It is important to explain risk stratification in terms that patients will understand, so that they are able to see how it benefits both their own health needs and those of the broader population.
Risk stratification for case-finding enables a GP to identify and manage their patients who are most likely to need hospital or other healthcare services. This means those patients can be approached and offered suitable care packages designed around their specific requirements, to reduce or avoid the likelihood of their experiencing adverse events.
Risk stratification for commissioning enables the CCG to obtain a picture of the health and needs of their local population, which enables:
- priorities to be determined in the management and use of resources;
- planning services; cover the range of potential questions, and issues they may need to consider, and
- to support and evidence decisions.
Combining personal data from different sources to create a risk-based profile of an individual’s health is likely to be an unexpected use and has the potential to be considered overly intrusive. A patient may take exception to this and decide to exercise their right to opt out and prevent their personal data being used for non-direct care purposes.
Risk stratification is not a direct care purpose. However, it may lead to an individual being offered a tailored care package to manage the health risks identified during the process. The NHS Constitution, in providing the right to object, is clear that this should not impact on an individual’s care and treatment.
A patient’s objection to data sharing for non-direct care purposes should not automatically exclude their data from being used for risk stratification purposes. Neither should their preference to be included in risk stratification processes compromise their choice to prevent their data being used for other non-care purposes such as care.data.
The purpose of the risk stratification programme and the choices available to the patient need to be clearly explained so they understand their options. Patients must be informed of the possible consequences when making their decision.
It is important to be open and transparent and explain the role of the GP, CCG, CSU or other risk stratification service providers and their access to the data, especially where patients’ personal data is handled by staff who are not a part of the GP Practice.
It is also important to include details about automated processes so that patients are aware that, while their data may be handled by others, technology is used to prevent it from being seen in a way that will identify them as an individual and so breach their confidentiality.
Assurances that data is carefully managed, and that steps are taken to protect confidentiality, help to instil confidence in patients and help them to better understand why their data is used, the personal benefits, and the benefits to the wider community, when making an informed choice.
Meeting the conditions for fair processing set out in the first principle of the Data Protection Act is fundamental to complying with all duties under the DPA. If those conditions are not met it is unlawful to process personal data.
Fairness is about:
- Using personal information in a way that people would reasonably expect and in a way that is fair; and
- Ensuring people know how their information will be used.
Patients will know that their GP and other healthcare professionals they come into contact with during the course of their care and treatment will have access to confidential data held in their medical records, but it is wrong to assume they will also know about other uses that are not so obvious to them.
The Information Commissioner’s guidance on this subject says that the duty to inform is strongest when the information is likely to be used in an unexpected, objectionable or controversial way, or when the information is confidential or particularly sensitive.
It is also important to make sure that where people have a choice, they are informed about it and given a genuine opportunity to apply it. A good example of this is the opportunity to object to their confidential personal data being used for purposes other than their direct care, which includes risk stratification.
Under the Section 251 conditions for approval, the Confidentiality Advisory Group of the Health Research Authority asked for assurance that fair processing information would be provided to ensure patients understand:
- risk stratification and its purposes;
- data controller and data processor identities and responsibilities;
- the type of information used;
- individual rights to access personal data and object to it being used for non-direct care purposes;
- who to contact to exercise those rights;
- the impact of that decision on their health and care (i.e. what to expect if they are excluded from the risk stratification process), and
- their right to complain to the Information Commissioner’s Office if there is a problem.
The first Data Protection Act principle says:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one condition in Schedule 3 is also met.
In practice this means that you must:
- Have a basis in law for collecting and using personal data;
- Be open and transparent about how you intend to use the data and who you will share it with;
- Handle personal data only in ways that individuals would reasonably expect;
- Not use data in ways that are unfair (e.g., in ways they have not been told about and would not expect; where they have a choice but have not had an opportunity or been told how to exercise it; or where the use has an unjustified adverse effect);
- Not do anything unlawful with the data.
‘Processing’ means collecting, using, sharing (disclosing), retaining and disposing of personal data, and if any aspect of processing is unfair, there will be a breach of the first principle and violation of the Act even if the other conditions are met.
Although risk stratification for case finding can lead to an interventional care package being offered to a patient, the process of collection, use and analysis of personal data through a risk stratification tool is not considered to be a direct care purpose. A GP cannot therefore rely on a patient’s implied consent to use their confidential personal data in this way and must therefore justify the processing under another lawful basis, such as explicit patient consent or a legal gateway.
GPs or GP Practices are “data controllers” and have a legal duty to ensure all processing of personal data of their registered patients complies with all eight data protection principles of the Data Protection Act. Failure to do so carries significant risks.
A data controller may assign some or all of the responsibility for data processing to another person, but their overall legal responsibility cannot be delegated or contracted out.
One part of the first DPA principle is the obligation to ensure personal data is processed fairly, which means that patients must be told how and why their personal data is being used and, where they have a right to choose, their options to object to their data being used in that way.
