Security Issues and Patient Confidentiality
Description
Data senders are directly responsible for the integrity of the data they submit. This means that data senders must not flow legally restricted or identifiable information using data items that are not designed for this purpose.
A. Removal of name and address where the NHS Number is present
From 1 April 1999, PATIENT NAME and PATIENT USUAL ADDRESS (not POSTCODE OF USUAL ADDRESS) must be removed from all Commissioning Data Sets where a valid NHS NUMBER is present. This applies to all nationally defined Commissioning Data Set data and any additional locally agreed flows from service providers to commissioning bodies.
A valid NHS NUMBER is one that has passed the check digit calculation on entry into the source system. If an NHS NUMBER is not valid (i.e. does not conform with the check digit algorithm) then PATIENT NAMES and PATIENT USUAL ADDRESSES should not be removed, as the reliability of the NHS NUMBER will not be known.
The NHS NUMBER STATUS INDICATOR CODE is a mandatory part of the Commissioning Data Set. PATIENT NAME and PATIENT USUAL ADDRESS should be removed when a valid NHS NUMBER is present, even if the NHS NUMBER STATUS INDICATOR CODE does not have a status of 01, Number present and verified.
B. Sensitive data
The Human Fertilisation and Embryology Act 1990 as amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992 imposes statutory restrictions on the disclosure of information about identifiable individuals in connection with certain infertility treatments.
The latest approved list of codes which can be used to identify the relevant PATIENT record in which the patient-identifiable data are to be omitted from the CDS Types can be accessed via the Secondary Uses Service website. In these cases the NHS NUMBER, LOCAL PATIENT IDENTIFIER/ LOCAL PATIENT IDENTIFIER (EXTENDED), PATIENT NAMES, POSTCODE OF USUAL ADDRESS and PERSON BIRTH DATE should be omitted from the Commissioning Data Set submission.
From Commissioning Data Set Version 6-2 onwards, records where the patient-identifiable data has been withheld should be submitted using the PATIENT IDENTITY - WITHHELD IDENTITY STRUCTURE data group in the Commissioning Data Set XML schema. This data group allows only the NHS NUMBER STATUS INDICATOR CODE (the actual value held on source systems should be used), ORGANISATION CODE (RESIDENCE RESPONSIBILITY)/ ORGANISATION IDENTIFIER (RESIDENCE RESPONSIBILITY) and WITHHELD IDENTITY REASON to flow. The WITHHELD IDENTITY REASON allows Health Care Providers to inform their Commissioners why a record has been anonymised. Note that the same rules apply to the additional PATIENT IDENTITY structures relating to Mother and Baby in the Delivery and Birth CDS types.
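The two rules above (remove name and address when a valid NHS NUMBER is present; flow only the withheld-identity items for sensitive records), as an added Python example that is not part of the NHS Data Dictionary. The dict keys, the `withheld_reason` argument and all sample values are assumptions made for illustration; the check digit test is the standard Modulus 11 calculation, which this page refers to but does not spell out.

```python
# Added example: keys are assumed names, not CDS XML schema element names.
WEIGHTS = range(10, 1, -1)  # weights 10..2 for the first nine digits
WITHHELD_ALLOWED = ("nhs_number_status_indicator_code",
                    "organisation_code_residence_responsibility",
                    "withheld_identity_reason")


def nhs_number_is_valid(value):
    """Modulus 11 check digit test on a 10-digit NHS number."""
    digits = str(value or "").replace(" ", "")
    if len(digits) != 10 or not (digits.isascii() and digits.isdigit()):
        return False
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check digit of 10 means the number can never be valid.
    return check != 10 and check == int(digits[9])


def prepare_patient_identity(identity, withheld_reason=None):
    """Return the patient identity items that may flow in a submission.

    withheld_reason is set by the caller when the record matches the
    approved sensitive-code list (that list is not reproduced here).
    """
    if withheld_reason is not None:
        # Section B: only the three permitted items flow.
        out = {k: identity[k] for k in WITHHELD_ALLOWED if k in identity}
        out["withheld_identity_reason"] = withheld_reason
        return out
    out = dict(identity)
    if nhs_number_is_valid(identity.get("nhs_number")):
        # Section A: the status indicator is deliberately not consulted.
        out.pop("patient_name", None)
        out.pop("patient_usual_address", None)
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "nhs_number": "943 476 5919",
    "nhs_number_status_indicator_code": "02",  # constructed non-01 value
    "patient_name": "Example Patient",
    "patient_usual_address": "1 Example Street",
    "postcode_of_usual_address": "ZZ99 9ZZ",
    "person_birth_date": "1970-01-01",
    "organisation_code_residence_responsibility": "X99",
}
```

Name and address are retained when the check digit fails, because the reliability of the NHS NUMBER is then unknown.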
Other statutory restrictions on the disclosure of PATIENT information do not prohibit the disclosure to individuals involved with the treatment and prevention of certain specific diseases (HIV/AIDS and venereal diseases) in the population.
All records containing patient identifiable information, other than those covered by the Sensitive Data section, should be treated as sensitive. ORGANISATIONS may continue to exchange records containing NHS NUMBER, POSTCODE OF USUAL ADDRESS and PERSON BIRTH DATE in these cases, but receiving ORGANISATIONS must ensure that only those staff with legitimate need have access to this information, e.g. public health departments, and strictly on a need to know basis. No-one should have unrestricted access unless fully justified in accordance with the Caldicott Principles.
Where PATIENT level data is required for other purposes within an ORGANISATION, it should be anonymised/aggregated prior to disclosure by someone with legitimate access. If this is not practicable, local protocols defining which CDS Types are particularly sensitive (including, but not necessarily restricted to, HIV/AIDS and venereal disease), agreed by the ORGANISATION Caldicott Guardian, should be put in place and identifiers stripped from these records.
Your Caldicott Guardian will be able to advise you further on all issues relating to patient confidentiality.
Where appropriate, further information about confidentiality is contained within the notes for individual data items.
Also Known As
This Supporting information is also known by these names:
Context | Alias |
---|---|
Full name | Important Security Issues and Other Notes |
Plural | Security Issues and Patient Confidentiality |
Where Used
Type | Link | How used |
---|---|---|
Data Element | CLINIC CODE | references in description Security Issues and Patient Confidentiality |
Supporting Information | Commissioning Data Set Business Rules | references in description Security Issues and Patient Confidentiality |
Supporting Information | Commissioning Data Sets Introduction | references in description Security Issues and Patient Confidentiality |
Supporting Information | references in description Security Issues and Patient Confidentiality | |
Data Element | LOCAL SUB-SPECIALTY CODE | references in description Security Issues and Patient Confidentiality |
Data Element | PATIENT FULL NAME | references in description Security Issues and Patient Confidentiality |
Data Element | PATIENT NAME | references in description Security Issues and Patient Confidentiality |
Data Element | WARD CODE | references in description Security Issues and Patient Confidentiality |