ASH data breaches to attract fines
4 December 2013
Accredited safe havens will be subject to significant fines if they breach their requirements for handling patient data under Health and Social Care Information Centre proposals.
The creation of ASHs was recommended in the 2013 Caldicott Review report – ‘To Share or not to Share’ – to handle "de-identified for limited access" data for some commissioning functions.
This so-called DID4LA data will contain a single identifier, probably the NHS Number, and so could be reidentified if linked to patient confidential data, creating a data breach.
A paper being presented to the HSCIC board this week recommends new regulations to ensure that a breach of ASH requirements would be seen as a breach of the Data Protection Act and therefore could attract a significant fine.
It explains that while data sharing contracts should be used to impose the necessary controls on an ASH, NHS contracts are not enforceable between NHS bodies.
New Section 251 regulations could be created to ensure legally binding controls are in place and should be applied to every ASH, the paper suggests.
“A breach of the ASH requirements would therefore be seen as a breach of the Data Protection Act, not just of the contract, and potentially attract a significant fine,” it says.
The HSCIC supports the development of additional regulations under s251 and says the process of submitting and approving them will be between six and twelve months.
All commissioning support units and some clinical commissioning groups have expressed an interest in becoming an ASH.
The issue is regarded as urgent by clinical commissioners, who have written to NHS England saying they cannot carry out essential functions such as invoice validation and risk stratification, because of issues around processing patient data.
However, the development of ASHs is a contentious issue because of the potential for reidentifying the data they will handle.
A paper presented to the HSCIC board in October said there were “significant differences of opinion on where an Accredited Safe Haven should be considered as the solution for a data sharing requirement”.
A decision on their creation now appears to have been made, as the December board paper says the centre “will be required to share potentially reidentifiable data with ASHs once they have been defined and established”.
The HSCIC’s proposals will go to a subgroup of the Informatics Services Commissioning Group for consideration.