New safeguards and a public conversation about health and care information proposed

New measures are proposed to strengthen the security of health and care information and to help people make informed choices about how their data is used.

The recommendations are made to the Secretary of State for Health, Jeremy Hunt. He commissioned the Care Quality Commission (CQC) to review existing levels of data security across the NHS and asked the National Data Guardian (NDG), Dame Fiona Caldicott to recommend new data security standards for health and social care and to develop a new consent/opt-out.

Both reports describe their finding of strong commitment among staff and organisations to keep data secure and that the public largely trusts the NHS to do so, and both have also identified areas where more can be done.

The reviews make a number of complementary recommendations to ensure that the drive for improved patient safety and high quality services is supported by accurate information, available to the right people at the right time, while maintaining respect for confidentiality.

Both reports recommend:

• Leaders of every organisation should demonstrate clear accountability and responsibility for data security, just as they do for clinical and financial matters.
• Internal and external scrutiny of whether the new data standards are being implemented

The NDG also recommends:

• Ten new data security standards to apply to all organisations that hold health or care information.

For example, organisations should use identify and address risks such as default passwords, dormant accounts and unsupported operating systems.

• A much more extensive dialogue with the public about how their health and care information is used and the benefits of data sharing.

The review underlines that information is essential to support excellent care and for a range of beneficial purposes such as helping researchers to develop life-saving medicine or regulators to see when things are going wrong promptly. However, there is currently little public awareness of how information is used.

• A new opt-out to make it clear to patients how their health and care information can be used and in what circumstances they can opt out of it being shared for purposes other than their direct care.

The NDG Review found that people tend to support their health and care information being used where they can see the benefit, but want to be given a choice about that.

• Whether people opt out or not, they should be reassured that their health and care information will only ever be used if the law allows and never for marketing or insurance, unless they consent separately to this.

The Department of Health has today provisionally accepted the recommendations and confirmed that there will be a public consultation and further testing of the recommendations put forward by the NDG.

David Behan, Chief Executive of CQC, said “The ability of NHS organisations to access and share patient information is crucial to the delivery of safe, effective care. But without robust processes, there’s a risk that information may be compromised, may not be accessible when it’s needed, or may not be kept confidential.

"We worked with sixty NHS organisations for this review, and those which demonstrated good practice on data security shared common characteristics - senior leadership who took this issue seriously and demonstrated ownership and responsibility; staff who were provided with the right information, tools, training and support; and systems and protocols designed around the needs of frontline staff, reducing the need for them to develop shortcuts in order to deliver timely patient care. But too often, not all these elements were in place.

"CQC has set out six recommendations aimed at improving arrangements for protecting personal data, and assuring the new standards proposed by the National Data Guardian. These recommendations focus on three key themes that are fundamental to the secure handling of data: people, processes and technology. Ultimately, however, it is for NHS leaders to demonstrate clear ownership and responsibility for data security, just as they do for clinical and financial management and accountability."

National Data Guardian, Dame Fiona Caldicott, said: "My recommendations centre on trust. Building public trust for the use of health and care data means giving people confidence that their private information is kept secure and used in their interests.

"Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring. They must be offered a clear choice about whether they want to allow their information to be part of this. I would encourage everyone to get involved in the consultation about the proposals that I am putting to Government today."

Interim Chair of Healthwatch England, Jane Mordue, said: "People tell local Healthwatch they recognise the potential life-saving benefits of sharing their data, putting it in the same terms as giving blood or registering as an organ donor. At the same time they understandably want to know who will have access to their medical records and for what purposes.

"Dame Fiona’s work has helped set out the foundations for how the NHS should use data, but with the Government set to consult over the summer it’s now up to all of us to take part in a national conversation about how information is shared to help build a health service fit for the 21st century."

Katherine Murphy, chief executive of the Patients Association, said: "There must be clear processes in place to protect patient confidentiality. Patients and the public need to trust that their data is held securely and that confidentiality is protected.

"Data sharing can have real benefits for patients and we acknowledge the importance of the research that uses patient data safely. We welcome both the clear emphasis this report places on the importance of data security, and its recommendations for practical steps that organisations can take to ensure that patients’ personal information is being kept safe."

Professor Nigel Mathers, Honorary Secretary for the Royal College of GPs, said: "The NHS must be beyond reproach when it comes to the use of patient data for any purpose, so Dame Fiona is right to say that further steps must be taken to build public trust for the use of their information and we welcome her call for a much fuller conversation with the public.

