Will the Caldicott report, and the government’s response, deliver the urgently needed changes to patient data sharing, or will this be another opportunity lost, asks Stuart Knowles

This article was part of the Commissioning Legal Adviser channel, in association with Mills & Reeve. The channel is no longer being updated.

Dame Fiona Caldicott is right when she observes confusion and a lack of clarity when it comes to sharing information, often to the detriment of patients. A lack of clear systems and agreed processes hinders proper and lawful sharing, while health professionals can be overly concerned about protecting confidentiality.

Have we seen it all before?

Despite assurances from the Department of Health and the information commissioner, over the years we have seen ignorance and fear lead to inappropriate information sharing and, more often than not, a failure to share information even when it is required for the best patient care.

Sometimes it is the fault of the system and sometimes it is a lack of insight on the part of health professionals and managers. This is often driven by the fear of getting it wrong and incurring the wrath of the regulator.

In recent times, patient care pathways have been disrupted by a seeming inability to share patient-identifiable information between acute providers, community providers and social services. More recently, a large acute trust was told by a local GP to destroy its database of vulnerable patients with learning disabilities, as this was supposedly in breach of the Data Protection Act. This instruction was given despite the fact that no patient had complained; on the contrary, patients were grateful for the improved care and help that the information enabled the trust to provide.

‘We need clear and practical processes, and guidance to permit proper sharing, data security and information governance on a day-to-day basis’

The Caldicott report is full of detailed and rigorous analysis of the problems in sharing information within the healthcare sector. The recommendations are sensible and offer broad-brush solutions to the problems. We need clear and practical processes, and guidance to permit proper sharing, data security and information governance on a day-to-day basis. All parts of the health sector need to be able to confidently and consistently manage information governance.

The DH has promised its response during the summer. Hopefully it will seize this opportunity to put in place proper management of patient information in identifiable, de-identified and anonymised forms, and to allow clear, workable processes to evolve that all parts of the healthcare sector can apply with confidence.

Addressing the specifics

There is an urgent need to address the specifics. When to share and when not to share? How to share? When to anonymise and when to share identifiable information? What security arrangements should be put in place? What about third party contractors, private and third sector suppliers? The list goes on.

Dame Fiona tries to reconcile the need for patient confidentiality with the need to share patient information. The review clearly states that patients should not be put at risk by clinicians making treatment decisions from inadequate information.

Health secretary Jeremy Hunt said: “The Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient.

“The report calls on the NHS to share more effectively, but also for patient confidentiality to be respected. While the aim is to use technology to improve the quality of healthcare, the rights of individuals need to be recognised.”

He added: “While the report calls for unlawful data processing to be reported as a data breach, and a failure to meet the requirements of the Data Protection Act 1998, it is also clear that the act should not be seen as an impediment to proper and lawful sharing.

“The report identifies a need to tackle the culture of fear that means healthcare professionals do not share personal information as often as they should. Dangers to patients multiply if there is a poor handover of information between care teams. At the same time, the review is clear that there should also be better monitoring and control of who has access to records, and that what people can see should be limited to what is required to provide good care.”

‘Safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception’

Dame Fiona noted: “Safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception. Our conclusion is that the balance isn’t right… People have become overly concerned about protecting confidentiality.

“We certainly heard about situations where there was agreement about sharing across boundaries, but then somebody in a managerial position would decide that the systems were not giving enough protection of confidentiality and the agreement was stood down… People do not like that in relation to their own wellbeing and how they are looked after.

“We shall see what happens. The role of the information commissioner cannot be overlooked. His office is clear that the NHS is seen as a serial offender when it comes to data breaches. Is it any surprise that NHS managers and clinicians are cautious? Having said that, the report is clear in one other important aspect: between June 2011 and June 2012 there were 186 serious data breaches notified to the DH. However, these all related to data losses and security breaches and not to data sharing. In reality, the DPA should not be seen or used as an impediment to proper sharing of patient information.”

Caldicott principles

The review panel recommends that the revised Caldicott principles should be adopted and promulgated throughout the health and social care system. These are:

  • Justify the purpose(s) of every proposed use or transfer of personal confidential data within or from an organisation. These should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian
  • Don’t use personal confidential data unless it is absolutely necessary
  • The need for patients to be identified should be considered at each stage of satisfying the purpose
  • Use the minimum necessary personal confidential data
  • Access to personal confidential data should be on a strict “need to know” basis
  • Everyone with access to personal confidential data should be aware of their responsibilities
  • Comply with the law. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements
  • The new principle: the duty to share information can be as important as the duty to protect patient confidentiality

Dame Fiona recognises a cultural issue here, but one that can be tackled from within by senior individuals looking carefully at how information governance affects their work.

