246. Storing and managing health information electronically can bring a range of additional benefits alongside improvements to direct patient care. The management and commissioning of health services, as well as clinical audit and research, known collectively as "secondary uses", can all be enhanced by quicker and easier access to health information. These secondary uses are profoundly important to improving care: as one witness put it, "there is no distinction to be made between health services and research for effective health services".[354]

247. In order to regulate access to electronic health databases for such "secondary uses", the NCRS will include a national application known as the Secondary Uses Service (SUS). In this chapter we examine the SUS, focussing particularly on its potential impact on clinical research. We look at:

• Descriptions of the SUS, including both its current and intended future form, and a discussion of the potential offered by the SUS; and
• The existing governance and consent arrangements which regulate access to data for "secondary" uses, and how these could be improved.

Description and potential

248. In this section we examine:

• How the SUS works at present;
• Plans for the development of the SUS, particularly by giving access to data from the SCR and DCR systems for secondary purposes; and
• The impact of access to NCRS data on the SUS.

HOW THE SECONDARY USES SERVICE CURRENTLY WORKS

249. In its current form, the SUS has taken over many of the functions previously provided by the NHS-Wide Clearing Service (NWCS), which was decommissioned in December 2006.[355] Like the NWCS, the SUS mainly uses data provided by Hospital Episode Statistics (HES), which are derived from existing PAS applications and paper records. HES data includes administrative information and some clinical information, for example about diagnoses and procedures, presented in a coded form. The existing SUS also accesses aggregated administrative data from outpatient clinics.

250. The data currently provided by the SUS are used for a range of management purposes. In particular, SUS datasets are used to support Payment by Results by exchanging activity and price information between commissioners and providers.[356] SUS data can also be used for a range of other purposes including clinical audit and research. However, existing data sources such as HES do not provide detailed clinical information, and their value for research is therefore limited. The current functions of the SUS are much the same as those previously offered by the NWCS.

PLANS FOR THE DEVELOPMENT OF THE SECONDARY USES SERVICE

251. In future, it is intended that information from both SCR and DCR systems will be made available through the SUS. Thus the SUS will be a key element of the wider NCRS. BT described the SUS as a system for providing "anonymous patient data for research and planning purposes".[357] The Department of Health described the goal of the SUS as "to rationalise data abstraction, data flows, data management, analysis and reporting". According to the Department, SUS data will support "healthcare planning, commissioning, public health, clinical audit, benchmarking, performance improvement, research and clinical governance".[358]

252. In order to achieve this, the SUS will access data from a widening range of sources, both national and local, including clinical data from the SCR and DCR. Data extracted from these rich sources will be collated by the SUS, pseudonymised so that identifying data is removed, and then presented to users in a searchable format. Users will be able to access the SUS online and make specific data requests. As with the SCR and DCR systems, users will require a smartcard to access the SUS and role-based access controls will regulate the level of access for each user.[359]

THE IMPACT OF NHS CARE RECORDS SERVICE DATA ON THE SECONDARY USES SERVICE

253. The expected growth in the amount of clinical information available electronically, through the introduction of SCR and then of DCR systems, will dramatically increase the usefulness of the SUS. At present, SUS data is coded manually and contains very little clinical detail, while information from different care settings cannot be integrated. The SCR and DCR, by contrast, have the potential to provide detailed, integrated clinical data, made available to the SUS promptly and without the need for laborious manual coding procedures. Such data would be significantly more detailed and of a profoundly higher quality than that which the SUS currently offers. For this reason, the Department of Health said that the introduction of SCR and DCR systems "represents a major opportunity" for expanding the scope and usefulness of the SUS.[360]

The threat to privacy

254. As with other EPR systems, however, the increasing availability of health information through the SUS will bring new risks as well as new opportunities. Witnesses expressed particular concerns about the possible effects of increasing the breadth and depth of data held electronically while simultaneously widening access to this data. Dr Martyn Thomas argued that easier access to data could make breaches of privacy more frequent and more serious. He pointed out that:

…a lot of patients whose privacy was never really under threat with paper records, because it would simply have been too hard to go and trawl through large numbers of those records, are now potentially at risk…[361]

255. Professor Douwe Korff warned that the increasing availability of health information would lead to a corresponding increase in the range of organisations seeking access. He argued that:

Once the data exist in this kind of accessible form there will be pressure…to identify illegal immigrants in this way; and there will be pressure from the police and certainly the anti-terrorist authorities…It is a recipe for disaster.[362]

The research opportunity

256. Other witnesses were much more positive, pointing out the many opportunities offered by access to detailed health information via the SUS. In particular, the benefits for health research were underlined. Research organisations consistently argued that the depth and breadth of data accessible via the SUS could act as a "unique selling point" for UK research.[363] The Academy of Medical Sciences observed:

