Reflections on 30 years of protecting patient data

It all began around 1996. I was working as Medical Director at an NHS organisation in Wales, my background being in general surgery with interest in vascular surgery.

At the time, we were on the advent of a digital revolution; it was around the beginning of publicly accessible internet and the integration of computers into our daily lives. There was the premise of a new, national database being set up, which would store the data of patients secondary care treatment across England for the very first time, called the NHS Wide Clearing service. Its aim was actually related to contracting and to make sure purchasers could ensure the providers were doing what they were contracted to do.

There was mass scepticism – myself included – at this idea. We doctors were trained in the absolute confidentiality of personal data and this presented what seemed a breach. The British Medical Association (BMA) led a campaign raising concerns about this new technology, voicing worries about patient data being available to those not directly responsible for care, and their lobbying efforts were supported by the Royal College of Nursing.

It was decided a committee must be established to advise on this. It was called the Security and Confidentiality Advisory Group (SCAG). It sat within the Chief Medical Officer for England’s department. They needed someone to represent Wales so I was approached. The original chair had to step down after a couple of years, so I stepped up and held this position for almost four years.

During that time, I learnt a lot about how the safe use of data and this developing technology could really progress medical care. My views began to change. We began to see that this could help, rather than hinder.

Over subsequent years, we had to balance how the use of confidential patient data could benefit public health whilst complying with the law.

The Common Law Duty of Confidentiality stated that you can’t release confidential patient data without patient consent unless there was a legal basis to do so.

The Security and Confidentiality Group (SCAG) monitored the situation for the release of data from the initial national databases but did not make that release compliant with the common law. It became clear that there needed to be new law giving a legal basis to the use of identifiable data without consent. The General Medical Council was very concerned about the legality of Cancer Registries. New law was passed in 2000 to deal with this situation which involved setting up the Patient Information Advisory Group (PIAG), which was the first CAG predecessor. As chair of SCAG, I attended all the meetings of PIAG and eventually became a member.

The new law allowed the common law to be set aside by the Secretary of State with very strict criteria, and only upon the recommendation of the PIAG.

Establishing the criteria for data release was not a simple process and it was a very interesting few years, as we reviewed the proposals to use data on a case-by-case basis. The great value of analysis of data in these large databases and how it could develop and improve patient care became ever more apparent.

So, in 2006 further law was enacted that built on the 2000 law and more clearly set out a legal basis for national databases.

The function of PIAG, its first successor the Ethics and Confidentiality Committee (ECC) and later CAG was to recommend support to cover breaches of confidence using section 60 of the 2000 legislation and section 251 of the 2006 act, and this way of operating continues today.

There needs to be a mass public education exercise to show that it is possible to protect the confidentiality of patient data and use it to research and manage improvements in care. Lack of transparency and misconceptions in the past, along with wariness of cyber attacks, has affected public trust.

There can always be improvements to our digital infrastructure, and if there was continued investment in this area, coupled with the education and reassurance of how using confidential data can progress research and health care, that would be very beneficial.

The request for researchers to access biobanks required a huge amount of analysis and was a real turning point, due to its scale and size.

Biobanks play a crucial role in facilitating valuable research, providing access to crucial tissue, blood samples, DNA and data that help scientists improve our understanding of health and disease.

CAG reviewed how researchers could be given access to biobanks, to accelerate research without compromising trust – and it worked.

A year after we reviewed the application, a public dialogue commissioned by the HRA and the HumanTissue Authority (HTA) found that patients would be happy to share personal data alongside tissue that they have donated to biobanks – if they are given a clear explanation of how their data would be used and the opportunity to opt out.

I think nowadays, the research community has become much more conscious about protecting data and the need to be rigorous in applications to assure us they have thought about confidentiality and security.

As a result we are seeing better and more thorough applications coming through to CAG.

Of course artificial intelligence (AI) is becoming engrained in our daily lives, and I think we can draw some parallels to 30 years ago, when there were mixed but mainly sceptical reactions to such rapid digital change.

Now I know that that was the fear of the unknown, and having seen the advancements possible, I am sure AI will be a huge advantage to patient care and research.

The role of the CAG will be as important as ever, to ensure its safe and appropriate use.

It’s been a hugely fulfilling experience. Some of the best sessions have been the more difficult applications to review, where we have felt challenged but been so focused on the purpose.

I’ve met some great intellects and immensely enjoyed working through these applications with the group. It has been one of the great joys and privileges of my life.

"Really great contributions to any committee are the ones that happen quietly. The concise pearls of wisdom, generated by experience, the detailed knowledge of the subject, and the confident authority which has been earned over years. Patrick's contributions were rich in all of these qualities.

"I have had the honour of working with Patrick in England and Wales. He chaired the Welsh Information Governance Board where we both worked to advise the Welsh NHS and Government on the importance of safe and good governance of confidential data.

"He has given me great support in my role as Chair of the CAG, sound common sense and a realistic appraisal of the possible and the not so possible. The CAG committee, the HRA and the data governance world owe a real debt to him, and I have no doubt that he will be missed on the committee."

“Patrick has been central, not only to the work of the Confidentiality Advisory Group for the past 11 years, but also to the groups before CAG.

"Patrick has quietly volunteered his time to this cause since the 1990s and has made a significant contribution to the HRA and to shaping national research landscape in relation to the use of data.

"We are incredibly sad to be losing Patrick’s knowledge and insight, but are forever grateful for the time he has volunteered and wish him well for the future.”