Paper to National Information Governance Board for Health and Social Care 22 September 2011 Group A PAPER

Version: 1 Issued: 12/09/2011

Title:

Proposal for Changes to Arrangements for the Hospital Episode Statistics Service

Submitted by: Governance, NHS Information Centre Executive Summary:

Clare Sanderson, Director of Information

The NHS Information Centre is seeking comments, advice and support from NIGB on the proposals for transitioning the Hospital Episode Statistics (HES) Service into the Health and Social Care Information Centre (NHS IC), and on how the NHS IC should continue to work with the NIGB. The Board is asked to provide input and guidance and to support the transition process.

Reason for Submission:

For consideration, advice and support

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 1 of 8

National Information Governance Board

Proposal for Changes to Arrangements for the Hospital Episode Statistics Service - August 2011 Request for Board Action
The NHS IC is seeking comments, advice and support from NIGB on the proposals for transitioning the Hospital Episode Statistics (HES) Service into the Health and Social Care Information Centre (NHS IC). Further we are seeking agreement on how we continue to work with the board, the NIGB secretariat and the Ethics and Confidentiality Committee (ECC) as we rationalise and improve our activities.

Introduction
The purpose of this paper is to inform the National Information Governance Board (NIGB) of proposed changes to the Hospital Episode Statistics (HES) service provided by the NHS IC. HES contains information about hospital admissions and outpatient and accident and emergency attendances in England. Although it contains personal identifiers such as NHS number and postcode HES does not include name and address details. The NHS IC currently has s251 support for the processing of HES data and meets the requirements of the Data Protection Act 1998 in relation to processing identifiable and sensitive information. The NHS IC processes data fairly and lawfully under Schedule 2 and 3 of the Act, and has procedures in place for the handling of Subject Access Requests and withdrawal of consent by patients The data in HES comes from the Secondary Uses Service (SUS) and is itself the data source for a wide range of healthcare analysis for the NHS, government and many other organisations such as Public Health Observatories, regulatory bodies (e.g. Care Quality Commission and the Audit Commission), academia and health information intermediaries. Such analysis has a major part to play in shaping and improving the quality of services received by patients including Assessment of equality of access to health care Production of comparative information for the patients, the NHS and wider groups Identification of potential improvements to the patient/carer experience Examination of health outcomes Assessment of the effectiveness of the delivery of care Identification of public health issues Monitoring improvements in public health Performance management of the NHS Support for public and parliamentary accountability

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 2 of 8

Management and planning of health services centrally and locally Resource acquisition and distribution General medical research and statistical functions Development, monitoring and evaluation of government policies

The NHS IC routinely uses HES data in the preparation of official national statistics, answers to Parliamentary Questions, and summary datasets which are made publicly available via the HES Online website HES data can be accessed through a variety of means: HESonline provides users with access to a range of HES data as downloadable tables. These do not include personal data, (small numbers are suppressed within any tables provided), and are publicly available. HESOnline also provides users the opportunity for self service. This is an interactive service that allows users to create their own tables from a selection of HES data. As above these tables do not include personal data and are publicly available. Users can also request tailor-made reports or extracts. These may be summary reports in aggregate tables or individual episode records. Where the user wishes to include sensitive data items or identifiable data in their reports or extracts they are required to obtain the appropriate approvals before the data will be supplied to them. In the absence of patient consent, for sensitive data approval is granted through the Data Access Advisory1 Group (DAAG) and for identifiable data through s251 support.

A limited number of users are granted direct access to the HES interrogation system, known locally as Business Objects. These users are able to manipulate and analyse the data within the business objects environment and download the resultant summary tables. As for tailor made reports where the user requires access to sensitive or identifiable data items appropriate approvals must be obtained before access is granted. The NHS IC is proposing changes to the way in which these services are delivered. The changes are necessary to deal with an enforced migration of the Northgate Information Systems (NIS) managed HES service into the NHS IC, and the increasing use of the NHS ICs Data Management Environment (DME) as a primary data handling and processing platform for all services. The NHS IC believes that the proposals outlined in this paper represent a pragmatic way forward for the immediate data handling and processing changes, and for ensuring that patient data is suitably protected throughout. This represents the start of a long process of rationalisation of NHS ICs services which will result in better

Sensitive data items include legal category of patient, referring General Practitioner code, Ordnance Survey grid. DAAG took over from DMsG and consider applications for extracts of HES data containing sensitive data items to ensure that the related benefits are understood and justify such processing and to advise on any additional safeguards required.

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 3 of 8

data handling, and even more robust governance mechanisms for identifiable / sensitive data in the longer term.

