctor, nurse or other healthcare professional might be shared.
The report also uses examples from health to look at the shring of clinical information for research processes, and includes a specific recomendation on this:
"Recommendation 17: We recommend that the NHS should develop a system to allow approved researchers to work with healthcare providers to identify potential patients, who may then be approached to take part in clinical studies for which consent is needed. These approved researchers would be bound by the same duty of confidentiality as the clinical team providing care, and face similar penalties in the case of any breach of confidentiality. If legislation is necessary to implement such a scheme, then we would urge Government to bring that legislation forward as quickly as possible."
If legislation is to be proposed then I feel it must always err on the side of patient safety and confidentiality, rather than being driven by the desires of the research community, including pharmaceutical companies, and clarify the "approval process" especially as many of them are not covered by the same professional codes (with sanctions for breaking them) as clinicians.
Action is definitely needed to improve the way in which organisations, such as the NHS, handle sensitive personal data and improve public confidence in these processes.
It will be interesting to see how any new legislation, including the implementation of EU directives, improve practice and achieve some of the laudable aims set out in the review.
Labels: Confidentiality, data security