Dame Fiona Caldicott is right when she observes confusion and a lack of clarity when it comes to sharing information – often to the detriment of patients. There is a lack of clear systems and agreed processes to facilitate proper and lawful sharing. Health professionals may be over-concerned about protecting confidentiality. Will this report, and the government’s response, deliver the urgently needed changes? Or will this be another opportunity lost?
Have we seen it all before?
Despite assurances from the Department of Health and the Information Commissioner, over the years we have seen ignorance and fear lead to inappropriate sharing of information and, more often than not, a failure to share information even when required for patient care. Sometimes it is the fault of the system and sometimes it is a lack of insight on the part of health professionals and managers - often driven by the fear of getting it wrong and incurring the wrath of the regulator.
In recent times I have seen patient care pathways disrupted due to an ‘inability’ to share patient identifiable information between acute providers, community providers and social services. More recently a large acute trust was ‘told’ by a local GP to destroy its database of vulnerable patients with learning disabilities as this was in ‘breach’ of the Data Protection Act 1998. This instruction was given despite the fact that no patient complained and they were grateful for the improved care and help such information enabled the trust to provide.
The Caldicott Report is full of detailed and rigorous analysis of the problems in sharing information within the health care sector. The recommendations are sensible and offer ‘broad brush’ solutions to the problems. What is needed now is clear and practical processes, and guidance to permit proper sharing, data security and information governance on a day-to-day basis. All parts of the health sector need to be able to manage information governance with confidence and with a consistent approach.
The Department of Health has promised its response during the summer. It is to be hoped that, whenever the response is forthcoming, this opportunity to properly manage patient information (identifiable, de-identified and anonymous) is grasped and that clear, workable processes evolve which all parts of the sector can apply with confidence. There is an urgent need to address the specifics. When to share and when not to share? How to share? When to anonymise and when to share identifiable information? What security arrangements should be put in place? What about third party contractors, private and ‘third-sector suppliers’? The list goes on.
Dame Fiona tries to untie the ‘Gordian knot’ of reconciling patient confidentiality with the need to share patient information within the health care system. The review is clear that patients should not be put at risk by clinicians making treatment decisions from inadequate information.
Health Secretary Jeremy Hunt defined the issue as:
The Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient.
The report calls on the NHS to share more effectively but also for patient confidentiality to be respected. While the aim is to use technology to improve the quality of health care, the rights of individuals need to be recognised.
While the report calls for unlawful data processing to be reported as a data breach, and a failure to meet the requirements of the Data Protection Act 1998 (DPA), it is also clear that the Act should not be seen as an impediment to proper and lawful sharing. The report identifies a need to tackle the ‘culture of fear’ that means health care professionals do not share personal information as often as they should. Dangers to patients multiply if there is a poor handover of information between care teams. At the same time, the review is clear that there should also be better monitoring and control of who has access to records, and that what people can see should be limited to what is required to provide good care.
Dame Fiona notes:
safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception
Our conclusion is that the balance isn’t right…People have become overly-concerned about protecting confidentiality.
We certainly heard about situations where there was agreement about sharing across boundaries, but then somebody in a managerial position would decide that the systems were not giving enough protection of confidentiality and the agreement was stood down… people do not like that in relation to their own wellbeing and how they are looked after.
We shall see what happens.
The role of the Information Commissioner cannot be overlooked. His office is clear that the NHS is seen as a ‘serial’ offender when it comes to data breaches. Is it any surprise that NHS managers and clinicians are cautious? Having said that, the report is clear in one other important aspect: between June 2011 and June 2012 there were 186 serious data breaches notified to the Department of Health. However, these all related to data losses and security breaches and not to data sharing. In reality the DPA should not be seen or used as an impediment to proper sharing of patient information.
Dame Fiona recognises a cultural issue here, but one that can be tackled from within by senior individuals looking carefully at how information governance affects their work.
There is also an emphasis on clear explanations to patients as to how their information could be used in an anonymised form, and a recognition that patients should be given an opportunity to object to sharing, though the consequences of refusing consent to sharing should be clearly set out. Patients should be given clear information as to how their data could be used and shared.
The report makes an important distinction between:
- fully anonymised information (which can be freely disclosed), and
- de-identified information, where pseudonyms or coded references are used and where identity could be ‘pieced together again’ (which should still be treated as personal data).