Drivers for Change

Continuity of Hospital Episode Statistics Service In 2011 the procurement of a replacement for the Hospital Episodes Statistics (HES) service was stopped due to a combination of factors: changes in national informatics strategy, Cabinet Office review of national IT projects, and major reductions in national funding. This presented the NHS IC with a major service continuity problem as the HES contract was already beyond legal extension, and with no viable procurement vehicle to re-provide the service in time for 2013 end-point. The NHS IC was left with limited choices but to transition the service in-house, and the NHS ICs Board confirmed that approach in March. To achieve this it is proposed that the NHS ICs Data Management Environment (DME) is utilised. DME was introduced into the NHS IC in 2010 as the NHS ICs primary data handling and processing platform, with the intention of replacing out-dated data handling mechanisms and to increase data handling capacity, capability, efficiency, and security / asset control methods. The NHS IC is now in the early stages of planning and executing that transition which brings with opportunities to improve and rationalise the services and data protection mechanisms that are currently operated across NIS and NHS IC, for example: reducing the need for frequent physical data transfers between organisations centralising security controls in fewer systems, improving overall control and management simplifying and improving data asset traceability and access logging making it easier to implement consent withdrawal requests, and ensuring consistent application across all relevant data assets improving technical and governance processes for linked data; affording greater patient data protection

Managing this transition will of course present a combination of technical, operational and delivery challenges, not least of which is ensuring that patient data is properly protected throughout. The NHS IC will ensure that there is strong Information Governance involvement throughout the planning execution and review of this transition. Strategic, Financial, and Operational Challenges The NHS IC, like all other NHS organisations, is facing substantial financial challenges requiring a year on year reduction in operational expenditure, whilst at the same time increasing service to a wider range of demanding customers, for example information intermediaries.

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 4 of 8

New policy initiatives such as transparency raise customer / public expectations of more open access to an increasing range of available data, and this presents new challenges for NHS IC both in terms of regularising the provision of data, and also in ensuring that patient confidentiality is protected in any such provision. Increasingly customers are linking data along clinical pathways for commissioning, effectiveness and efficiency purposes, driven in the main by the national Quality, Innovation, Productivity and Prevention initiative. Throughout 2010/11 the NHS IC has seen a steady growth in the number of requests for national available linked data, and for other data sources to be linked to national sources such as HES. The Health and Social Care Bill2 (H&SC Bill), and the prior Arms Length Body Review3 (ALB) set out key duties for the NHS IC, namely: i.) the central authorised collector of data, and chief assurer of collected data quality, ii.) a national repository for health and social care data, and iii.) the principal disseminator of data to a range of customers/audiences. Whilst these are all roles the NHS IC currently performs in some capacity, the scale envisaged in the H&SC Bill and ALB review is industrial in comparison to current operations. To respond to these diverse challenges, the NHS IC has embarked on a wholesale re-engineering of its data collection, processing and dissemination infrastructure to enable it to respond effectively and safely, and at the scale necessary for the likely future data volumes / customer demands. This reworking of NHS IC systems and processes affords a unique opportunity to re-design how the NHS IC handles data assets and applies the necessary governance controls at all stages throughout the enterprise. The transition of the HES service into NHS IC operations in 2011/12/13 will exploit this new platform, and the first stages of that journey feature in our proposals, as set out below.

Current Arrangements
Core HES Service The HES service has been in place in various forms for over 15 years, most recently the service has been managed under contract by NIS on behalf of the NHS IC. The service is operated from NISs data-centre in Hemel Hempstead. As outlined above, NHS IC customers are able to apply for access to data and analyses from the HES service team, based in Leeds, under an agreed protocol which properly considers the customers intended use of the data. Over time, the NHS IC has introduced additional data extract services including the Monthly Managed Extract Service (MMES) and Bespoke Extract Service (BES) to cater for different customer data extract needs. The MMES and BES services are operated on the NHS ICs behalf by NIS, with data being delivered directly to customers on encrypted DVD by secure courier.

2 3

HM Government, Health and Social Care Bill, 19 January 2011

Department of Health, Liberating the NHS: Report of the Arms Length Bodies Review, 26 July 2010

th

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 5 of 8

Arrangements between the NHS IC and NIS for secure access to the HES data for such purposes are well established and comply with agreed security and access protocols. Trusted Data Linkage Service In 2010, the NHS IC introduced the Trusted Data Linkage Service (TDLS) to meet the increasing demand for record-level linkage between different datasets primarily with HES data. The TDLS provides a secure way of linking and providing such data without unnecessarily exposing patient identifiable information to customers. Linked data sets are returned in pseudonymised or anonymised form as appropriate. Customers requiring identifiable information must either hold patient consent or must first apply to NIGB for s251 support to have this data included in their extract / linkage dataset. The demand for this service is steadily increasing as organisations recognise the value of linked data in the context of the importance of strong governance of patient identifiable information by a trusted NHS partner. TDLS uses the DME environment to process data linkage with HES data. This approach was considered in correspondence with NIGB: ECC 2-05 (a)/2010 Hospital Episode Statistics change to security arrangements (13th October 2010), Support was provided for the outlined approach.

