SPIRE is the Scottish Primary Care Information Resource, a service which has been developed to help GPs, the NHS in Scotland and researchers to learn from information held at GP practices and so improve the care, health and wellbeing of the Scottish population.
What is SPIRE?
The aim of SPIRE is to provide a single national system to extract data from General Practice clinical IT systems in Scotland. SPIRE will analyse and report on the data extracted for specific and approved purposes whilst ensuring the highest standards of patient confidentiality and privacy are maintained.
What will the data extracted by SPIRE be used for?
Data extracted through SPIRE will be analysed to better understand and monitor the health of the Scottish population and to plan and manage health and social care services accordingly. The new service will also be available to those carrying out research into health and social care, including research on potential new treatments for particular illnesses. Some data analysis will generate national statistics aimed at informing the public on treatment and care provision. It also planned to use SPIRE to support any new contractual arrangements with GPs through the provision of data and business intelligence.
How will SPIRE support the Quality and Outcomes Framework (QOF)?
QOF was introduced in April 2004 as part of the GP contractual arrangements and was phased out in 2017. It is being replaced by TQA (Transitional Quality Arrangements) which will extract anonymised datasets to support maintenance of disease registers and help practices monitor the quality of their data. Current extractions will be used for TQA until SPIRE takes over in the third quarter of 2017.
Longer term SPIRE will also provide the ability to adapt to any new reporting requirements that may be a consequence of changes to future contractual arrangements with GPs.
When will SPIRE start?
SPIRE software is being rolled out across Scotland in a phased process and will complete in 2017. Following the Public Information Campaign in March 2017, additional local communications are being planned to take place in all NHS Boards. The aim of the additional communications is to ensure all patients who would want to be given the opportunity to opt out, extraction of patient level data will not begin until 1 month after the completion of any additional local communications in a Board area. The additional communications will be aligned with software installation and training. Practices, once training is completed will also be able to use SPIRE to run local reports, for example on flu vaccinations, without data extraction.
How do I request a SPIRE report or extract?
To request SPIRE development of a local report (populated on site with each GP Practice’s own data) or an extract to NSS, please contact the SPIRE analytical team by completing this Customer Request Service form.
All requests for data extraction will be scrutinized by an independent Steering Group.
The service is being developed and centrally managed on behalf of the NHS in Scotland by NHS National Services Scotland (NSS) with the sponsorship and support of the Scottish Government.
The Farr Institute Scotland, a collaboration between six Scottish Universities and NHS National Services Scotland, is also providing some sponsorship. For more information about the Farr Institute please see www.farrinstitute.org.
What is NHS National Services Scotland (NSS)?
Accountable to the Scottish Government, NSS works at the very heart of the health service, providing national strategic support services and expert advice to the whole of NHSScotland. These services include IT consulting and solutions, statistical information and analysis, national payment processing and public health surveillance.
NSS has the experience gained from many years of handling data from all parts of NHSScotland. NSS has well-developed procedures to deliver high standards of privacy and confidentiality to ensure that personal information is protected at all times. Access to information is strictly controlled with the minimum number of users having controlled access, and only to the data they require for an approved purpose.
Who is providing the IT system?
NHS National Services Scotland (NSS) is working closely with the Health Boards to set up the IT infrastructure required to support the SPIRE service. MSD Informatics (MSDi) are contracted by NSS to provide some parts of this infrastructure, particularly the software that will be deployed to general practices to facilitate data extraction and reporting at practices. They were awarded the contract after a rigorous procurement process conducted by NSS following Official Journal of the European Union (OJEU) procedures. SPIRE will use existing secure communication links which are controlled by NSS to ensure any data extracted from practices are transferred securely to NSS. New data handling facilities have been developed by NSS to receive and manage this information.
MSD Informatics (MSDi) are contracted by NSS to provide some parts of this infrastructure, particularly the software that will be deployed to general practices to facilitate data extraction and reporting at practices.
Does MSDi have experience working with sensitive information in public sector contracts?
Yes. MSDi has been serving NHSScotland Health Boards since 1998 when they became the first informatics provider to extract data from the General Practice Administration System for Scotland (GPASS). In addition, MSDi currently provides the extraction mechanism which calculated Quality and Outcomes Framework (QOF) payments for GP practices across Scotland. MSDi also provide the data extraction system used by NHS Greater Glasgow & Clyde which has been operating since 2004. MSDi already supplies software to the NHS in England and in Wales and have a excellent track record with no major privacy breaches.
MSDi is a private company. How can I be confident that patients’ personal information is secure?
