Confidentiality
Background
Since the NHS began, staff have collected information about patients to improve patient care. We also collect personal and health information to help deliver appropriate care and treatment. This information is also needed for administrative, public health, and audit and research purposes, which all contribute to improving people's health.
In Scotland, ISD brings this information together and manages it at a national level. We have published a leaflet Protecting Personal Health Information - Information Guide for Patients which explains our approach. We also have a leaflet explaining the Cancer Registry data.
Protecting Patient Privacy
ISD protects patient confidentiality in a number of ways:
Data Protection Act 1998
ISD's work is included within the entry for NHS National Services Scotland in the register of data controllers [link] maintained by the Information Commissioner. We follow the principles of the Act which governs how we use personal data.
Confidentiality roles for ISD staff
We have detailed rules about the care and release of confidential data. All new staff must read these and sign that they understand and accept the rules. Staff re-sign every year. Staff also have confidentiality clauses in their contracts.
Privacy Advisory Committee (PAC)
PAC advises ISD and General Register Office for Scotland (GROS) on the right balance between protecting personal data and making data available for research and audit. It makes sure that any information releases are carefully controlled.
If you want to use Scottish Morbidity Records (SMRs) for medical research, you must apply to the PAC.
Find out more and how to apply
Anonymised form of the national database
Most of our analysis is done on an anonymised form of the database. Only a limited number of trained staff can access patient identifiable information with special permission for a set time. All access to this information is recorded and audited.
Protecting patient confidentiality
The Confidentiality and Security Advisory Group for Scotland (SCAGS) published a report in 2002 which recommended improvements in how NHSScotland protects the privacy of patient data when data are used for public health planning, patient care and public health improvement. We reviewed how we process national datasets in light of this review and the following reports set out the good practice guidelines we produced as a result.
- Managing Patient Identifying Data: Best Practice Guidelines
[76kb] - Anonymisation: NHSScotland National Data Sets [164kb]
Audits
We regularly audit our confidentiality and security practice. In 2008 we completed a dataset review, which aimed to make sure all our datasets are of business value and contain no unnecessary identifiable data.
Research using personal data
The data that health organisations hold are potentially very useful for research. We are keen to support researchers who want to use our data. However, they must follow current legal and ethical guidelines. Many researchers feel that this puts too many barriers in the way of access to data. The report below shows the discussion from a meeting held in Edinburgh in November 2006 to look at these issues and suggest solutions.
Research Using Personal Data [83kb], a report on the discussions
Secondary uses of health information
NHSScotland collects and uses a large amount of data. Information collected while caring for patients is increasingly used in secondary ways for example to:
- plan services,
- track progress in improving health, and
- spot new threats to health.
We have developed electronic information systems to help us do this and this area will continue to develop. New systems of governance have also been put in place to make sure that privacy is not affected by these developments.
Patient confidentiality and disclosure control
Maintaining patient confidentiality is central to our work. We take particular care when supplying tables with small numbers which could potentially lead to disclosure. Disclosure is when confidential information is released either directly or indirectly in breach of laws or public trust.
Statistical disclosure control is how we reduce the risk of disclosure by suppressing, aggregating or modifying data before release. Our Statistical Disclosure Protocol is based on the guidance released by the Office of National Statistics in 2006 and was introduced in March 2009.
ISD's Statistical Disclosure Control Protocol [323kb]
Links
The Information Commissioner's Web site: www.dataprotection.gov.uk contains a register of data controllers, ISD's entry is included with that for the NHS National Services Scotland
