Dame Fiona Caldicott: Data security in the NHS

Article information

  • Posted: Wednesday 06 July 2016

Speaking at our Digital Health and Care Congress on 6 July 2016, Dame Fiona Caldicott discusses the Review of data security, consent and opt-outs and the recommendations that it makes for keeping health and care data secure, building trust, and ensuring that the public is informed about how their confidential information is used.


I’m really grateful to The King’s Fund for hosting this session. As many of you will know, we began work on this back in September and the Secretary of State was very enthusiastic about a report to be in his hands by the end of the last calendar year, i.e. by the end of December. We thought that was a rather short timeframe given the scale of what he asked us to do and I managed to argue for another month – so he gave us to the end of January. That slipped a little bit because it did prove to be quite an extensive piece of work covering both data security, but also a new simple model for consent and opt out and we didn’t actually give him the report until the end of February, early March, and then of course we were caught up in the purdah associated with the European Referendum. So it has been quite a lengthy process in the end, but we took full advantage of the pause, while we couldn’t put it into the public domain, to talk to some of the stakeholders, listen to more members of the public and take on board some of the suggestions that are I think going to emerge in the consultation.

This is the background to this review. So as some of you will know, I have been here before. I did a review back in the 90s when we’d just begun to think about using computers in the health system and people were already aware that there were risks to individuals’ data and whether we were using identifiable information in the way that our Data Protection Act and other legal requirements required. So at that point, we looked at some of the issues that were arising and recommended some principles attached to using people’s information and to protect their confidentiality and that led to the establishment of the Caldicott Guardians in each health organisation across the NHS – rather to our surprise because as we did the work, we came up to the General Election of 1997 and we thought that maybe it would get lost in the post-election changes, but it didn’t get lost.

So then in 2012/13, I was asked by Andrew Lansley to begin a review of information governance which was to do with the fact that technology has obviously moved on a huge amount and there was a certain amount of concern amongst the public and patients about how their information was being used but also that it wasn’t shared as much as it should be in the person’s interest for improvement of their care or for research, other purposes within the system. That review found that we really did need a culture change, that the use of technology was gradually growing but we weren't keeping pace with what the public knew about that and indeed, that’s something that’s become evident in relation to this review as well.

So what we’ve done on this occasion is what we’ve been asked to do by Secretary of State back in September which was to look both at data security – are organisations, practices, care homes across health and care looking after people’s data in a secure fashion, both in terms of safeguarding it from careless misuse but also with a growing awareness of the possibility of cyber security threats? And he asked us to do this work with the CQC but he added to the part of it that I was to do to try to come up with standards that could be applied across both health and social care, so we were looking really at the whole system and how we could put good systems of security in place across all of them.

It was quite evident to those of us looking at these issues that the technology had advanced a lot, even from that secondary view that I’ve just described, 2012 to 13, but actually we hadn’t had many conversations with the public about how their data/information was used in relation to technological advances. So that seemed to be a focus that we really had to attend to during the work that we were asked to do. The other part of the review that he asked me to do was to look at a new simple model for consent and opt out which was again relating to the fact that across the system, we had a large number of ways in which patients could opt out from their data being used. The HSCIC I think describes now that there are about 40 different opt outs across the service, that people don’t understand what their rights are in relation to those and it is a rather confusing picture and you will of course be aware that in 2013/14 there was quite a lot of controversy about the programme known as care.data.

So what we’ve done in the work since September is to work closely with the CQC on the joint programme which was first of all to look at what sort of standards we can ask the CQC to inspect against and hold people to account for and we’ve come up with these three broad themes which are on this slide. So we found problems with people, with people’s confidence about how they ensure security of data and that they have appropriate training going through their careers and that they do that respectfully in accordance with the principles from that early report. The second area which has led to some difficulty are processes where there isn’t sufficient care that the systems are kept up to date – if you take the example of new staff coming into an organisation, are they given the means to access the patient record if that is electronic? Not using workarounds by sharing passwords and taking the risk of breaches of data security and then the third one, to ensure the technology itself is up to date and if systems are not being supported with current software and so on, those are themselves updated and secure.

So those are the three areas that we, with the CQC, found that we really need to attend to, and this was all against the background of increased public awareness of the use of their data in the system, more anxiety if you like about that, but quite a strong public view that if they knew more about it, they might well want people to use the information to improve services and to do research. So again really we were faced with a cultural issue. How much had we made it clear to the public, to those who use the services, that there were certain things happening to their data that they might wish to know more about, to discuss with us indeed, and to put better systems in place. So one of the things that we did in setting up the work was to have a number of focus groups – members of the public, professionals, stakeholders, people with an interest in the area – to listen very carefully to what people saw as the problem or the problems and one of the things that was very striking in those conversations is that many members of the public don’t know as much about this area as we might think that they do.

