The 139 page
Information: To Share Or Not To Share? Independent review of how information about patients is shared across the health and care system report [
PDF] of the UK Information Governance Review - aka the Caldicott Report - released on Friday considers "whether there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care".
Release comes amid claims that only 61 out of 6,200 GP surgeries offer online access by patients to medical records and that "a culture of anxiety permeates" many UK health organisations "from the boardroom to frontline staff" and "results from instructions issued by managers in an attempt to protect their organisations from fines for breaching data protection laws. This anxiety must be changed to trust, in order to facilitate sharing on the front line". In response practitioners and administrators should recognise that a "duty to share information" can be "as important as the duty to protect patient confidentiality".
The executive summary of the report is as follows
Introduction
People using health and social care services are entitled to expect that their personal
information will remain confidential. They must feel able to discuss sensitive matters with
a doctor, nurse or social worker without fear that the information may be improperly
disclosed. These services cannot work effectively without trust and trust depends on
confidentiality.
However, people also expect professionals to share information with other members of the
care team, who need to co-operate to provide a seamless, integrated service. So good
sharing of information, when sharing is appropriate, is as important as maintaining
confidentiality. All organisations providing health or social care services must succeed in
both respects if they are not to fail the people that they exist to serve.
The term used to describe how organisations and individuals manage the way information
is handled within the health and social care system in England is ‘information governance’.
In 1997 the Review of the Uses of Patient-Identifiable Information, chaired by Dame Fiona
Caldicott, devised six general principles of information governance that could be used by
all NHS organisations with access to patient information.
The chapter sets out those
principles, which have stood the test of time. It explains why the 1997 review gave priority
to discouraging the uploading of personal information on to information technology systems
outside clinical control. The issue of whether professionals shared information effectively
and safely was not regarded as a problem at the time.
NHS organisations responded by appointing ‘Caldicott Guardians’ to ensure that information
governance was effective. The practice spread to other public bodies, including local
authorities and social care services, and the remit of the guardians was extended to provide
oversight of information sharing among clinicians.
Over recent years, there has been a growing perception that information governance was
being cited as an impediment to sharing information, even when sharing would have been
in the patient’s best interests. In January 2012 the NHS Future Forum work stream on
information identified this as an issue and recommended a review “to ensure that there is
an appropriate balance between the protection of patient information and the use and
sharing of information to improve patient care”. The Government accepted this
recommendation and asked Dame Fiona to lead the work, which became known as the
Caldicott2 review.
The introduction sets out how the review has been conducted and puts it in the context
of the Government’s Information Strategy, the Health & Social Care Act 2012, the Open
Data White Paper, the review of the NHS Constitution and other relevant initiatives.
People’s right to access information about themselves
The Review Panel heard evidence that people’s lack of access to their own records causes
great frustration. We were told that patients who attempt to become involved in decisions
about their care are often thwarted by ‘information governance rules’ that ignore their
express wishes. Examples included patients being charged a fee for access and patients
being denied the opportunity to receive information in a form that suits them, such as by
email, or in an audio format that can be accessed by blind people.
Problems mainly originated from local information governance policies, which vary
between organisations. The chapter gives examples of good practice. It recommends that
all communications between different health and social care teams should be copied to
the patient or service user. There should be ‘no surprises’ for the patient about who has
had access.
Chapter 2 notes that the The Power of Information, the Department of Health’s
Information Strategy, said people’s access to their care records should be improved, with
individuals gaining electronic access to their own care records where they request it,
starting with GP records by 2015 and social care records as soon as IT systems allow.
The Review Panel thinks this right of access should cover hospital records, community
records and personal confidential data held by all organisations within the health and
social care system. It believes that access should become available within the next decade.
This will not automatically happen unless there is a clear plan for implementation.
The chapter further recommends that an audit trail of everyone who has accessed a
patient’s personal confidential data should be made available in a suitable form to patients
via their health and social care records.
Direct care of individuals
When it comes to sharing information, a culture of anxiety permeates the health and social
care sector. Managers, who are fearful that their organisations may be fined for breaching
data protection laws, are inclined to set unduly restrictive rules for information
governance. Front-line professionals, who are fearful of breaking those rules, do not
co-operate with each other as much as they would like by sharing information in the
interests of patients and service users. There is also a lack of trust between the NHS and
local authorities and between public and private providers due to perceived and actual
differences in information governance practice. This state of affairs is profoundly
unsatisfactory and needs to change.
