Regulation 2 of the Statutory Instrument (SI) on confidentiality – No. 1438, The Health Service (Control of Patient Information) Regulations 2002 – permits cancer registries to receive patient identifiable data [note 1] without the need for informed consent and it permits registries to process said data for the medical purposes stipulated in regulation 2. The regulation was made under Section 60 of the Health and Social Care Act 2001 and continues to have effect under Section 251 of the NHS Act 2006. The approval has been subject to annual review by the Patient Information Advisory Group (PIAG). The functions of PIAG have now been taken over by the Ethics and Confidentiality Committee (ECC) of the National Information Governance Board (NIGB).
When dealing with requests for patient identifiable data registries must assess each request carefully and on merit, to ascertain whether or not patient identifiable data are really necessary. If not, anonymised data must be supplied, following the relevant UKACR guidelines. This is an important principle that registries must apply, even if patient identifiable data have been provided for similar requests in the past.
The UKACR guidance is informed by the Disclosure Review for Health Statistics (referred to as the Health Review) developed by the Office for National Statistics and approved by ministers as policy in England. The health review provides detailed guidance on how to decide whether or not data are identifiable, and is the standard reference for publishing health data.
Cancer registries in England and Wales can release patient identifiable data legally only to those organisations specified in items 1) a), 1) b), 1) c), 1)d) and 1) e. All other organisations or individuals need approval from the Ethics and Confidentiality Committee of the National Information Governance Board, unless they have informed consent from patients. This policy must be implemented by all organisations listed in Appendix 1. This policy will be subject to annual review.
All requests for patient identifiable data must be made using the UKACR request form for patient identifiable or potentially identifiable data or the registry’s host organisation’s standard request form for identifiable data [note 2].
Chris Carrigan, National Cancer Registration Co-ordinator, England
Monica Roche, Co Chair, United Kingdom Association of Cancer Registries
[note 1] Defined in the Health and Social Care Act 2001 as "For the purposes of this section, patient information is "confidential patient information" where:
(a) the identity of the individual in question is ascertainable:
(i) from that information, or
(ii) from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and
(b) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.
Data will be regarded as identifiable if it includes any of the following data items: name, address, postcode, date of birth, date of death, NHS number, hospital number.
[note 2] Registry specific versions of the UKACR request form for patient identifiable or potentially identifiable data are available at: http://www.ukacr.org/content/data-confidentiality-and-security
Procedure: Release of identifiable information
Implementation date: 14 February 2012
UKACR Policy on disclosure of identifiable data by cancer registries – guidance on implementation within England and Wales
Patient identifiable data can be disclosed by cancer registries in England and Wales as listed in Appendix 1, if judged necessary by their Director, to:
1) Directors (or designated other named individuals, see Appendix 2) of legitimate third parties, these being:
a) Approved bodies in terms of Regulation 2 of the SI 2002 No. 1438, i.e. those organisations listed in Appendix 1 involved in the Cancer Registration Service in England and Wales, by virtue of being signatories to the UKACR application approved by the Patient Information Advisory Group.
b) Single organisations (NHS Trusts in this context) for internal audit, by virtue of class support agreed by PIAG at its meeting on 8 March 2002 (Minute 6.7)
c) Clinical Genetics Services, in terms of the UKACR Policy (informed consent for living individuals) and in terms of paragraph (1) (e) of Regulation 2 of the SI 2002 No. 1438 (for deceased individuals)
d) Organisations to which cancer registries currently disclose identifiable data, in terms of Regulation 5 and the Schedule of the SI 2002 No. 1438. They are:
i) Organisations listed in Appendix 3 providing care for the patient at any time point on the cancer pathway, including all suppliers of data to the registries. They may receive complete records.
ii) Organisations needing regular data exchange for audit, public health surveillance or monitoring (as detailed in Appendix 4) [note 3]:
e) Organisations needing occasional data exchange for public health surveillance (including investigation of clusters), monitoring of outcomes and to support planning /commissioning of services:
f) Regional Directors of Public Health of Public Health for the purpose of investigating specific public health concerns about service quality.
2) Other parties [note 4] or for other purposes, provided that they:
a) Can show evidence that all patients, about whom information is being requested, have consented to such disclosure, or
b) Have exemption from consent under the new regulations (Regulation 5 and the Schedule of the SI 2002 No. 1438).
[note 3] PIAG have given Secretary of State approval to Trusts for undertaking internal audit
[note 4] including Strategic Health Authorities, Department of Health.