The announcement states
The National Data Guardian Review ... recommends that the government consider the future of the care.data programme, as the consent and opt-out model proposed by the review goes further than the approach that was planned for care.data and its pathfinder areas.
In light of Dame Fiona’s recommendations, NHS England has taken the decision to close the care.data programme. However, the government and the health and care system remain absolutely committed to realising the benefits of sharing information, as an essential part of improving outcomes for patients. Therefore this work will now be taken forward by the National Information Board, in close collaboration with the primary care community, in order to retain public confidence and to drive better care for patients.The decision reflects substantive criticisms by privacy activists such as medconfidential - highlighted in several of my conference papers over the past two years - and reports by the UK Care Quality Commission (on a review of data security in the NHS) and Dame Fiona Caldicott as National Data Guardian for Health and Care (on data security and consent).
The two reviews were launched late last year to develop new data security standards, devise a method of testing compliance with the new standards and - importantly - propose a new consent/opt-out model for data sharing in health and social care. Caldicott's criticisms are unsurprising, given findings in her 2013 report noted here.
The CQC report Safe data, safe care: Data security review report found
- There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
- Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
- The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
- Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them. Benchmarking with other organisations was all but absent.
- There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
- The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
- Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.
- As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.
1. Leadership The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.
2. Information, tools and training All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
3. IT systems IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.
4. Outdated technology Computer hardware and software that can no longer be supported should be replaced as a matter of urgency.
5. Audit and validation Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
6. CQC assessment We'll amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards have been carried out, and make sure inspectors are appropriately trained.The NDG Review of Data Security, Consent and Opt-Outs [PDF] comments
Everyone who uses health and care services should be able to trust that their personal confidential data is protected. People should be assured that those involved in their care, and in running and improving services, are using such information appropriately and only when absolutely necessary. Unfortunately trust in the use of personal confidential data has been eroded and steps need to be taken to demonstrate trustworthiness and ensure that the public can have confidence in the system.
At the beginning of September 2015, the Secretary of State for Health asked me, as the National Data Guardian, to work alongside the Care Quality Commission (CQC), and carry out an intensive Review to recommend: new data security standards, a method for testing compliance against these standards, and of their personal confidential data being used. The model does not supersede any of the existing Caldicott principles. Patients and service users should not be surprised that an appropriate professional has access to information about them when they seek care, and should be confident that only the minimum amount of information needed to provide that is shared. a new consent or opt-out model for data sharing in relation to patient confidential data.
This Review follows two previous reviews. In 1996-7, I chaired a Review on the use of patient identifiable data where we recommended six principles for the protection of people’s confidentiality, which became known as the ‘Caldicott principles’. In 2013, I led the Information Governance Review and we recommended an additional ‘Caldicott principle’ setting out that the duty to share information can be as important as the duty to protect patient confidentiality.
I agreed to undertake this third Review for two reasons. Firstly, there has been little positive change in the use of data across health and social care since the 2013 Review and this has been frustrating to see. Secondly, because I believe we have a very significant opportunity now to improve the use of data in people’s interests, and ensure transparency for the public about when their data will be used and when they can opt out of such usage.
I have worked alongside CQC, which was asked to review the current approaches to data security in NHS organisations that provide services. Its work has been invaluable in developing an evidence base for the new data security standards which are set out in this report. The data security standards are intended to be applied across all health and social care organisations. Further work will be needed to establish the validity of the new data security standards for organisations providing social care, as this was not included in the CQC review
Data security is also integral to the second part of this Review: designing a model for information-sharing. The trust needed for effective information-sharing cannot be ensured without secure systems and easily understood explanations of how information and privacy are protected. I have proposed a new consent/ opt-out model that describes clearly when information is used, and when patients have a choice to opt out of their personal confidential data being used. The model does not supersede any of the existing Caldicott principles. Patients and service users should not be surprised that an appropriate professional has access to information about them when they seek care, and should be confident that only the minimum amount of information needed to provide that is shared.
