Caldicott: hints of latest report escape from purdah
- 7 June 2016
The debate over whether or not the UK should remain part of the European Union has been blamed for lots of things, from frightening off investors to clogging up the airwaves with rhetoric.
But one presumably unintended consequence of this month’s referendum has been a further delay in the publication of reports widely seen as crucial to promoting data security in the NHS, encouraging information sharing, and sorting out the mess around patient opt-outs from sharing initiatives.
Long-anticipated reports by the National Data Guardian and the Care Quality Commission have fallen victim to the Purdah convention that means that governments are banned from saying or publishing anything that might influence voters’ decisions in the four weeks leading up to a vote.
Whether publication now would make a vote for Bremain or Brexit more or less likely is moot; but what is clear is that we won’t have a definite idea of what’s in the reviews until the end of June at the very earliest. Or will we?
Perhaps frustrated by the delay, last month the office of the National Data Guardian and the CQC took the step of pre-empting publication by sending out a “dear colleague” letter to update trusts.
Signed by National Data Guardian Dame Fiona Caldicott and by CQC chief executive David Behan, it sets out some key principles, as well as actions that the authors say can be taken now. But before looking at the likely content of the reviews, it’s worth considering why they were set up in the first place.
The long shadow of care.data
Back in September 2015, health secretary Jeremy Hunt asked the CQC to undertake a review of data security in the NHS. Meanwhile, the National Data Guardian was tasked with developing new data security standards for the NHS and social care, as well as a method of testing compliance.
Dame Fiona was also asked to develop an opt-out model so that people who didn’t want their data to be shared could say so. This, of course, was against the background of the outcry in some quarters over care.data.
This is the controversial programme to expand the Hospital Episode Statistics, to link them with other data sources (including GP data), and to make the new datasets available to others, including researchers but also commercial partners.
When it emerged that publication was to be delayed, concerns were expressed about the impact on a number of data collection projects, including care.data. After all, when the review was set up it meant that ongoing efforts to tackle the issues that had been raised were stalled. Projects affected included four care.data “pathfinder” trials to communicate risks and benefits to the public, and educate them on how to opt out.
Des Ward, the information governance director with Innopsis, an industry association for companies driving information sharing for public services, believes that the review is still valuable. “There’s quite a challenge, whether perceived or real, about sharing information,” he says. “Having a review where there are challenges is a good idea.”
For him, the issue isn’t so much about technology and security as about governance and risk – and he is optimistic that the reviews will recognise that. “The health and social care sector has been struggling about how to share information,” he says with masterly understatement.
“We need to look at key areas: what information do you have, what format is it held in, where is it stored, and what are the handling and legal obligations? This sounds complex; but it’s actually not. The problem is that when we go down a purely technical approach, then you forgo that. Understanding that governance is the most important thing is crucial.”
Dear colleague: start now
The “dear colleague” letter suggests that this has been taken on board. The letter is framed round three key themes fundamental to the secure handling of data: people, processes and technology.
It says that appointing leaders (in each organisation) who have responsibility and accountability for data security is as vital as it is for clinical and financial management and accountability. Interestingly, it encourages organisations to have individuals in the roles of senior information risk owner or SIRO and Caldicott Guardian at board level – something that was already supposed to be in place.
The letter also says that organisations should have processes to prevent or deal with breaches in data security, and that they should make sure their IT estate is supported to “mitigate the evolving cyber security threat”.
The new National Data Guardian standards have been designed around these themes, and are designed to be as relevant to GPs and smaller care providers as they are to larger NHS trusts.
A spokeswoman for the Office of the National Data Guardian says that while the letter has been sent to trusts the office is now engaging with other parts of the system ahead of the publication of the full report.
“We have been encouraged by the interest that there has been in our review and the new standards we have developed,” she says. “The letter highlights some of the key principles and actions that all organisations across the system can consider ahead of the publication of those standards to continue the important work of securing data.”
The update reveals little on the proposed opt-out model where data is shared for purposes beyond direct patient care, but does stress that organisations should ensure there’s a clear view of all data flows, and the purposes and legal basis for them.
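The letter’s point about a clear view of every data flow, with its purpose and legal basis, is the kind of thing that can be checked mechanically once a register exists. The following is an added example, not code from the article, the National Data Guardian or the CQC: it models a small data-flow register and flags the gaps a governance reviewer would look for (flows with no recorded purpose or legal basis, datasets that are not in the asset register, identifiable data used beyond direct care without the opt-out applied, and duplicated flows). The field names, the check rules and the sample flows are constructed assumptions.

```python
"""Minimal data-flow register check (added example; constructed data)."""
from dataclasses import dataclass


@dataclass
class DataFlow:
    flow_id: str
    source: str
    destination: str
    dataset: str              # name of the dataset being moved
    purpose: str              # why the data is shared ("" = unrecorded)
    legal_basis: str          # e.g. "direct care", "s251", "consent" ("" = unrecorded)
    identifiable: bool        # does the flow contain patient identifiers?
    direct_care: bool         # is the purpose direct patient care?
    honours_opt_out: bool = False  # is the patient opt-out applied before sending?


def check_register(flows, known_datasets):
    """Return a list of (flow_id, finding) tuples describing governance gaps.

    known_datasets: set of dataset names held in the information asset
    register; a flow moving a dataset outside that set is 'unknown data'.
    """
    findings = []
    seen = {}  # (dataset, destination) -> first flow_id that sent it
    for f in flows:
        if not f.purpose.strip():
            findings.append((f.flow_id, "no recorded purpose"))
        if not f.legal_basis.strip():
            findings.append((f.flow_id, "no recorded legal basis"))
        if f.dataset not in known_datasets:
            findings.append((f.flow_id, f"dataset '{f.dataset}' not in asset register"))
        # Secondary uses of identifiable data must honour the patient's opt-out.
        if f.identifiable and not f.direct_care and not f.honours_opt_out:
            findings.append((f.flow_id, "identifiable data used beyond direct care without opt-out applied"))
        # The same dataset sent to the same destination twice is duplicated sharing.
        key = (f.dataset, f.destination)
        if key in seen:
            findings.append((f.flow_id, f"duplicates flow {seen[key]}"))
        else:
            seen[key] = f.flow_id
    return findings


def unreferenced_assets(flows, known_datasets):
    """Datasets held but never flowing anywhere: candidates for review or deletion."""
    used = {f.dataset for f in flows}
    return sorted(known_datasets - used)


# Constructed sample asset register and flows (hypothetical, not real NHS data).
ASSET_REGISTER = {"HES extract", "GP summary", "Staff rota", "Legacy audit export"}

SAMPLE_FLOWS = [
    DataFlow("F1", "Trust PAS", "Ward system", "GP summary", "direct care", "direct care", True, True),
    DataFlow("F2", "Trust DW", "Research partner", "HES extract", "research", "s251", True, False,
             honours_opt_out=True),
    DataFlow("F3", "Trust DW", "Commercial analytics", "HES extract", "", "", True, False),
    DataFlow("F4", "Trust DW", "Research partner", "HES extract", "research", "s251", True, False,
             honours_opt_out=True),
    DataFlow("F5", "Old server", "Archive", "Unregistered dump", "unknown", "unknown", False, False),
]

if __name__ == "__main__":
    for flow_id, finding in check_register(SAMPLE_FLOWS, ASSET_REGISTER):
        print(f"{flow_id}: {finding}")
    print("held but never used:", unreferenced_assets(SAMPLE_FLOWS, ASSET_REGISTER))
```

Run against the sample register, the check reports three gaps on F3 (no purpose, no legal basis, opt-out not applied), a duplicate of F2 in F4, and an unregistered dataset in F5, while `unreferenced_assets` lists the two datasets the organisation holds but never uses, which is the “duplicate or unknown” data Ward describes later in the piece.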
Public opinion
This last point in particular chimes with the findings of research by the Wellcome Trust, published in March. The trust commissioned polling organisation Ipsos Mori to conduct a piece of social research based on a survey of more than 2,000 people across the UK and workshops with more than 200 participants.
The idea was to drill down into public understanding and attitudes to commercial access to health data – one of the main concerns raised about care.data.
The picture that emerged was far from clear-cut: only a narrow majority (53%) were happy for their data to be used by commercial organisations if it was for research – with that figure rising to 60% if lack of data put in jeopardy research that would have benefits to society.
But the survey showed that 17% were against private companies having access to their health data in any circumstances, and most people were extremely wary of insurance or marketing companies having access to data.
The research was timely, said Natalie Banner of the Wellcome Trust’s policy department, because it should help the then ongoing Caldicott review. Writing on the trust’s website, she said: “Overall, the findings from this research make a strong case for there being much more open, honest communication with patients about how their data is used.
“Research can bring some amazing benefits in terms of better patient care and improving health, but people want to know more about why data from their records is important to enable this research to happen.”
She said that the government and the NHS need to be really clear who can and can't have access to health data and what restrictions and safeguards are in place to protect it, including “red lines”, for example for insurance and marketing uses.
“It's also important for those who really don't want their data to be used by anyone beyond their care that there’s an option to opt out and a clear explanation of how this choice will be honoured.”
The Wellcome Trust has made six recommendations “to avoid making the mistakes of care.data” back in 2014 – and it’s unlikely that they are working along markedly different lines to the latest Caldicott review, particularly as they could be seen to cover the same themes, at least in terms of people and processes and trust and transparency.
It’s all about risk
According to Ward, trusts and other organisations actually have a financial motive for getting it right, in addition to the information governance imperative. “Estimates are that the cost of protecting and managing data that you don’t need to protect or manage because it’s either duplicate or unknown is running into millions of pounds,” he warns.
He believes the latest reviews will continue to reinforce processes that have been underway for more than a decade, pointing out that, ironically, the UK government and the NHS were at the forefront of an approach that manages risk rather than concentrating on technology.
“They [people in the public sector] have to share, but the temptation is not to share,” he says. “You have to govern the information correctly, and manage it according to the obligations under law, which is exactly what the Caldicott review update letter is talking about in terms of people, processes, technology and governance.”
He warns against creating a system that sets up so many hurdles to information sharing that it prevents frontline care from doing its job. “It’s about risk, it’s about understanding risk, and getting it right. We don’t need more technology, we’ve got great technology. But we focus too much on the technical platforms that we’re using rather than the information itself.”
“Understand what you have, protect what you need to, behind strong controls, but then open up a safe (rather than secure) access, a risk-managed access to data across the piece.”
Indeed, he believes that the whole area has moved from a traditional security to a management issue; it will be interesting to see if the reviews agree – after 23 June, of course.