CWNHSFT and Sensyne

The request was partially successful.

Dear Chelsea and Westminster Hospital NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Monday 20th August 2018.

I note with interest the article in The Times newspaper on August 18th:
https://www.thetimes.co.uk/article/peer-...

and the fact that your organisation has a stake in that company (Sensyne).

The article's point was, of course, that the "capital" put up by you (and the other trusts) was not cash but data - access to consented, anonymised patient data.

In return for providing that data to Sensyne, the trust will share royalties every year worth 4% of Sensyne's revenues. The article describes how Sensyne will have access to the records of 400,000 patient, initially. Effectively, and ultimately, cash for data.

I am interested in the nature and process of providing medical data, sourced from confidential medical records, to Sensyne for (presumably) secondary processing.

Please could you kindly provide me with the following information:

• Please could you tell me the nature of the data that your organisation is providing, or intends to provide, to Sensyne? It is:
• Aggregate data
• Anonymised data (to the standard currently described by the ICO as "effectively anonymised")
• Record-level pseudonymised data
• Clearly Identifiable data
or some combination of the above?

• Please could you provide me with any assessment made as to the risk of reidentification of the data disclosed to Sensyne

• Please could you tell me the exact purpose, or purposes, for such processing
The article already makes clear that data will be passed onward to "pharmaceutical companies", and in the future that you will allow Sensyne to data mine medical records.

• Please could you provide me with the privacy notice available to patients regarding this processing (as required by GDPR)

• Unless detailed in the privacy notice, please could you provide me with the legal bases (from Articles 6 and 9) that your organisation is relying upon in order to process this data (i.e. to provide it to Sensyne)

• Is Sensyne acting as a data processor or a data controller?
If a data processor, please could you provide me with the data processing contract (as required by Article 28 of the GDPR) between you and Sensyne
If a data controller, please could you provide me with the data sharing agreement between you and Sensyne

• Please could you provide me with the basis by which this project satisfies the common law of confidentiality (e.g. consent, public interest, legal obligation, s251/HRA approval)

• The article states that disclosure of data to Sensyne will be "consented". Please could you confirm whether explicit consent will be, or already has been, obtained from patients (the data subjects) before disclosure of their data to Sensyne for secondary processing

• Please could you tell me whether patients can opt-out of (object to) the processing of their data in this way (i.e. the disclosure to Sensyne)? How do they object? And does this data-sharing project respect, or plan to respect, the National Data Opt Out (Type 2 objection)?

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Thank you once again.

Yours sincerely,

Dr Neil Bhatia

Our ref: FOI 2018 500
Dear Sir/Madam
Thank you for your Freedom of Information request.  Please note that in September 2015 Chelsea and Westminster Hospital NHS Foundation Trust merged with West Middlesex University Hospital so our response will include information for both trusts. There is no need to send in a separate request.
This request is being handled under the Freedom of Information Act 2000. We are permitted up to 20 working days (commencing the first working day after receipt of a request) in which to either answer your request or explain why we are unable to answer it. 
For more information on Freedom of Information, please see our website at:
http://www.chelwest.nhs.uk/about-us/orga...  
We will answer your request as quickly as we can.
If you have any questions about your request please ensure you include our ref number above and send to [email address]
Regards
Jeff
The Information Governance team

show quoted sections

Dear FOI,

Just a polite reminder that you must respond to my request by the end of today, Monday 17th September.

Yours sincerely,

Dr Neil Bhatia

 

Our Ref: FOI 2018 500

Dear Requester

Thank you for your information request received by us on 20 August 2018

This request has been handled under the Freedom of Information Act 2000.

Please note that Chelsea and Westminster Hospital NHS Foundation Trust
merged with West Middlesex University Hospital in September 2015, for this
reason our response covers both sites.

 

Our response:

 

Question CWFT Response
Please could you The full detail of dataset submission is not yet concluded.
tell me the
nature of the  
data that your
organisation is The expectation is that this will be anonymised data and our objectives are
providing, or that:
intends to
provide, to 1)    We meet (or exceed) the ICO requirements
Sensyne? Is it:
2)    We meet the legal requirements
• Aggregate data
3)    That we are confident that no identifiable patient data is released from
• Anonymised the Trust
data (to the
standard  
currently
described by the
ICO as
"effectively
anonymised") •
Record-level
pseudonymised
data

• Clearly
Identifiable
data or some
combination of
the above?

 
Please could you A high level risk assessment has been undertaken to support the Strategic
provide me with Research Agreement. This was part of private (part 2) Board paper. The Board
any assessment was satisfied that one of our key tests re anonymisation was met and that a
made as to the principle underpinning the design of the anonymisation process is that the risk
risk of of re-identification of any data/dataset provided to Sensyne will be
reidentification sufficiently low in order to satisfy the applicable legal standards for
of the data anonymisation.
disclosed to
Sensyne  

  Test data will be used to test the system to ensure that no person identifiable
information is shared.