The development of NPfIT and EPR offer unparalleled opportunities for research that could have a real and significant impact on future health in the UK.[364]

257. The Department of Health also acknowledged the great potential of the SUS to improve health research in its January 2006 publication, Best Research for Best Health. The paper envisaged that the UK could offer "unique benefits" as a site for clinical research, because of its plans for detailed electronic records systems, and due to the fact that the NHS provides care for the vast majority of citizens. Best Research for Best Health concluded:

The new national IT system for the NHS in England offers a unique and unrivalled opportunity for research into health that the Department of Health is determined to realise.[365]

258. A UK Clinical Research Collaboration R&D Advisory Group to Connecting for Health has also been established to helped ensure that the research opportunities offered by SUS are maximised.[366] As part of this work, Connecting for Health commissioned a series of research simulations to assess the impact of expanding SUS data on different types of research. The simulation outcomes were published by the UK Clinical Research Collaboration's in June 2007.[367]

259. Witnesses from research organisations described a range of specific types of research which would benefit from improved access to electronic health data, including:

• Research into public health, including both risk factors and interventions;[368]
• Studies looking at the side effects of particular drug treatments. Researchers argued that the association between non-steroidal anti-inflammatory drugs and cardiovascular disease could have been discovered more quickly using electronic data;[369]
• Genetic research. Researchers argued that the UK is "uniquely positioned" to conduct genetic studies;[370] and
• Research linking maternal health with children's incidence of disease in later life, for example the effects of complications during pregnancy on the incidence of schizophrenia.[371]

Maximising research benefits

260. While the potential is huge, research organisations also warned that the opportunities to improve research would be lost if excessive constraints were placed on access to data or if capacity for linking data from diverse sources was limited. The Academy of Medical Sciences (AMS) commented:

…disproportionate constraints on the use of health information can compromise the quality and validity of research results, leading to potentially misleading claims, or even costing lives.[372]

261. Researchers therefore made a range of suggestions for ensuring that the opportunities offered by the SUS are maximised. These included:

a)  Establishing a single unique patient identifier for each NHS patient and mandating its use whenever a patient comes into contact with the health service. Professor Carol Dezateux described this as the "most critical factor" in improving research through the SUS as it would allow previously separate parts of the patient record to be integrated.[373] Lord Hunt expressed confidence that this could be achieved through wider use of the NHS number, describing this as an "unseen but huge advance".[374] The NHS number is discussed in more detail in Chapter 4, above.

b)  Achieving better linkage of databases, particularly in order to answer complex or unexpected public health questions. Professor Dezateux commented that: "We should not have data sets that are not patient-level and that are not linkable, because we cannot answer the important questions that society wants us to address".[375] Witnesses gave the examples of Denmark and Finland as countries with good database linkage.[376] The Health Protection Agency also argued that better database linkage would help them to monitor public health risks, such as potential infectious disease outbreaks, by accessing relevant clinical data in real time.[377]

c)  Improving public communication about the research opportunities offered by the SUS and the potential benefits from strengthening the infrastructure which supports research using electronic health data.[378]

d)  Updating and strengthening the governance framework which regulates access to data for research and other purposes. Witnesses argued for more transparent governance and consent systems which would maximise privacy without constraining research.[379] We discuss these issues in more detail below.

Governance and consent

262. Exploiting the opportunities offered by the SUS will require a careful and balanced approach to governance arrangements for regulating availability of and access to SUS data. Witnesses put forward a range of arguments and suggestions regarding patient consent, pseudonymisation, and other aspects of governance. In this section we look at:

• Existing measures for regulating access to SUS data;
• Doubts and debates regarding the governance framework, including arguments about the appropriate model for patient consent and the effectiveness of the pseudonymisation of data; and
• Suggestions for changes to the governance framework in light of current problems and the expected growth in demand for access to health information.

