The Caldicott review into information governance in health and social care is likely to recommend a new duty to share information between agencies where it is in a patient’s best interests.

In an exclusive interview with HSJ Dame Fiona Caldicott, who has been leading the review for the past year, said the six information governance principles she formulated in 1997 were still relevant today.

Her previous review led to the introduction of “Caldicott guardians” responsible for data security in each organisation. However, she said her current review would propose two modifications to the rules.

“We’ve suggested a new principle which is about the duty to share information in the interests of the patients’ and clients’ care,” Dame Fiona said.

The move would balance a tendency towards caution over sensitive information, even where sharing it between health or care providers could lead to better care, she said.

Dame Fiona said NHS staff had “gone a little too far towards worrying about confidentiality in some instances, [rather than] thinking, ‘is it my duty in relation to this person in front of me to share some information about them, to discuss that with them so there are no surprises, but to make sure that what is necessary for their ongoing care is shared with the appropriate people?’”

The duty to share would apply to NHS and social care providers and commissioners.

However, she acknowledged that the IT systems in place in many trusts at the moment would be a barrier to information sharing. “I’m not suggesting for a moment that everything in this report could be achieved in the next few months,” she said.

IT systems “will need a lot more work going forward to achieve what we want for integrated care,” she said.

Dame Fiona also argued that more needed to be done to support staff in making decisions over when to keep information confidential and when to share it. Responsibility for that lies with trust leaders and with professional regulators such as the General Medical Council and Nursing and Midwifery Council, she said.

The current powers available to the Information Commissioner to fine NHS bodies for data security breaches as they currently stand are “sufficient”, said Dame Fiona.

Her inquiry has been looking at the affect those penalties have on individuals and organisations. One of the things that we’re interested in is whether there are less extensive penalties that could be more straightforwardly applied within organisations to make it clear to staff that they have to apply the rules.

“[It would be] much more about making staff aware of what the risks are if they don’t treat patients identifiable data very carefully, and then having a system within organisations which support them in order to achieve that.”

The Caldicott review is expected to report back to health secretary Jeremy Hunt by the end of March. It is currently expected to be published, along with the health secretary’s response, on April 17.

Restrictions on CSUs

Dame Fiona has confirmed commissioning support units will not have the legal status necessary for them to process patient identifiable data.

HSJ reported in December CSUs were not expected to be able to hold identifiable data – preventing them from providing important data storage, processing and analysis services to clinical commissioning groups.

Dame Fiona said this week that remained the case.

The issue was not one of main areas of focus for the Caldicott review. “We see it as a problem for others in the future,” Dame Fiona said.

Therefore the NHS Information Centre, which does have the required status, is likely to provide storage, cleansing and encryption services to CCGs.

CSUs will still be able to use encrypted patient data.