 

A detailed Data Privacy Impact Assessment is being undertaken and will be
reviewed each time a specific Data Protection Protocol is agreed and on any
submission of anonymised datasets

 
Please could you The Trust cannot comment on the accuracy of the article. We can, however,
tell me the unequivocally state that no external body (including Sensyne Health) will have
exact purpose, access to identifiable data and medical records.
or purposes, for
such processing  
The article
already makes The Trust is clear that our objectives are to:
clear that data
will be passed o Improve health outcomes for patients
onward to o Improve the Trust’s research capabilities
"pharmaceutical o Reduce costs to CWFT (and wider NHS); and
companies", and o Any return would be reutilised for the benefits of CWFT patients
in the future
that you will  
allow Sensyne to
data mine Achieving these objectives will be framed by the legal and regulatory
medical records. requirements.

   
Please could you Please find a link attached
provide me with
the privacy [1]http://www.chelwest.nhs.uk/about-us/orga...
notice available
to patients
regarding this
processing (as
required by
GDPR)

 
Unless detailed The data is anonymised.
in the privacy
notice, please  
could you
provide me with Article 6, 4(e) of GDPR provides sufficient legal basis for the provision
the legal bases
(from Articles 6 of this data. Please note that GDPR provides for the fact that as the data
and 9) that your provided is anonymised it is no longer considered “personal
organisation is
relying upon in  
order to process
this data (i.e.
to provide it to
Sensyne)

 
Is Sensyne The Trust is acting as the Data Controller.
acting as a data
processor or a  
data controller?
Please find copy of Data Processing Agreement attached (please note that as set
If a data out in s2.1 No data is processed directly under his but Is contingent on
processor, further and explicit Data Protection Protocols)
please could you
provide me with  
the data
processing
contract (as
required by
Article 28 of
the GDPR)
between you and
Sensyne If a
data controller,
please could you
provide me with
the data sharing
agreement
between you and
Sensyne

 
Please could you No patient’s confidence is being breached because no patient is being
provide me with identified and none of the data being disclosed can be traced back to an
the basis by individual patient. It is not personal data at the point when it is
which this transferred. 
project
satisfies the  
common law of
confidentiality There is duty of confidence in relation to information which does not identify
(e.g. consent, a patient - the ICO has dealt with this issue – and our processes will be
public interest, designed to comply with their requirements.
legal
obligation,  
s251/HRA
approval)

 
The article The Trust cannot comment on the accuracy of the article.
states that
disclosure of  
data to Sensyne
will be Our patients are also routinely consented by the Trust for use of their data
"consented". for specific purposes.
Please could you
confirm whether   
explicit consent
will be, or As a general principle, however, given all data will be anonymised
already has
been, obtained  
from patients
(the data
subjects) before
disclosure of
their data to
Sensyne for
secondary
processing

 
Please could you The Trust’s standard approach is planned to apply. Patients can write/contact
tell me whether the Data Protection Officer.
patients can
opt-out of  
(object to) the
processing of The DPO contacts are available on the Trust website as per link provided above
their data in
this way (i.e.
the disclosure
to Sensyne)? How
do they object?
And does this
data-sharing
project respect,
or plan to
respect, the
National Data
Opt Out (Type 2
objection)?

 

 

If you are not satisfied with how your request has been handled then
please either

1.    Respond to this email and we will review our answers and get back to
you or

2.    Write directly to:

The Chief Executive
Chelsea and Westminster Hospital NHS Foundation Trust
369 Fulham Road
London
SW10 9NH

If, after we have addressed your complaint, you remain dissatisfied with
how we have responded, you are entitled to appeal to the Information
Commissioner at:

The Information Commissioner's Office, Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF.

Telephone: 08456 306060 or 01625 545745

Website: [2]www.ico.org.uk

There is no charge for making an appeal.

Re-use of information and copyright

You are free to re-use the information contained in our response under the
terms of the Open Government Licence
[3]http://www.nationalarchives.gov.uk/doc/o...

You must take into account the exemptions and any other conditions such as
the non-endorsement condition below

This licence does not grant you any right to use the Information in a way
that suggests any official status or that Chelsea and Westminster Hospital
NHS Foundation Trust, the Information Provider and/or Licensor endorse you
or your use of the Information

Further information can be found at:

[4]http://www.opsi.gov.uk/advice/psi-regula...

Yours sincerely

Carol Conway

The Information Governance team

Chelsea and Westminster Hospital NHS Foundation Trust
Email: [5][email address]

 

show quoted sections

 

Please use this email address for all replies to this request:

[7][FOI #511262 email]

 

 

[email address]:

This e-mail is confidential and may well also be legally privileged. If
you have received it in error, you are on notice of its status.
Please notify us immediately by reply e-mail and then delete this message
from your system.
Please do not copy it or use it for any purposes, or disclose its contents
to any other person: to do so could be a breach of confidence.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of the
Trust.
Thank you for your co-operation.

This footnote confirms that the message has been swept for computer
viruses: while every care is taken to avoid the transmission
of virus code, please ensure that you have up to date virus detection
software before opening any email messages or attachments.

Chelsea and Westminster Hospital NHS Foundation Trust

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If you have received this email in error please notify the originator of
the message.

Any views expressed in this message are those of the individual sender.

References

Visible links
1. http://www.chelwest.nhs.uk/about-us/orga...
2. http://www.ico.org.uk/
3. http://www.nationalarchives.gov.uk/doc/o...
4. http://www.opsi.gov.uk/advice/psi-regula...
5. mailto:[Chelsea and Westminster Hospital NHS Foundation Trust request email]
6. https://www.thetimes.co.uk/article/peer-...
7. mailto:[FOI #511262 email]