The content of this website is intended for healthcare professionals only

Use of confidential data should be rebalanced in patients’ favour

And tough penalties imposed for breaches, says Caldicott Review

Caroline White

Friday, 26 April 2013

The use of confidential health information in the NHS needs to be “rebalanced” in favour of patients and service users, with tough penalties for breaches, says a government commissioned review looking at how best to get the right balance between data protection and sharing to improve care.

The government asked Dame Fiona Caldicott to carry out a review of information governance in health and social care, following the publication of The Future Forum’s report in January 2012.

This concluded that data sharing is vital for patient safety, quality, and integrated care, and recommended that the government review information governance in health and social care.

“A re-balancing of sharing and protecting information is urgently needed in the patients’ and service users’ interests, which is supported by those citizens with whom we discussed these issues,” writes Dame Caldicott in the introduction to the review.

But the new commissioning arrangements have highlighted concerns about identifiable information being sought excessively and used inappropriately, she says.

“We have been struck by the loss of confidence of many clinicians with whom we spoke, about when it is safe to share information and the safeguards that are required for sharing,” writes Dame Caldicott.

“There is clearly an urgent and ongoing need for education and training in this area for staff, and also for patients and service users,” she notes. “Given the imperative to meet the needs of an ageing population, particularly at the boundary between health and social care, it is crucial that systems for principled sharing of information are well understood,” she insists.

Among the raft of recommendations, the review says that healthcare organisations should implement a much tougher and more transparent system of redress for data breaches, to restore confidence in the use of personal healthcare information.

Those affected by a breach must be told what happened, how it happened, what will be done to put matters right, and be given an apology, it recommends, with penalties meted out by the Information Commissioner’s Office (ICO) of up to £500,000 and criminal prosecution for serious breaches of the Data Protection Act.

And even when the ICO decides not to prosecute, the health or social care organisation concerned must take remedial action and the Care Quality Commission must assure itself that the action has been taken and is fit for purpose.

All data breaches should be reported to the organisation’s full senior management board, with remedial actions detailed in annual reports.

Failure to inform the public properly on how their personal confidential data is being shared should be actively monitored by the Care Quality Commission, says the review.

Speaking at the Electronic Patient Records Conference today, health secretary Jeremy Hunt said that while effective sharing of patient information has enormous potential to improve patient care, services and treatments, this can only be done effectively if patients are given a say over how their personal information is used.

He announced that any patient that does not want personal data held in their GP record to be shared with the Health and Social Care Information Centre will have their objection respected.

Where personal data has already been shared from a GP practice to the Information Centre, a patient will still be able to have the identifiable information removed, he said.

“If patients are to see the benefits of these changes we must respect the wishes of the small number of people who would prefer not to share this information. I firmly believe that technology can transform the quality of healthcare in this country, but we must always respect the fact that this is very personal information about an individual,” he said.

Jeremy Hunt also announced that Dame Fiona will chair an independent panel to oversee and scrutinise implementation of the review’s recommendations and to provide advice on information governance issues. A full response to the review will follow in the summer.

Chair of the BMA’s Medical Ethics Committee, Dr Tony Calland, welcomed the commitment to respecting patients’ objections to the sharing of confidential data.

“This is something the BMA has worked hard to reach agreement on. Confidentiality is the cornerstone of the doctor/patient partnership and we must do all we can to safeguard it,” he said. 

But he added that the BMA had some outstanding concerns about how “safe havens” will be implemented.

These are areas where researchers and commissioners can carry out analyses under secure conditions and should be kept to a minimum, says the BMA. The use of any information that could identify individuals, such as the NHS number, could increase a risk to confidentiality, unless robust safeguards are in place.

“While health data is vital to improve health services and medical research, it is essential that the strict controls described in the Review for safe havens are scrupulously adhered to and regularly audited by an independent body,” said Dr Calland.

Information: To Share Or Not To Share? The Information Governance Review

Registered in England and Wales. Reg No. 2530185. c/o Wilmington plc, 5th Floor, 10 Whitechapel High Street, London E1 8QS. Reg No. 30158470