PSEUDONYMISATION POLICY
Version / 3
Name of responsible (ratifying) committee / Information Governance Steering Group
Date ratified / 14 March 2018
Document Manager (job title) / Information Governance Manager
Date issued / 27 March 2018
Review date / 26 March 2020
Electronic location / Management Policies
Related Procedural Documents / Data Protection Policy, Confidentiality Code of Conduct, Information Governance Strategy, ICT Security Policy, Information Risk Policy
Key Words (to aid with searching) / Pseudonymisation, Safe Haven, Secondary Use, Information Risk, Data Protection, Information Asset, Information Asset Owner, Information Asset Administrator, Senior Information Risk Owner, Information Governance
Version Tracking
Version / Date Ratified / Brief Summary of Changes / Author
3 / 14 March 2018 / Added new responsibility (section 5.7) for staff who create reports. Revised section 6.3 New Safe Haven Concept to be clearer on what the concept is and how it relates to Trust process. Added additional clarification to section 6.4 Managing Information Flows to explain that report creators need to consider the purpose for which their work will be used and decide whether its contents need to be aggregated and/or anonymised. / P Lago, IT Principal Development Consultant (Data Warehousing)
2 / 15 March 2015 / No material changes – changes to mandatory training requirements and policy monitoring practices / Information Governance Mgr.
CONTENTS
QUICK REFERENCE GUIDE
1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. DEFINITIONS
5. DUTIES AND RESPONSIBILITIES
6. PROCESS
7. TRAINING REQUIREMENTS
8. REFERENCES AND ASSOCIATED DOCUMENTATION
9. EQUALITY IMPACT STATEMENT
10. MONITORING COMPLIANCE WITH PROCEDURAL DOCUMENTS
EQUALITY IMPACT SCREENING TOOL
APPENDIX 1: Provider Business Processes
QUICK REFERENCE GUIDE
This policy must be followed in full when developing or reviewing and amending Trust procedural documents.
For quick reference the guide below is a summary of actions required. This does not negate the need for the document author and others involved in the process to be aware of and follow the detail of this policy.
- Person Identifiable Data (PID) may only be used for Non-Healthcare Medical Purposes (“Secondary Uses”) where there is a legal basis for use (i.e. explicit consent, use is covered by legislation, or where Section 251 approval (of the NHS Act 2006) has been obtained).
- Pseudonymisation is the method employed for de-identifying person identifiable data items for Non-Healthcare Medical Purposes (Secondary Uses).
- The key aim is to ensure, as far as is practical, that individual patients / service users cannot be identified or identify themselves from data that are used to support processes other than their direct care or to quality assure the care provided.
- Where this is not practicable data should flow through business processes that minimise the risk to data.
- A new Safe Haven concept relates to the restricting of access to identifiable data only when required to support a primary, clinical purpose or for other activities legitimately requiring access to identifiable information such as record linkages.
- The Trust’s primary New Safe Haven sits with the Trust’s Data Warehouse (Chimera). The data warehouse is the only Information Asset to employ pseudonymisation functionality and where this functionality extends to all Information Assets that sit within the data warehouse.
- Secondary New Safe Havens relate to roles / posts which are required to create reports and analysis for legally valid purposes which use Patient Identifiable Data.
- The Trust’s Flow Mapping Registers are tools used to identify and manage the risks associated with flows / transfers of PID. They are also a means of identifying potential exchanges of PID for Non-Healthcare Medical Purposes.
1. INTRODUCTION
1.1 This policy has been developed to support the establishment and maintenance of the data protection and Information Governance (IG) functions and assurance.
1.2 Person Identifiable Data (PID) may only be used for Non-Healthcare Medical Purposes (“Secondary Uses”) where there is a legal basis for use such as explicit consent, use is covered by legislation, or where Section 251 approval (of the NHS Act 2006) has been given by the Health Research Authority (HRA) for research applications and the Confidentiality Advisory Group (CAG) for both research and non-research applications[1].
1.3 This is clearly set out in the NHS policy and good practice guidance document, Confidentiality: the NHS Code of Practice, which states the need to ‘effectively anonymise’ patient data prior to use for Non-Healthcare Medical Purposes.
2. PURPOSE
2.1 This policy provides the framework for how the Trust will manage the use of patient identifiable data for secondary use purposes.
2.2 Its implementation and adherence will support compliance with a number of Information Governance Toolkit (IGT) requirements, the Data Protection Act (1998) and the NHS Pseudonymisation Implementation Project.
2.3 The requirement to implement is contained within the Informatics Planning 2010/11 component of the Operating Framework 2010/11. Implementation compliance is to be achieved through performance management of provider organisations and the use of the IGT.
3. SCOPE
3.1 This policy is applicable to all areas of the Trust and is primarily for the attention of the Trust’s Information Asset Owners (IAOs) and Information Asset Administrators (IAAs).
3.2 All staff using PID and all staff using data for Non-Healthcare Medical Purposes (Secondary Uses) should be aware of the key principles of the Policy.
‘In the event of an infection outbreak, flu pandemic or major incident, the Trust recognises that it may not be possible to adhere to all aspects of this document. In such circumstances, staff should take advice from their manager and all possible action must be taken to maintain ongoing patient and staff safety’
4. DEFINITIONS
4.1 Pseudonymisation – the method employed for de-identifying person identifiable data items for Non-Healthcare Medical Purposes (Secondary Uses).
4.2 Person Identifiable Data (PID) – any data about an individual that could potentially identify that person.
4.3 Personal Confidential Data (PCD) – the term introduced in the Caldicott 2: Information Governance Review and which may supersede the term Person Identifiable Data.
4.4 Healthcare Medical Purposes (“Primary Uses”) – uses which “directly contribute to the diagnosis, care and treatment of an individual” or “the audit / assurance of the quality of the healthcare provided”.
4.5 Non-Healthcare Medical Purposes (“Secondary Uses”) – uses such as for preventative medicine, medical research, financial audit and the management of health (and social) care services.
4.6 Integrated Care – National Voices’ ‘A narrative for person-centred, co-ordinated care’ provides a definition of what good integrated care and support looks and feels like for people: “I can plan my care with people who work together to understand me and my carer(s), allow me control, and bring together services to achieve the outcomes important to me.”
4.7 Information Governance Compliance Framework – an Information Governance compliance monitoring and management tool on the Trust intranet.
4.8 Information Governance Toolkit – a nationally created website used by organisations engaged in NHS funded care to record and evidence their information governance compliance.
4.9 Information Assets – in general Information Assets will be administration systems or databases used to process PID directly or used in any way that has the potential to affect the confidentiality / integrity / availability / legal processing of PID. The following outlines the main examples of Information Assets:
- Databases and data files
- System information and documentation
- Back-up and archive data
- Operations and support procedures
- Audit data
- Applications and system software
- Data encryption utilities
- Development and maintenance tools
- Paper records (including patient care notes and staff records)
- Environmental services necessary for the safe operation of Information Assets (e.g. power and air conditioning)
- Business continuity plans
5. DUTIES AND RESPONSIBILITIES
5.1 The Chief Executive has overall responsibility for information governance and Data Protection compliance at the Trust.
5.2 Senior Information Risk Owner (SIRO). The SIRO acts as an advocate for information risk on the Board and is responsible for the Trust’s Information Risk Policy, which has the network and management of Information Assets in common with this Policy.
5.3 The Caldicott Guardian has overall responsibility for ensuring that all information related to patients / service users is used confidentially, accessed legitimately and handled with appropriate safeguards.
5.4 The Information Governance Manager has day-to-day responsibility for all aspects of Information Governance and co-ordinates the Trust’s Information Asset Registers.
5.5 Information Asset Owners (IAO). IAOs are senior individuals involved in running the relevant business / service areas. The IAO role is to:
- understand and address risks to the information assets they ‘own’
- provide assurance to the SIRO on the security and appropriate use of these assets
5.6 Information Asset Administrators (IAA). IAAs provide support to their IAO. To do this they will:
- ensure that policies and procedures are followed
- recognise potential or actual security incidents
- consult their IAO on incident management
- ensure that information asset registers are accurate and maintained and kept up-to-date
5.7 All staff who create reports, data sets and/or analysis must consider the intended audience for their work. If the data is to be used for Non-Healthcare Medical Purposes then it must be either aggregated (counts of people but nothing which can identify individuals), anonymised or pseudonymised.
5.8 All staff (including temporary and agency staff) are personally responsible for ensuring that they comply with Information Governance requirements and policies.
6. PROCESS
6.1 Aim
The key principle is to ensure, as far as is practical, that individual patients / service users cannot be identified from data that are used to support processes other than their direct care or to quality assure the care provided.
Where this is not practicable data should flow through business processes that minimise the risk to data. In many circumstances this requires data to be received by part of the Trust designated as a New Safe Haven where it can be processed securely and only used in an identifiable form for specific authorised procedures within the New Safe Haven boundary. Onward disclosure for Non-Healthcare Medical Purposes should be limited to pseudonymised or anonymised data.
6.2 Pseudonymisation
Pseudonymisation is the method employed with data for Non-Healthcare Medical Purposes (Secondary Uses) for de-identifying person identifiable data items. When pseudonymisation techniques are consistently applied the same pseudonym is provided for the same patient across different data sets and over time. Removal of identifiers can also be used: however, this will prevent de-identified records from being linked.
It is possible to produce consistent pseudonyms using techniques that do not allow the pseudonym to be reversed (to re-identify individuals). The use of irreversible pseudonyms allows the linkage of records for the same individual at the same time as effectively anonymising these records.
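The following added example (not part of the policy or the Trust's Chimera warehouse) shows one way of producing consistent, irreversible pseudonyms as section 6.2 describes: a keyed one-way function (HMAC-SHA256) over the normalised NHS number. The key, the field names and the sample records are all constructed for illustration; the key would be generated and held only inside the New Safe Haven.

```python
import hashlib
import hmac

# Constructed example key. In practice it is generated inside the New Safe Haven
# (the data warehouse) and never leaves it; anyone without it cannot recompute
# or reverse a pseudonym, which is what makes the output effectively anonymised.
SAFE_HAVEN_KEY = b"example-key-held-only-inside-the-safe-haven"

# Fields treated as direct identifiers and dropped from the de-identified output.
DIRECT_IDENTIFIERS = {"nhs_number", "name", "dob", "postcode"}


def normalise_nhs_number(nhs_number: str) -> str:
    """Strip spaces and hyphens so the same patient always yields the same input."""
    return "".join(ch for ch in nhs_number if ch.isdigit())


def pseudonymise(nhs_number: str, key: bytes = SAFE_HAVEN_KEY) -> str:
    """Keyed, one-way pseudonym for an NHS number.

    Consistent: same key + same identifier -> same pseudonym across data sets
    and over time, so de-identified records can still be linked.
    Irreversible: the HMAC cannot be inverted, and without the key a third
    party cannot confirm a guessed NHS number by recomputing the value.
    """
    data = normalise_nhs_number(nhs_number).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def deidentify(records):
    """Replace the NHS number with its pseudonym and drop direct identifiers."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonymise(r["nhs_number"])
        out.append(row)
    return out


def link(a, b):
    """Join two de-identified data sets on the pseudonym (inner join)."""
    index = {r["pseudonym"]: r for r in b}
    return [{**ra, **index[ra["pseudonym"]]} for ra in a if ra["pseudonym"] in index]


# Constructed sample extracts (NHS numbers are placeholders, not valid numbers):
# an outpatient extract and a later pathology extract for the same patient.
OUTPATIENTS = [
    {"nhs_number": "999 000 0001", "name": "A. Patient", "dob": "1970-01-01",
     "postcode": "PO1 1AA", "clinic": "Renal"},
    {"nhs_number": "999 000 0002", "name": "B. Patient", "dob": "1980-02-02",
     "postcode": "PO2 2BB", "clinic": "Radiology"},
]
PATHOLOGY = [
    {"nhs_number": "9990000001", "name": "A. Patient", "dob": "1970-01-01",
     "postcode": "PO1 1AA", "test": "eGFR"},
]

if __name__ == "__main__":
    # Linked output carries clinic and test results but no direct identifiers.
    print(link(deidentify(OUTPATIENTS), deidentify(PATHOLOGY)))
```

Simply deleting the NHS number, as the section notes, would leave nothing to join the two extracts on; the keyed pseudonym preserves that linkage while a different key (or no key) gives an unrelated value.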
6.3 New Safe Haven Concept
The NHS has used Safe Havens for over 20 years to ensure the safety and secure handling of confidential patient identifiable data. The first use was to provide security when faxes were used to transmit patient data between providers and purchasers. In such cases a physical location of a locked room was used to restrict access to fax machines and the patient identifiable data.
Rather than just being an access controlled secure physical location, the New Safe Haven can be considered in terms of access control and data management arrangements as these indicate which data can be accessed by what means and by whom.
The New Safe Haven can be defined in terms of
- the activities to be undertaken to support de-identification
- posts/people authorised to access identifiable data for the purpose of supporting de-identification
- posts/people authorised to access identifiable data for the purpose of supplying identifiable data to authorised users
- posts/people authorised to perform data quality, data derivations, and data linkage (between data sets) on patient identifiable data
- the facilities and technology necessary to support the activities.
From a technology perspective, the Trust’s primary New Safe Haven sits within the data warehouse (also known as Chimera). The data warehouse is the only Information Asset to employ pseudonymisation functionality which covers all Information Assets whose data is held therein.
The Trust’s secondary New Safe Havens will be aligned to its:
- Information Asset management structure – for the purpose of managing user accounts / access
- Flow Mapping Database management structure – for the purpose of restricting transmission of PID to instances where:
  - It supports a Healthcare Medical Purpose
  - There is explicit consent
  - Use is covered by legislation
  - Section 251 approval has been obtained
The secondary New Safe Havens are based on posts and the role they are required to perform. Predominately these are people who are required to prepare reports and analysis which require Patient Identifiable Data. Such people will fall into one of the following categories:
- Data Warehouse administration team
- Information Services
- Designated Finance Income Analysts
- Data Quality teams
- Data Analysts / System Administrators for specific teams, e.g. Renal, Radiology, Theatres, Critical Care etc.
6.4 Managing Information Flows
The Trust’s Flow Mapping Databases are tools used to identify and manage the risks associated with flows / transfers of PID. They are also a means of identifying potential exchanges of PID for Non-Healthcare Medical Purposes and, where recorded as such, the Information Governance Manager will raise to relevant staff for attention and action.
Members of the secondary New Safe Haven have a responsibility to ensure that they consider the audience and purpose for which their report, analysis or data set is intended. Where their output will be used for Non-Healthcare Medical purposes then it must conform to one of the following:
- Use only pseudonymised or anonymised data
- Only contain aggregated data (counts of people rather than a list of individual patients). It should be noted that where a count shows less than 5 people, the criteria used to group the data (e.g. postcode area, gender, age, GP practice) should not be so specific that an end user could deduce which patient is being referred to.
Further information and guidance on these processes can be found in the ISB 1523 Anonymisation Standard for Publishing Health and Social Care Data Specification (Process Standard).
6.5 User Access to PID
The Trust’s Information Asset Registers are tools used to identify and manage the risks associated with assets that directly or indirectly affect or influence the management of PID. They have formal management structures (Information Asset Owners and Information Asset Administrators) and known responsibilities.
Information Asset Owners / Administrators must determine the level of access each user of the Asset should have based on the purpose (where this is functionally possible), e.g.:
- Full Access
- Pseudonymised Access
- Anonymised Access
The Confidentiality: NHS Code of Practice is the definitive guidance to information access and disclosure. The Trust has also implemented a User Access Tool to manage access and evidence it is justifiable.
Whilst justifying access is not entirely straightforward (e.g. special cases of ‘need to know’, or where legal exemption is being sought at a national level but not yet concluded), the Trust has adopted the following guidance, based on the Confidentiality: NHS Code of Practice and the Pseudonymisation Implementation Project Reference Papers.
Ref. / Purpose of Access / Justification
1a / Face to face clinical interactions with the patient / Full access
1b / Information required as part of the referral or treatment process (e.g. use of PAS, writing clinic letter)
1c / Managing appointments for care
2a / Auditing the quality of care within an organisation
2b / Auditing the quality of care within a care pathway provided across several organisations
2c / Monitoring the safety of interventions
3a / Public health monitoring
3b / Drug safety monitoring (including particular activities aimed at improving the quality of clinical data reporting)
4a / Research purposes (allowed regardless of any obligation of consent provided approved by the Secretary of State and ethics committee)
5a / Data quality, data derivations and linkage of records undertaken within a Safe Haven environment
5b / Data quality, data derivations and linkage of records undertaken outside a Safe Haven environment / Access to de-identified data only
6a / Ensuring that providers of care are properly reimbursed for the care they have provided (e.g. Payment by Results) *
6b / Reducing waiting times – the Referral to Treatment Initiative *
6c / World Class Commissioning *
7a / Invoicing (from provider to commissioner and which do not contain NHS Number, dates of birth and post codes) ** / Access under certain conditions (see **)
8a / Other purpose not listed above / Seek advice from IG Manager
* The position on the use of confidential information for these purposes is that their use may only be legal with the creation of new Regulations under Section 251 of the NHS Act 2006. However, many of these purposes are currently mandatory or carry significant financial implications. Pragmatically, data should be ‘effectively anonymised’ where possible, or the Trust should seek proactive ways of minimising the use of personal data.
** For detailed invoicing guidance see page 16 onwards of Reference Paper 2 – Guidance on Business Processes and Safe Havens.
Additional definitions or purposes may be added as national guidance or other precedents dictate.
6.6 Information Sharing with NHS Commissioners
The legal and structural changes introduced in the Health and Social Care Act 2012 (H&SCA) restrict access to personal confidential data. In general, commissioners and other users of secondary data must use pseudonymised data or obtain the patient’s explicit consent. Staff involved in providing direct care to patients are, of course, still able to access their own patients’ confidential data on the basis of implied consent.
There are no general powers under the 2012 Act for CCGs or NHS England to process confidential patient information for the purposes of commissioning. However, there is statutory support providing a legal basis to process specific types of data for specific purposes. Additionally, patient consent can also provide a legal basis.