Researchers from Oxford University say that patients are not being adequately informed about possible secondary uses of their medical data for research and are "misled about the level of anonymisation of their data and the likelihood of re-identification"
The criticism is in a paper "The limits of anonymisation in NHS data systems" which was published yesterday by the British Medical Journal [2 February 2011].
The paper brings to the fore arguments over whether a patient's health data can remain confidential in an era of data collection and sharing, and what the paper calls the "increasing commercialisation of patient data".
Some researchers argue that it is easier to find out what treatments and drugs work, or don't tend to work, if the identity of the patient is known; and that genuinely anonymous data, as well as informed consent, would jeopardise the integrity of research and audit, which would hinder the progress of medical knowledge and could lead to incorrect conclusions.
The counter argument is that patients have a right to believe that their health records will remain confidential, and shared only with doctors and nurses who are treating them. Indeed few patients are aware that their GP-held medical records are being uploaded to the Secondary Uses Service [SUS] database which is run by NHS Connecting for Health under the National Programme for IT, NPfIT.
Officials at the Department of Health and NHS CfH say that health researchers cannot usually view extracts from the SUS database unless the data has been made anonymous or rendered mainly anonymous, a process called pseudonymisation. CfH describes pseudonymisation as a "method which disguises the identity of patients while allowing patient linking analysis such as longitudinal or readmission analysis".
But Ian Brown, Lindsey Brown and Douwe Korff of the Oxford Internet Institute, Oxford University, say in their BMJ paper:
"... Patients are not currently being adequately informed about possible secondary uses of their medical data for medical research; are not asked to give clear, specific, free and informed consent; are not offered unambiguous and effective opt-outs; and are misled about the level of anonymisation of their data and the likelihood of re-identification".
The paper's authors say that NHS data systems generously support the use of health data for research purposes, whenever the data is deemed anonymous or pseudonymous.
But there are serious misunderstandings of the science concerning anonymity; and there are "contradictions and unacceptable obfuscations in the official presentation of the facts and proposals".
The paper adds: "The Department of Health claims that patient data accessible through SUS [ Secondary Uses Service] should be available for use in medical research without consent, because the patient cannot be identified from such data. On the other hand, researchers want to be able to make historical or other linkages with data, and therefore data in SUS are only 'partially pseudonymised'.
"The current framework for regulating access to information through the NHS Secondary Uses Service allows the use of the data for 'health research' through three different routes:
- with the explicit consent of the patient
- by special permission from the National Information Governance Board (NIGB); and,crucially, - if the information has been pseudonymised (key coded)."
Re-identifying patients from partly anonymous data may not be difficult say the authors.
"Merely replacing name and address with postcode and date of birth achieves a level of de- identification that is trivially reversible: as a postcode typically contains about twenty houses, almost all patients are easily identifiable by reference to these facts," says the paper.
Neither the NHS nor the Medicines and Healthcare Products Regulatory Agency adequately address the serious issue of re-identification of anonymised or pseudonymised data, says the paper.
"Policymakers are not paying sufficient attention to the increasing difficulty of ensuring real anonymity in an environment in which data are ubiquitously gathered and shared. The risk of re-identification of patient data is greatly increased if the data are linked to other major datasets - as is expressly being done in GPRD and is inherent in the very concept of SUS.
"In an era of ubiquitous data collection and dissemination, and ever increasing commercialisation of patient data, the risk to data privacy and confidentially is growing significantly.
"It is irresponsible to insist that no regulation and governance (i.e. the requirement for individual consent) should interfere with researchers' access to health records or record linkage capabilities.
"While important, anonymity alone cannot be relied upon to protect the interests of participants..."
The Academy of Medical Sciences "proposes further relaxing" the rules, says the paper. The Academy's mission, it says, is to "ensure better healthcare through the rapid application of research to the practice of medicine".
In December 2010, the same authors questioned in a paper whether it is legal for researchers to use electronic patient records from NHS databases without explicit patient consent.
They said that the Secondary Uses Service and the General Practice Research Database are both characterised by a "serious lack of transparency, with patients not adequately informed of the potential research uses of their records".
Thanks to Neil Bhatia for spotting the importance of the BMJ paper.
The limits of anonymisation in NHS data systems - BMJ paper, published 2 February 2011.