EXISTING MEASURES

263. The current framework for regulating access to information through the SUS was set out by officials on 26 April 2007. They commented that the legal framework for the use of data for health research currently permits access through three different routes:

• Information can be made available with explicit consent from the patient.
  • Access is permitted if information has been pseudonymised i.e. if data which could allow an individual patient to be identified have been removed. This is intended to be the usual basis for access to data through the SUS. In the US, a legal distinction has been drawn between fully and partially pseudonymised data. Fully pseudonymised data, from which 18 specific identifiers have been removed and from which the risk of re-identification is extremely limited, is known as "de-identified" information. However, as we discuss below, such data are often inadequate for research purposes. As a result, partly pseudonymised "limited data sets" are also recognised. "Limited data sets" may contain some identifying information but are made available to users subject to contractual and technical limitations, and with the agreement that no attempt will be made to identify individuals.[380] Although this contrast has not been formally recognised in England, the distinction between fully and partially pseudonymised data is used to clarify the discussion below.
• Identifiable or potentially identifiable information can be accessed with specific permission from the Patient Information Advisory Group, a body established by the 2001 Health and Social Care Act.[381]

264. Witnesses also pointed out that access to data for research purposes is subject to local controls and ethical approval. Professor Simon Wessely explained:

…there is this very complicated system of checks and balances by which we have to be governed…I cannot simply say, "Give me the data" on this that or the other, I have to apply to an ethics committee, a Caldicott committee, an R&D committee and so on.[382]

DOUBTS AND DEBATES

265. Questions and criticisms were raised by a variety of witnesses about the suitability and effectiveness of current access and governance measures. On the one hand, some witnesses argued that current measures do too little to protect patient privacy. The Foundation for Information Policy Research (FIPR), for example, argued that:

The UK has so far failed to develop a robust political and legal mechanism for balancing patients' privacy interests with the many requests by others for access to their data.[383]

266. On the other hand, research organisations often argued that regulations are currently too strict and therefore inhibit research. The AMS stated:

…confusing legislation and professional guidance, bureaucracy of process and an undue emphasis of privacy and autonomy, are having a detrimental effect on UK research activity…[384]

267. Both sides agreed that patients and the public would benefit from a fuller understanding of the current and potential future use of data for research and other secondary purposes. FIPR commented that:

…a gap has opened up between actual practice on the one hand, and the expectations and views of patients on the other… Many more people have access to medical records than most patients realise…Legal challenges are likely as more people become aware of what is happening.[385]

268. The AMS also argued for improving public understanding of how electronic data can be used for research, but contended that this would lead to increased support for relaxing access controls:

Urgent work is needed to increase public engagement about the value of research using healthcare records…in our discussions with patient representatives there was strong support for research using health data. There was great concern that a vocal minority, loudly proclaiming the right of privacy, might override the unexpressed desire of many people to contribute to the public good.[386]

Consent systems

269. Some witnesses argued that, unless data could be fully pseudonymised, patient consent should be required for data to be used for research purposes. Support for explicit patient consent in such cases was expressed by organisations including the Royal College of Psychiatrists and the Royal College of Surgeons.[387] Professor Douwe Korff went further, arguing that current UK consent procedures may not be strict enough to comply with European law.[388] Helen Wilkinson, founder of the Big Opt Out Campaign, argued that patients should have the right to prevent their data being used by the SUS, even in pseudonymised form. She warned that:

…patients tell me that they are prepared to lie about their symptoms, medication…and medical history as they cannot opt out of the DCR or prevent their records being used by the SUS.[389]

270. But other witnesses said that the reliance on specific patient consent should be limited and argued that maintaining or tightening consent requirements could have a negative impact on future research. Obtaining explicit consent, particularly for large studies, can in practice prove impossible.[390] Professor Carol Dezateux commented that consent is often more difficult to obtain from socially disadvantaged or ethnic minority groups, something which can inhibit research, particularly into health inequalities, or even bias research findings.[391] The AMS argued that the rights of individuals to restrict access to their data should not necessarily be seen to outweigh the public benefits of health research:

It could be maintained that a patient has the right to say 'use my data to treat me, but not to improve care for others'. Or more starkly, 'use evidence from other people's data to treat me, but don't use my data to help them.[392]

Pseudonymisation

271. Questions were also raised about the intention to pseudonymise data made available through the SUS. "Pseudonymisation" is achieved by removing identifying information such as the patient's name, address and contact details. However, as mentioned above, there is a distinction between fully and partially pseudonymised data. Witnesses stated that partial pseudonymisation will often not prevent patients from being re-identified, particularly if information such as the postcode and date of birth are retained.[393] Professor Douwe Korff added that, if full pseudonymisation did not take place, patients' consent should be sought before data were made available:

The issue hinges on identifiability…When the data used in research…are so flimsily anonymised that it is very easy to re-identify people, in my view they remain personal data and therefore cannot be used without the express, valid and free consent of the data subject.[394]

272. Doubts about pseudonymisation were also expressed by the Assistant Information Commissioner. He admitted that the Information Commissioner's Office had not examined the pseudonymisation techniques which will be used to encrypt SUS data but acknowledged that "we will be asking a few questions" in light of the concerns presented to the Committee.[395] Mr Bamford agreed that if the effectiveness of pseudonymisation could not be assured then the case for making data available through the SUS would be weakened:

If it is truly pseudonymised and it is not that easy to look back at the records or bring them together…I do not think it would be open to very much challenge. If the pseudonymisation is not effective then that is a much more open question.[396]

273. Researchers argued that the degree of protection offered by pseudonymisation depended on the type of research being conducted. Dr Mark Walport maintained that full pseudonymisation could completely protect a patient's identity,[397] but he also pointed out that many studies rely for their effectiveness on information, such as the patient's postcode, which might make re-identification possible.[398] It is in this context that partially pseudonymised information, known in the US as a "limited data set", is required. The AMS also pointed out a range of other important uses of identifiable information, including:

• Avoiding double counting of patients;
• Performing longitudinal studies which link risk factors, such as smoking, to health later in life; and
• Validating the quality of data and so the outcomes of research.[399]

274. Researchers therefore stated that the degree to which data is pseudonymised should be maximised but should vary depending on the specific requirements of different research projects.[400] BT, the company responsible for pseudonymisation, confirmed that the amount of data removed could be varied in practice.[401]

275. Professor Carol Dezateux argued that access to partly pseudonymised "limited data sets" for researchers could be balanced by more sophisticated audit of the way in which data is accessed and used, along with clear sanctions for the misuse of data. She pointed out that this will be made easier by the increasing use of electronic databases:

I can have an audit trail which shows what I, as a researcher, have done with that and which holds me accountable. I would lose my job if I did something wrong. I think you have to have those sanctions.[402]

276. So witnesses were in broad agreement that fully pseudonymised "de-identified" data would not be adequate for many research purposes. Thus the SUS will also need to provide researchers with partially pseudonymised "limited data sets" from which patients could in theory be re-identified. As witnesses pointed out, this increases the need for complementary governance systems to protect potentially identifiable information from abuse, which we discuss below.

The Patient Information Advisory Group

277. Finally, witnesses expressed concerns about the Patient Information Advisory Group (PIAG), the body which considers requests for access to health information in cases where researchers require identifiable data and consent cannot be gained. Professor Douwe Korff described PIAG as "quite easy about giving access" to identifiable information and argued that the group should do more to protect patient privacy.[403] But Professor Simon Wessely expressed the opposite view, arguing that PIAG was sometimes too protective of patients' privacy rights.[404] A recent report by the AMS, Personal data for public good, put this point more explicitly:

…PIAG currently stresses its role on protecting privacy and confidentiality, without equal emphasis on the public benefits derived from well-conducted research. The Academy considers that PIAG should more actively promote its role as a facilitator of research.[405]

278. Professor Wessely also described PIAG as an "emergency measure", established at short notice in light of changes to General Medical Council guidance on the use of data in research.[406] In addition, Dr Mark Walport argued that PIAG was initially seen as a temporary organisation, a view which has now changed:

…when PIAG was set up it was the philosophy that somehow PIAG might only be needed for a short time because we were moving to a world where consent would be possible for everything. I think it has been recognised that that really is not the case, that there are always going to be unforeseen questions.[407]

SUGGESTIONS FOR CHANGE

279. In light of these and other concerns, a number of witnesses suggested changes to the regulatory and governance arrangements for access to SUS data. Importantly, the case for reform was put forward both by exponents of greater protection for patient privacy, such as FIPR, and by research organisations seeking to improve access to information.[408] The following were amongst the suggestions for reforming governance systems:

• Introducing a system of class approval so that organisations such as PIAG could make judgements about granting access to identifiable data which would apply to whole categories of research, rather than considering each individual project in isolation. This was also referred to as a community assent model;[409]
• Introducing a national Information Governance Board to oversee the arrangements for regulating access to health data. It was suggested that PIAG, or a successor organisation, could be reconstituted as a permanent subcommittee of the national Board. [410] In a late submission, PIAG stated that "the creation of a new national advisory body, which will absorb PIAG and other similar groups" is likely to take place in future. The Department of Health, however, did not mention this;[411]
• Extending the use of third party brokerage as a system for protecting the privacy of health information. This approach was supported both by researchers and by the Assistant Information Commissioner;[412]
• Providing full pseudonymisation of data, for example so that only the patient's year of birth and home area are retained;[413] and
• A full review of governance systems, examining the role of local ethics committees, Caldicott Guardians, PIAG and the relationships between them. Witnesses suggested that this would help to bring "greater coherence" to a system which has developed in an "ad hoc" fashion.[414]

Conclusions and recommendations

280. The Secondary Uses Service (SUS), which succeeded the NHS-Wide Clearing Service, has for some years helped to improve the health service by providing access to and analysis of data for commissioning, management and audit purposes. However, the development of the SCR and DCR will allow access to clinical data which are timelier, better integrated and of a profoundly higher quality than those currently available. This will transform the SUS and offers significant benefits, most notably for health research. In particular, if the highly detailed data captured by DCR systems can be made available through the SUS then the possibilities for new and improved research are outstanding.

