The HPA is unreservedly committed to preserving medical confidentiality in all aspects of its work, both in its direct contacts with clinicians and patients and in aggregating data for surveillance purposes and research. Its aim and intention is always to be worthy of the trust that, each year, so many patients place in it.
The Caldicott Report (December 1997) and Executive Letter (January 1999) set in motion a process of continuous improvement in medical confidentiality within the National Health Service, including the organisations now comprising the Health Protection Agency (HPA). In accordance with guidance laid out in the report, the HPA has appointed a Caldicott Guardian and Security of Information Officers (SIO), whose functions are to ensure that data handling is in accordance with the recommendations of the Caldicott Committee, subsequent guidance and requirements of the Data Protection Act. These requirements especially affect data with Personal Identifiable Information (PII).
The principles in the Caldicott Report are summarised below:
The HPA has achieved a high level of compliance with the recommendations of the Caldicott Report. For example all staff have been familiarised with their responsibilities under the Report (a rolling process as new staff join the service); data flows have been mapped, and redundant records containing PII are being culled and securely destroyed. In addition all electronic data with PII are secured by password. The premises at Colindale have been reviewed and improvements made in physical security. Auditing performance in this area is ongoing so that continuous improvement is taking place. Staff are frequently reminded, and they remind each other, that PII is sensitive and its security the basis for patients continuing to have confidence in the clinical and surveillance work.
A Health Protection Agency-wide group meets regularly and has the remit of promoting and ensuring compliance with these issues across the whole of the Agency.
In December 2001 the Public Health Laboratory Service (the predecessor body to the HPA) applied to the Patient Information Advisory Group (PIAG) to secure the Secretary of State's support for the use of confidential patient information for the surveillance, control and prevention of communicable diseases. This application covered reporting of non statutorily notifiable infectious diseases, enhanced surveillance for certain diseases including some that are statutorily notifiable and for the surveillance and control of communicable diseases in general. Our application included many examples of our public health surveillance work.
A Infection reporting is in part covered by statutory notification to the local 'Proper Officer' and chiefly functions around local control measures. In addition other systems of reporting infections exist which are not part of the statutory notifications. In theory at least a clinician or microbiologist reporting such an infection could have been accused of breaking the common law duty of confidence unless the data were anonymised or patient consent obtained.
It is not always possible to obtain consent nor to undertake complete anonymisation. A system of obtaining permission to cover reporting and handling of such data was set up under section 60 of the Health and Social Care Act (2001). The Public Health Laboratory Service and the Cancer Registries were the first applications to be received by the group set up to advise the Secretary of State - the Patient Information Advisory Group (PIAG) which is now the National Information Governance Board (NIGB).
These permissions were passed by both Houses of Parliament under the Health Services (Control of Patient Information) Regulations 2002 (Statutory Instrument 2002 No.1438). The same permissions have been enacted under section 251 of the NHS Act 2006.
The Health Service (Control of Patient Information) Regulations 2002 make it both lawful and appropriate to share confidential patient information with the HPA in the circumstances specified in the regulations.
A For notifiable infections there is a statutory duty to report to the local Proper Officer (usually the CCDC). However many important infections are not statutorily notifiable and enhanced surveillance systems also exist for some of the infections which are statutorily notifiable. It is for these circumstances where reporting is encouraged by the regulations but it is not statutory ( ie compulsory) to do so. Public health surveillance and understanding of both outbreak situations and how infections are spreading is dependent on the voluntary confidential reporting of such infections.
We have now produced a leaflet for surgeries, outpatients etc. which informs patients about reporting procedures for infections:
If patients wish to opt out of their data being reported and insist on such action even when the reasons for collecting such data are explained, their patient identifiers should not be reported by clinicians. Opt-out is not, however, possible for infections which are statutorily notifiable.
A Yes, although release of such information will be in aggregate format and not personally identifiable.