The Review Panel found a strong consensus of support among professionals and the public
that safe and appropriate sharing in the interests of the individual’s direct care should be
the rule, not the exception. Direct care is provided by health and social care staff working in ‘care teams’, which may
include doctors, nurses and a wide range of staff on regulated professional registers,
including social workers. Relevant information should be shared with them, when they
have a legitimate relationship with the patient or service user.
Care teams may also contain members of staff, who are not registered with a regulatory
authority, but who may need access to a proportion of someone’s personal data to provide
care safely. Conditions and safeguards are discussed.
The chapter considers the principles underpinning a professional’s right to receive personal
confidential information about a patient and share it with other professionals to optimise
the patient’s direct care. It finds the system works for the most part on the principle of
‘implied consent’. Examples of the use of implied consent include doctors and nurses
sharing personal, confidential data during medical and nursing handovers without having to
ask for the patient’s explicit consent. A fuller discussion of the law of consent is provided
in chapter 5.
Chapter 3 goes on to discuss the sharing of information with care homes, carers, friends
and family. It suggests that organisations should pay closer attention to the appropriate
transfer of information when people move across institutional boundaries, such as leaving
hospital, coming out of the army or prison, or changing their GP.
The Review Panel looked at the problem confronting staff who have to distinguish between
an individual such as a relative legitimately seeking information about a patient’s progress
and a ‘blagger’; a person making improper inquiries. It recommends protocols to assist in
good decision making and procedures for informing and helping people if mistakes are made.
This chapter also explains how the use of personal confidential data for clinical audit can
be managed within the law. It discusses arrangements for sharing information with
geneticists to facilitate the direct care of patients with genetic problems.
Personal data breaches
In the 12 months to the end of June 2012, 186 serious data breaches were notified to the
Department of Health. Most involved the loss or theft of data, but almost one-third
concerned unauthorised disclosures.
Many of the breaches were reported through strategic health authorities and not through
the Information Commissioner’s Office (ICO), which has the power to impose financial
penalties of up to £500,000. When strategic health authorities go out of existence, there
will be a need for a new, consistent reporting channel to ensure that breaches of patients’
confidentiality do not escape the attention of senior managers, ministers and regulators of
health and social care.
The ICO told the Review Panel that no civil monetary penalties have been served for a
breach of the Data Protection Act due to formal data sharing between data controllers in
any organisation for any purpose. It says breaches of the Data Protection Act are usually
the result of lack of due consideration. Yet it finds that organisations frequently shy away
from data sharing and cite data protection as a reason. The data sharing code produced by
the ICO in May 2011 helps organisations to share data in a secure and proper way. They
should use it.
There should be a standard severity scale for breaches agreed across the whole of the
health and social care system. The board or equivalent body of every organisation in the
health and social care system should publish all such data breaches, as part of the quality
report in NHS organisations or as part of the annual report or performance report in non-
NHS organisations.
The chapter also considers the implication for data security of people’s increasing use of
social media. This has not changed any principles of confidentiality. However, there may be
a need for greater vigilance among health and social care professionals as they switch from
the personal side of their lives to the professional side.
Information governance and the law
Every minute of every day, staff employed across health and social care services make
lawful use of personal confidential data about patients and service users. For the most
part, they do so on the legal basis of consent. They may have asked for the individual’s
explicit consent for a particular treatment or course of action. Or they may rely on implied
consent. For example, when a patient agrees to the GP referring her to a hospital
consultant, she can expect the GP to pass on details of the medical condition that requires
the consultant’s attention. The GP may legally assume she has given implied consent to the
sharing of this information without having to ask her.
These assumptions should only be made if it is reasonable to expect the patient
understands how the information will be used. The Review Panel did not consider it
necessary to challenge this long-established approach, although we think further effort is
needed to increase patients’ understanding of how their personal confidential data is used.
Chapter 5 sets out the four legal bases that may provide an organisation with a justification
for holding and using personal confidential data. It recommends that the use of data without
a legal basis, when one is required, should be reported and dealt with as a data breach.
