Information Sharing Options Phil Walker

Outline I have been asked to present a range of options for lawful data sharing. There is unlikely to be one approach that meets all requirements but there may be options to co-design the most appropriate solution for local areas. But first, a reminder about the different categories of data and the associated legal requirements. Purpose

Principles 3 Information Anonymised Information Personal Information Confidential Personal Information Other Personal Information

Non-confidential personal information 4 Cannot contain or be used to link to anything that informs about clinical or social care matters Can include demographic information and administrative items e.g. NHS number Can be used for purposes that support analysis, e.g. NHS Number tracing People must be informed in broad terms about how information that identifies them may be used Needs to satisfy Data Protection Act 1998 (principles & schedule 2) Anonymised information Cannot contain anything that might lead to re-identification in the context that applies e.g. pseudonymised data or data that has been de-identified for local use can be anonymous in its context but not outside of controls that prevent re- identification. If meets the requirements of the HSCIC ‘Anonymisation for Publication’ standard it may be published For most organisations anonymised data can be used for any purposes desired

Sharing Confidential Personal Information for Care Confidential Personal Information Confidential personal information is protected by law and should not normally be shared against the wishes of the individual concerned, whether for care or any other purpose. This is in addition to meeting DPA requirements (principles & schedules 2 & 3) When an individual consents to receiving treatment or care the common law duty of care imposes a duty to share the information necessary to deliver what is needed – subject to meeting confidentiality requirements. People have the right to say no to information sharing even if this results in a worse outcome for them However, it is generally accepted that people who use health and social care services understand that social workers, doctors, nurses and other professionals will need to share confidential information among the care team and with other professionals along the care pathway in order to provide effective care, but …… –Direct Care does not provide a legal basis for sharing without consent! 5

Summary Four choices for sharing confidential data about groups and populations: Consent (will generally need to be explicit rather than implied) HSCIC power Support under s251 Regulations Anonymised/pseudonymised data 6

Options The options for local areas are as follows and initial pros / cons / areas to consider are included. -Option 1: Pseudonymisation at Source (no re-identification); -Option 2: Pseudonymisation at Source (variation using Public and Private Key); -Option 3: Pseudonymisation on Landing; -Option 4: Full Consent; -Option 5: Section 251 application to the CAG; -Option 6: Department of Health issued directions to HSCIC (and therefore DSCROs); -Option 7: A mix of the above (e.g. Southend-on-Sea).

Data Source: Social Care (Local Flow) Option 1: Pseudonymisation at Source Data Source: Community (Local Flow) Encryption 1 Create “digest” using NHS number (SHA-2 256) One way hash Encryption 2 Create “digest” using NHS number (SHA-2 256) One way hash Data Source: SUS (DSCRO) (National Flow) Encryption 3 Create “digest” using NHS number (SHA-2 256) One way hash Third Party Data Processor Data Linkage Data Analysis Delivery of aggregated outputs for research and analysis purposes Data Analysis Delivery of pseudonymised patient level data using outputs Only minimum data required flows between source providers and data linkage organisation

Outline Points for Consideration – Pseudonymisation at Source Pros of ApproachCons of Approach Avoids the need to use central organisations for data processing; Long-term future proof – recommended longer-term option by the CAG; Avoids the need for full patient consent (no confidentiality issues) and S251 as data isn’t personal under DPA; Open source data available to enable this processing to take place; No issues about what data can be shared as long as it is linkable; Likely to only be effective if data quality is positive – identifiers removed before transmission to data processor; Needs implementation of pseudonymisation software; Unable to re-identify patients / users for those in a direct care relationship so only useful for secondary purposes; Need to identify a separate data processor that doesn’t have access to clear data; Key Points to Consider There needs to be a separation between the organisation providing the information and the organisation providing the data linkage (need to ensure no ability to re-identify); Organisation providing the linkage must have strict controls and not be able to re-identify individuals; Pseudonymised outputs (whether aggregated or at patient level) need to still be handled in a secure environment given the risk of re-identifying patients when linking information together Still requires Data Sharing Contract and Data Sharing Agreements to be in place;

Data Source: Social Care (Local Flow) Option 2: Pseudonymisation at Source (Variation) Data Source: Community (Local Flow) Encryption 1 Pseudonymisation using PKI Key Encryption 2 Pseudonymisation using PKI Key Data Source: SUS (DSCRO) (National Flow) Encryption 3 Pseudonymisation using PKI Key Third Party Data Processor Data Linkage Data Analysis Delivery of aggregated outputs for research and analysis purposes Data Analysis Delivery of patient level data using outputs from data linkage Third Party Provider Public Key Infrastructure – one way public key No access to the data for 3 rd Party Private Key Re-Identifer Only minimum data required flows between source providers and data linkage organisation Private Key Re- Identifier (only to those with direct relationship) Fair Processing and Opt Out Arrangements recommended as best preactice. Direct Care legitimate relationship

