Legal requirements for the submission of data to SUS

There are 2 areas where NHS Digital and the providers of data to SUS have specific legal duties of care regarding the protection of the patient’s identity

• NHS Digital has a duty of care to ensure that the patient’s confidentiality is protected and is only known to those with a legal basis to access it
• certain legislation requires that additional safeguards are implemented to protect the identity of patients who receive treatments regarded as legally restricted

Some organisations that receive data from SUS do not have a legal right to know who the patient is. In fulfilling its duty of care to protect the patient’s identity, NHS Digital regards that certain fields present a risk of identifying the patient. These fields are known collectively as Person Confidential Data (PCD) and are listed in Appendix A.

When sharing submitted data with users or other systems who are not authorised to know the identity of individual patients, NHS Digital either pseudonymises or removes the contents of the PCD fields. This allows NHS Digital to share the data without divulging the identity of the patient.

If PCD data is included in fields other than the fields specified to contain it there is a risk that these are identifiers could be accidentally released by NHS Digital. This section describes the steps that NHS Digital takes to ensure that PCD is not included in other data fields and inadvertently shared. The presence of PCD in unexpected fields is referred to as PCD Leakage.

Submitters of data to SUS+ are advised that they must not introduce personal confidential data (PCD) into any field other than the one identified to contain that data. The presence of PCD in a field that is not identified to contain that PCD is considered leaked PCD. NHS Digital may redact fields containing leaked PCD.

For example, NHS number should only appear in the NHS number field. If NHS number is introduced into another field, such as CDS Unique Id, then this would put NHS Digital at risk of inadvertently disseminating PCD in the clear and illegally identifying the patient.

Similarly, the PCD of one type (e.g. NHS Number) should not be used to form all or part of other PCD fields, for instance the patient pathway identifier. This is because some data recipients are permitted to see some PCD fields but not others. In these cases, leaked PCD could be released illegally.

SUS+ has introduced a data interchange scanning capability that will screen CDS interchanges before data is accepted into SUS+. Should SUS+ detect PCD data items in fields not intended for that data then the data item will be redacted, and the data provider notified. The scanning will allow for small numbers of false positives. False positives will not be shown on the interchange feedback or data quality reports.

Commissioners and other recipients of SUS data will only have access to the redacted version of any fields identified as containing leaked PCD. Redaction will only occur on records where PCD is leaked.

This facility is initially implemented in ‘warn only’ mode but will be switched to ‘redact’ mode. Further communications will be made via the What’s New page on the SUS website as progress is made with this development.

It is important that data providers raise a call with the National Service Desk if they feel that data is being identified as PCD leakage incorrectly. This will allow the team to review and fine tune the algorithm appropriately before data is redacted.

Summary details of inappropriate use of PCD data are available in the interchange feedback report. This report details the processing status of interchanges submitted to SUS and can be requested via the SR1 form. Instructions for completing the SR1 form and requesting the interchange report are available in the sender registration section of the SUS webpages.

Details of the section of the report related to the inappropriate use of PCD data are included in Appendix B

Details of all records in an interchange that are identified as having leaked PCD are available in the interchange data quality report. 

‘Legally restricted records’ were previously referred to as ‘sensitive records’. The change is in response to a review of terminology in relation to the data protection act.

To ensure that the SUS+ service is processing CDS data in accordance with the law it uses a list of legally restricted codes.

The list of codes regarded by SUS+ as being legally restricted is published separately on the SUS website. Any amendments to the current list will be updated in that document and communicated to the user community through a release note and what’s new announcements as well as through the user group and User show and tells.

On submission of records containing legally restricted codes, or where a patient has submitted a withdrawal of consent request, providers must anonymise the record by removing the following PCD items before submitting data to SUS

• NHS Number
• patient name and address (if present) 
• local patient identifier
• date of birth
• postcode

Other data items in the PCD list are used by SUS in its processing and are removed by the SUS system before being disseminated.

Any patient withdrawing consent must have their identity verified by the provider in line with the Data Protection Act 1998 and local information governance policy. It may be appropriate for this to be managed by the information governance department where applicable.

Organisations sending anonymised records must populate NHS Number Status Indicator with the value 07 (NHS number not present and trace not required) for these records.

Withheld Identity Reason

Organisations sending anonymised records are also advised to populate Withheld Identity Reason with the appropriate value for these records in line with the NHS Data Dictionary.

SUS anonymises records that contain legally restricted diagnosis codes and procedure codes (OPCS, ICD-10, SNOMED or READ) or where a patient has registered a withdrawal of consent with NHS Digital. This processing removes the values from the PCD fields listed in Appendix A.

The processing performed by SUS does not reduce the responsibility of the provider to anonymise records before transmission.

SUS+ does not anonymise delivery date, even if it is the same as the baby’s birth date.

For PbR spells that contain one or more episodes that are legally restricted, all episodes in the spell will be linked and processed/priced then all PCD data will be removed from all episodes in the spell. This processing is also carried out where a ‘Withdrawal of consent’ has been recorded by the patient with NHS Digital.

Processed SUS records contain a derived ‘Confidentiality Category’ data item, which is applied as follows

[blank] Not marked as confidential.

2/3 Legally restricted record. Record contains procedures or diagnoses that are restricted. PCD set to NULL. 

4 Withdrawal of consent record any data related to a patient has withdrawn their consent and registered that fact with NHS Digital.

NHS number status

Legally restricted records are also assigned an NHS Number Status of 91 which indicates that SUS has anonymised the data.