Chapter 5 also makes a recommendation urging all organisations in the health and social
care system to explain to patients and the public how the personal information they collect
could be used in de-identified form for research and other purposes. Such explanations
should mention what rights the individual may have to refuse to give their consent.When people give, refuse or withdraw explicit consent, these decisions should be traceable
and communicated to others involved in the individual’s direct care. Patients can change
their consent at any time.
New rights and pledges were set out in the Government’s consultation on revisions to the
NHS Constitution. The Review Panel proposes that these rights and pledges should be
extended to cover the whole health and social care system.
Our proposal is set out below:
- You have the right of access to your own personal records within the health and social
care system.
- You have the right to privacy and confidentiality and to expect the health and social
care system to keep your confidential information safe and secure.
- You have the right to be informed about how your information is used.
- You have the right to request that your confidential data is not used beyond your own
care and treatment and to have your objections considered, and where your wishes
cannot be followed, to be told the reasons including the legal basis.
The NHS and adult social services also commit:
- to ensure those involved in your care and treatment have access to your health and
social care data so they can care for you safely and effectively (pledge);
- to anonymise the data collected during the course of your care and treatment and use it
to support research and improve care for others (pledge);
- where identifiable data has to be used, to give you the chance to object wherever
possible (pledge);
- to inform you of research studies in which you may be eligible to participate (pledge);
and
- to share with you any correspondence sent between staff about your care (pledge).
This section also sets out the duties of staff to protect the confidentiality of personal
information and to provide access to a patient’s data to other relevant professionals,
always doing so securely.
Research
The existence of the NHS gives a big advantage to medical researchers in Britain. As a
universal service free at the point of use, the NHS has a deep well of data covering almost
all of the population, across the full spectrum of medical conditions. There is also
enormous untapped potential in the information captured in social care records to support
better research.
The Review Panel examined how these opportunities might be realised without weakening
confidentiality and trust. Researchers told us of their concern about the complexity,
confusion and lack of consistency in the interpretation of the requirements they have to
satisfy before research projects can proceed. However, we found there can be robust
solutions to these problems that permit access to detailed patient information without
compromising the confidentiality of individuals. If data clearly identifies individuals, it must not be processed without a clear legal basis. If
data is anonymised in line with the ICO’s anonymisation code, it can be freely processed
and publicly disclosed. However, there is a third class of data, which is of great interest to
researchers, that on its own does not identify individuals, but could do so if it were to be
linked to other information. This ‘grey area’ includes data that has been de-identified by
the use of pseudonyms or coded references, but could be re-identified when combined
with other data.
The Review Panel looked at solutions that allow such linkages to take place for the benefit
of science without putting individuals’ confidentiality at risk.
We recommend that the linkage of de-identified but still potentially identifiable
information from more than one organisation should be done in specialist, well-governed,
independently scrutinised environments known as ‘accredited safe havens’. Chapter 6
proposes national minimum standards for safe havens, supported by a system of external
independent audit and other requirements to give the public confidence.
The Health and Social Care Act 2012 provides for the Information Centre for Health and
Social Care (the Information Centre) to become a safe haven. Chapter 6 considers whether
it will have capacity to deal with the amount of data linkage that will be needed in the
new health and social care system, or whether other safe havens should be established.
The chapter also looks at how researchers can set about identifying people with particular
characteristics to invite them to take part in clinical trials.
Commissioning
Commissioners cannot organise the improvement of services unless they know quite a lot
about the people using them. For example, they may want to build new care pathways
that are better suited to people’s needs. However, knowing about service users need not
necessarily require commissioners to know their identities. The arrangements for NHS and
local authority commissioners to extract information were in a state of rapid, comprehensive
change during the period of this Review, as the NHS Commissioning Board, clinical
commissioning groups, Public Health England and local authorities prepared to take on the
responsibilities set out for them in the Health and Social Care Act 2012. The chapter
focuses primarily on the challenge facing NHS commissioners, however the Review Panel
conclude that commissioners in local authorities and Public Health England must adhere to
the same standards, guidance and good practice and be subject to the same penalties for
poor practice as the NHS when commissioning services.
The Review Panel found a lack of consensus on the need for identifiable data to be used
for commissioning purposes. However, after doing detailed work with primary care trusts,
clusters and the NHS Commissioning Board, the Review Panel concluded that all the
objectives set for commissioning over the years ahead can be achieved without compromising
patients’ confidentiality or the public’s trust in the health and social care system. The NHS Commissioning Board suggested that the use of personal confidential data for
commissioning purposes would be legitimate because it would form part of a ‘consent deal’
between the NHS and service users. The Review Panel does not support such a proposition.
