The Department of Health (DoH) is consulting on plans to give new local "accredited safe havens" (ASHs) in England the ability to gather, use and share personal health and care data (28-page / 242KB PDF) from other health bodies in England, such as hospitals, care homes and clinical commission groups.
The DoH is proposing to set rules on how the data is used and shared by these ASHs, although it confirmed individuals will be given a right to opt out of the use and sharing of their data by ASHs under those new rules.
Under its plans, personal health and care data could be processed by ASHs for the purpose of analysing differences between population groups or for "providing those responsible for providing care to an individual with information that might inform or support that care".
A number of other limited purposes for which ASHs would be permitted to use the data are also set out in the department's consultation. They include a right for the bodies to use data for "auditing, monitoring and analysing the provision made for patient care and treatment, including outcomes, costs and patient satisfaction" and for "ensuring that the correct payment is made for care provided".
The DoH's proposals are separate from the planned 'care.data' regime, which concerns the sharing of data held by GP surgeries in England, but it said that data gathered in accordance with the care.data scheme "could be disseminated to accredited safe havens" by the national Health and Social Care Information Centre (HSCIC).
The department has proposed a number of privacy safeguards to accompany its plans in light of failings identified in a review of information governance in the NHS by Dame Fiona Caldicott last year and after finding that existing regulations "do not provide either the coverage that is required or the strong controls that we believe should be in place to protect information".
"Our vision is that ASHs will provide a secure environment within which data that could potentially identify individuals can be lawfully processed for a limited range of approved purposes, under controls that minimise reliance upon identifiable data and constrain how the data is processed in the ASH. There is more detail about this below," the DoH said in its consultation paper.
"The data that will be used by ASH will be person-level data but as our starting point is that the risk of individuals being identified must be minimised, any identifiers that are not necessary of the processing will have been removed (for example names and addresses). In the wrong hands, the individuals could be re-identified and the controls that we propose seek to minimise this risk. In line with the Data Protection Act and the Caldicott principles, ASHs will be expected to use only the minimum data necessary for their purposes," it said.
The flow of data to and from ASHs would be governed by a number of "controls" the DoH has proposed should exist. One control would, if introduced, require ASHs to ensure that they "remove from the data it processes any information which identifies the person to whom it relates which is not required for the purposes for which it is being processed, and to provide evidence of the steps taken towards doing this" so far as it is practical to do so.
Other controls have been proposed around the access to and security of the data held by ASHs. In addition, the bodies would be under an obligation to "report any incidents involving loss of data, information security failing or breach" of the new rules.
The controls would also limit the ability of an ASH to release the data they hold to third parties where those third parties are "directly involved in the care of the data subject" or where there is another lawful basis for disclosure. In addition, the publication of data held by ASHs would only be permitted where the data "has been effectively anonymised" in accordance with standards set by the Health Secretary and NHS England.
ASHs that breach the rules that the DoH proposes to set could be fined up to £500,000, the department said.