Proposed Arrangements
Migrating HES Data The NHS IC is exploring options for migrating the HES service from NIS to the NHS IC which will help ensure a smooth service transition and also unlock the potential of the shift to the DME platform. One option currently being considered is to start with the migration of historic data i.e. data from 1989 2010 which no longer changes on a monthly basis. It is possible to migrate historic data from NIS to the DME environment now and use that data to underpin all historical analyses, official statistics and linkage activities. Current approvals, allow the NHS IC to use the DME environment for data linkage activities; the System Level Security Policy for DME has been reviewed and approved by Connecting for Health. However, a requirement of the approval is that the identifiers have to be loaded-on-demand. The NHS IC have in place an Access to Clear Data process which is managed by the Information Governance team and ensures that only those staff for whom it is essential to have access to identifiable data, are given those access rights. If the historic data is migrated permanently from NIS to the DME platform as one of the first stages the data can be secured in the DME platform, and a restricted number of staff granted rights to access it for analysis purposes.

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 6 of 8

The logical extension is to migrate all HES data to the DME platform including monthly provisional data as it becomes available, and for this to be replaced on a rolling basis by subsequent monthly cumulative updates. This latter move enables an early migration of processes which support official publications and customer analyses, and therefore reduces the transitional risks of the overall HES migration. The NHS IC would obviously aim to do this as early as possible, to reduce overall transitional risks, but recognises that there are a number of issues with the suggested approach including: Appropriate s251 support will be required and the point at which this should be sought must be agreed with NIGB-ECC and considered within the context of the current situation and the overall direction of travel. Appropriate arrangements will need to be put in place for the destruction of the data within NIS An acceptable approach for the loading and deletion of data files will need to be agreed which can support the service to customers while continuing to meet legal and ethical requirements. NIGB-ECC will need assurance that System Level Security Policies developed at the start of the DME platform development remain applicable for any further development, and in particular relating to the migration of HES services.

Detailed plans are currently being established for the overall HES service migration, and NHS IC will share these with NIGB-ECC as soon as they have been agreed by the project team. Continuity of Data Linkage Services Using DME The process of linking data together ought to be straightforward task, but the current arrangements mean that it is not ideal for a number of reasons: HESIDs can only be generated on the NIS index server because of the platform specific encryption routines. This means that in order to remove identity information from the linkage task at the earliest opportunity (best practice approach) the customers data has to move to the NIS server, be matched with its HESID and then brought back into the controlled DME environment to complete the linkage task. Where customers require identifiable HES information to be returned in the linked dataset, and they have gained the necessary consents and/or approvals, the HES identifiable data must also be drawn from the NIS environment and placed into DME to complete the linkage task. As mentioned above, current approval requires that this HES identifiable data is removed after the linkage task is completed, however in practice the NHS IC has found that the linkage work requires a repeat of this process several times a month4, which means reloading large volumes of data for each occurrence; the

In May 2011, five customers required record level data linkage, four of which included patient identifiable information in their extract dataset, necessitating upload of the patient identifiable data into the DME environment, with subsequent destruction, post linkage.

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 7 of 8

process can take days rather than hours. Clearly this is inefficient, but it also increases the risks of errors in the process. The NHS IC is exploring ways to improve these arrangements and to make the process simpler and more efficient. These might include maintaining the HES identifiers within DME until such time as the customer has confirmed acceptance of the linked data set. We might also look to migrate of the HESID generation and pseudonymisation into the DME environment as early within the migration plans as possible. Both of these improvements are logical steps in the overall journey towards provision by NHS IC and we will seek IG input into how we achieve them throughout the planning process. Governance During Transition The HES migration presents a combination of technical, operational and delivery challenges, not least of which is ensuring that patient confidential data is properly protected throughout. The NHS IC seeks to ensure that the highest standards of information governance and control are applied, especially during the periods of major change, but also at the end-point where we envisage a much better information governance framework. The NHS ICs Information Governance team is routinely involved in all major projects, however, recognising the importance of this key project the NHS IC intend to go further in this instance. The NHS IC is proposing to put in place an IG Assurance Group throughout the migration of the HES service, and to advise on the wider NHS IC developments such as DME, TDLS, taking as a baseline, the Privacy Impact Assessment (PIA) approach to understanding risks to patient confidentiality. It is proposed that the IG Assurance Group would comprise patient, clinical, user and customer representation. Considering Our Proposals / Shared Road-Map The NHS IC has presented the proposals set out in this paper to the ECC who welcomed the early discussion of the issues and agree to work with the NHS IC to establish a mutual agreed position which deals with the current issues on a pragmatic basis and which ensures protection of patient confidentiality throughout the transition.

Clare Sanderson Executive Director of Information Governance

Andrew Frith Interim Director of Data Services

NIGB 220911 Group A Paper - NIGB_HES NHS IC presentation September 2011v2 Page 8 of 8