There is no evidence that the public is more likely to trust commissioners to handle
personal confidential data than other groups of professionals who have learned how to
work within the existing law.
The Review Panel found that commissioners do not need dispensation from confidentiality,
human rights and data protection law since, with little effort, they can operate perfectly
well within it. For example, there are situations in which the commissioner will need
personal confidential data to help people deal with individual care problems. It might be to
help someone who is requesting NHS funding for ‘continuing care’ after leaving hospital, or
an ‘individual funding request’ for drugs that are not generally available on the NHS in that
area. In such cases it is entirely reasonable for the NHS to ask for the patient’s explicit
consent for NHS staff handling the case to be able to look at the patient’s personal
confidential data.
In other situations, local commissioners may be able to use safe havens, within which the
personal information they want to assess may be anonymised without risk of anyone’s
sensitive data being disclosed. For example a clinical commissioning group might want to
consider individual cases in order to monitor health inequalities, but it can do this using
anonymised information.
The Review Panel deliberated with the NHS Commissioning Board and other organisations
about a proposal for up to 10 Data Management Information Centres (DMICs) to act as safe
havens where confidential private data would be anonymised so that it could safely be
made available to local commissioners.
This chapter considers how staff in the DMICs might process data lawfully through
integration with the Information Centre to ensure that their activities are sanctioned by
statute and to maintain public trust in the security of personal information.
The Review Panel recommends that members of the NHS Commissioning Board, Clinical
Commissioning Groups and members and officers in local authorities, should ensure their
organisation complies with the legal and statutory framework for information governance,
with boards, or equivalent bodies being formally responsible for their organisation’s
standards and practice on information governance.
Public health
Healthcare professionals who are responsible for health protection sometimes need to know
personal confidential data about specific individuals. For example during an outbreak of an
infectious disease, public health staff may need to identify individuals who are at risk.
This side of public health resembles the direct care of patients and service users that was
considered in chapter 3. While engaged in this work, healthcare professionals can be
considered to have a legitimate relationship with people in the communities they serve. It would be impractical for them to ask everyone at risk from an infectious disease to give
specific consent for staff to provide appropriate information and care. Preventing the
spread of infection is in the public interest and therefore the use of personal confidential
data for this purpose has been provided with statutory support.
This justification for accessing personal confidential data does not apply to other aspects of
public health work. Health improvement programmes can provide value to the community
by contributing to longer life expectancy, healthier lifestyles and reduced inequalities in
health, but they cannot be considered equivalent to the direct care of patients.
Most health improvement activities in public health do not require personal confidential
data about individuals. However, understanding the complex relationships that exist
between the environment, personal behaviours and disease requires information that can
only be derived by linking data from several different sources. This side of public health
resembles research and the Review Panel considers that the rules and procedures that have
developed to provide the information governance for research can usefully be applied to
public health intelligence.
A third dimension of public health is to assist people planning healthcare services to
understand the health needs of the local population. This activity resembles
commissioning. Although some patient level detail is needed, patients themselves do not
need to be identified.
There is a lack of regulatory coherence across the public health arena. Some registries,
including cancer registries, have statutory regulatory powers; others operate on a basis of
consent. The Review Panel suggests detailed and consistent remedies.
Education and training
Across the health and social care system, most staff are required to undertake annual
training in information governance. The commitment to training is important and the
associated training budget is a welcome enabler. However, the Review Panel discovered that
the mandatory training is often a ‘tick-box exercise’. One nurse told us the experience was
equivalent to an annual ‘sheep dip’, which staff could go through without thinking.
There needs to be a fundamental cultural shift in the approach to learning about
information governance. Health and social care professionals should be educated and not
simply trained in effective policies and processes for sharing of information.
They should have formal information governance education focused on their roles, and this
should be at both undergraduate and postgraduate level. This education should include a
professional component explaining why there may be a duty to share information in the
interests of the patient, as well as the legal aspects of the common law of confidentiality,
the Data Protection Act and Human Rights Act.
