NHS England response to Sky News NHS security story
The suggestion by Sky News that it would be ‘easy’ to uniquely identify any one person through the data collected for care.data is incorrect.
Patient data security is a top priority for the NHS and is taken extremely seriously.
The likelihood of being able to identify an individual is negligible: GP records, including NHS numbers, dates of birth and postcodes, would not be accessible, so they could not be cross-referenced with publicly available data (as suggested by Sky News) and linked to social media.
Credit rating agencies or health insurers would not be granted access to the NHS’ secure data facility where the information will be held.
Firstly, there is no database of information for the care.data programme yet as we are in a ‘pathfinder’ or testing phase. However, when data begins to be collected from GP Practices during this phase, were an individual to try to ‘hack’ the system this would be a criminal offence – as with the hacking of any system.
The networks and computer systems used by the NHS have strict controls in place to ensure patient details are protected. Infrastructure security is routinely and robustly tested and monitored to ensure it meets recognised international standards.
Secondly, however negligible, the risk of identification is something that we take very seriously and therefore all confidential data is held on secure servers in protected, independently assured data centres. Only a small number of authorised personnel can access it.
All systems are supported by multiple security experts throughout design and implementation. Audits and spot checks are made to make sure that standards are being maintained and any deficiencies are dealt with promptly.
Confidential data is always encrypted whilst in transmission and the secure networks used to transfer data are regularly tested and monitored for any vulnerabilities (hacking and other types of attack).
To access the data collected as part of care.data, applicants will need to go through an approvals process and then, during the pathfinder stage, can only see it in a secure data facility (SDF). During the pathfinder stage, access applications will only be accepted from select organisations and there is a robust security procedure in place when the applicant visits the SDF.
The SDF will only allow access to data which has had identifying details removed. It will enable approved applicants to use and analyse the data, but not to take the information away from site.
Data is de-identified and protected through something called pseudonymisation. This is a complex process of replacing identifiers in a record with alternate identifiers (pseudonyms) that are more than 100 characters long, from which identities of individuals cannot be inferred, for example replacing an NHS Number with another random number, or replacing an address with a location code.
Once a patient’s record has been matched, the information that could identify a patient is removed and the pseudonym is allocated to the record instead.
Pseudonyms can be converted back to the original identifier ONLY by using the specific encryption key that created the pseudonym. This encryption key is only ever disclosed in very exceptional circumstances.
In the extremely unlikely event an individual was able to ‘hack’ the system, they would need the encryption key to convert the coding back.
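An added illustration of the keyed, reversible pseudonymisation described above; it is not NHS England's code. The statement does not name the algorithm, so a four-round Feistel network over HMAC-SHA256 stands in for the cipher, and the 64-byte block, the function names and the sample identifier are assumptions made for this example.

```python
import hashlib
import hmac

BLOCK = 64   # assumed block size: 64 bytes -> 128 hex characters (more than 100)
HALF = BLOCK // 2
ROUNDS = 4   # assumed round count for the stand-in Feistel cipher


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: HMAC-SHA256 under the pseudonymisation key (32-byte output)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pseudonymise(key: bytes, identifier: str) -> str:
    """Replace an identifier with a fixed-length pseudonym (same input, same output)."""
    raw = identifier.encode("utf-8")
    if len(raw) > BLOCK - 1:
        raise ValueError("identifier too long for one block")
    # Layout: one length byte, the identifier, zero padding up to BLOCK bytes.
    block = bytes([len(raw)]) + raw + bytes(BLOCK - 1 - len(raw))
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return (left + right).hex()


def reidentify(key: bytes, pseudonym: str) -> str:
    """Recover the identifier; a wrong key fails the padding check and raises ValueError."""
    block = bytes.fromhex(pseudonym)
    if len(block) != BLOCK:
        raise ValueError("not a pseudonym produced by this scheme")
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):          # undo the rounds in reverse order
        left, right = _xor(right, _f(key, rnd, left)), left
    block = left + right
    length, payload = block[0], block[1:]
    if length > BLOCK - 1 or any(payload[length:]):
        raise ValueError("wrong key or corrupted pseudonym")
    return payload[:length].decode("utf-8")


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed demo key, not a real secret
    p = pseudonymise(key, "9990000001")    # constructed identifier, not a real NHS number
    print(len(p), p)
    print(reidentify(key, p))
```

Because the mapping is deterministic, the same identifier always yields the same pseudonym under one key, so records can be matched without carrying the identifier itself. Anyone holding the key can reverse every pseudonym it produced, which is why custody of the key matters as much as access to the data.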
Care.data will help ensure the highest standards of care and clinical safety are met throughout the NHS and alert the NHS to where standards drop, so quick action can be taken.
It will help ensure the needs of patients, especially those with long term conditions, are consistently met by helping the NHS understand what happens to people cared for away from hospitals and provide vital information that is needed to support research into new medicines and the better treatment of disease. It’s about improving health outcomes and NHS services for all.
A statement and briefing were provided to Sky by NHS England ahead of broadcast.