MSDi will not access personal information belonging to patients except on very rare occasions when they may be required to access personal information as part of their contract to supply and maintain some of the software required by SPIRE. When this is the case they are bound by strict contractual rules in relation to safe and secure handling of information, as set out in the circular . This guidance ensures that all access to, and handling of, person-identifiable information by contractors is properly regulated under a set of clearly understood principles.
An example of when MSDi may be required to access personal information as part of their contract to maintain SPIRE is if a practice notice an anomaly in the patient list provided by SPIRE and the support call is triaged to MSDi then MSDi would in this example, with the practice’s consent, access the relevant SPIRE screens to investigate. Some of the SPIRE screens could contain patient information pertaining to the support call.
All access is at the practice (remote or in person) and no data, or screenshots, containing patient identifiable information would be removed from the practice. The number of staff at MSDi with potential to access the practice would not exceed 28 individuals in total and would not be more than 2 individuals at any given time. MSDi implemented an Information Governance framework that meets the requirements of the NHS IG Toolkit. All staff with access to customer systems receive information governance training and ensure that the equipment, network and remote connections is secure.
Is SPIRE the same as the private Spire Healthcare?
No. SPIRE is a service provided for GP practices in Scotland and is a joint initiative between NHS National Services Scotland (the NHSScotland organisation responsible for Scotland’s health information and statistics) and the Scottish Government.
SPIRE is not associated with Spire Healthcare or any private sector healthcare provider.
Although the potential for confusion with Spire Healthcare has previously been raised with the Project Team, this has not happened on a regular basis. However, as it was brought to our attention, we took two actions:
Work was carried out with patients and the public with regard to the name chosen for the project. This indicated that there were very few who were aware of Spire Healthcare and the decision was taken that SPIRE should remain as the name.
To mitigate any risk of any potential copyright infringement, we have a trade mark licence agreement in place with Spire Healthcare that allows us to use the acronym SPIRE.
SPIRE is not a national database. It helps GP practices use their data, and also helps with specific, approved requests of information from practices, for example for research. SPIRE will not routinely collect patient information or extract information unless it is needed for a specific, approved purpose. SPIRE will not use information for longer than necessary, and any information is safely destroyed after use. SPIRE will not produce one big database of patients from all over Scotland.
What types of data will be able to be extracted from general practices through SPIRE?
Only information that can be used within approved data analysis will be extracted through SPIRE. This could include data on family history, vaccinations received, diagnoses, referrals, biological values (such as blood pressure, BMI and cholesterol level) and prescribed medication. When the data being extracted are person-identifiable, SPIRE includes a number of measures to ensure data is transported and held securely and that access is controlled and monitored. See 'What safeguards are in place to ensure patient information is kept safe and secure?'.
What are the specific details on identifiable patient information that will be included in Spire?
The type of information extracted depends on the question each extract is designed to answer. The full medical record will never be extracted; the only information that is extracted will be what is strictly required for the request. Only coded data will be extracted, but no notes in text, for instance of discussions between a patient and their doctor or nurse. All requests will be scrutinised by the independent SPIRE Steering Group.
For most requests, no person-identifiable details will need to be extracted, for example, the number of patients in Scotland with a certain illness.
For other requests, a limited amount of patient personally identifiable information is required, for example the number of patients in Scotland with a certain illness by age group (extraction of date of birth to derive the age) or by a certain Scottish index multiple of deprivation area (extraction of postcode to derive the deprivation area).
In these cases, the information will first be split into two parts, the medical information (diagnosis, prescription etc) and the person-identifiable information, which is encrypted (date of birth, post code for example). The two parts of the information will be encrypted again in separate transfers to NHS NSS for processing.
The encrypted personal information will be translated into a non-identifiable dataset such as an age group by one group of analysts, who have no access to the medical information, and the personally identifiable information deleted. This group then supplies the age group back to the group with access to the medical information, so that no one analyst has access to both medical information and personally identifiable information.
SPIRE will not give a researcher direct access to personally identifiable patient data (for example, for research on individual patients, or identifying patients by name to contact for interviews). This kind of research currently requires explicit consent from each patient before a researcher can contact them, and will continue to do so.
Was SPIRE affected by the international cyber attack on 15 May 2017?
All SPIRE systems had been updated prior to the cyber attack on 15 May 2017, and were unaffected.
How will SPIRE protect the confidentiality of patient data?
To provide assurances that any data extracted will be safely and securely handled, and that the confidentiality of information in patient records is safeguarded, an Information Governance Framework has been developed. This describes principles and arrangements that will underpin SPIRE and to which the service will adhere to ensure patient confidentiality is always maintained.
The Framework is intended to reassure the GP community and their patients that the community benefits of gathering and using information are realised with minimum personal privacy and security risks. It has been approved by a number of key stakeholders including the Scottish General Practitioners Committee (SGPC) of the British Medical Association and the Royal College of GPs (RCGP).
