Many of us would suppose that when personal medical information is looked at by researchers it is in an anonymous form. In the future that may not be quite the case.
Health information that is accessible to researchers as a result of the NHS’s National Programme for IT [NPfIT] will be “pseudonymous” which, it turns out, is significantly different from anonymous.
To our knowledge, no definition of pseudonymised had been given until 26 April 2007, at a hearing of the House of Commons’ Health Committee, into aspects of the NHS’s National Programme for IT [NPfIT].
It transpired at the hearing that pseudonymised means that researchers will have access to personal health records that have no identifiable information except a postcode and a date of birth.
In a densely residential area it will difficult to identify anyone from their date of birth and post-code. But in rural districts a post-code may encompass as few as four or five dwellings. In this event it would be easy to identify the patient from a date of birth.
So a pseudonymised record may be one that identifies the patient. On the basis of a post code and date of birth, researchers could associate a personal health record with the patient.
Some will say that this doesn’t matter: the confidentiality of patient information should take second place to being able to aggregate a mass of patient records to ascertain the likely causes of diseases, or to highlight the success or otherwise of certain drugs and treatments.
Others will say that patients would give their consent to having their records looked at or aggregated provided they know what is happening, what the information will be used for.
The problem is that it is difficult to know what is going on. For the outsider trying to look into the NPfIT, it’s like being torchless and negotiating your way around a maze of unlit tunnels.
What is known is that the NPfIT includes a “Secondary Uses Service” that is based on pseudonymous information. On the website of Connecting for Health, which runs the NPfIT, there appears to be no definition of pseudonymous.
A document on the CfH website says the vision for the Secondary Uses Service is to “capture, process and enable access and reporting on all data relating to NHS-commissioned activity”. It says: “The potential uses for an epidemiological database covering the whole of England are huge, with an impact on public health, research and development and ultimately on the quality of care provided.”
Another document on the CfH website says, vaguely, that pseudonymising is a “method which disguises the identity of patients while allowing patient linking analysis such as longitudinal or readmission analysis”. It adds that a pseudonym will be created for each patient identifiable data item and placed in a suitably allocated space in the records transmitted via Secondary Uses Service or held in the SUS database.
“It will not be possible to discover the original data without recourse to a strictly controlled and authorised de-pseudonymisation process.”
“Information used for purposes other than direct clinical care will be provided only in anonymous (or pseudonymous) form.”
Paul Cundy, a family doctor and joint chair of the British Medical Association’s GP IT committee today [[27 April 2007] questioned the legality of the Secondary Uses Service.
He said the law requires that personal, confidential medical records can be used for research only if patient-identifiable data is anonymous or patients have given specific consent.
Dr Cundy said: “Anonymisation is an absolute condition [for research]. Data is either anonymised or its not. Saying something is pseudonymised is a clever way of avoiding saying its not anonymised. On the basis of the evidence we heard yesterday [at the Health Committee on 26 April 2007] it would seem that the Secondary Uses Service is illegal”.