Dame Fiona Caldicott has recommended that all health and social care bodies should publish details of cases where they have processed or shared patients’ personal data without legal basis. This recommendation formed part of her report, commissioned by the Government, into the health and social care sectors practices involving information governance.
Her report further states that “The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach,” and she continued by saying, “There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations. A ‘data breach’ should be defined as any failure to meet the requirements of the Data Protection Act. This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data and inappropriate invasion of people’s privacy.”
She has identified that there is a “culture of anxiety” existing within these sectors and has found that personal information is not shared as often as it could easily be done, between professionals. She went on to say that “safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception”.
There should be no difference between the health and social care sectors and any other sector who captures and processes personal and sensitive personal data. They should be explaining to patients how their personal data that they are collecting and processing might be used, for example, in anonymised structure for “research, audit, public health and other purposes”. They must also recognise their patient’s rights when collecting this data and explain that they are able to withhold their consent from this type of processing. In line with the rest of the data gathering industry a they should also be told that they can change their decision on consent to sharing their personal data and these sectors should be maintaining records of “any explicit decision of consent, including withdrawal of consent previously given”. Dame Fiona also said that patients should also be informed of the consequences of not providing consent.
She further clarified this bay saying that, if personal data is fully anonymised the information is available to be “freely processed and publicly disclosed”, however, if the information has only been “de-identified by the use of pseudonyms or coded references” it is personal data and must be treated as such.
Dame Fiona further said that linking of de-identified personal data with other information that contains identifiers should only happen “in specialist, well-governed, independently scrutinised environments known as ‘accredited safe havens’” The Health and Social Care Information Centre should have it set out, in the code for processing confidential information, what the “attributes” are for an accredited safe haven. “Data sets containing personal confidential data, or data that can potentially identify individuals (de-identified data for limited disclosure or limited access), are only disclosed for linkage in secure environments, known as ‘accredited safe havens’,” she continuedd. “The purposes for such linkage should be expanded to cover audit, surveillance and service improvement. Within the accredited safe haven, de-identified data for limited disclosure or access must not be linked to personal confidential data unless there is a clear legal basis to do so, and contracts must forbid this. This would re-identify the de-identified data for limited access, and be a data breach.”
Her report identifies that there needs to be national minimum standards on “data stewardship” that govern how the ‘safe havens’ operate. These standards should outline the bodies responsibilities for anonymising data as well as mandating the use of “privacy enhancing technologies”. They should also ensure “robust governance arrangements” are in place and that there are “clear conditions for hosting researchers and other investigators who wish to use the safe haven”. Dame Fiona also recommends that patients are given information about how their data is used and shared and details of who has had access to their sensitive personal information should also be made available to them “in a suitable form”.
Health Secretary Jeremy Hunt responded in a statement saying. “The Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient….. If patients are to see the benefits of these changes we must respect the wishes of the small number of people who would prefer not to share this information. I firmly believe that technology can transform the quality of healthcare in this country, but we must always respect the fact that this is very personal information about an individual.”
Jeremy Hunt previously outlined his vision for a ‘paperless’ NHS by 2018. He said that “NHS patients should each have a digital medical record that public health providers can access “when necessary” and where individuals’ “permission” has been granted.” To my mind this produces further possibilities for breach given the NHS’ record on data loss…