Release comes amid claims that only 61 out of 6,200 GP surgeries offer online access by patients to medical records and that "a culture of anxiety permeates" many UK health organisations "from the boardroom to frontline staff" and "results from instructions issued by managers in an attempt to protect their organisations from fines for breaching data protection laws. This anxiety must be changed to trust, in order to facilitate sharing on the front line". In response, practitioners and administrators should recognise that a "duty to share information" can be "as important as the duty to protect patient confidentiality".
The executive summary of the report is as follows:
People using health and social care services are entitled to expect that their personal information will remain confidential. They must feel able to discuss sensitive matters with a doctor, nurse or social worker without fear that the information may be improperly disclosed. These services cannot work effectively without trust and trust depends on confidentiality. However, people also expect professionals to share information with other members of the care team, who need to co-operate to provide a seamless, integrated service. So good sharing of information, when sharing is appropriate, is as important as maintaining confidentiality. All organisations providing health or social care services must succeed in both respects if they are not to fail the people that they exist to serve. The term used to describe how organisations and individuals manage the way information is handled within the health and social care system in England is ‘information governance’. In 1997 the Review of the Uses of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, devised six general principles of information governance that could be used by all NHS organisations with access to patient information.
The chapter sets out those principles, which have stood the test of time. It explains why the 1997 review gave priority to discouraging the uploading of personal information on to information technology systems outside clinical control. The issue of whether professionals shared information effectively and safely was not regarded as a problem at the time. NHS organisations responded by appointing ‘Caldicott Guardians’ to ensure that information governance was effective. The practice spread to other public bodies, including local authorities and social care services, and the remit of the guardians was extended to provide oversight of information sharing among clinicians.
Over recent years, there has been a growing perception that information governance was being cited as an impediment to sharing information, even when sharing would have been in the patient’s best interests. In January 2012 the NHS Future Forum work stream on information identified this as an issue and recommended a review “to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care”. The Government accepted this recommendation and asked Dame Fiona to lead the work, which became known as the Caldicott2 review. The introduction sets out how the review has been conducted and puts it in the context of the Government’s Information Strategy, the Health & Social Care Act 2012, the Open Data White Paper, the review of the NHS Constitution and other relevant initiatives.
People’s right to access information about themselves
The Review Panel heard evidence that people’s lack of access to their own records causes great frustration. We were told that patients who attempt to become involved in decisions about their care are often thwarted by ‘information governance rules’ that ignore their express wishes. Examples included patients being charged a fee for access and patients being denied the opportunity to receive information in a form that suits them, such as by email, or in an audio format that can be accessed by blind people. Problems mainly originated from local information governance policies, which vary between organisations. The chapter gives examples of good practice. It recommends that all communications between different health and social care teams should be copied to the patient or service user. There should be ‘no surprises’ for the patient about who has had access. Chapter 2 notes that The Power of Information, the Department of Health’s Information Strategy, said people’s access to their care records should be improved, with individuals gaining electronic access to their own care records where they request it, starting with GP records by 2015 and social care records as soon as IT systems allow.
The Review Panel thinks this right of access should cover hospital records, community records and personal confidential data held by all organisations within the health and social care system. It believes that access should become available within the next decade. This will not automatically happen unless there is a clear plan for implementation. The chapter further recommends that an audit trail of everyone who has accessed a patient’s personal confidential data should be made available in a suitable form to patients via their health and social care records.
Direct care of individuals
When it comes to sharing information, a culture of anxiety permeates the health and social care sector. Managers, who are fearful that their organisations may be fined for breaching data protection laws, are inclined to set unduly restrictive rules for information governance. Front-line professionals, who are fearful of breaking those rules, do not co-operate with each other as much as they would like by sharing information in the interests of patients and service users. There is also a lack of trust between the NHS and local authorities and between public and private providers due to perceived and actual differences in information governance practice. This state of affairs is profoundly unsatisfactory and needs to change.
The Review Panel found a strong consensus of support among professionals and the public that safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception. Direct care is provided by health and social care staff working in ‘care teams’, which may include doctors, nurses and a wide range of staff on regulated professional registers, including social workers. Relevant information should be shared with them when they have a legitimate relationship with the patient or service user. Care teams may also contain members of staff who are not registered with a regulatory authority but who may need access to a proportion of someone’s personal data to provide care safely. Conditions and safeguards are discussed. The chapter considers the principles underpinning a professional’s right to receive personal confidential information about a patient and share it with other professionals to optimise the patient’s direct care. It finds the system works for the most part on the principle of ‘implied consent’. Examples of the use of implied consent include doctors and nurses sharing personal, confidential data during medical and nursing handovers without having to ask for the patient’s explicit consent. A fuller discussion of the law of consent is provided in chapter 5.
Chapter 3 goes on to discuss the sharing of information with care homes, carers, friends and family. It suggests that organisations should pay closer attention to the appropriate transfer of information when people move across institutional boundaries, such as leaving hospital, coming out of the army or prison, or changing their GP. The Review Panel looked at the problem confronting staff who have to distinguish between an individual such as a relative legitimately seeking information about a patient’s progress and a ‘blagger’, a person making improper inquiries. It recommends protocols to assist in good decision making and procedures for informing and helping people if mistakes are made. This chapter also explains how the use of personal confidential data for clinical audit can be managed within the law. It discusses arrangements for sharing information with geneticists to facilitate the direct care of patients with genetic problems.
Personal data breaches
In the 12 months to the end of June 2012, 186 serious data breaches were notified to the Department of Health. Most involved the loss or theft of data, but almost one-third concerned unauthorised disclosures. Many of the breaches were reported through strategic health authorities and not through the Information Commissioner’s Office (ICO), which has the power to impose financial penalties of up to £500,000. When strategic health authorities go out of existence, there will be a need for a new, consistent reporting channel to ensure that breaches of patients’ confidentiality do not escape the attention of senior managers, ministers and regulators of health and social care. The ICO told the Review Panel that no civil monetary penalties have been served for a breach of the Data Protection Act due to formal data sharing between data controllers in any organisation for any purpose. It says breaches of the Data Protection Act are usually the result of lack of due consideration. Yet it finds that organisations frequently shy away from data sharing and cite data protection as a reason. The data sharing code produced by the ICO in May 2011 helps organisations to share data in a secure and proper way. They should use it. There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of every organisation in the health and social care system should publish all such data breaches, as part of the quality report in NHS organisations or as part of the annual report or performance report in non-NHS organisations. The chapter also considers the implication for data security of people’s increasing use of social media. This has not changed any principles of confidentiality. However, there may be a need for greater vigilance among health and social care professionals as they switch from the personal side of their lives to the professional side.
Information governance and the law
Every minute of every day, staff employed across health and social care services make lawful use of personal confidential data about patients and service users. For the most part, they do so on the legal basis of consent. They may have asked for the individual’s explicit consent for a particular treatment or course of action. Or they may rely on implied consent. For example, when a patient agrees to the GP referring her to a hospital consultant, she can expect the GP to pass on details of the medical condition that requires the consultant’s attention. The GP may legally assume she has given implied consent to the sharing of this information without having to ask her. These assumptions should only be made if it is reasonable to expect the patient understands how the information will be used. The Review Panel did not consider it necessary to challenge this long-established approach, although we think further effort is needed to increase patients’ understanding of how their personal confidential data is used.
Chapter 5 sets out the four legal bases that may provide an organisation with a justification for holding and using personal confidential data. It recommends that the use of data without a legal basis, when one is required, should be reported and dealt with as a data breach. Chapter 5 also makes a recommendation urging all organisations in the health and social care system to explain to patients and the public how the personal information they collect could be used in de-identified form for research and other purposes. Such explanations should mention what rights the individual may have to refuse to give their consent. When people give, refuse or withdraw explicit consent, these decisions should be traceable and communicated to others involved in the individual’s direct care. Patients can change their consent at any time. New rights and pledges were set out in the Government’s consultation on revisions to the NHS Constitution. The Review Panel proposes that these rights and pledges should be extended to cover the whole health and social care system.
Our proposal is set out below:
- You have the right of access to your own personal records within the health and social care system.
- You have the right to privacy and confidentiality and to expect the health and social care system to keep your confidential information safe and secure.
- You have the right to be informed about how your information is used.
- You have the right to request that your confidential data is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.
The NHS and adult social services also commit:
- to ensure those involved in your care and treatment have access to your health and social care data so they can care for you safely and effectively (pledge);
- to anonymise the data collected during the course of your care and treatment and use it to support research and improve care for others (pledge);
- where identifiable data has to be used, to give you the chance to object wherever possible (pledge);
- to inform you of research studies in which you may be eligible to participate (pledge); and
- to share with you any correspondence sent between staff about your care (pledge).
This section also sets out the duties of staff to protect the confidentiality of personal information and to provide access to a patient’s data to other relevant professionals, always doing so securely.
The existence of the NHS gives a big advantage to medical researchers in Britain. As a universal service free at the point of use, the NHS has a deep well of data covering almost all of the population, across the full spectrum of medical conditions. There is also enormous untapped potential in the information captured in social care records to support better research. The Review Panel examined how these opportunities might be realised without weakening confidentiality and trust. Researchers told us of their concern about the complexity, confusion and lack of consistency in the interpretation of the requirements they have to satisfy before research projects can proceed. However, we found there can be robust solutions to these problems that permit access to detailed patient information without compromising the confidentiality of individuals. If data clearly identifies individuals, it must not be processed without a clear legal basis. If data is anonymised in line with the ICO’s anonymisation code, it can be freely processed and publicly disclosed. However, there is a third class of data, which is of great interest to researchers, that on its own does not identify individuals, but could do so if it were to be linked to other information. This ‘grey area’ includes data that has been de-identified by the use of pseudonyms or coded references, but could be re-identified when combined with other data. The Review Panel looked at solutions that allow such linkages to take place for the benefit of science without putting individuals’ confidentiality at risk.
We recommend that the linkage of de-identified but still potentially identifiable information from more than one organisation should be done in specialist, well-governed, independently scrutinised environments known as ‘accredited safe havens’. Chapter 6 proposes national minimum standards for safe havens, supported by a system of external independent audit and other requirements to give the public confidence. The Health and Social Care Act 2012 provides for the Information Centre for Health and Social Care (the Information Centre) to become a safe haven. Chapter 6 considers whether it will have capacity to deal with the amount of data linkage that will be needed in the new health and social care system, or whether other safe havens should be established. The chapter also looks at how researchers can set about identifying people with particular characteristics to invite them to take part in clinical trials.
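The ‘grey area’ above turns on a single technical distinction: a pseudonym that anyone can recompute from the identifier is not really de-identified, while one derived under a key that only the safe haven holds can be linked across organisations without either provider or researcher learning who the records belong to. The following Python is an added illustration, not code from the report or from the Information Centre; the records and the 10-digit NHS-number-style identifiers are constructed for the example and are not real NHS numbers, and the key handling (one HMAC key generated and held by the safe haven) is an assumed design rather than any described national standard.

```python
import hashlib
import hmac
import secrets

# Constructed sample extracts from two organisations. The identifiers are
# fictitious 10-digit strings in NHS-number format, not real NHS numbers.
HOSPITAL_EXTRACT = [
    {"nhs_no": "9434765819", "admitted": "2012-03-04", "icd10": "J45"},
    {"nhs_no": "9434765870", "admitted": "2012-05-11", "icd10": "E11"},
    {"nhs_no": "9434765803", "admitted": "2012-06-21", "icd10": "I10"},
]
SOCIAL_CARE_EXTRACT = [
    {"nhs_no": "9434765819", "package": "home care", "start": "2012-04-01"},
    {"nhs_no": "9434765803", "package": "residential", "start": "2012-07-15"},
    {"nhs_no": "9434765822", "package": "day centre", "start": "2012-02-09"},
]


def keyed_pseudonym(nhs_no, key):
    """Pseudonym = HMAC-SHA256(key, identifier). Without the key the token
    cannot be mapped back to the identifier, even though the identifier
    space is small enough to enumerate."""
    return hmac.new(key, nhs_no.encode(), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(nhs_no):
    """The weak variant often mistaken for de-identification: a plain hash."""
    return hashlib.sha256(nhs_no.encode()).hexdigest()


def pseudonymise(records, key):
    """Strip the direct identifier and replace it with a keyed pseudonym."""
    out = []
    for rec in records:
        fields = {k: v for k, v in rec.items() if k != "nhs_no"}
        fields["pid"] = keyed_pseudonym(rec["nhs_no"], key)
        out.append(fields)
    return out


def link(left, right):
    """Join two pseudonymised extracts on the pseudonym. Only records whose
    pseudonym appears in both are returned, and no direct identifier is present."""
    by_pid = {rec["pid"]: rec for rec in right}
    return [{**l, **by_pid[l["pid"]]} for l in left if l["pid"] in by_pid]


def reidentify_unkeyed(token, prefix="94347658"):
    """Re-identify an unkeyed hash by enumerating the identifier space.
    For speed this assumes the leading eight digits are known; the full
    10-digit space is roughly 10^10 hashes, which is also within an attacker's
    reach. Returns None if no candidate matches (as for a keyed token)."""
    for n in range(100):
        candidate = prefix + f"{n:02d}"
        if unkeyed_pseudonym(candidate) == token:
            return candidate
    return None


def safe_haven_link(key):
    """Linkage as an assumed safe haven would perform it: both extracts are
    pseudonymised under the same key, which lives only inside the haven."""
    return link(pseudonymise(HOSPITAL_EXTRACT, key),
                pseudonymise(SOCIAL_CARE_EXTRACT, key))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the safe haven, never by a provider
    linked = safe_haven_link(key)
    print(len(linked), "linked records; identifier present:",
          any("nhs_no" in r for r in linked))
    weak = unkeyed_pseudonym("9434765819")
    print("unkeyed hash re-identified as", reidentify_unkeyed(weak))
    strong = keyed_pseudonym("9434765819", key)
    print("keyed token re-identified as", reidentify_unkeyed(strong))
```

The two failure modes worth noting: if each organisation pseudonymises under its own key, the linkage yields nothing, which is why the key has to sit with the linking environment rather than the data providers; and if the pseudonym is an unkeyed hash, anyone holding the extract can recover the identifiers by brute force, so the data would still "clearly identify individuals" in the sense used above.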
Commissioners cannot organise the improvement of services unless they know quite a lot about the people using them. For example, they may want to build new care pathways that are better suited to people’s needs. However, knowing about service users need not necessarily require commissioners to know their identities. The arrangements for NHS and local authority commissioners to extract information were in a state of rapid, comprehensive change during the period of this Review, as the NHS Commissioning Board, clinical commissioning groups, Public Health England and local authorities prepared to take on the responsibilities set out for them in the Health and Social Care Act 2012. The chapter focuses primarily on the challenge facing NHS commissioners, however the Review Panel conclude that commissioners in local authorities and Public Health England must adhere to the same standards, guidance and good practice and be subject to the same penalties for poor practice as the NHS when commissioning services.
The Review Panel found a lack of consensus on the need for identifiable data to be used for commissioning purposes. However, after doing detailed work with primary care trusts, clusters and the NHS Commissioning Board, the Review Panel concluded that all the objectives set for commissioning over the years ahead can be achieved without compromising patients’ confidentiality or the public’s trust in the health and social care system. The NHS Commissioning Board suggested that the use of personal confidential data for commissioning purposes would be legitimate because it would form part of a ‘consent deal’ between the NHS and service users. The Review Panel does not support such a proposition. There is no evidence that the public is more likely to trust commissioners to handle personal confidential data than other groups of professionals who have learned how to work within the existing law. The Review Panel found that commissioners do not need dispensation from confidentiality, human rights and data protection law since, with little effort, they can operate perfectly well within it. For example, there are situations in which the commissioner will need personal confidential data to help people deal with individual care problems. It might be to help someone who is requesting NHS funding for ‘continuing care’ after leaving hospital, or an ‘individual funding request’ for drugs that are not generally available on the NHS in that area. In such cases it is entirely reasonable for the NHS to ask for the patient’s explicit consent for NHS staff handling the case to be able to look at the patient’s personal confidential data. In other situations, local commissioners may be able to use safe havens, within which the personal information they want to assess may be anonymised without risk of anyone’s sensitive data being disclosed. 
For example a clinical commissioning group might want to consider individual cases in order to monitor health inequalities, but it can do this using anonymised information. The Review Panel deliberated with the NHS Commissioning Board and other organisations about a proposal for up to 10 Data Management Information Centres (DMICs) to act as safe havens where confidential private data would be anonymised so that it could safely be made available to local commissioners.
This chapter considers how staff in the DMICs might process data lawfully through integration with the Information Centre to ensure that their activities are sanctioned by statute and to maintain public trust in the security of personal information. The Review Panel recommends that members of the NHS Commissioning Board, Clinical Commissioning Groups and members and officers in local authorities, should ensure their organisation complies with the legal and statutory framework for information governance, with boards, or equivalent bodies being formally responsible for their organisation’s standards and practice on information governance.
Healthcare professionals who are responsible for health protection sometimes need to know personal confidential data about specific individuals. For example during an outbreak of an infectious disease, public health staff may need to identify individuals who are at risk. This side of public health resembles the direct care of patients and service users that was considered in chapter 3. While engaged in this work, healthcare professionals can be considered to have a legitimate relationship with people in the communities they serve. It would be impractical for them to ask everyone at risk from an infectious disease to give specific consent for staff to provide appropriate information and care. Preventing the spread of infection is in the public interest and therefore the use of personal confidential data for this purpose has been provided with statutory support. This justification for accessing personal confidential data does not apply to other aspects of public health work. Health improvement programmes can provide value to the community by contributing to longer life expectancy, healthier lifestyles and reduced inequalities in health, but they cannot be considered equivalent to the direct care of patients.
Most health improvement activities in public health do not require personal confidential data about individuals. However, understanding the complex relationships that exist between the environment, personal behaviours and disease requires information that can only be derived by linking data from several different sources. This side of public health resembles research and the Review Panel considers that the rules and procedures that have developed to provide the information governance for research can usefully be applied to public health intelligence. A third dimension of public health is to assist people planning healthcare services to understand the health needs of the local population. This activity resembles commissioning. Although some patient level detail is needed, patients themselves do not need to be identified. There is a lack of regulatory coherence across the public health arena. Some registries, including cancer registries, have statutory regulatory powers; others operate on a basis of consent. The Review Panel suggests detailed and consistent remedies.
Education and training
Across the health and social care system, most staff are required to undertake annual training in information governance. The commitment to training is important and the associated training budget is a welcome enabler. However, the Review Panel discovered that the mandatory training is often a ‘tick-box exercise’. One nurse told us the experience was equivalent to an annual ‘sheep dip’, which staff could go through without thinking. There needs to be a fundamental cultural shift in the approach to learning about information governance. Health and social care professionals should be educated and not simply trained in effective policies and processes for sharing of information. They should have formal information governance education focused on their roles, and this should be at both undergraduate and postgraduate level. This education should include a professional component explaining why there may be a duty to share information in the interests of the patient, as well as the legal aspects of the common law of confidentiality, the Data Protection Act and Human Rights Act.
Networks of information governance leads should be strengthened and extended to foster greater mutual learning from experience across the health and social care system. In addition to the standard training and education, Caldicott Guardians need to demonstrate continuous professional development in information governance on an annual basis. The chapter proposes education and training for non-registered staff and continuous professional development for senior managers to ensure they understand the practical information governance challenges their staff face. It notes that information governance is often the responsibility of one person within an organisation, who may feel isolated. In many cases, the role is filled by inexperienced or relatively junior staff, or is one role among many that an individual must perform. The Review Panel concluded that information governance specialists should work together to establish a community of practice that could improve knowledge to solve practical challenges, develop trust in the information governance function and remove isolation.
Children and families
The safeguarding of children is a well-established system, underpinned by legislation, which requires professionals to share information about a child whenever there is cause for concern. Arrangements for sharing require constant vigilance by the relevant professionals. It has become clear, however, that professionals dealing with children and families encounter particular issues of information governance that are not covered elsewhere in this report. This chapter deals with a series of dilemmas involving children. It references work done by the Royal College of General Practitioners to address the vexed issue of when automatic parental access to the child’s medical record should be turned off and when the child’s automatic access should be activated upon their reaching sufficient maturity. Other dilemmas include the extent to which individual members of a family should have access to the ‘family records’. These records have become an important dimension of children’s social care following the Munro Review. The question is how to provide information to each individual family member without compromising the confidentiality of other family members. In order to provide effective care for children, information often needs to be shared beyond the normal boundaries of health and social care services, in particular taking in organisations such as schools.
The Review Panel concludes that there would be clear benefits if a single, common approach to sharing information for children and young people could be adopted. The Department of Health should work with the Department for Education to investigate jointly ways to improve the safe sharing of information between health and social care services and schools and other services relevant to children and young people, through the adoption of common standards and procedures for sharing information. The departments should involve external regulators in this work including the Care Quality Commission and Ofsted. Government policy is increasingly seeking to use information to identify individuals or groups of people, such as families, who may benefit from specific help or early intervention. Generally, the aim of these interventions is to address problems these individuals and groups may be facing before they can escalate, potentially causing harm to themselves, their communities, or wider society. Identifying these people often requires extensive sharing, linkage and analysis of personal confidential data. The Review Panel concludes that significant lessons regarding data sharing might be learned from public health and research communities. It suggests that the definitions of ‘prevention’ adopted in the influential study of public health by the Commission on Chronic Illness could be adapted to cover social welfare interventions.
New and emerging technologies
Increasing numbers of patients are benefiting from new technologies that permit ‘virtual consultations’ with a clinician, using the telephone, emails or video links. There is also a rapidly expanding range of medical devices that use software or other technologies to record data about a patient when a clinician or other professional is not present. These devices then make the information available to the professional. The Review Panel found a lack of clarity about a patient’s right to access the record of virtual consultations and uncertainty about how long records would be kept.
It proposes ground rules for ensuring patients have access to information about themselves. Providers offering virtual consultation services should be able to share, when appropriate, relevant digital information from the patient, with registered and regulated health or social care professionals responsible for the patient’s care. Medical devices permitting the monitoring of a patient’s condition from a remote location present challenges, but do not raise new issues of information governance. The personal confidential data gathered through these new processes and technologies must be treated in exactly the same way as any other personal confidential data, and providers of these services must adhere to the existing legislation and best practice. The NHS Commissioning Board and clinical commissioning groups and local authorities should ensure that services using these new technologies are conforming to best practice with regard to information governance and will do so in the future.
There are many good reasons why organisations in health and social care need good quality data. Patients are at risk if clinicians base their decisions on inadequate data. Dangers multiply if there is poor handover of information between care teams or conflicting advice to patients from professionals. The Review Panel welcomes the focus that professional bodies for health and social care are placing on data quality. The issue is particularly relevant to this review because poor data is so often cited as the reason why people running services want to reach for the files of individuals. To find out the truth, they want information about real people that includes personal confidential data. The best solution is not to give them dispensation to ignore or circumvent legal requirements. It is to improve data quality standards. If data quality is sound, a pseudonym may be used to link data and thus protect the identity of an individual.
The Review Panel endorses the First National Data Quality Report of the Quality Information Committee of the National Quality Board, which seeks improvements in data quality in the health and social care system. The chapter summarises some important aspects of the Administrative Data Taskforce report on improving access for research and policy published in 2012, with the Review Panel endorsing a number of that report’s conclusions. It also examines the sharing of data to safeguard children and adults and special considerations affecting data about ‘the unborn’. The Review Panel calls for consistency in the information governance requirements for providers. It recommends that every health and social care organisation should be required to publish a declaration signed by the board or equivalent body, describing what personal confidential data it discloses and to whom and for what purpose. The chapter seeks to clarify the legal framework for sharing personal confidential data.
The Review Panel concludes that individuals should have the same level of protection under the law whether personal confidential data is shared between health service bodies, or whether the sharing is between a health service body and a non-health service body. The Review Panel also recommends that the Department of Health commission a standard template common across the health and social care system for setting up data sharing agreements, to prevent unnecessary duplication of effort. The chapter also suggests practical arrangements to secure the safety of records when a provider’s contract comes to an end and sets out the protections and safeguards which exist to prevent inappropriate sharing of patient’s information with organisations such as insurers.
System regulation and leadership
From an information governance perspective, there is currently no method of regulating the health and social care system as a whole. The Review Panel saw an opportunity for the Information Commissioner’s Office and the Care Quality Commission to work together in ensuring the health and social care system is properly monitored and regulated in this regard. The process should be balanced, proportionate and utilise the existing and proposed duties within the health and social care system in England. This chapter sets out three minimum components.
The Review Panel calls on professional regulators to be involved more often in dealing with cases of poor information sharing that disadvantage patients. The Information Centre is to become responsible for producing and maintaining a code of practice on collecting, analysing, publishing or disclosing confidential information. It should adopt the standards and good practice guidance contained within the green-boxed sections of this report. The Informatics Services Commissioning Group (ISCG) is responsible for providing advice on commissioning informatics services across the health and social care system. It is proposed that a sub-group of the ISCG be established to provide specialist expertise, advice and support on information governance. The Review Panel welcomes this proposal. The health and social care system should adopt an agreed set of terms and definitions for information sharing that everyone, including the public, should be able to use and understand.
Conclusions and recommendations
In addition to the findings of individual chapters, the Review Panel reaches some overarching conclusions. After consideration of what safeguards exist to protect people’s confidential information and what means of redress are available if mistakes are made, the final chapter sets out how redress should be managed by every organisation in the health and social care system in England. There was widespread support for the original Caldicott principles, which are as relevant and appropriate for the health and social care system today as they were for the NHS in 1997. However, evidence received during the Review persuaded the Panel of the need for some updating, and inclusion of an additional principle.
The revised list of Caldicott principles therefore reads:
1. Justify the purpose(s): Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
2. Don't use personal confidential data unless it is absolutely necessary: Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
3. Use the minimum necessary personal confidential data: Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.
4. Access to personal confidential data should be on a strict need-to-know basis: Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
5. Everyone with access to personal confidential data should be aware of their responsibilities: Action should be taken to ensure that those handling personal confidential data — both clinical and non-clinical staff — are made fully aware of their responsibilities and obligations to respect patient confidentiality.
6. Comply with the law: Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies. These principles should underpin information governance across the health and social care services.
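Principles 1, 3 and 4 describe a concrete control: each data flow is registered with a justified purpose, carries only the fields that purpose needs, and is released only to roles with a need to know, with flows split where one would otherwise serve several purposes. The following Python is an added illustration of that pattern and is not code from the Information Governance Review or any NHS system; the patient record, field names, purposes, roles and review date are constructed sample values, and a real deployment would draw them from its own information asset register.

```python
"""Purpose-scoped release of personal confidential data (added illustration).

Each registered DataFlow records a justified purpose (principle 1), the minimum
field set for that purpose (principle 3) and the roles allowed to receive it
(principle 4). A "service planning" flow is kept separate from the "direct
care" flow so that analysts never receive identifying items. Every release or
refusal is appended to an audit log for later review by a guardian.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record: every value below is fictitious.
PATIENT_RECORD = {
    "nhs_number": "000 000 0000",      # placeholder, not a real NHS number
    "name": "A. Example",
    "date_of_birth": "1970-01-01",
    "postcode": "ZZ99 9ZZ",
    "diagnosis": "example condition",
    "medication": ["example drug"],
    "gp_practice_code": "X99999",      # placeholder practice code
}

# Items that identify the patient; principle 2 says to avoid them when the purpose allows.
IDENTIFIERS = frozenset({"nhs_number", "name", "date_of_birth", "postcode"})


@dataclass(frozen=True)
class DataFlow:
    purpose: str
    justification: str        # documented reason for the flow (principle 1)
    fields: frozenset         # minimum necessary items (principle 3)
    allowed_roles: frozenset  # need-to-know recipients (principle 4)
    reviewed_on: str          # ISO date of the last guardian review


@dataclass
class Guardian:
    """Registry of approved flows plus an audit trail of every request."""
    flows: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, flow: DataFlow) -> None:
        if not flow.justification.strip():
            raise ValueError(f"flow {flow.purpose!r} has no documented justification")
        if not flow.fields:
            raise ValueError(f"flow {flow.purpose!r} releases no fields; remove it")
        self.flows[flow.purpose] = flow

    def _log(self, purpose: str, role: str, fields, outcome: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "purpose": purpose,
            "role": role,
            "fields": sorted(fields),
            "outcome": outcome,
        })

    def release(self, record: dict, purpose: str, requester_role: str) -> dict:
        """Return only the fields the registered flow permits for this role."""
        flow = self.flows.get(purpose)
        if flow is None:
            self._log(purpose, requester_role, (), "refused: unregistered purpose")
            raise PermissionError(f"no registered flow for purpose {purpose!r}")
        if requester_role not in flow.allowed_roles:
            self._log(purpose, requester_role, (), "refused: role not need-to-know")
            raise PermissionError(f"role {requester_role!r} may not receive {purpose!r}")
        released = {k: record[k] for k in flow.fields if k in record}
        self._log(purpose, requester_role, released, "released")
        return released


def identifiers_in(released: dict) -> set:
    """Identifying items present in a released subset; empty means de-identified."""
    return set(released) & IDENTIFIERS


def build_guardian() -> Guardian:
    """Register two flows split by purpose (constructed examples)."""
    g = Guardian()
    g.register(DataFlow(
        purpose="direct_care",
        justification="Treating clinician must match the record to the patient in front of them",
        fields=frozenset({"nhs_number", "name", "date_of_birth", "diagnosis", "medication"}),
        allowed_roles=frozenset({"clinician"}),
        reviewed_on="2024-01-01",   # placeholder review date
    ))
    g.register(DataFlow(
        purpose="service_planning",
        justification="Commissioners count conditions per practice; no identity is needed",
        fields=frozenset({"diagnosis", "gp_practice_code"}),
        allowed_roles=frozenset({"analyst"}),
        reviewed_on="2024-01-01",   # placeholder review date
    ))
    return g


if __name__ == "__main__":
    guardian = build_guardian()
    print(guardian.release(PATIENT_RECORD, "direct_care", "clinician"))
    print(guardian.release(PATIENT_RECORD, "service_planning", "analyst"))
    print(len(guardian.audit_log), "audit entries")
```

The point of `identifiers_in` is the check a guardian would run over every registered flow: if a purpose other than direct care returns a non-empty set, the flow is carrying identity it has not justified and should be split or trimmed before it is approved.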
The Review Panel also concludes that the Secretary of State and the Department of Health should oversee the implementation of the recommendations of this review, and report on the progress made. This section finishes by listing the full set of recommendations from the Information Governance Review.