Outline Points for Consideration – Pseudonymisation at Source (Variation) Pros of ApproachCons of Approach Avoids the need to use central organisations for data processing; Avoids the need for full patient consent (no confidentiality issues) and S251; Avoids the need for full patient consent (no confidentiality issues) and S251 as data isn’t personal under DPA; Allows those in a legitimate relationship with the user to re-identify for direct care purposes; Needs an external party to provide public / private key (at cost); Likely to only be effective if data quality is positive – identifiers removed before transmission to data processor; Likely to need to be linked to system to allow for Role Based Access (for private re-identification); Need to identify a separate data processor that doesn’t have access to clear data Key Points to Consider There needs to be a separation between the organisation providing the information and the organisation providing the data linkage (need to ensure no ability to re-identify); Organisation providing the linkage must have strict controls and not be able to re-identify individuals; Pseudonymised outputs (whether aggregated or at patient level) need to still be handled in a secure environment given the risk of re-identifying patients when linking information together; Still requires Data Sharing Contract and Data Sharing Agreements to be in place;

Data Source: Social Care (Local Flow) Option 3: Pseudonymisation on Landing Data Source: Community (Local Flow) Data Source: SUS (DSCRO) (National Flow) Pseudonymisation and Data Linkage Pseudonymisation applied on landing within the data linkage organisation. Data linked based on common pseudonymiser and all identifiers removed; Data Processor Data Analysis Delivery of aggregated outputs for research and analysis purposes Data Analysis Delivery of patient level data using outputs from data linkage Data Controller Re-identification using Role Based Access (needs system in place)

Outline Points for Consideration – Pseudonymisation on Landing Pros of ApproachCons of Approach If system can support it allows for identification of data quality issues in originating organisation; Allows those in a legitimate relationship with the user to re- identify for direct care purposes; Needs clear approach to fair processing subject to DPA as data transferred in the clear; Needs to support opt-out; Likely to only be effective if data quality is positive – unless system can automatically push back where there are data issues to the originating organisation; Likely to need to be linked to system to allow for Role Based Access (where re-identification needed); Key Points to Consider Pseudonymisation on landing needs to be true pseudonymisation on landing (within “black-box” – no identifiable data accessible by processor); Pseudonymised outputs (whether aggregated or at patient level) need to still be handled in a secure environment given the risk of re-identifying patients when linking information together; Once the data is matched identifiers need to be stripped out so only pseudonymised data is available for analysis; Still requires Data Sharing Contract and Data Sharing Agreements to be in place

Outline Option 4: Full Consent Data Source: Social Care (Local Flow) Data Source: Community (Local Flow) Data Source: SUS (DSCRO) (National Flow) Data Linkage Data linkage using NHS number (and other key identifiers) – can be undertaken as full consent is in place. Pass back undertaken to specified organisations. One of the above or another data processor (specified) Any appropriate purpose as specified in the consent process

Outline Points for Consideration – Full Consent Pros of ApproachCons of Approach No issues about public concern regarding the use of data; Unlikely to be feasible (time and cost) for Pioneer sites (some areas have consent related to single datasets but not on others e.g. GP data / Acute data due to the size of the population); Key Points to Consider Can be used to transfer clear data to data processing organisations but needs to demonstrate a clear understanding to those for whom consent is being sought – e.g. who is processing, what information is being shared and what information can be viewed and by whom; This needs to be done in the right context and in a way which allows users to make informed decisions; Still requires Data Sharing Contract and Data Sharing Agreements to be in place;

Outline Option 5 - Section 251 Application to CAG Pros of ApproachCons of Approach Allows for access to information (if approved) Time taken to prepare the CAG application and ensure all areas are covered; CAG will still likely require an exit strategy – this is only a temporary solution; Need to demonstrate that alternative approaches have been considered e.g. pseudonymisation and consent; Background Common Law Duty of Confidentiality can be set aside by a Section 251 application to the Confidentiality Advisory Group allowing the Secretary of State to make a decision based on advice from them; An application must be submitted to the CAG so they can give this consideration; This is generally suited to one-off or short-term activities and still needs to highlight arrangements in terms of fair processing and how information will be kept secure;

Outline Option 6 – Department of Health Directions to HSCIC Pros of ApproachCons of Approach The request for Directions does not have to be country wide but can be done on a regional or local basis; Time taken to prepare for the regulations to be undertaken; The directions covers the flow of data into the HSCIC but not the flow of data out (unless in format suitable for national publication) This doesn’t cover datasets not within the remit of the remit of HSCIC for processing (therefore not long-term solution); Background Whilst HSCIC (and therefore DSCROs) have the legal basis to process adult social care data a new data flow requires directions from one of a variety of sources – this includes Department of Health, Secretary of State, NHS England, Monitor, NICE or CQC; This however only covers the inbound flow of data – no clear or pseudonymised information can flow out without s251 support or via one of the limited legal gateways in the 2012 Act (The Department of Health is exploring how these gateways work and will advise)

Outline Option 7 – Mixture of the Above Pros of ApproachCons of Approach Allows areas to migrate to long-term solutions over time; Allows those in contact and with a legitimate relationship to the patient to have access to that specified data but all other areas are pseudonymised; Needs time to work through how this is applicable for each locality – there is no one size approach for all; Background In reality areas may wish to implement a mix of the above. Southend for instance has full consent on social care data but not on health data and is therefore making a Section 251 application to the CAG to enable viewing of information across organisations. The model here will therefore be a mixture of S251 and Consent.