Apollo patient data mining software may breach DPA

Tags: Confidentiality DH GP GPs Security

31 Oct 2006

A primary care IM&T adviser has recommended that GP practices do not use Department of Health supplied software to extract data for a patient survey because of concerns over patient confidentiality.

Dr Simon Barton, GP IM&T adviser for Cornwall, wrote to all practices after the DH issued instructions to practices on how to use software from Apollo Medical Systems to extract patient-identifiable data for its GP Patient Survey entitled “Your Doctor, Your Experience, Your Say.”

The survey, which is also the subject of a separate dispute between GP representatives and the DH over the content of the questions, is designed to ask patients who have recently been seen in practices about their experience of getting access to services as part of a directed enhanced service (DES) scheme.

Dr Barton has advised GPs who want to take part in the survey to instead allow the data to be extracted from the NHAIS registration system. He claims GPs should be wary of allowing information to be extracted from their systems and sent to MORI, the company carrying out the survey, because as data controllers they are responsible for complying with the Data Protection Act.

Dr Barton says the Information Commissioner’s guidance on how the act should be interpreted for health records means that legitimate reasons for releasing personal data are if the patient has given informed consent, if it is required by law, if it is required by the NHS for administrative purposes and the data will remain within the NHS or if an acceptable data sharing agreement is in place which defines how the third party will use the data, their own security arrangements and employee confidentiality agreements.

He says the DH’s own letter to practices says data cannot be released “until data sharing agreements are in place” and claims practices faced unnecessary haste to sign up to using the software,

He told EHI Primary Care: “The Department of Health sent out the letter to practices the week before last and it arrived on the Friday, just before half term. Practices were told they then had to download the software and click ‘yes’ to the conditions by the following Wednesday to enable names and addresses to be sent to MORI. I think it’s a slightly bullying letter which was done in such a rush that practices couldn’t take a considered view on it.”

Since then, the deadline for downloading and installing the software has been extended to 1 November. But Dr Barton’s advice not to use the software remains.

A spokesperson for the Information Commissioner’s office told EHI Primary Care that if a data sharing agreement was in place between MORI and the NHS the extraction of data would not be in breach of the Data Protection Act.

However, she added: “If there was a breach of confidentiality at MORI the NHS would be responsible for that.”

A letter from the DH to GPs on data extraction for the survey says both proposed methods, using Apollo software and via NHAIS, will meet Data Protection requirements.

It adds: “For both methods no patient details can be passed to the GP Patient Survey provider until the data processing agreements to meet requirements under the Data Protection Act are in place.”

Dr Barton is right

mary.hawking@nhs.net

31 Oct 06 22:10

GPs are the data controllers *and* have a duty of confidentiality. Receiving a questionnaire implies that the recipient has had an appointment: my understanding is that this will not be corrected in patients sent questionnaires on random selection via Exeter. There is no way that putting up posters in the waiting room *after* the close of the selection window(July to December - letter received, I think, 25th October - the date by which we should have downloaded the software) could be considered to provide the information necessary to give - or refuse - consent for this use of that information.

My practice, for a number of reasons, is likely to withdraw from the DES questionnaire altogether: it will be interesting to see whether this will protect my patients from receiving questionnaires.

Is confidentiality really the issue?

01 Nov 06 09:11

The DoH have prepared a written contract that protects the GP Practices from any possible misuse of the information. Let's be honest here - the issue that has annoyed Practices is the additional questions. The bunfight over notices is smoke and mirrors as the information is passed to the NHAIS system anyway - its just the appointment date that will not be available. Where are the posters telling people that this already happens? What damage or distress will occur by receiving a voluntary survey letter? The purpose is compatible with health purposes. Instead the stance by some GP Practices means the survey will not be able to target the specific audience and the lack of co-operation means we pay more tax and send letters to the wrong people.

Data protection & confidentiality

paul.smith@gp-n81030.nhs.uk

01 Nov 06 09:11

What data protection and what patient confidentiality. All of our data freely available via QMAS & QOF strangers can come in and look at anything they want just need a badge that saays 'PCT'. The DH guidlines for confidentiality cover all the bases in terms of fraud checks accountability etc. The apollo system has just extracted over 4,500 patients data from our list of 11,500 whereas our QOF patient survey we ask about 450 patients to complete a survey in house, and some of them having made an appointment a day or two before cannot remeber whether they had made it on the day or in advance? What price patient confidentiality what price access?

Data Protection guidance

stewart.smith@cd-tr.wales.nhs.uk

01 Nov 06 09:11

Far be it from me to argue with the Information Commissioner, but what happened to the Fair Processing principle? There is no way that patients would expect this use of their personal data, even if it is a so-called "admministrative purpose", or supposedly protected by an information sharing agreement. When will we start telling patients what we do with their data and getting consent? We have had Data Protection law for 20 years and are still struggling with it.

Data Protection is not the issue

01 Nov 06 11:11

The BMA seem to be advising that we write to patients asking for consent to send them a survey. Then we send the survey to those that consent. Why not put the letter and VOLUNTARY survey in the same envelope - sounds too easy? Am I missing something here?