HSCIC tightens controls over patient data following data lapse

The Health and Social Care Information Centre (HSCIC) aims to guarantee stricter controls over the use of patient data within the NHS

The Health and Social Care Information Centre (HSCIC) has released a number of steps that it claims will guarantee stricter controls over the use of patient data within the NHS.

The HSCIC hopes its new guidelines will also guarantee greater openness and reassurance to the public, as well as better clarity for end data users.

The steps come after a review was made into the data releases of the HSCIC’s predecessor, the NHS Information Centre (NHSIC), whose role from April 2005 to March 2013 was to collect and manage health records data, including sharing it with third parties under data-sharing agreements that restricted its use.

During the review, data lapses were discovered, where two cases of data went missing.

“It disappoints me to report that the review has discovered lapses in the strict arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly,” stated Nick Partridge, a non-executive director of the HSCIC and leader of the review.

The review made a series of recommendations to the HSCIC Board, which have all been accepted. 

Partridge stated that the HSCIC must learn lessons “from the loosely recorded processes” of the NHSIC.

“The public simply will not tolerate vagueness about medical records that may be intensely private to them,” he said in the report. “We exist to guard their data and we have to earn their trust by demonstrating scrupulous care as to how we handle their personal information.”


The Partridge Report comes three months after the Care.data furore during which the NHS was forced to put its plans to expand the collection of patient care data on hold.

The NHS has since admitted that failures to communicate the benefits and safeguards of Care.data to the public caused the outrage, and in turn the delay to the programme.

In February, NHS England was experiencing increasing pressures from medical groups to reconsider its roll-out of the Cae.data scheme, until it decided to finally to delay the roll-out by six months.

Two weeks later, on 5 March 2014, Partridge was asked to lead a review of data releases of the NHSIC.

In the report, Partridge stated that there was an “added importance and urgency” to conduct the review due to the “growing public interest” in the Care.data plans.

“The revelation that the NHS IC had released data to an actuarial body added to public concern, amidst a wide misunderstanding that personal medical records were being easily accessed by insurers,” he said. “Further concerns expressed by the Health Select Committee on 25 February 2014 prompted the HSCIC Board to ask me to lead a review of all the data releases made by the NHS IC, its predecessor organisation.”

"Administrative failue"

As part of the review, Partridge commissioned PricewaterhouseCoopers (PwC) to carry out independent inquiries into data-sharing agreements over the NHSIC’s existence.

The review turned up an “administrative failing” where two cases of data were released without any record of which organisation had received the data.

Partridge stated: “Data of this type should not have been released without a data-sharing agreement including restrictions on how the data should be stored, used and eventually destroyed – all of which should have been monitored by the NHSIC.”

The report states that staff are still trying to track down the data, and believe that the lapses “may have been harmless”, meaning that no identifiable or potentially identifiable data went missing.

“To earn the public’s trust in future, we must be able to show that our controls are meticulous, foolproof and solid as a rock,” said Partridge.

Andy Williams, HSCIC chief executive, added: “In the interests of building an organisation that gains public confidence, I want to draw a line under the past. It is vital we learn valuable lessons from a previous time but we need to move forwards now and focus on ensuring our processes and decisions are robust, clear and transparent.

The HSCIC Board has agreed a programme of work put forward by HSCIC chief executive Andy Williams for positive change:

1. Patients and public representatives will be part of the new membership of the HSCIC’s data oversight committee, the Data Access Advisory Group (DAAG). This work will be overseen by the Confidentiality Advisory Group, which will gain statutory powers later in the year.

2. All data agreements will be reissued, to ensure activity is centrally logged, monitored and audited, resulting in a clear and transparent process. Decisions will be documented and published.

3. A new, strengthened audit function will monitor adherence to data-sharing agreements and halt the flow of data if there are any concerns exposed. This will also monitor that data has been deleted when an agreement comes to the end. Any failure on the part of data users to abide by their agreements will entail no further release of data to them.

4. A programme of active communication to the public and patients will help to bring greater clarity about an individual’s right to object to their data flowing to or from the HSCIC.

5. A list of all active data-sharing agreements will be published in the HSCIC quarterly register, including 14 that originated in the NHS IC. Numbers of all people tracing requests by law enforcement agencies will also be included.

6. Working with partners through the National Information Board, we will begin a public consultation and vision for a new national collection strategy for health, public health and social care data, and report by May 2015 on its findings.

7. The HSCIC will take forward its new responsibility to oversee NHS data security across the health and social care sector, to ensure best practice is followed and the most up-to-date technology is employed to protect patients.

8. The HSCIC will plan a new "data laboratory" service that will protect the public’s information by allowing access to it in a safe environment with HSCIC managed networks and facilities.

9. The HSCIC will work towards the externally assessed, highest industry standards of ISO27001 for data security, and ISO9001 for data management, as part of its efforts to build public confidence.

10. The HSCIC intends to invite stakeholders to a meeting to discuss the implications of these actions and gain views about their effectiveness in helping maintain secure and trusted information systems on 15 July.

Read more on Healthcare and NHS IT