Privacy Impact Assessments (PIAs) exist to aid policymakers in mitigating identified privacy risks and minimising unintended privacy impacts. So did the care.data PIA miss important issues or were its recommendations mishandled? It would appear both, writes Edgar Whitley.
A recent edition of the Daily Telegraph led with a story about the details of the care.data proposals. In making its claims that patient confidentiality could be undermined by care.data, the Telegraph story drew heavily on the published Privacy Impact Assessment (PIA) undertaken by NHS England.
Privacy impact assessments (likely to be relabelled as ‘Data Protection Impact Assessments’ under the proposed new EU Data Protection Regulation) are intended to help decision makers identify and assess privacy concerns with systems that handle personal data. The logic behind PIAs is that it is generally much more effective to fix privacy problems at an early stage of a new system than to try to bolt on a fix when issues arise during the operation of the system.
PIAs are therefore intended to ask difficult questions so that decision makers can mitigate identified privacy risks and minimise unintended privacy impacts as these can have serious reputational consequences. The privacy problems that care.data is facing are precisely the kinds of things that a PIA is supposed to address. So did the care.data PIA miss important issues or were its recommendations mishandled? It would appear both.
The PIA is very clear about the privacy risks associated with care.data, noting that “the extraction of personal confidential data from providers without consent carries the risk that patients may lose trust in the confidential nature of the health service” (p. 6). Indeed, the PIA helpfully summarises (Table 1 p. 8) i) the reasons for care.data; ii) the impacts of care.data on personal confidential data; and iii) the controls and pledges that can be put in place to mitigate these impacts. In particular, it notes the risks that “some people may feel a loss of individual autonomy (no patient consent)” and that “some patients may not be aware of or understand their choices”.
To mitigate these risks, the PIA notes that there is a statutory basis for data collection, that “awareness raising activities will help patients understand how their data are used not only for care.data but other uses of healthcare”, and that “patients can object to the processing of the personal confidential data in GP records”.
I have covered the statutory basis for care.data previously. In terms of awareness raising activities, a Freedom of Information request has revealed that the leaflet sent to households explaining the benefits and risks of care.data “has not been delivered to households that have registered with the Royal Mail’s ‘door to door opt–out’” although “the leaflet has been delivered to households where an individual has registered with the Mail Preference Service”.
The third mitigation, whereby patients can object to the processing of the personal confidential data in GP records, seems relatively straightforward. The care.data leaflet states “you may want to prevent confidential information about you from being shared or used for any purpose other than providing your care”. Indeed, the PIA notes that “the greater control over identifiable information held about them” is a “great step forward” compared to previous controls available to patients.
The PIA continues, however, with more detail about the specific data flows from GP surgeries into the Health and Social Care Information Centre (HSCIC). It notes that the data that is extracted “does not include patients’ names and addresses”. Normally, however, it does include NHS number, postcode, date of birth and gender. This data is used to enable GP records to be linked to health records from other sources. The PIA reveals that where patients have objected to the flow of their ‘personal confidential information’ from the general practice record, “the HSCIC will receive clinical data without any identifiers attached (i.e. anonymised data)”.
Buried deep in the PIA, therefore, is the acknowledgement that opting out of care.data doesn’t prevent a patient’s clinical data from passing from the GP record to HSCIC; opting out only removes “any identifiers” from the clinical data that will be sent to HSCIC, on the presumption that removing these identifiers makes it difficult to re-identify the individual. (Presumably, in practice, the stripping out of identifiers would be handled by the HSCIC rather than by individual GP record systems.)
Unfortunately, although the PIA includes a helpful annex C containing “definitions of terms”, it doesn’t explicitly define the term “personal confidential information”. Related concepts including “confidential patient information”, “identifiable information” and “patient identifiable data” are defined.
In the light of the concerns with care.data, it is reasonable to question the effectiveness of the PIA. Arguably, a PIA which identifies privacy issues (which can then be mitigated) is more effective than one that doesn’t identify privacy issues. To that extent, the care.data PIA was effective. It highlighted the need for “awareness raising activities” even if these were primarily implemented in the form of leaflets sent to some households. It was less effective, however, at clearly articulating (for NHS decision makers as well as for the general public) what opting out would mean in practice, in terms of what data about individuals would flow from GP records to HSCIC regardless of patient opt out decisions.
Note: This article gives the views of the author, and not the position of the British Politics and Policy blog, nor of the London School of Economics. Please read our comments policy before posting.
About the Author
Edgar A. Whitley is Associate Professor (Reader) of Information Systems in the Department of Management at the London School of Economics and Political Science. Edgar was the research coordinator of the influential LSE Identity Project on the UK’s proposals to introduce biometric identity cards; proposals that were scrapped following the 2010 General Election.