According to the National Cancer Control Programme (NCCP), information provided to geneticists by patients on whether there is a history of cancer in their family is often inaccurate, which impacts on the reliability of the clinical judgement being made and the resulting decisions.
It has been standard practice to seek verification, where possible, of the conditions reported in relatives, such as through the Cancer Registry and/or death certificates.
However, in light of the new EU data protection regulations, the NCRI has revised its policy with regard to this verification of diagnoses.
Relatives who are reported as having had cancer are now required to return a data request form to the Registry themselves, complete with proof of identity and an official document showing proof of address.
At a meeting of the NCCP Executive Committee in March, the minutes of which were seen by MI through a Freedom of Information request, Dr David Gallagher, who is a consultant oncologist and specialist in cancer genetics, raised serious concerns about the change in policy.
Dr Gallagher considered the new NCRI rules “a very restrictive document and could be a risk to the running of a genetics service”.
A spokesperson for the NCCP told MI: “The concern is that this will be viewed as too cumbersome by many relatives and that the ability to verify such diagnoses will be greatly impacted upon. The ability of a cancer genetics service to accurately assess the person’s likelihood of carrying an inherited predisposition to cancer based on their family history could therefore be affected.”
The spokesperson confirmed that the issue has been raised with the NCRI.
The Programme is also seeking to identify how genetics services in other EU countries will address this issue in light of the new regulations.
A spokesperson from the NCRI told this newspaper that preparing for GDPR requirements has had a significant impact on the Registry’s practices across the organisation.
“NCRI’s legislation allowing collection of cancer-related data without consent has no bearing on the necessity for us to require patient consent and proper identification to release the data we hold. Under GDPR, we are obliged to verify that all data being released is done so appropriately,” according to the spokesperson.
“Because the information we record is highly confidential, we need to properly verify the identity of persons making such requests. The data being requested as part of genetics requests are indeed highly confidential medical records, which are categorised as ‘special category data’ under the GDPR. NCRI acknowledges that seeking consent for their disclosure is already part of the hospital’s standard procedure. However, neither the hospitals nor the NCRI has a direct prior relationship with the patients whose records are being sought, so given the confidentiality of the data, NCRI requires robust measures in place to verify their identity.”
The Data Sharing and Governance Bill 2018 was recently published, following approval by Government.