The NHS struck four "data-sharing" deals with three re-insurance companies that allowed them access to patient information under agreements that don't expire until 2015 and 2016.
That's among the shocking findings of a review of data released by the NHS Information Centre - the predecessor to the Health and Social Care Information Centre, which is responsible for overseeing the shambolic care.data scheme that was delayed for six months earlier this year, after critics and GPs slammed the plans on privacy and trust grounds.
In a new report (PDF), penned by HSCIC non-exec director Sir Nick Partridge, it is disclosed that 588 data packages were sold to "a range of private sector organisations, typically for the purpose of analytics, benchmarking and research" between April 2005 and March last year.
Alarmingly, in two incidences, Partridge said that it had been impossible for independent auditors Pricewaterhouse Coopers - which examined 3,059 releases (PDF) - to identify the organisations and private companies that had received data from information retained by the IC.
He added that, although the HSCIC was created in the wake of supposedly tighter controls of medical records being shared based on legislation laid out in the Social Care Act, the NHS had kept on staff and procedures from the IC.
There was no single gateway into the NHS IC where data requests could enter and there were too many disparate, disjointed processes for the sharing of data. The process for ensuring the appropriate deletion of data at the end of an agreement was inadequate.
And, on a more technical point, there was confusion regarding the differences between a Data Sharing Agreement and a Data Re-use Agreement, and in what circumstances they were appropriate.
The upshot of all these defects is that it is not clear if data has been released for appropriate purposes in all cases.
Partridge recommended nine different measures in response to the damning findings. He said it is vital:
- That the HSCIC undertakes a programme of work to ensure that data has been deleted appropriately for all data releases referenced in the PwC report, where the agreement has ended.
- That the HSCIC develops one clear, simple, efficient and transparent process for the management of all data releases.
- That the HSCIC implements a robust audit function, which will enable ongoing scrutiny of how data is being used, stored and deleted by those receiving it.
- That the HSCIC publishes its policy, process and governance for the release of data.
- That the HSCIC ensures there is clear, transparent and timely decision making, via the appropriate governance for all data releases, and that all decisions are documented and published on its website.
- That the HSCIC implements a robust record keeping approach and that the details of all data releases (including the purpose for which they are released) are made available on its website.
- That the HSCIC develops one Data Sharing Agreement, which is used for all releases of data, and which includes clear sanctions for any breaches.
- That the HSCIC actively pursues a technical solution to allow access to data, without the need to release data out of the HSCIC to external organisations.
- That the HSCIC quarterly Register of all data releases includes the number of law enforcement agencies’ person tracing requests processed by the National Back Office. The Register will also include all data being released under NHS IC data sharing agreements, ensuring it is providing a comprehensive account to the public of all data being shared.
The review also revealed that between 2008 and 2013 law enforcement authorities made 28,744 trace requests to help identify individuals in an attempt to access "very limited information about the health area in which the person was, or was last, registered with a GP."
The records of 10,647 patients were successfully traced, the PwC report found.
"To earn the public's trust in future, we must be able to show that our controls are meticulous, fool-proof and solid as a rock," Partridge said.
But privacy campaigner Phil Booth of MedConfidential slammed the NHS for its pitiful record.
"HSCIC clearly know they are in a mess – data sent into black holes, limited information on a tenth of releases, no information on the uses to which data was put, no proper audit or audited deletions and dozens of commercial re-use contracts still in operation," he said. “This all has to be fixed, and be seen to be fixed, before NHS England can be allowed to proceed with any plan to hoover up yet more data."
He warned that the care.data scheme "could be a re-run of IC/Dr Foster 2006," if England's health service failed to act.
HSCIC boss Andy Williams said that the body had accepted the recommendations from Partridge and added that he wanted to "draw a line under the past". ®