On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.
The two independent reviews are the:

  • Care Quality Commission review of data security in the NHS; and
  • Dame Fiona Caldicott’s (who is the National Data Guardian for Health and Care) review of data security, consent and opt-outs (the ‘Caldicott Report’).

The Care Quality Commission is the independent regulator of health and social care in England and is responsible for ensuring health and social care services are safe and effective through its monitoring and inspection activities. In its report examining data handling within the health sector, the CQC’s findings indicated that the main areas of concern are leadership, behaviours and systems. Accordingly, the CQC recommendations focus on senior leadership, staff training and support, patient-designed IT systems, audits and external validations as well as ensuring that the proposed new data security standards come within the CQC’s monitoring remit.

The Caldicott Report is a valuable contribution to the development of data security and data sharing frameworks in the health sector and takes account of the CQC’s recommendations. The Caldicott Report’s proposals are rightly focussed on how to prevent the types of data breaches the UK has frequently seen in the health sector over recent years as well as to explore an approach to data sharing which individuals understand and trust. While the Caldicott Report finds that the public does broadly trust the NHS with their personal confidential data, it recognises there is a need for improvement and the 10 proposed data security standards are an attempt to put in place mechanisms that reduce the likelihood of data breaches. A number of the standards focus on staff handling personal confidential data which reflects the fact that a substantial number of data breaches in the health sector have been caused by direct human error.

The Caldicott Report acknowledges that the public still finds the data sharing model within the health sector confusing and that the case for data sharing still needs to be made to the public. At the heart of the proposals for data sharing are the principles of transparency and control. In other words, giving individuals clearer information on how their personal data can be used and a greater degree of control through a new consent/opt-out model.

But the Caldicott Report also accepts that there may be circumstances where mandatory legal requirements or overriding public interests require the use of a patient’s data regardless of the preferences of the patient – in those circumstances the opt-out would not apply. Additionally the Caldicott Report proposes that the use of anonymised or de-identified data should not be subject to the opt-out while recommending stronger sanctions to deter the re-identification of individuals.

The public consultation seeks views on the proposed data security standards and consent/opt-out model proposed in the Caldicott Report. Interested parties should respond to the consultation before 7 September 2016.