There is also an emphasis on clear explanations to patients as to how their information could be used and shared, including in anonymised form, and a recognition that patients should be given an opportunity to object to sharing, though the consequences of refusing consent to sharing should be clearly set out.

The report makes an important distinction between:

  • fully anonymised information, which can be freely disclosed; and
  • de-identified information, where pseudonyms or coded references are used and where identity could be pieced together again, which should still be treated as personal data.

De-identified information should be handled only in clearly defined safe havens. The Health and Social Care Information Centre is to be set up as such a safe haven and should also set out a clear code for accrediting other safe havens. Even here, de-identified information should not be linked to personal confidential information unless there is a clear legal basis. Contracts and processes need to be clearly established to permit lawful processing of this information. It is envisaged that such data, for example for research, audit and public health purposes, should make maximum use of privacy-enhancing technologies and “robust governance arrangements”.

On a related point, the report also makes clear that there is a need for education and training within the health sector. Hopefully this can come as part of the guidance issued, and decisions taken, in the coming months. Dame Fiona noted: “Everyone working in the health and social care system should see information governance as part of their responsibility. Unfortunately, this is not currently the case.”

The recommendations

On balance, it seems the main thrust of the report is that there should be greater information sharing and an improved quality of the data held as part of the drive to a paperless NHS. All this needs to be done in a careful way. Dame Fiona restates the Caldicott principles revised for the 21st century. An important seventh principle is set out in the report:

The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

For ease of reference, here is a summary of some of the main recommendations as they are likely to affect healthcare providers. Dame Fiona puts greater sharing at the forefront of her recommendations, provided, of course, it is in the interests of the patient. The full set of recommendations with explanations is set out in the report.


People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge. An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records. The DH and NHS England should drive a clear plan for implementation to ensure this happens as soon as possible.

For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual. Health and social care providers should audit their services against NICE clinical guideline 138.

The professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care. Where care is delivered by multidisciplinary teams, the review recommends that registered and regulated social workers be considered part of the care team. Relevant information should be shared with members of the care team when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves of providers’ performance.

The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach.

‘Health and social care professionals should have the confidence to share information in the best interests of their patients’

All organisations should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to withhold consent. People are entitled to have their consent decisions reliably recorded and available to be shared whenever appropriate, so their wishes can be respected. Guidance on recording consent decisions and a strategy on sharing should be developed.

The linkage of personal confidential data, or data that has been de-identified, but still carries a high risk that it could be re-identified with reasonable effort, from more than one organisation for any purpose other than direct care should only be done in specialist, well governed, independently scrutinised and accredited environments called “accredited safe havens”.

The information centre must detail the attributes of an accredited safe haven in their code for processing confidential information.

The boards or equivalent bodies in NHS England, CCGs, Public Health England and local authorities must ensure they have due regard for information governance and adherence to its legal and statutory framework. An executive director at board level should be formally responsible for the organisation’s standards of practice in information governance. Performance should be described in the annual report or equivalent document and boards should ensure that the organisation is competent in information governance practice, and assured of that through its risk management.

The DH should recommend that all organisations within the health and social care system appoint a Caldicott guardian.

All health and social care organisations must publish in a prominent and accessible form a description of the personal confidential data they disclose, a description of the de-identified data they disclose on a limited basis, who the disclosure is to and the purpose of the disclosure.

‘I think that most NHS patients would be astonished to know that their information doesn’t flow around the system’

The Department of Health should lead the development and implementation of a standard template that all health and social care organisations can use when creating controller to controller data sharing agreements. The information governance advisory board should also ensure that the health and social care system adopts a single set of terms and definitions relating to information governance that both staff and the public can understand.

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

This is not going to be easy. It could easily be an opportunity lost. There is a clear need for a shift in culture, both to share information appropriately and to manage data sets properly and lawfully for purposes other than direct patient care.

However, in the final analysis a recent quote from Jeremy Hunt springs to mind: “I think that most NHS patients would be astonished to know that their information doesn’t flow around the system.”

The government accepts the spirit of the recommendations. We shall see what happens when it sets out its full response. The government is also expected to accept that patients should have the right to opt out of the NHS data-sharing plans. Urgent, clear and practical guidance and systems are needed. They need to be agreed by all stakeholders.

Stuart Knowles is a consultant at Mills & Reeve