De-identified information should be handled in clearly defined ‘safe-havens’ only. The Health and Social Care Information Centre (HSCIC) is to be set up as a safe-haven and should also set out a clear code for accrediting safe-havens. Even in these safe-havens, de-identified information should not be linked to personal confidential information unless there is a clear legal basis. Contracts and processes need to be clearly established to permit lawful processing of this information. It is envisaged that the use of such information, for example for research, audit and public health purposes, should make maximum use of privacy enhancing technologies and ‘robust governance arrangements’.
On a related point, the report makes clear that there is a need for education and training within the health sector. Hopefully this can come as part of the guidance issued, and decisions taken, in the coming months. Dame Fiona notes “Everyone working in the health and social care system should see IG as part of their responsibility. Unfortunately this is not currently the case.”
On balance, it seems the main thrust of the report is that there should be greater sharing of information and an improved quality of the data held, as part of the drive to a ‘paperless’ NHS. All this needs to be done in a careful way. Dame Fiona restates the ‘Caldicott principles’ revised for the 21st century (see below). An important seventh principle is set out in the report:
The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
For ease of reference, here is a summary of 14 of the main recommendations as they are likely to affect health care providers. Dame Fiona puts greater sharing at the forefront of her recommendations, provided, of course, it is in the interests of the patient. The full set of recommendations with explanations is set out in the report.
- People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge.
An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records. The Department of Health and NHS England should drive a clear plan for implementation to ensure this happens as soon as possible.
- For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.
Health and social care providers should audit their services against NICE Clinical Guideline 138.
- The health and social care professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care.
- Working in multi-disciplinary ‘care teams’ the Review recommends that registered and regulated social workers be considered a part of the care team.
Relevant information should be shared with members of the care team when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance.
- The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach.
- All organisations should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes.
All organisations must also make clear what rights the individual has open to them, including any ability to withhold consent.
- People are entitled to have their consent decisions reliably recorded and available to be shared whenever appropriate, so their wishes can be respected.
Guidance on recording consent decisions and a strategy on sharing to be developed.
- The linkage of personal confidential data, or data that has been de-identified, but still carries a high risk that it could be re-identified with reasonable effort, from more than one organisation for any purpose other than direct care should only be done in specialist, well-governed, independently scrutinised and accredited environments called ‘accredited safe havens’.
HSCIC must detail the attributes of an accredited safe haven in their code for processing confidential information.
The boards or equivalent bodies in NHS England, CCGs, Public Health England and local authorities must ensure they have due regard for information governance and adherence to its legal and statutory framework:
- An executive director at board level should be formally responsible for the organisation’s standards of practice in information governance.
- Performance should be described in the annual report or equivalent document.
- Boards should ensure that the organisation is competent in information governance practice, and assured of that through its risk management.
- The Department of Health should recommend that all organisations within the health and social care system.... appoint a Caldicott Guardian.
All health and social care organisations must publish in a prominent and accessible form:
- a description of the personal confidential data they disclose
- a description of the de-identified data they disclose on a limited basis
- who the disclosure is to
- the purpose of the disclosure
- The Department of Health should lead the development and implementation of a standard template that all health and social care organisations can use when creating data controller to data controller data sharing agreements.
- The information governance advisory board…should ensure that the health and social care system adopts a single set of terms and definitions relating to information governance that both staff and the public can understand.
- The Review Panel recommends that the revised Caldicott principles should be adopted and promulgated throughout the health and social care system.
- Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
- Don’t use personal confidential data unless it is absolutely necessary
The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
- The new principle: The duty to share information can be as important as the duty to protect patient confidentiality.
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
This is not going to be easy.
It could easily be an opportunity lost. There is a clear need for a shift in culture, both in sharing information appropriately and in properly and lawfully managing data sets for purposes other than direct patient health care.
However, in the final analysis a recent quote from Jeremy Hunt does spring to mind: "I think that most NHS patients would be astonished to know that their information doesn't flow around the system".
The government accepts the spirit of the recommendations. We shall see what happens when the government sets out its full response. The government is also expected to accept that patients should have the right to opt out of the NHS data sharing plans. Urgent, clear and practical guidance and systems are needed. They need to be agreed by all stakeholders.