By continuing to use the site you agree to our Privacy & Cookies policy

Your browser seems to have cookies disabled. For the best experience of this website, please enable cookies in your browser.


Your browser is no longer supported

For the best possible experience using our website we recommend you upgrade to a newer version or another browser.


Caldicott report highlights 'anxiety' and disagreement over record sharing

The cultural and practical challenges faced by the NHS in sharing patient records between health and social care agencies are outlined in a major review published today.

Dame Fiona Caldicott’s government-commissioned review of information governance highlighted “a lack of consensus” on information sharing and said “a culture of anxiety permeates many organisations from the boardroom to front line staff”.

The review also warned that government plans for patients to access their records across the health and social care system could be in jeopardy without “a clear plan for implantation” .

The report, Information: To share or not to share? The Information Governance Review (see attached), said: The review panel found the anxiety results from instructions issued by managers in an attempt to protect their organisations from fines for breaching data protection laws.

“This anxiety must be changed to trust, in order to facilitate sharing on the front line.

“The constant message from caring and committed staff was that there should be a presumption in favour of sharing for an individual’s direct care and that the exceptions should be thoroughly explained, not vice versa.”

As revealed by HSJ last month, the report recommended a new duty to promote sharing but with a framework to protect confidential information (see box below for more recommendations).

The report said: “The duty to share information can be as important as the duty to protect patient confidentiality”.

However, the authors found “a lack of consensus on the need for identifiable data to be used for commissioning purposes”.

The report said: “[NHS England] suggested that the use of personal confidential data for commissioning purposes would be legitimate because it would form part of a ‘consent deal’ between the NHS and service users.

“The review panel does not support such a proposition.

“There is no evidence that the public is more likely to trust commissioners to handle personal confidential data than other groups of professionals who have learned how to work within the existing law.”

Last month Dame Fiona told HSJ the six information governance principles she formulated in her first review in 1997 were still relevant today.

The first review led to the introduction of “Caldicott guardians” responsible for data security in each organisation.


Speaking at the launch of the report this morning, health secretary Jeremy Hunt said it was “excellent”.

He said a fuller government response would follow but that he “welcomed the spirit” of the review. 

Questioned on whether the issue of patient consent to the sharing of their records, he said the NHS would not “cancel” existing agreements with patients who wish to opt out of but that there may be a case for “re-contacting people to explain the new arrangements”.

Patients will have a “veto” on their information being shared.

He said: “GPs will not share information with the Health and Social Care Information Centre if people object.

“There will be some overrides and very clear situations, a public health emergency, a life and death situation child abuse, these are the kind of overrides that people would expect.”

A summary of the review’s 26 recommendations and findings

  • The Information Commissioner’s Office and Care Quality Commission should work together in “ensuring the health and social care system is properly monitored”
  • Commissioners do not need dispensation from confidentiality, human rights and data protection law “since, with little effort, they can operate perfectly well within it”.
  • Every proposed use of personal confidential data should be reviewed by an appropriate guardian
  • Personal confidential data should only be used if is absolutely necessary
  • The minimum necessary amount of personal confidential data should be used
  • Everyone with access to personal confidential data should be aware of their responsibilities
  • The duty to share information can be as important as the duty to protect patient confidentiality

Readers' comments (16)

  • Doesn't recognise that commissioners need access to limited identifiable data (given that the appendix 5 includes admission date and discharge date as identifiers) to commission well, and that health is different. If Tesco can't access all the identifiable data they'd like to use for marketing, promotions etc, then they'll lose money, if an unsafe pathway is maintained because it is harder to link episodes of care, then people's health will suffer.

    Unsuitable or offensive?

  • Whilst I concur with the caveat of appropriate use of PCD data I take acception that NHS number and other material record fields to support commissioning are deemed to be not necessary in planning and managing patient services.

    Modern technology enables roll access security to ensure only appropriate staff view only relevant PCD data.

    How can you modernise a service and enagage clinical leadership behind a cloak of outdated data constrictions? The trust Fiona advocates should extend to CCGs to empower them to deliver what is needed by allowing them to locally manage their patient IG.

    Re-appoint Caldicott guardians within the CCGs to ensure appropriate use on the case by case basis and trust CCGs to manage what is in the best interest of their patients. Afterall that is what the legislation was intended to do wasn't it?

    Unsuitable or offensive?

  • It is perfectly possible to pseudonymise data at source in a way that allows linkage, and reidentification back in the practice or trust. It is the reluctance by organisations to explore and use this new technology that is worrying. see

    Unsuitable or offensive?

