Today, the Office of the National Data Guardian published its long-awaited report on Data Security, Consent and Opt-Outs in the health and social care sector. Its publication had been delayed by the EU referendum. Whilst there is strong public trust in the NHS and its use of data, I have identified 10 key themes which run through each of the areas of the report and which the NHS and the wider health and social care sector and its providers will need to consider. The report also envisages greater public involvement and awareness of this important area.
The next steps are for the Department of Health to launch a public consultation on the proposals and findings, and open up this area to public debate.
The key themes I identified are therefore:
- the importance of good governance and responsibility – senior representatives in any organisation need to be seen to be responsible for data use and to proactively manage it;
- the report proposes 10 new data security standards, a consent / opt-out model proposal for any identifiable data use beyond direct care and 7 Caldicott Principles for appropriate data use;
- it is vital that good governance, policies and procedures are turned into achievable everyday operational practice – many breaches at present are caused by avoidable human error, inappropriate workarounds or lack of knowledge or training;
- the health and social care system generally takes data breaches seriously, but could do more to share knowledge and good practice, and learn from issues and near misses so that these findings can be applied to reduce the risk of future occurrence;
- good data management, use and sharing is critical to good patient care – clear explanations and guidance should reduce risk aversion;
- there is a need for public engagement, particularly around the use of data other than for direct care and in relation to data sharing and the reasons for this, and then a significant piece of work will be needed to implement the findings once agreed – this is all definitely worthwhile to improve the status quo;
- simplification and a single source of guidance is critical to allow patients, care professionals and managers to understand their respective roles in dealing with data – and to explain how the different laws and guidance work together;
- a redesigned IG Toolkit will assist in benchmarking standards to a greater degree than at present, with standards embedded into contracts (within the NHS and outside it, e.g. with IT system suppliers) and then the CQC will audit compliance;
- digitisation will reduce manual risks (e.g. paper data being lost or accessed / sensitive information being sent to the wrong fax numbers etc.) but will increase the risk of cyber attacks and larger scale breaches; and
- there is strong support for higher sanctions for intentional/negligent breaches, e.g. inappropriate use of data.
The publication of this report is another step change in the strong will to improve data standards in the health and social care field, and one which (whilst delayed due to the referendum) is very welcome.
The report and accompanying letter to the Secretary of State can be accessed at https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs