Confidentiality

On this page

• Protecting Patient Privacy
  • Data Protection Act 1998
  • Confidentiality rules for Information Services Division (ISD) staff
  • Privacy Advisory Committee (PAC)
  • Anonymised form of the national database
• Research using personal data
• Secondary uses of health information
• Patient Confidentiality and Disclosure Control
• Links

Protecting Patient Privacy

ISD has developed a number of measures to ensure the protection of patient confidentiality.

Data Protection Act 1998

The work of ISD is included within the entry for the NHS National Services Scotland in the register of data controllers maintained by the Information Commissioner. ISD abides by the principles which govern the care and use made of personal data.

Confidentiality rules for ISD staff

ISD have detailed rules which cover the care and release of confidential data. All new staff are required to read these and sign their acceptance of them. Existing staff re-sign every 6 months. Staff also have confidentiality clauses included in their contracts.

Privacy Advisory Committee (PAC)

PAC advises ISD and General Register Office for Scotland (GROS) on the correct balance between protecting personal data and making data available for research, audit and other important uses and ensures that any information releases are carefully controlled.

If you wish to use Scottish Morbidity Records (SMRs) for medical research studies then an application must be submitted to the PAC.

For more information and information on how to make an application please visit the Privacy Advisory Committee site.

Anonymised form of the national database

This is used by ISD staff to perform analyses where patient identifiable information is not required. Access to patient identifiable Data is restricted to a limited number of trained staff, requires special, time-limited permission and all access is recorded and audited.

Protecting Patient Confidentiality: The Confidentiality and Security Advisory Group for Scotland (CSAGS) report "Protecting Patient Confidentiality" was published in April 2002. It recommended improvements in the way NHSScotland protects the privacy of patient data whilst continuing to make data available for essential purposes of patient care, public health improvement and planning. CSAGS recommended that data flows should be anonymised whenever possible and that there should be a central service to anonymise national data. In response to this ISD undertook a fundamental review of its processing of the national data sets. The results of this review and a set of good practice guidelines based on the lessons learned during this work are set out in the following reports.

• Managing Patient Identifying Data: Best Practice Guidelines [76KB]
• Anonymisation: NHSScotland National Data Sets [164KB]

Audits: Audits of confidentiality and security practice take place regularly within ISD. In 2008 ISD completed a Dataset Review project. The purpose of this was to ensure all datasets are of business value and contain no unnecessary identifiable data and are processed, stored and accessed in line with the above "Managing Patient Identifying Data: Best Practice Guidelines". Recommendations from this review are currently being taken forward.

Research using personal data

The data held by health organisations is a potentially rich resource for research. ISD has always been keen to provided support to researchers who wish to exploit the data ISD holds. However this has to be done within current ethical and legal guidelines. Many researchers feel the current system puts too many barriers in the way of access to data. A meeting was held in Edinburgh on the 2nd November 2006 to discuss these issues and start looking at possible solutions.

Research Using Personal Data, a report on the discussions.

Secondary uses of health information

NHSScotland collects and uses large amounts of data. Information collected in the course of providing care for individuals is increasingly used in 'secondary' ways that allow us to plan services; track progress in improving health and spot new emerging threats to health. Electronic health information systems have developed to cope with rising demands for more and better information and NHSScotland's 'eHealth' strategy aims to develop this further. Concerns about the impact of this on privacy have required new systems of governance to be put in place. Governance arrangements will continue to evolve alongside changes in health information processing brought about by eHealth developments.

Secondary Uses of Information in NHSScotland, a review of recent developments of secondary use of data in Scotland.

Patient Confidentiality and Disclosure Control

Maintaining patient confidentiality is a fundamental principle in ISD's work. We take particular care when providing tabular information which results in small numbers appearing in table cells as this could potentially lead to disclosure. Disclosure is when confidential information about a person/body is released, either directly or indirectly, in breach of public trust or legal obligations.  ISD's Statistical Disclosure Control Protocol sets out, for ISD staff, guidance on 'statistical disclosure control'. 'Statistical disclosure control' is the practice of reducing the risk of disclosure by suppressing, aggregating or modifying data before release. ISD's Statistical Disclosure Control Protocol was implemented on 1st March 2009 and is based on the Confidentiality Guidance released by the Office of National Statistics (ONS) in October 2006.

Links

The Information Commissioner's Web site: www.dataprotection.gov.uk contains a register of data controllers, ISD's entry is included with that for the NHS National Services Scotland

Privacy Advisory Committee: www.isdscotland.org/pac

NHSScotland Information Governance:www.isdscotland.org/infogov

Main contact: nss.pac@nhs.net

 Printer friendly version