Networks of information governance leads should be strengthened and extended to foster
greater mutual learning from experience across the health and social care system. In
addition to the standard training and education, Caldicott Guardians need to demonstrate
continuous professional development in information governance on an annual basis.
The chapter proposes education and training for non-registered staff and continuous
professional development for senior managers to ensure they understand the practical
information governance challenges their staff face.
It notes that information governance is often the responsibility of one person within an
organisation, who may feel isolated. In many cases, the role is filled by inexperienced or
relatively junior staff, or is one role among many that an individual must perform. The
Review Panel concluded that information governance specialists should work together to
establish a community of practice that could improve knowledge to solve practical
challenges, develop trust in the information governance function and remove isolation.
Children and families
The safeguarding of children is a well-established system, underpinned by legislation,
which requires professionals to share information about a child whenever there is cause
for concern.
Arrangements for sharing require constant vigilance by the relevant professionals. It has
become clear, however, that professionals dealing with children and families encounter
particular issues of information governance that are not covered elsewhere in this report.
This chapter deals with a series of dilemmas involving children.
It references work done by the Royal College of General Practitioners to address the vexed
issue of when automatic parental access to the child’s medical record should be turned off
and when the child’s automatic access should be activated upon their reaching sufficient
maturity.
Other dilemmas include the extent to which individual members of a family should have
access to the ‘family records’. These records have become an important dimension of
children’s social care following the Munro Review. The question is how to provide
information to each individual family member without compromising the confidentiality
of other family members.
In order to provide effective care for children, information often needs to be shared
beyond the normal boundaries of health and social care services, in particular taking in
organisations such as schools.
The Review Panel concludes that there would be clear
benefits if a single, common approach to sharing information for children and young people
could be adopted. The Department of Health should work with the Department for
Education to investigate jointly ways to improve the safe sharing of information between
health and social care services and schools and other services relevant to children and
young people, through the adoption of common standards and procedures for sharing
information. The departments should involve external regulators in this work including the
Care Quality Commission and Ofsted.
Government policy is increasingly seeking to use information to identify individuals or
groups of people, such as families, who may benefit from specific help or early
intervention. Generally, the aim of these interventions is to address problems these
individuals and groups may be facing before they can escalate, potentially causing harm to
themselves, their communities, or wider society. Identifying these people often requires
extensive sharing, linkage and analysis of personal confidential data.
The Review Panel concludes that significant lessons regarding data sharing might be
learned from public health and research communities. It suggests that the definitions of
‘prevention’ adopted in the influential study of public health by the Commission on Chronic
Illness could be adapted to cover social welfare interventions.
New and emerging technologies
Increasing numbers of patients are benefiting from new technologies that permit ‘virtual
consultations’ with a clinician, using the telephone, emails or video links. There is also a
rapidly expanding range of medical devices that use software or other technologies to
record data about a patient when a clinician or other professional is not present. These
devices then make the information available to the professional.
The Review Panel found a lack of clarity about a patient’s right to access the record of
virtual consultations and uncertainty about how long records would be kept.
It proposes
ground rules for ensuring patients have access to information about themselves. Providers
offering virtual consultation services should be able to share, when appropriate, relevant
digital information from the patient, with registered and regulated health or social care
professionals responsible for the patient’s care.
Medical devices permitting the monitoring of a patient’s condition from a remote location
present challenges, but do not raise new issues of information governance. The personal
confidential data gathered through these new processes and technologies must be treated
in exactly the same way as any other personal confidential data, and providers of these
services must adhere to the existing legislation and best practice.
The NHS Commissioning Board and clinical commissioning groups and local authorities
should ensure that services using these new technologies are conforming to best practice
with regard to information governance and will do so in the future.
Data management
There are many good reasons why organisations in health and social care need good quality
data. Patients are at risk if clinicians base their decisions on inadequate data. Dangers
multiply if there is poor handover of information between care teams or conflicting advice
to patients from professionals. The Review Panel welcomes the focus that professional
bodies for health and social care are placing on data quality.
The issue is particularly relevant to this review because poor data is so often cited as the
reason why people running services want to reach for the files of individuals. To find out the
truth, they want information about real people that includes personal confidential data.The best solution is not to give them dispensation to ignore or circumvent legal
requirements. It is to improve data quality standards. If data quality is sound, a pseudonym
may be used to link data and thus protect the identity of an individual.
