Abstract
The Confidentiality Advisory Group (CAG) is a specialised body that advises the Health Research Authority (HRA) and the Secretary of State for Health on requests for access to confidential information, in the absence of informed consent from its owners. Its primary role is to oversee the safe use of such information and to counsel the governing bodies mentioned above as to whether such use is appropriate or inappropriate. Researchers who seek access to England or Wales-based confidential data, for medical purposes that are in the interest of the public, are typically required to submit an application to this body. However, it is not always clear to researchers whether requests for access to patient data fit within the remit of the CAG or a Trust’s local information governance team. This commentary will, therefore, explore the role of the CAG and reflect on how best to support researchers with this question.
Confidential information can play an important role in generating new health research and, in turn, improving care. However, widely publicised breaches of patient data and the ease with which information can be shared have increased sensitivities around data protection policies in recent years. England’s Common Law Duty of Confidentiality and, more recently, the European-wide General Data Protection Regulation (GDPR), posit that confidential information provided in circumstances where it is expected that a duty of confidence applies, must not, in most cases, be shared without express consent from its owner (NHS Health Research Authority, 2018a). There are three specific circumstances in which a public authority can make a disclosure lawful, thus avoiding a breach of these regulations: (i) with the information provider’s explicit consent, (ii) when legally mandated (e.g. through court order) or (iii) when such disclosure safeguards an individual or is in the public interest (Department of Health, 2013; unknown). Although research more frequently involves the first of these criteria by means of informed consent, the subject of this commentary is the latter criterion, where confidential data is processed as a task of public interest under section 251 of the National Health Service Act 2006.
The disclosure of confidential information in the public interest can be justified in two scenarios. The first of these concerns circumstances where the benefits to or security of an individual or society are prioritised over the public or patient’s interest in keeping the information private (General Medical Council, 2019). This includes disclosures intended to lower the risk of serious harm or crime, for instance as seen in W v Egdell (1990). The second relates to circumstances in which disclosure is warranted for its important public benefits, such as the production of research contributing to the improvement of healthcare systems (General Medical Council, 2019).
The processing of confidential information for the purpose of producing health research requires formal ethical review and approval, unless performed under the auspices of audit. In England and Wales, for applications requesting access to confidential information without seeking informed consent from participants, section 251 of the NHS Act 2006 (Parliament of the United Kingdom, 2006) is invoked. Section 251 oversees all activities with a ‘medical purpose’, such as medical research that is approved by a Research Ethics Committee (REC) or activities pertaining to the management of health and social care services (NHS Health Research Authority, 2018a; Parliament of the United Kingdom, 2006). Such applications were previously assessed by the Patient Information Advisory Group (PIAG) and, subsequently, the National Information Governance Board’s Ethics and Confidentiality Committee (ECC). However, following substantial parliamentary and public debate, such applications are now exclusively reviewed by the Confidentiality Advisory Group (CAG) (NHS Health Research Authority, 2018b).
The CAG is an independent body set up through the Health and Social Care Act 2012 and tasked with reviewing such requests on behalf of the Health Research Authority (HRA) and the Secretary of State for Health (NHS Health Research Authority, 2018b). The Care Act 2014 expanded its remit slightly to provide advice to NHS Digital on aspects relating to its dissemination function. The CAG holds an advisory role whereby it counsels the HRA on whether access should or shouldn’t be granted for those seeking such permissions. Final permissions, nonetheless, remain the responsibility of the two aforementioned bodies. Their primary task is to safeguard patients’ confidential information whilst aiding the appropriate and protected use of such data. For an application to be considered by the CAG, researchers must assert that the data cannot be collected using informed consent, that other methods of collecting data are not viable and that those asking for approval do not normally have legitimate access to this information (NHS Health Research Authority, 2018b). Furthermore, permission can only be granted for data used for medical research purposes that has the aim of improving patient care or outcomes, and in cases where public interest and the potential benefit emerging from analysing this data outweigh the risk of breaching confidentiality.
The CAG prides itself on its transparency. Details regarding the frequency of its meetings, the minutes of each meeting and its members, both expert and lay, are available online. However, an ongoing difficulty that is less clear for researchers is whether their request for access to information fits within the CAG’s remit. In an effort to help researchers ascertain whether there is such a need, the CAG have uploaded a document to their website that they refer to as their ‘decision tool’ or pre-application checklist (NHS Health Research Authority, 2018b). This decision tool consists of fourteen questions which assist researchers in determining whether they need to process identifiable information without consent. These questions centre upon understanding the location from which the information would be generated, whether the study complies with data protection legislation, whether patients and members of the public were involved and could object to the research, as well as whether the study fulfils the criteria outlined in the paragraph above. In addition to the decision tool, the CAG have created a precedent set review pathway with the goal of expediting the review process for applications that request access to data that are similar to previously submitted applications (NHS Health Research Authority, 2018c). Submissions to this pathway must closely resemble the categories outlined in their precedent set category guidelines. Examples of such categories pertain to requests for access to deceased persons’ data, data cleansing of historical studies, and mortality, cancer or GP data from NHS Digital (NHS Health Research Authority, 2018c).
Though these guidelines are vastly helpful in informing researchers and research organisations, they are not exhaustive. From the authors’ personal communication with the CAG, it is our understanding that deciding whether a prescribed activity involves a breach of confidentiality, which would require the establishment of a legal basis to legitimise its processing, is the responsibility of the applicant and data controller. The CAG does not advise as to whether a study may require their approval nor does it offer the option of rapidly reviewing an application to check whether it sits within their remit. Those who continue to be unsure of whether their study requires this review are asked to consult their local information governance team and/or sponsor.
This position, however, assumes that local bodies are significantly well-versed in research governance. It also leaves the researcher with no arbiter to adjudicate a course of action in the event of disagreements between local bodies. Furthermore, since the implementation of the General Data Protection Regulation (2016) and its significant economic penalties for breaches, NHS trusts and other government-funded bodies may be overcautious in directing researchers to submit applications to groups such as the CAG. Such cautiousness may lead to unwarranted applications to the CAG and result in substantial research delays. It may also disincentivise researchers from designing similar research studies in the future. Appreciating that the CAG is likely to be under pressure, both in terms of time and workload, the need for open discussion between the CAG, the HRA and health researchers to find a supportive solution for researchers remains. Such discussion could be developed with the NHS Digital’s Research Advisory Group, whose members include the HRA, by means of their ‘Streamlining Ethics and Approvals Subgroup’, a subgroup presently tasked with diminishing duplicate applications for approvals and clarifying possible interpretations of the law (NHS Digital, 2019). A second important step towards supporting researchers could be in ensuring that local information governance teams are well-versed in research ethics and available to research teams. Although such steps would not prevent all unnecessary applications from being submitted to the CAG, they may significantly guide research teams and reduce doubts regarding the need to submit to the CAG.
Footnotes
Declaration of conflicting interests
The authors declare that they have no conflicts of interest.
Funding
All articles in Research Ethics are published as open access. There are no submission charges and no Article Processing Charges as these are fully funded by institutions through Knowledge Unlatched, resulting in no direct charge to authors.
