Confidentiality and sharing health information

It is hardly contentious to say that there is a sea change taking place in the way health information is managed in the NHS. The government’s vision—if not its practice—is clear: the power of information technology will be fully unleashed to support the provision of 21st century health care (www.connectingforhealth.nhs.uk). The flow of high quality, up to date information, accessible to patients and immediately available to appropriate health professionals, will create a virtuous circle: clinicians will be able to do a better job, and patient outcomes will improve. The world being what it is, the government’s plans have not met with unanimous applause. Setting to one side the public sector procurement nightmares, the widespread fear of the unknown, and unease about the uses to which big government will put the data, the changes have nevertheless given new energy to a long running debate: who should have control of personal information, and what should be its limits?

The idea that personal health information should be shared among health professionals who are directly involved in providing care to the patient is not controversial. Consent to this sharing is a presumption of ordinary health care. Problems begin when those data are required for ancillary uses such as audit, research, care planning, or accounting. The current approach is confused. On the one hand, there is a perception in the research community that the principle of respecting confidentiality is a major impediment to good quality research. For example, as a result of the requirement to seek consent to identify individuals for potential enrolment in research—what has been called “consent for consent”—improvements in health care and technology are said to be withering on the vine. Given that different social groups respond differently to requests for them to participate in research, a consent based approach also leads to fragmentation and bias.1 On the other hand, custom and practice support the routine exchange of identifiable health information for such secondary purposes as planning and audit. Both these uses are important and both support substantive public aims, but the approach, in practice if not in law, is divergent. Adding to the confusion is the fact that the area is governed by a bewildering patchwork of common law, statute, and professional guidance.2

In some respects, these differing approaches have something to do with trust and history. The organ retention scandals at Alder Hey led to a collapse in public trust and, as a result, increased scrutiny of medical research.3 In view of the possibilities that a central national health database presents, in terms of individual and public benefits, and in terms of potential threats from data leakage, a coherent approach based on sound principles is surely needed.

Although the terms of this discussion are often shrouded in jargon, and muddied by factional interests and legal complexity, at heart it is an ethical debate requiring a balancing of important interests. The primary purpose for which individuals share sensitive personal information is the provision of health care. In the absence of either a legal obligation or an overwhelming public interest—preventing a terrorist outrage, for example—disclosure for other purposes is ordinarily governed by consent. This reflects the underlying belief that, where patients do not believe that their health information will be kept confidential, they will not disclose sensitive personal information to appropriate health professionals, and the health of individuals and the public will suffer.

Confidentiality therefore serves a substantial public interest. A number of other significant public interests are in tension with this. A centralised health database offers enormous potential for research, which will itself feed into potential future health benefits. How should these interests be traded against each other? The provision of high quality health care also requires large data flows for planning, audit, and accounting. If an absolute requirement for consent impedes this process, patient care is affected, and the projects for which the original data were gathered begin to suffer. Given the importance of these competing interests, and that the legal waters are muddied, perhaps it is time for a complete overhaul.

The Data Sharing Review Report by the Information Commissioner Richard Thomas and Mark Walport, head of the Wellcome Trust, was an interesting step forward.1 Unfortunately the government’s permissive response in the first draft of the Coroners’ and Justice Bill, subsequently amended, put to flight many who might otherwise have been sympathetic.4 Recent work by the General Practice Extraction Service, which has been looking at data havens and honest brokers to ensure appropriate data governance, is clearly moving in the right direction, but more work is needed.5

The issues are clearly important and complex, so here is a long shot for the future: perhaps in time we could seek to balance rights to health care with duties to share information for reasonable health related purposes. Health could be a true contract, a system from which we all benefit and to which we all contribute, in kind if not in cash.