Risk assessment central to health data disclosure

At the NHS Information Centre, we can provide data on issues at both national and local level. For instance, we can help healthcare professionals isolate and identify particular health issues in their PCT or evaluate the quality of care in their local hospital and how it compares with others. We can assess the extent of smoking, alcohol and drug-related problems, and which groups of the population are most affected.

Because we are able to provide such localised data, we are often dealing with small numbers of people. This means that the risk of them being identified by those with a particular interest in them is higher.

Take, for example, data that is provided on childhood obesity in a small town. Because this group of people is likely to be small, there is an increased risk of them being identified out of the wider population and of patient confidentiality being compromised. We need to ensure we safeguard against these risks.

Because a group of people is small, there is a risk of them being identified.

All NHS organisations and those who supply or make use of the information have an obligation to ensure that there is adequate provision for the security management of the information resources that they own, control or use. Before we publish health statistics we must:

  1. Determine users’ requirements for the published statistics: It is vital to identify the main users of the statistics and understand in detail why they need the figures and how they will use them.
  2. Understand the key characteristics of the data: It is important to have a good understanding of the data that may require protection in order to assess any risk of disclosure.
  3. Assess circumstances where disclosure is likely to occur: In each assessment we make, we need to consider the views of patients or staff and what the impact of potential identification could be.
  4. If required, select appropriate control methods to manage any risk.
  5. Implement and disseminate the information: Once all necessary checks have been made, data can be released.

Data encryption, digital signing, authentication and non-repudiation services are effective information security tools, which we actively use to ensure our data is reliable and secure. What is more, all individuals who work within, or under contract to, an NHS organisation have a responsibility for the security of information that they create or use in the performance of their duties.