Part of A guide to confidentiality in health and social care: Treating confidential information with respect
Rule 3: Information that is shared for the benefit of the community should be anonymised
Information that has been collected by health and social care services while providing direct care for individuals has the potential to provide huge benefits for the community. However, to protect the individual’s confidentiality, anonymised information should be used wherever possible when it is for the benefit of the community, rather than in support of direct care.16
Information is considered to be anonymised when there is little or no risk of an individual being identified.17 This could include information that has been summarised and presented in a table18 for the purposes of analysis. Information collected in support of direct care is of enormous value when assessing the quality and efficiency of health and social care services and identifying how they can be improved. Such work includes the use of anonymised information about individuals who have suffered from a particular disease or have undergone a particular treatment.
This information may also be of huge benefit to researchers trying to find new and better cures. The experiences of individuals on a particular care pathway may help commissioners to improve services for the benefit of future users. Public health specialists running health improvement programmes to increase life expectancy or reduce health inequalities may need to combine information from different sources to build up a picture of how people’s health outcomes relate to their individual lifestyles and environment.
Those using information should always ensure that they minimise the risk of identifying an individual. The guiding principles about the type of information which should be used for different purposes are considered below in the order in which they should be addressed:
1. Will anonymised information be sufficient for the purpose? This sort of information can be published and used without limitations (part A).
If not
2. Will de-identified information (where information which identifies an individual has been removed, but there is still some risk of re-identification) be sufficient for the purpose?
There are 2 ways to protect de-identified information so it can be considered to be "anonymised":
- where there is a low risk of re-identification, appropriate19 agreements or contracts can be put in place, which limit how the information can be used
- where there is a higher risk of re-identification, stricter controls can be put in place to create a trusted environment for the information (part B)
If not
3. Is there a lawful basis to use confidential information (part C)?
All health and social care organisations should clearly explain to patients, service users and the public how the confidential information they collect could be used in de-identified form for research, audit, public health and other purposes.20
A. Generally, anonymised information can and should be used to support the improvement of care services
Effectively anonymised information can be published
Removing the individual’s name, age, address and other personal identifiable information21 may not be sufficient to effectively anonymise the information. This is because it is sometimes possible to link pieces of information together which on their own would not identify an individual but when looked at together could re-identify an individual. For the same reason anonymisation is not always achieved through masking the individual’s identity by using pseudonyms or coded references.
When confidential information has been anonymised in line with the HSCIC Anonymisation Standard22 or equivalent, it can lawfully be published and used. This means it can be shared without breaching confidentiality.
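The linkage risk described above can be measured before information is released. The following is an added example, not part of the guide or of the HSCIC Anonymisation Standard: it counts how many records share each combination of indirect identifiers, coarsens those fields, and suppresses any group that is still too small. The field names, the constructed records and the minimum group size of 3 are assumptions for illustration.

```python
from collections import Counter

QUASI_IDS = ("postcode", "birth_year", "sex")  # indirect identifiers (assumed field names)
K = 3                                          # assumed minimum group size

# Constructed records: names have already been replaced by pseudonyms (pid).
RECORDS = [
    {"pid": "P001", "postcode": "LS1", "birth_year": 1950, "sex": "F", "condition": "asthma"},
    {"pid": "P002", "postcode": "LS1", "birth_year": 1950, "sex": "F", "condition": "diabetes"},
    {"pid": "P003", "postcode": "LS1", "birth_year": 1950, "sex": "F", "condition": "asthma"},
    {"pid": "P004", "postcode": "LS2", "birth_year": 1951, "sex": "F", "condition": "copd"},
    {"pid": "P005", "postcode": "LS2", "birth_year": 1984, "sex": "M", "condition": "asthma"},
    {"pid": "P006", "postcode": "LS6", "birth_year": 1987, "sex": "M", "condition": "diabetes"},
    {"pid": "P007", "postcode": "LS6", "birth_year": 1982, "sex": "M", "condition": "asthma"},
    {"pid": "P008", "postcode": "YO1", "birth_year": 1931, "sex": "M", "condition": "dementia"},
]

def key(record):
    """The combination of indirect identifiers that could be linked to other data."""
    return tuple(record[q] for q in QUASI_IDS)

def at_risk(records, k=K):
    """Pseudonyms of records whose combination is shared by fewer than k records."""
    sizes = Counter(key(r) for r in records)
    return [r["pid"] for r in records if sizes[key(r)] < k]

def generalise(record):
    """Coarsen fields: postcode district -> area letters, year of birth -> decade."""
    area = "".join(ch for ch in record["postcode"] if ch.isalpha())
    return {**record, "postcode": area, "birth_year": record["birth_year"] // 10 * 10}

def releasable(records, k=K):
    """Generalise, suppress groups still smaller than k, and drop the pseudonym."""
    coarse = [generalise(r) for r in records]
    risky = set(at_risk(coarse, k))
    return [{f: v for f, v in r.items() if f != "pid"}
            for r in coarse if r["pid"] not in risky]

if __name__ == "__main__":
    # Names are absent, yet five of the eight records are unique on three fields.
    print("at risk as supplied:       ", at_risk(RECORDS))
    print("at risk after generalising:", at_risk([generalise(r) for r in RECORDS]))
    for row in releasable(RECORDS):
        print(row)
```

The check shows how combinations of fields single people out even when names are replaced by pseudonyms; it is not a substitute for the standard the guide cites.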
B. However, sometimes anonymised information by itself is not sufficient to release benefits to the community
Sometimes anonymised information is not adequate to support important activities. Occasionally it is important to have information at service user or patient level, which allows for a differentiation between individuals. Although the information is not identifiable there is still a risk that an individual could be identifiable unless appropriate controls are put in place. The controls required will be based on the risk of re-identification of an individual.
The risk is deemed to be low where personal identifiers have been removed. This risk can be controlled by data sharing agreements or contracts with appropriate liabilities and penalties included.
Anonymisation within a ‘trusted’ environment
The risk is higher where, for example, a single personal identifier is used, and the controls required must be more robust. An example of this is where commissioners of integrated social care and health services for people with complex needs want to plan improved care pathways. They may need to know one identifying characteristic about the individuals concerned to ensure they are making best use of the services in the community. To achieve these benefits information about the same person needs to be linked together by the use of one identifying characteristic, but there is no need to know who the individual is.
Such linkage may only be performed within a trusted environment which applies strict controls. When this is done the information in the possession of that organisation or person can be considered to be anonymised. It would not be anonymised if it were shared outside of those controls or published.
The controls need to be sufficient to ensure the recipient has created a ‘trusted environment’.23 Examples include:
- signed contracts or agreements which stipulate how the information will be used, including restrictions on linking information to prevent the re-identification of individuals. (See, for example, the HSCIC data sharing contract24)
AND
- demonstration of meeting the required standards of security and privacy, for example the Information Governance Toolkit (IGT)25
AND
- an independent auditor’s opinion of security and privacy measures
The information ceases to be confidential information and is considered ‘anonymised’ only by virtue of the controls in place.
C. In exceptional circumstances it may be necessary to use confidential information, but this requires informed consent of the individual or another legal basis which allows or mandates the sharing
Confidential information should only be used in those cases where it is not possible to use anonymised or de-identified information. This is only possible where:
- there is a legal obligation to share the confidential information for a particular purpose
OR
- fully informed consent has been gained from the individual
OR
- the law allows the sharing of confidential information for a particular purpose. This can be in the public interest or through legislation.
Each of these lawful methods is outlined below
Occasionally there is a legal obligation meaning that confidential information must be disclosed26
In some rare circumstances the law says that confidential information has to be disclosed, for example for the safety of the community. Mechanisms for this include
- a court order, when a judge has ordered that specific and relevant information should be disclosed and to whom.
- legislation imposing a statutory duty to notify a ‘proper officer’ of a local authority if staff know of or suspect that a patient is suffering from a notifiable disease27
- legislation giving powers to the HSCIC to collect information from providers28. Although these are mandatory on providers, please see rule 4 which gives the individual the right to object to confidential information about them being shared
The possibility of gaining fully informed consent should be explored
Gaining an individual’s consent by asking their permission should always be considered as an option for providing a lawful basis for sharing confidential information. The consent must be informed and must not be open ended. The purpose of sharing the confidential information must be made clear to the individual as it is on that basis that they provide consent. If individuals are not informed about how confidential information about them is shared it may have serious consequences including complaints, legal action and significant fines. People are entitled to have their consent and objections reliably recorded so they are available to be shared and their wishes respected.
Where informed consent is not feasible, a legal basis allowing the sharing of confidential information should be explored
There are a few limited examples where the individual’s right of confidentiality may be overruled for the ‘public interest’. These are generally cases relating to a single individual’s information and the public interest will almost never provide the basis for routine sharing arrangements. Confidential information can be disclosed to support the detection, investigation and punishment of serious crime and/or to prevent abuse or serious harm to others.
Decisions to disclose confidential information when legal permission is available are complex. The holder of the information must believe that the public good that would be served by sharing the information outweighs both the obligation of confidentiality owed to the individual and the public good of protecting trust in a confidential service.
There are also regulations and legislation29 which allow for the sharing of confidential information. For example, when applying for ‘section 251 support’30 a high threshold (but lower than the public interest test) must be met before the duty of confidentiality can be set aside for the purposes of research, audit and other medical purposes that are not directly associated with care.31
D. For all of the lawful methods of sharing confidential information above, all of the following three conditions should be met
1. Individuals should be informed about how their confidential information may be shared or used32
The law33 says that any organisation holding confidential information should ensure there are no surprises for individuals about how it is used. There are some exceptions, for example where it would compromise a criminal investigation or where information is shared for safeguarding reasons.
As a minimum, individuals should be told:
- what confidential information is held about them
- who may access it and/or who it may be provided to
- the purpose it is being used for
- how they can raise an objection
Where confidential information passes through several organisations which are not directly involved in an individual’s care, it can become increasingly difficult to meet this requirement. Even where it is not pragmatic for an individual to be informed directly, each body in the chain must publish the information above in a prominent and accessible form (for example on a website).
2. Steps should be taken to use the minimum level of confidential information necessary to support the purpose
In all cases the minimum level of confidential information necessary to achieve the purpose should be used.34
3. The law should be checked to ensure there are no legal restrictions to sharing particular pieces of confidential information
Information should always be shared in accordance with the law and organisations must abide by legal provisions which ban or limit the sharing of particular pieces of confidential information35. One example is the law which makes the disclosure of information relating to assisted conception treatment (for example information about gamete donors and people receiving treatment) a criminal offence in most cases.36
Last edited: 9 February 2022 9:19 am