  • Apologies Anon 12:37 but I think that "pseudonymisation" is possibly one of the most flawed and potentially dangerous concepts that the NHS has ever come up.

    Because of the complexity of its implementation, many people have skirted around it by using things like the "Hospital Number". This is not a unique identifier and the same number can be potentially be issued to many difference patients with disastrous consequences.

    The NHS Number is a unique identifier that can be used safely to link data together without revealing a patient's actual identity.

    After all, if you left a piece of paper with your NHS number without any other identifying detail on a train no-one would be any the wiser as to whom it referred.

    Unsuitable or offensive?

  • "Every proposed use of personal confidential data (still not tightly defined) should be reviewed by an appropriate guardian".....

    NHS, you are paper-based and you are going to remain paper based. Caldicott, you are the new 'elf n safety

    Unsuitable or offensive?

  • So much for “Liberating the NHS”

    Unsuitable or offensive?

  • Deeply deeply disappointing. The tail wagging the dog, and the abstract concept of potential unspecified harm from privacy being used to outweigh real harm from commisisoning blind, and failing to deliver the much needed informaiton revolution- in fact going BACKWARDS. This approach to shackling information will cost more lives than mid staffs did, and more lost financial opportunity than any other pressure on the system. I despair. Fiona and review group - shame on you.

    Unsuitable or offensive?

  • If a statutory body cannot verify that a patient is one of their patients, they are acting ultra vires in funding care. Denying access to this information is the NHS going way further than the data protection act and is unworkable and silly.

    Unsuitable or offensive?

  • Opting out of sharing your data is a bit like opting out of getting your child vaccinated. Ultimately selfish, impacting on the health of others, and a disproportionate response to flawed fears about harm. Unbelievable that a certain section of the NHS not only puts up with it but almost seems to encourage it

    Unsuitable or offensive?

  • Spot on Annon 4.13. This is one of the worst reports of its type. Caldicott’s woolly principles, catch-all 'definitions' and unpaid and under qualified 'Guardians' have hobbled the NHS technology-wise for a decade. This latest report is equally amateur. Compare it to the US HIPAA legislation and weep. It would be funny if there was not so much a stake.

    Unsuitable or offensive?

  • Not a single technologist, security expert, database architect or consumer information professional on the panel...

    Unsuitable or offensive?

  • Make it a part of the duty for the NHS to consult widely and publicly when selling the data sets for commercial use. I am, as a citizen, not aware of my data being sold to Dr Foster, but it sure enough has access to all my HES data on a named basis. That data was sold without my consent. I have no objections to my data being used, by commissioners to progress my care and pay for it. But I object strongly to it being sold without my permission.

    Unsuitable or offensive?

  • What an excellent idea. The world will end if a blood sucking share obsessed capitalist right wing greedy corporate got hold of my terribly secret health info. Or my credit history. Or what I buy in a supermarket. Or what I buy in the High Street. Or whatever I write on social media. It would be much better if my terribly secret health info was kept by public sector organisations funded by my taxes but in silos so that health couldn't talk to social services or the voluntary sector or a social enterprise or a CIC. Because that would improve my health outcomes no end. And of course public sector organisations never lose data. Or sell laptops with confidential info on eBay. Or drop a USB stick. Or leave a stack of CDs on a train. But thank God no evil greedy business has my terribly secret health info. And I do look forward to an enormous public consultation every time any of those nasty organisations dares to dream of buying my terribly secret health info because I think that is an excellent use of my taxes in these austere times. God forbid that we should spend it on more nursing staff at my local hospital.

    Unsuitable or offensive?

  • Francis recommends that Information be “accessible and useable by all”
    Where’s the joined up thinking ?

    Unsuitable or offensive?

  • Aaggh, bangs head on desk. No end in sight then to pretty much insurmountable barriers to health and social care readily sharing information about patients in order to offer safer/more joined up care.
    The one pilot project of this nature that I was involved in required the clinical team to run through a three-page consent document with every patient to get individual consent to health and social care data sharing. Heaven forbid that we could just adopt a common sense attitude here and free up clinical time for important tasks like treating and caring for patients. What a bloody farce!

    Unsuitable or offensive?

  • In a modern world where people hand over personal details every day in order to buy goods the NHS makes it ever HARDER to share information in order to aid patient care. As someone else pointed out - the fact that the panel was devoid of technologists, security experts or consumer information professionals says volumes.

    Unsuitable or offensive?

Have your say

You must sign in to make a comment.

Sign up to get the latest health policy news direct to your inbox