3.2 Confidentiality of health data

Personal information relating to an individual’s health is most frequently collected as part of their contact with the health care system as a patient. Although the detailed legal position differs between countries, the information disclosed as part of the doctor-patient relationship is generally considered to be confidential and only to be used in the provision of medical treatment. Health information is particularly sensitive because, if it is shared with inappropriate agencies, it may affect individuals’ ability to gain employment, insurance or other benefits.

Despite these sensitivities, much of this information is also essential to the management of the health care system and research into patterns of disease, which can inform our understanding of disease causality and the formulation of health policy. Information collected from patients has been used for a wide range of purposes in health research and health care management. In the past this may have occurred without any direct attempt to obtain informed patient consent or to work within a data protection framework. Increasingly, this type of use is governed by legislation and procedures specifically designed to protect individual information. The general principles of data protection legislation include that personal data is kept securely and processed fairly and lawfully for appropriate purposes in accordance with the data subject’s rights.


Contemporary UK approaches to the handling of patient-identifiable information have been strongly influenced by the 1997 Caldicott Report (Department of Health, 1997). The report recognises uses for patient-identifiable information for planning, operational and monitoring purposes. Planning here includes public health and epidemiological uses, which are among the most common GIS applications in health care analysis. Six general principles emerged from this review, which closely reflect those set out in data protection legislation:

  1. Justify the purposes
  2. Do not use patient-identifiable information unless it is absolutely necessary
  3. Use the minimum necessary patient-identifiable information
  4. Access to patient-identifiable information should be on a strict need-to-know basis
  5. Everyone with access to patient-identifiable information should be aware of their responsibilities
  6. Understand and comply with the law

One of the key considerations for the use of information for these broader purposes – not directly related to the provision of individual health care – is that the data be appropriately anonymised. The Caldicott committee recommended that patient data be de-identified by the removal of name and address, but that date of birth, postcode (typically relating to 15 residential addresses) and National Health Service number be retained. Nevertheless, the unique combination of these data items, which include a small geographical area, would be sufficient to identify individuals in many cases. After directly identifying information, geographical detail is one of the greatest risks of individual data disclosure (Fienberg, 1994). Those charged with the security of patient data will thus often require further aggregation of records, depending on the sensitivity of the information contained. The degradation of geographical referencing for data protection purposes clearly has implications for the ways in which the data can be used in the analysis of health. Detailed geographical data linkage is a strength of GIS processing but also presents a potential opportunity to undermine the data protection measures applied to sensitive health data. Verity and Nicoll (2002) outline the important benefits of public health surveillance and note that many of the discussions about patient confidentiality do not fully take these into account. Nevertheless, they suggest that those involved in health surveillance should adopt procedures such as those outlined in the Caldicott report.
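The disclosure risk described above can be measured directly: count how many records share each combination of the retained quasi-identifiers (date of birth and postcode), and coarsen both until every combination is shared by at least k people, then suppress small cells in any aggregate table. The script below is an added example, not part of this learning object; the patient records are constructed, and the generalisation ladder assumes the UK unit/sector/district/area postcode structure.

```python
from collections import Counter

# Constructed sample extract (not real patients): one record per patient with the
# quasi-identifiers the Caldicott report allowed to remain, date of birth and unit
# postcode, plus a diagnosis. All values are invented.
RECORDS = [
    ("1961-03-14", "AB12 3CD", "diabetes"),
    ("1961-09-02", "AB12 3CE", "asthma"),
    ("1964-12-25", "AB12 3CF", "diabetes"),
    ("1975-07-02", "AB12 4GH", "diabetes"),
    ("1976-01-19", "AB12 4GJ", "asthma"),
    ("1977-05-30", "AB12 4GK", "asthma"),
    ("1988-11-30", "AB13 1AA", "diabetes"),
    ("1989-02-14", "AB13 1AB", "asthma"),
]

# Generalisation ladder, coarsening both quasi-identifiers together:
# level 0: full date of birth + unit postcode (about 15 addresses)
# level 1: birth month + postcode sector
# level 2: birth year + postcode district
# level 3: birth decade + postcode area
LEVELS = 4

def quasi_identifier(dob, postcode, level):
    outward, inward = postcode.split()
    geo = [postcode, f"{outward} {inward[0]}", outward, outward.rstrip("0123456789")][level]
    born = [dob, dob[:7], dob[:4], dob[:3] + "0s"][level]
    return (born, geo)

def class_sizes(records, level):
    """Number of records sharing each (birth, geography) combination."""
    return Counter(quasi_identifier(dob, pc, level) for dob, pc, _ in records)

def unique_records(records, level=0):
    """Records whose quasi-identifier combination is unique in the extract (highest risk)."""
    sizes = class_sizes(records, level)
    return [r for r in records if sizes[quasi_identifier(r[0], r[1], level)] == 1]

def least_generalisation_for_k(records, k):
    """Lowest ladder level at which every combination is shared by at least k records."""
    for level in range(LEVELS):
        if min(class_sizes(records, level).values()) >= k:
            return level
    return None  # no level on the ladder reaches k; aggregate further or withhold

def suppressed_counts(records, level, threshold):
    """Diagnosis counts per geography, with small cells (below threshold) suppressed."""
    counts = Counter((quasi_identifier(dob, pc, level)[1], dx) for dob, pc, dx in records)
    return {cell: (n if n >= threshold else None) for cell, n in counts.items()}

if __name__ == "__main__":
    print(len(unique_records(RECORDS)), "of", len(RECORDS), "records are unique at full detail")
    print("k=2 first reached at level", least_generalisation_for_k(RECORDS, 2))
    print(suppressed_counts(RECORDS, 2, 3))
```

On the constructed extract every record is unique at full detail and k=2 is only reached at birth decade plus postcode area, which illustrates how much geographical detail the analyst may have to give up.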


The regulation of access to health-based data for research, as well as for clinical or health care delivery purposes, is subject to continual development, such as the European Union’s new General Data Protection Regulation (GDPR) (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/), which came fully into force in 2018 and has widespread implications for all organizations holding personal data. Unlike earlier legislation, the GDPR has classed locational information as ‘personal data’. It also steps up requirements for obtaining consent for processing of personal data, including location, for example by discouraging pre-checked tickboxes and requiring the different uses of data to be explicitly itemised.

Health-related information gained from censuses and surveys is not governed by the same specific restrictions which affect data within the health care system, but the same underlying data protection principles apply. Again, there are differences in the way that specific countries interpret these principles for their own official statistics systems. Wallman (2003) notes the important distinction between information that is collected for administrative purposes and information collected for statistical purposes. In research design, the informed consent of the data subject should be sought wherever possible.


Activity

Choose one of the scenarios below, and decide whether or not the health GIS data set described in each case would pose any problems in terms of confidentiality under current legislation that affects you in your setting:

  • Scenario 1: You are working with a map layer that contains diabetes rates and counts of numbers of reported cases for a set of health districts in a European country, together with associated boundaries. Each health district has a population of about 50,000 people.
  • Scenario 2: You are working with a data file containing records relating to pregnant women, together with their HIV status based on a blood test. Names and dates of birth have been removed from the file, as have any other personal identifiers. There is a code for the province within which each woman lives and each province contains around a million people.
  • Scenario 3: You are working with a map layer of unit postcodes. Attached to each postcode are two counts: one is the number of schoolchildren aged 6 to 8 years, and the other is the number of schoolchildren who are overweight for their age, based on a national primary school measurement programme being run by the government. Each postcode contains between 15 and 30 residential addresses.
  • Scenario 4: You are working with a point map layer representing cases of Lyme disease, in which each point has been georeferenced by place of residence to the nearest 10 metres. Names, ages and all personal details have been removed from the data file.

What data protection issues might arise in each scenario?


References (Essential reading for this learning object indicated by *)

Fienberg, S. E. (1994) Conflicts between the needs for access to statistical information and demands for confidentiality. Journal of Official Statistics 10(2), 115-132. http://www.jos.nu/Articles/abstract.asp?article=102115 This paper addresses basic tensions in the protection and use of information about individuals.

Department of Health (1997) The Caldicott committee: report on the review of patient-identifiable information. http://webarchive.nationalarchives.gov.uk/+/www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationspolicyandGuidance/DH_4068403 This document sets the framework for contemporary treatment of patient data in the UK.

Verity, C. and Nicoll, A. (2002) Consent, confidentiality and the threat to public health surveillance. British Medical Journal 324, 1210-1213. http://www.bmj.com/content/324/7347/1210.1

Wallman, K. K. (2003) Privacy and confidentiality: a new era. Journal of Official Statistics 19(4), 315-319. http://www.jos.nu/Articles/abstract.asp?article=194315 This paper deals more generally with the tension between data subject confidentiality and access to official statistics.

The Information Commissioner’s Office provides a quick guide to personal data: https://ico.org.uk/media/1549/determining_what_is_personal_data_quick_reference_guide.pdf