The responsibility for telling patients falls on the GP as the data controller. This is usually achieved by issuing a fair processing notice.
Where a Clinical Commissioning Group (CCG) or Commissioning Support Unit (CSU) is supporting GPs with their risk stratification programme, they should also be helping with the development and active communication of local fair processing information.
It is important that GPs are sufficiently engaged in those arrangements so they can ensure their legal obligations are adequately covered.
When deciding what extra information needs to be included in the interest of fairness, it is recommended good practice to put yourself in the position of the patients you are collecting information about and ask:
- What do our patients know, or can reasonably be expected to know, about how their personal data is used, and do we need to include this in our fair processing notice? (You do not need to tell them what they already know but a short explanation is advisable to add context);
- Will our patients understand what risk stratification is and that we operate a programme for case finding and commissioning purposes?
- Will they know that data about their hospital attendances is obtained from the Health and Social Care Information Centre (HSCIC) and matched to our data to create a risk profile about them and how we manage the outcomes?
- What do we need to say to explain how their personal data is handled out of the GP Practice by the risk stratification service provider and who has access to it?
- What assurances can we give them that it will be handled confidentially and kept secure?
- What do we need to tell them about their choices in that respect – do they understand they have a right to object; what purposes they can object to; what they need to do to tell us and how we will manage their dissent?
- Do they know that we will respect their decision but in some circumstances we may still be legally required to disclose their data?
- Will they understand the likely personal consequences to their care if they decide to opt-out?
- Do they know they can access their personal information and who they should ask?
- Is it clear who they should contact if they have any concerns, wish to ask questions or make a complaint?
- How can we make this information widely available to our patient audience?
Practices may wish to involve their local Patient Participation Group in the development of fair processing notices to ensure they cover all possible questions and test understanding.
The potential to work with other Practices to develop local fair processing communications should be explored with the CCG.
The NHS Constitution sets out the Secretary of Health’s offer to give people a right to object to their confidential personal data being used for purposes beyond their own care and treatment and to have those objections considered.
A patient can object to their confidential personal information being disclosed out of the GP Practice and/or being shared onwards by the HSCIC for non-direct care purposes (secondary purposes).
However, the choice not to share data for non-direct care purposes must not affect the individual’s care.
Being excluded from a risk stratification for case finding programme could prevent a patient in a risk category from being identified and offered direct care. This can be managed by setting the data extraction process to override the opt-out codes to allow data to flow for risk stratification purposes. However, this should be made absolutely clear to the patient because, having made the choice not to allow their data to be disclosed out of the GP Practice, they would expect that decision to be upheld. If they still object, their decision should be respected.
Because of the complexity, it is advisable to consider providing this information in stages, for example by using a layered approach starting with a basic explanation, with signposts to more detailed information for those who wish to pursue it.
Information provided on the fair processing notice should include an explanation of the NHS Constitution rights and what a patient needs to do if they decide to opt-out.
Further information can then be targeted at patients who have chosen the opt-out option to explain the consequence of their decision and how you will manage their personal data to ensure it is not used for the purposes they have objected to.
Where their decision raises specific clinical concerns, then it may be appropriate to meet with the patient to discuss their position and for a clinician to ensure they are fully aware of the consequences to their personal health, how the decision may limit the ability to offer health care and that the final decision is made with a full understanding and capacity.
The important point is to ensure the patient has been provided with enough information to make an informed choice.
An example of good practice can be found in the NHS Care Records information, which provides an explanation of what opting-out will mean to the patient on the Opt-Out Form.
View further information about patient objections management.
When designing a fair processing notice, consideration must be given to its readability and language. Fair processing notices should be clear and understandable by the audience they are intended for. Avoid using technical or legalistic language – keeping it simple is the best approach.
You do not have to call it a “Fair Processing Notice”. A more user-friendly title that is meaningful to patients is advisable as it is more likely to attract attention, for example “How we use your information” or “Protecting your confidentiality”.
As it is unlikely that people will read the small print on very detailed notices, it is recommended that information is broken down into smaller, more user-friendly sections by using a layered approach.
Basic information provided as a high level summary (e.g., printed in a leaflet or on a website front page) is often enough for people to understand and decide whether or not that explanation is sufficient for them. Directions or links to more detailed information can then be provided for people to follow if they wish to know more.
Links to information held on other websites, such as NHS Patient Choices, the CCG’s website, NHS England, the Health and Social Care Information Centre (HSCIC), and the Information Commissioner’s Office, can also be helpful to provide further details and avoid the need to duplicate information adequately explained elsewhere.
It is not practicable for the GP Practice to produce fair processing notices in a range of languages and accessible formats, but consideration must be given to addressing diversity and equality needs. Usually, the CCG or CSU can offer assistance in this matter.
Engaging Patient Participation Group members will enable the Practice to test their fair processing notice for clarity, completeness and understanding prior to publication.