281. The Department has acknowledged the need to take advantage of the research opportunities offered by the SUS and has established a partnership with the UK Clinical Research Collaboration to achieve this. We welcome this, but researchers nevertheless told us that much more could be done to maximise these opportunities. We recommend that Connecting for Health:

• Mandate the use of the unique patient identifier, the NHS number, in all health service interactions in England;
• Develop appropriate linkage between databases within and beyond the SUS. This would also have benefits for non-research activities such as health protection;
• Ensure that the development of clinical information standards, which we recommended in Chapter 4, takes account of the needs of research; and
• Initiate a campaign of public engagement so that both the opportunities and risks from using health data for research purposes are better understood.

355   SUS replaces decommissioned NWCS ClearNET Service, See Connecting for Health press release, 19 January 2007 Back

356   See www.connectingforhealth.nhs.uk/systemsandservices/sus/ Back

357   Ev 128 (HC 422-III) Back

358   Ev 8 Back

359   Ibid. We discuss the psedonymisation process, which has attracted considerable debate, in more detail below. Back

360   Ev 8 Back

361   Q 113 Back

362   Q 230 Back

363   See Ev 17, Ev 121 and Ev 126 Back

364   Ev 12 Back

365   Department of Health, Best Research for Best Health: A new national health research strategy, 25 January 2006, p.28 Back

366   See www.ukcrc.org/activities/infrastructureinthenhs/nhsitprogrammes/advisorygroup.aspx for more details Back

367   UK Clinical Research Collaboration, The potential of electronic patient records: research for patient benefit, 7 June 2007 Back

368   See Q 335: Dr Mark Walport of the Wellcome Trust commented that "The greatest advances in health have come from public health measures…The opportunity in England to have potentially 50 million health records with good record linkage offers enormously important opportunities for improving patient health." Back

369   Q 335 Back

370   Ibid Back

371   Ibid. Professor Simon Wessely pointed out that research of this type often has to be carried out in Scandinavia because of the lack of linked electronic databases in the UK. Back

372   Ev 12 Back

373   See Q 337. Dr Gill Markham of the Royal College of Radiologists also pointed out (Q 522) that there are benefits to direct patient care of consistently using a single unique identifier. Back

374   Q 618 Back

375   Q 337 Back

376   See Q 335 and Q 337 Back

377   See Ev 69. The HPA concluded that "The benefits that Connecting for Health could realise for organisations such as the HPA cannot be overstated." Back

378   Q 337 Back

379   See, for example, Q 342 Back

380   See http://privacyruleandresearch.nih.gov/ for more details Back

381   Q 63 Back

382   Q 346 Back

383   Ev 64 Back

384   Ev 12 Back

385   Ev 63 Back

386   Ev 15 Back

387   See Ev 105 and Ev 109 respectively Back

388   Q 175 Back

389   Ev 192 Back

390   See Ev 13: The AMS gave the example of Professor D Barker's research into the links between conditions during pregnancy and cardiovascular disease. Because of the large sample size and the long period covered by the study, obtaining consent was not always possible. The study demonstrated a link between low birth weight and the risk of type II diabetes. Back

391   Q 352 Back

392   Ev 13 Back

393   Q 228 Back

394   Q 230 Back

395   Q 238 Back

396   Q 236 Back

397   Q 350 Back

398   Q 355 Back

399   See Ev 13-14 Back

400   Q 355 Back

401   Q 496 Back

402   Q 343 Back

403   Q 240 [Professor Douwe Korff] Back

404   Q 363. PIAG told us that of the 250 applications which it has received to date, 70% have been approved. Back

405   Academy of Medical Sciences, Personal data for public good: using health information in medical research, January 2006, pp.4-5 Back

406   Q 364 Back

407   Q 365 Back

408   See Ev 64 and Q 365 respectively Back

409   See Qq 364-365 Back

410   Q 365 Back

411   EPR 81, unpublished. Back

412   See Q 343 and Qq 242-3 respectively. Professor Carol Dezateux described (Q 343) the use of a third-party broker in new-born HIV testing: "The laboratory in my hospital sends information to the Office of National Statistics, they link the data, they remove the identifiers, and only then can the laboratory test the samples, when all this has been removed, so that it is very secure." Back

413   Q 229 Back

414   Q 365 Back