The Review Panel endorses the First National Data Quality Report of the Quality
Information Committee of the National Quality Board, which seeks improvements in data
quality in the health and social care system.
The chapter summarises some important aspects of the Administrative Data Taskforce report
on improving access for research and policy published in 2012, with the Review Panel
endorsing a number of that report’s conclusions. It also examines the sharing of data to
safeguard children and adults and special considerations affecting data about ‘the unborn’.
The Review Panel calls for consistency in the information governance requirements for
providers. It recommends that every health and social care organisation should be required
to publish a declaration signed by the board or equivalent body, describing what personal
confidential data it discloses and to whom and for what purpose.
The chapter seeks to clarify the legal framework for sharing personal confidential data.
The Review Panel concludes that individuals should have the same level of protection
under the law whether personal confidential data is shared between health service bodies,
or whether the sharing is between a health service body and a non-health service body.
The Review Panel also recommends that the Department of Health commission a standard
template common across the health and social care system for setting up data sharing
agreements, to prevent unnecessary duplication of effort.
The chapter also suggests practical arrangements to secure the safety of records when a
provider’s contract comes to an end and sets out the protections and safeguards which
exist to prevent inappropriate sharing of patient’s information with organisations such
as insurers.
System regulation and leadership
From an information governance perspective, there is currently no method of regulating
the health and social care system as a whole. The Review Panel saw an opportunity for the
Information Commissioner’s Office and the Care Quality Commission to work together in
ensuring the health and social care system is properly monitored and regulated in this
regard. The process should be balanced, proportionate and utilise the existing and
proposed duties within the health and social care system in England. This chapter sets out
three minimum components.
The Review Panel calls on professional regulators to be involved more often in dealing with
cases of poor information sharing that disadvantage patients.
The Information Centre is to become responsible for producing and maintaining a code of
practice on collecting, analysing, publishing or disclosing confidential information. It
should adopt the standards and good practice guidance contained within the green-boxed
sections of this report.
The Informatics Services Commissioning Group (ISCG) is responsible for providing advice on
commissioning informatics services across the health and social care system. It is proposed
that a sub-group of the ISCG is established to provide specialist expertise, advice and
support on information governance. The Review Panel welcomes this proposal.
The health and social care system should adopt an agreed set of terms and definitions for
information sharing that everyone, including the public, should be able to use and
understand.
Conclusions and recommendations
In addition to the findings of individual chapters, the Review Panel reaches some
overarching conclusions. After consideration of what safeguards exist to protect people’s
confidential information and what means of redress are available if mistakes are made, the
final chapter sets out how redress should be managed by every organisation in the health
and social care system in England.
There was widespread support for the original Caldicott principles, which are as relevant
and appropriate for the health and social care system today as they were for the NHS in
1997. However, evidence received during the Review persuaded the Panel of the need for
some updating, and inclusion of an additional principle.
The revised list of Caldicott
principles therefore reads:
1. Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation
should be clearly defined, scrutinised and documented, with continuing uses regularly
reviewed, by an appropriate guardian.
2. Don’t use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the
specified purpose(s) of that flow. The need for patients to be identified should be
considered at each stage of satisfying the purpose(s).
3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each
individual item of data should be considered and justified so that the minimum amount of
personal confidential data is transferred or accessible as is necessary for a given function
to be carried out.
4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to
it, and they should only have access to the data items that they need to see. This may
mean introducing access controls or splitting data flows where one data flow is used for
several purposes.
5. Everyone with access to personal confidential data should be aware of their
responsibilities
Action should be taken to ensure that those handling personal confidential data — both
clinical and non-clinical staff — are made fully aware of their responsibilities and
obligations to respect patient confidentiality.
6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation
handling personal confidential data should be responsible for ensuring that the organisation
complies with legal requirements.
7. The duty to share information can be as important as the duty to protect
patient confidentiality.
Health and social care professionals should have the confidence to share information in the
best interests of their patients within the framework set out by these principles. They
should be supported by the policies of their employers, regulators and professional bodies.
These principles should underpin information governance across the health and social care
services.
The Review Panel also concludes that the Secretary of State and the Department of Health
should oversee the implementation of the recommendations of this review, and report on
the progress made.
This section finishes by listing the full set of recommendations from the Information
Governance Review.
