Reducing the disclosure of confidential patient information - guidance for CAG applicants and potential applicants
The below case studies provide examples of methods used to reduce the amount of confidential patient information required.
- Organisation (data controller) supplies identifiers for cohort directly or via a third party with unique pseudonym references assigned to each individual (Transfer 1)
- HSCIC matches individuals against its patient index and ‘flags’ each patient
- Organisation (data controller) deletes/destroys any identifiers they hold
- HSCIC supplies pseudonymised updates on cohort using unique pseudonyms as supplied by customer organisation (Transfer 2)
In this scenario, linkages will be carried out by a trusted third party using pseudonymised patient identifiers so that the third party does not have access to any patient identifiable information. The current data controllers processing the datasets pseudonymise the NHS number and date of birth from their datasets in the same way (pseudonymisation at source). The third party carries out the matching and can then provide a pseudonymised dataset to the applicant. Depending on the content, it should be considered whether the dataset can still be considered to be identifiable. If the dataset is to be returned to any of the original data controllers it should be ensured that the dataset cannot be re-identified.
In this scenario, the applicant required access to patient postcode in order to derive deprivation score. The intention was to include this within a monthly dataset sent from GP practices. Following advice, software was developed that could automatically convert a postcode into a deprivation score, simultaneously deleting the original postcode entry. This software was made available to GP practices and meant that no patient postcodes were required by the applicant.
In addition, date of birth was requested in order to estimate the age of the patient receiving the intervention. However, following advice, only year of birth was provided from GP practices to allow the approximate age of the patient to be calculated.
In this scenario, the Health and Social Care Information Centre (HSCIC) would be carrying out the linkage of two datasets and providing the linked dataset to the applicant. The applicant had requested postcode and date of birth and death within the linked dataset in order to determine deprivation score and the days survived. The applicant was advised to consult with the HSCIC to determine whether it would be feasible for the HSCIC to determine deprivation score and calculate days survived on behalf of the applicant and prior to disclosure. It was confirmed that this would be possible and therefore the applicant would not require an identifiable dataset.