The principles will be used by an independent advisory body, the SPIRE Steering Group, to assess the appropriateness of all new requests for data from GP clinical systems. The Steering Group includes members of the public and representatives from general practice. If data extraction is approved, adherence to the Framework will also ensure that extracted data will be handled safely.
See also ‘How will data be extracted from the clinical systems of general practices?’ below.
How will data be extracted from the clinical IT systems of general practices?
Software supplied by MSDi will be used to extract data at each practice. It is capable of extracting data from all practices in Scotland and designed to have the minimum impact on the clinical systems. It is also designed to reduce the workload to practices in relation to dealing with data extraction requirements.
Data extracts are designed centrally at NSS before being used in practices. The software adheres to the Information Governance Framework agreed for SPIRE by including the following points:
Practices will have information about the purpose and content of each data extract before deciding whether to opt in.
Practices can choose to opt in or out of each data extract.
Any person-identifiable data will be pseudonymised before it leaves the practice.
Once extraction occurs the data will be transferred securely to NSS using existing secure communication links (eLinks) that are controlled by NSS, who will ensure any extracted data are managed securely and that access is controlled and monitored.
What is Encryption?
Encryption involves the replacement of any data items that may identify the person in a particular dataset, such as names, Community Health Index number (CHI) and postcode, using an "encryption key". This allows the data to be attributed to a particular person within data analysis without identification of the individual involved. Within the SPIRE service, any data to be extracted from a general practice that is potentially person-identifiable will be encrypted before it leaves the practice to ensure the data extracted and used at NSS is anonymous.
For some extracts, and only if it has been approved by the SPIRE Steering Group, it will be possible to reverse the encryption within NSS so that some of the original patient identifiers can be recovered. This will allow:
Data linkage - the creation of a new dataset formed by linking a patient's GP data with other data relating to them and held by NSS. For example patients with a particular condition recorded in general practice it may be useful to understand the care and treatment they have received in hospital by linking their GP data to national data relating to their hospital care.
The generation of person-identifiable data where its use can be justified and it is approved by the SPIRE Steering Group. For example, if researchers have the consent of the patients involved to use their person-identifiable data in a particular research study this could be made available to the researcher through SPIRE by extracting encrypted data, reversing the encryption at NSS and then providing controlled access to the researcher, on the basis that the data could only be used to support the research study and the patients have agreed for their data to be used.
How does SPIRE comply with the proposed GDPR (General Data Protection Regulation 2016/679) passed by the European Parliament in April 2016 (and due to be commenced on 25 May 2018)?
It is one of the main duties of the SPIRE Steering Group to ensure that SPIRE complies with all current and near future legislation and the group includes the Caldicott Guardian of NSS and other Caldicott Guardians from NHS Scotland. In addition the SPIRE Steering Group has consulted with, and received input from, the Information Commissioners Office . The SPIRE Steering Group is aware of the current consultation on the General Data Protection Regulation 2016/679 (GDPR), which will become operational in May 2018, and have received specific advice from the ICO on how it will affect SPIRE.
Like the requirements of the current Data Protection Act, the GDPR requires specific conditions for processing to be met. Legal processing of data through SPIRE relies on articles Article 9(2)(g), Article 9(2)(h) and Article 9(2)(i) of the GDPR (see Appendix 3 of the Privacy Impact Assessment for more detail). The GDPR's duty of confidentiality, equivalent to that which would arise if that person were a health professional, also applies to all users of identifiable SPIRE data, who must meet the training and other professional standards. The purpose of the public information campaign with the opportunity to ‘opt-out’ is to comply with the principle that processing should be fair and transparent, and to fulfil individuals’ rights
Yes. GP practices will be able to opt in or out of data extraction either completely or on a case-by-case basis. No single extraction will take place without the consent of the practice. In some cases practices will be asked to consent once to data extracts which are required to be repeated regularly, although they will still be able to opt out of these extracts later if they change their mind. Practices may also choose to consent to all extractions that do not involve person-identifiable data. This will avoid the requirement to consent to each extract of this nature.
The SPIRE application which will be available to practices provides an easy-to-use mechanism to inform practices about the nature and purpose of each extract and to allow them to opt in or out of extracts. Where no response is received from a practice about a particular extract request, SPIRE will assume the practice has opted out and no data will be extracted.
Can patients opt out of their data being extracted?
Yes, patients will be able to opt out of any data extraction being performed through SPIRE that may include information that could be used to identify them. Patients should contact practices to opt-out and they can complete an opt-out form which will be provided for practices. The practice will then insert a code into their record to prevent data being extracted. Patients who opt out may change their mind and opt in at a later date. Again, the patient should contact their practice in this instance.
