Government advised to keep tight controls on CCG data access

The long awaited review by Dame Fiona Caldicott called on ministers to “consider” the controversial Care.data programme, in what could represent another serious blow for the embattled programme.

The national data guardian’s review of data security, consent and opt-outs was due to be published this morning.

The review was commissioned by health secretary Jeremy Hunt in the wake of the Care.data debacle, which sparked significant concerns around how patients’ confidential data is used and shared. Care.data is currently on pause after it was accepted that sufficient care had not been taken over patient consent for sharing their data.

Dame Fiona’s review will propose a new model for how patients are able to opt out of their data being shared for purposes beyond direct care.

She recommended that opt outs should apply to use of patient identifiable data for commissioning, apart from for invoice validation, and certain other limited circumstances.

Clinical commissioning groups have consistently raised concerns that they cannot carry out their statutory duties without full access to patient identifiable data, which primary care trusts had before they were abolished in 2013.

Invoice validation has been one of the most crucial areas – so Dame Fiona’s recommendation of full access for this purpose will be welcome. However, the potential blocks on data for other purposes may be viewed by commissioners as a blow.

Dame Fiona’s report recommended the Department of Health should “clarify” the legal framework for commissioner access to patient identifiable data.

However, she is still largely of the view expressed in her 2013 information governance review, that data flows should be organised so commissioners can carry out their duties without patient identifiable data.

As of May, around 1.5 million people had registered to opt out of the Care.data programme, requesting their records do not leave their GP practices except for direct care or in “exceptional circumstances”.

Dame Fiona did not go as far to call for Care.data to be axed, but her recommendation that ministers “consider” the project will be viewed as ominous.

The review is due to advise on the “wording for a new model of consents and opt-outs, to enable patients to make an informed decision about how their data will be shared”.

HSJ understands the review team was keen to make the options as simple as possible, because there was a high level of confusion about the issue among both patients and health care professionals.

However, patients told Dame Fiona’s team they preferred to have more than one choice, so the review leaves open the option of a two-choice opt outs.

These would be: an opt out for patients not wanting their data shared for NHS and social care purposes; and a second opt out for those not wanting it shared for research purposes.

The report will recommend no patient identifiable data should be used for marketing or health insurance, unless the patient has given explicit consent, it is understood.

However, there are times when private providers are working to provide NHS services, so whatever consent model is put in place, it will need to ensure that such data flows are not blocked.

The review will call for a public consultation to trial different wordings with patient groups and professionals.

Dame Fiona’s review will emphasise that significant work needs to be done on public awareness and education, which is likely to take time.

The report will also:

• Set out new data standards which every NHS organisation will need to adhere to.
• Raise concerns about the significant use of NHS of outdated software systems, such as Windows XP, which are now susceptible to a range of computer viruses, Trojans, spyware and malware.

Dame Fiona finished her review in May but its publication has been delayed by the EU referendum. A letter sent she sent to NHS organisations in May said they should identify “the appropriate leaders in your organisation with responsibility and accountability for data security is vital, just as it is for clinical and financial management and accountability”.

It added: “We would encourage you to ensure you have individuals in the roles of the senior information risk owner and the Caldicott Guardian at board or equivalent level, and that they are registered with the Health and Social Care Information Centre [now NHS Digital].”