"GPs are the most trusted healthcare professionals in the NHS, and it is important that this trust extends to the way in which we use information about our patients’ health.

"The sharing of patient data between healthcare professionals can result in better and more integrated care – there are also significant benefits, particularly for medical research, to sharing anonymised patient data.

"What is essential is that patients understand how and when information about their health - anonymised or not - is being used, and that they are confident it will be kept secure. This way, the trust patients have in their GP will be maintained."

Donna Kinnair, Director of Nursing, Policy and Practice at the Royal College of Nursing, said: "This review is an important step towards developing stronger data security in the NHS.

"Data is essential for providing excellent patient care. Many patients are happy to allow their data to be used when given the choice, which is why providing clear information and implementing an ‘opt-out’ option will be so beneficial.

"Nurses and other health care staff will be at the forefront of putting these recommendations into action. The review found that staff equipped with the right tools are able to deliver the best practice – so training needs to be a key priority for the future."

Jeremy Farrar, Director of Wellcome, said: "We will only unlock the immense value of patient data if we have open and honest discussions about how and why data can be used for care and research, what’s allowed and not allowed, and how personal information is safeguarded. We welcome Dame Fiona’s call for a full conversation with the public and are very pleased to announce that we are setting up a new Independent Taskforce to explore the most effective ways to have discussions about uses of data."

Professor John Newton, Interim Chair of the National Information Board, said: "This is a very important report. The NHS must achieve the highest possible standards of data security: additional expert guidance on this is needed as new technologies and ways of using data are introduced. Public trust in how health data are used also needs to be secured. The report highlights the need for clear explanations of the benefits of data sharing and the National Information Board will be pleased to oversee further work in this area."

Graham Silk, Co-founder of Empower: Data4Health, said: "The Empower: Data4Health campaign welcomes the release of Dame Caldicott’s report and hopes that it will put the issue of health data firmly on the political agenda. For too long there has been a lack of clarity around the use of patient data and the sector’s obligations concerning privacy and protection.

"I was given three years to live in 2001 and I’m still here today because of medical research facilitated by the patient data of the leukaemia community. I want everyone else to benefit in the same way – which means wider and more practical use of our data.

"We need a revolution in patient data if the NHS is to take advantage of 21st century medicine. Empower: Data4Health wants to see the focus turn to the huge potential that our data has so that we can start improving drugs and treatments for the patients who are most in need. This needs to happen today, not in a few years."

More detail: CQC review

CQC's review of 60 hospitals, GP surgeries and dental practices focused on the availability, integrity and confidentiality of data systems in the NHS. It found that there was widespread commitment to data security, but staff at all levels faced significant challenges in translating this commitment into reliable practice.

Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them, while the quality of staff training was very varied at all levels, including up to Senior Information Risk Owners (SIROs) and Caldicott Guardians. Where data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations. Data security systems and protocols were not always designed around the needs of frontline staff – which often led to staff developing potentially insecure workarounds in order to deliver good, timely care to patients. This issue was especially evident in emergency medicine settings.

Alongside its review, CQC has published a policy statement which sets out how it carries out its regulatory role in regard to the secure use of information by health and adult social care providers, and how CQC itself handles data securely. The policy statement also provides a response to the recommendations from the National Information Governance Committee, which gave independent and objective advice on development and delivery of CQC’s information governance monitoring functions. CQC has accepted these recommendations and will continue to identify how the use of information can be strengthened in its future regulatory approach.

More detail: NDG review

In developing new data security standards for health and social care, the NDG found that health and social care staff want clear explanations of what they should and should not be doing regarding data security. A common cause of breaches is where staff are developing ‘workarounds’ to burdensome processes or outmoded technology.

The ten new data security standards have been designed to be as relevant to GPs and smaller care providers as they are to large NHS trusts. They are based around three key themes that are fundamental to the secure handling of data: people, processes and technology.

In developing the proposed new opt-out model, the NDG review found that information is essential to run the health and social care system and for research, while for most purposes high quality anonymised data – rather than personal confidential data - is sufficient.

The proposed opt-out would prevent people’s confidential health and care information being used for running the NHS and social care system and for research, except where there is a legal requirement or overriding public interest. The opt-out would be respected by all organisations using health and care information, encouraging more use of anonymised information. People would still be able to choose to take part in individual research studies.