Note that patient opt-out will not prevent a patient’s data being included in a data extract where there is no risk of identification when the data is analysed. An example would be a data extract including aggregated data about the total number of patients in the practice with a disease that is highly prevalent such as diabetes (as opposed to rare disease that may apply to only one or two individuals in the practice). In this example, if the patient had the disease of interest they would be included in the count of the number of patients but no other personal information would be included.
How do I opt patients out of SPIRE, or back into SPIRE?
To opt a patient out of SPIRE, or back in to SPIRE, a Read code needs to be added to the patient record.
To opt a patient out of SPIRE, enter the following Read codes to their patient record:
EMIS: 9NuD – Dissent from secondary use GP patient identifiable data for SPIRE
Vision: #9NuD – 00 Dissent from secondary use GP patient identifiable data for SPIRE
To opt a patient back into SPIRE if they change their mind after opt out, enter the following Read codes to their patient record:
EMIS: 9NuF – Dissent withdrawn for secondary use of GP patient identifiable data for SPIRE
Vision: #9NuF – Dissent withdrawn for secondary use of GP patient identifiable data for SPIRE
A Practice Toolkit has been sent to every practice in Scotland containing step by step instructions for both EMIS and Vision practice management systems.
Once the code is added to the patient record, the patient will be opted out of SPIRE. Patients can be opted out even if the practice does not have SPIRE installed yet. In that case, the code will ensure that once the software is installed, the patient will be opted out from the start.
What happens if a patient has opted out of having an Emergency Care Summary (ECS)?
The ECS and SPIRE are quite different, and therefore neither patient nor GP can assume that an objection to one might automatically apply to the other.
GPs may also be aware of certain patients who are likely to have concerns about privacy, so may choose to manage this proactively such as by correspondence with patients about SPIRE and data sharing, or opportunistically as it occasionally arises in clinical practice.
How does SPIRE relate to consented projects such as SHARE and UK Biobank? If a patient opts out from SPIRE, will their consent to take part in SHARE / Biobank be affected?
SPIRE is separate from SHARE and from UK Biobank. If a patient opts out from SPIRE, it will not affect their consent to take part in SHARE or UK Biobank.
Do I need to keep or submit patients’ opt out forms?
There is no need to submit patients’ opt out forms to NHS National Services Scotland. Once a patient has been opted out, we recommend keeping completed opt out forms in their files.
MSD Informatics is owned by MSD (Merck, Sharp & Dohme), a well-known pharmaceutical company. Will they be able to see, use or share a patient’s personal information?
No. MSD Informatics involvement in SPIRE does not facilitate their parent company having access to any data extracted from general practices through SPIRE. MSD Informatics only provide some of the software which forms part of the IT infrastructure supporting SPIRE.
What happens to the information of patients living in England but attending a Scottish practice?
If a patient is registered at a Scottish GP practice, their information will be treated like that of patients living in Scotland who attend the same GP practice. This means that SPIRE can use their information unless you choose to opt out.
What happens to the information of patients living in Scotland but attending an English practice?
SPIRE is only installed in GP practices in Scotland, so if a patient is attending an English GP practice, their information will not be used in SPIRE.
Does SPIRE’s use of a private company mean that this part of the NHS is being privatised?
No. Since computers were first used in the NHS, private companies have been contracted to develop and provide IT solutions and services in all parts of the UK. This has always been done under strict contractual conditions that safeguard the security of the information. The contract with MSDi is no different: it does not involve direct care/treatment provision and MSDi will not have access to any data for their own commercial purposes.
MSDi were awarded the contract as a result of a competitive tender with standard governance and due diligence processes. SPIRE is managed overall by the National Health Service in Scotland.
How are patient interests represented in SPIRE?
Governance of the project to implement SPIRE is managed by a Project Board (for the development phase) chaired by Richard Foggo. The SPIRE Steering Group (SSG) which scrutinises and approves any data extraction is chaired by Dr Frances Elliot (Medical Director, NHS Fife). Both committees include patient representatives as well as representatives from the Scottish General Practitioners Committee of the British Medical Association, the Royal College of GPs, and GP Practices. Additionally the SSG includes representatives from the Information Commissioner's Office and NHS Board Caldicott Guardians.
Is SPIRE part of care.data?
No. care.data was a separate service proposed for England. SPIRE will operate only in Scotland and has been developed in conjunction with patient representatives, the Royal College of General Practitioners and the British Medical Association.
Is the GP the data controller once the data have been extracted by SPIRE?
No. The GP is the data controller for the information in their practice system but once data is extracted through SPIRE NSS will take on responsibility of being data controller and complying with the principles of the Data Protection Act.