I submitted this Review to the Government in March 2016. Since then I have taken the opportunity to update some references, but have not made any changes of substance.
It was a short Review and significant work will need to be undertaken to implement the recommendations, which should include a full and comprehensive public consultation. A key aspect of this work must be a dialogue with the public. We owe it to citizens to enable them to understand data usage as fully as they wish, and ensure that information about how data is accessed, by whom, and for what purposes, is available. This work is part of a wider dialogue that should be conducted on data use across different sectors. Health and social care data, although unique, cannot be isolated from that discussion.Caldicott makes the following recommendations, which we might hope will be noted in Australia
R 1: The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and nancial management and accountability.
R 2: A redesigned IG Toolkit should embed the new standards, identify exemplar organisations to enable peer support and cascade lessons learned. Leaders should use the IG Toolkit to engage staff and build professional capability, with support from national workforce organisations and professional bodies.
R 3: Trusts and CCGs should use an appropriate tool to identify vulnerabilities such as dormant accounts, default passwords and multiple logins from the same account. These tools could also be also used by the IT companies that provide IT systems to GPs and social care providers.
R 4: All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, Trusts and social care settings.
R 5: NHS England should change its standard nancial contracts to require organisations to take account of the data security standards. Local government should also include this requirement in contracts with the independent and voluntary sectors. Where a provider does not meet the standards over a reasonable period of time, a contract should not be extended.
R 6: Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring nancial integrity and accountability.
R 7: CQC should amend its inspection framework and inspection approach for providers of registered health and care services to include assurance that appropriate internal and external validation against the new data security standards have been carried out, and make sure that inspectors involved are appropriately trained. HSCIC should use the redesigned IG Toolkit to inform CQC of ‘at risk’ organisations, and CQC should use this information to prioritise action.
R 8: HSCIC should work with the primary care community to ensure that the redesigned IG Toolkit provides sufficient support to help them to work towards the standards. HSCIC should use the new toolkit to identify organisations for additional support, and to enable peer support. HSCIC should work with regulators to ensure that there is coherent oversight of data security across the health and care system.
R 9: Where malicious or intentional data security breaches occur, the Department of Health should put harsher sanctions in place and ensure the actions to redress breaches proposed in the 2013 Review are implemented effectively.
R 10: The case for data sharing still needs to be made to the public, and all health, social care, research and public organisations should share responsibility for making that case.
R 11: There should be a new consent/ opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care. This would apply unless there is a mandatory legal requirement or an overriding public interest.
R 12: HSCIC should take advantage of changing its name to NHS Digital to emphasise to the public that it is part of the NHS ‘family’, while continuing to serve the social care and health system as a whole.
Recommendation 13: The Government should consider introducing stronger sanctions to protect anonymised data. This should include criminal penalties for deliberate and negligent re-identification of individuals.
R 14: The forthcoming Information Governance Alliance’s guidance on disseminating health and social care data should explicitly refer to the potential legal, financial, and reputational consequences of organisations failing to have regard to the ICO’s Anonymisation Code of Practice by re-identifying individuals.
R 15: People should continue to be able to give their explicit consent, for example to be involved in research.
R 16: The Department of Health should look at clarifying the legal framework so that health and social care organisations can access the information they need to validate invoices, only using personal confidential data when that is essential.
R 17: The Health Research Authority should provide the public with an easily digestible explanation of the projects that use personal confidential data and have been approved following advice from the Confidentiality Advisory Group.
R 18: The Health and Social Care Information Centre (HSCIC) should develop a tool to help people understand how sharing their data has bene ted other people. This tool should show when personal confidential data collected by HSCIC has been used and for what purposes.
R 19: The Department of Health should conduct a full and comprehensive formal public consultation on the proposed standards and opt-out model. Alongside this consultation, the opt-out questions should be fully tested with the public and professionals.
R 20: There should be ongoing work under the National Information Board looking at the outcomes proposed by this consultation, and how to build greater public trust in data sharing for health and social care.