For instance, to take two rather contrasting aspects of that, people coming to the sort of hospital where I work – this is many people, I’m generalising in this talk obviously – but many people assume that that letter of referral from the GP into the consultant’s team means that wherever they go in the secondary care service, their information about their clinical problem is known, so they become very frustrated when they go from one department to another and are asked to repeat their history. Now there are good reasons for having to repeat your history because sometimes different things emerge and I, as a once-practising doctor, know that there are good reasons why you ask certain questions to hear the version that the patient’s experiencing at the time, but not the whole history of how they get to be sitting in your consulting room. So people find that actually quite frustrating.

On the other hand and in contrast to that, they do not largely know how much information moves around the health and care system about them. So if you take the example of commissioning and the fact that if a person goes on holiday to a different part of the country, the commissioner of the services where they receive treatment will want to invoice the commissioner from their home area where their care is part of the contract with the local provider. Most of the people we listened to in these discussions had no idea about that. Now one of the features of those conversations was that when you explain things to members of the public, by and large, they consent to that happening. They’re surprised at the different ways in which we make sure that the health service is as good as it can be – how do we develop services, plan them, pick up developing problems in the local hospital or wherever? But people really are not very knowledgeable about those things. They want to know and I think that’s a change from when we did our last review, that the public has become more aware, particularly those who in that period have consulted the service, but they want to know what’s happening to their information and they want to be asked about that being used in their interest.

So that has been a very striking development for us and it has led to one of the strong recommendations in the report which is about a dialogue with the public and this is a listening dialogue. People often talk about talking treatments; I actually like the expression “listening treatments.” It’s about hearing what people want to say to us and we haven’t been nearly active enough in having an on-going dialogue with people and with the professionals – those people I referred to earlier who don’t feel very confident always about how to safeguard and share information. There needs to be a much stronger on-going process of talking with each other about what the public expects and wants and we found in those various focus groups and telephone surveys and so on that we did, what had been found by several other bodies like Ipsos MORI, Wellcome, Healthwatch that when people are informed and asked, they are often very content for information to be used – particularly if it’s anonymised.

So they're not so concerned, the public, by and large about the security aspects of the review. They rather take for granted that we do look after their information – particularly the NHS. People have great confidence in the NHS to not only look after their information but to do the right thing and that leads me to touch on one of our other really important themes about this review which is that of trust. There has been quite a lot of suspicion, for reasons that you’ll be familiar with, about why data is used when that goes beyond using it for the person’s direct care and one of the things that this report is calling for is all of us, all of you in the room, all of the stakeholders, all of us working in the system, to develop more trust with the public, with patients, with care users, that their data is safe with us, we are looking after it through the ways that we’re describing in the recommendations and that we will only use it in ways that are lawful and to which they’re giving consent. Or where they’ve opted out of it being used and we won’t use it or it’s been anonymised and they will know that and be content with that. That was quite an interesting finding that if the data is anonymised, many people will then be content that it should be used.

So just looking at the model that we’ve developed, these are some of the points about it that we put up on this slide to reassure people that the law will be obeyed as far as their information is concerned. To reiterate the point which we’ve discussed with many of them that this health and care information is essential for high quality care – not just for the individual but to have more conversations with them about the benefits that come to the wider community if some of the information can be shared more broadly – both for running the service but also for doing research, to improve the treatments that we have to improve care and to help both individuals but also the wider community in relation to their illness and better treatments and so on.

So the theme of trust, the theme of more information available, not everybody in the community of course wants to know about these things. It isn’t immediately of great interest to everybody but some people do want to know and they are very knowledgeable. So part of the challenge for us in promoting this new consent opt out is to work with professionals, with the people delivering the service, in terms of how best to give information to people coming for care which will be immediately understandable and they can take decisions about whether they want to opt out under the model or not. When I use the term “public”, “the public”, I’m very aware that we’re talking about 60 million people which can be divided up into a huge number of different groups, and I think part of the challenge for us all is how we promote these conversations according to the people we’re working with, and this is going to vary geographically, with age, with very interesting views coming from young people about the use of social media, the difficult to reach groups who don’t always feel that we’re listening to them, I mean there’s a whole range of issues about how we get these conversations happening with different members of the community, and I do think we have to try really hard with that, taking on the advice that those who are used to having those sorts of conversations are able to do and it’s something that we’re already giving thought to in terms of the consultation on the report.

So it’s partly about communicating with people about the benefits of the wider use of information but also saying that under the NHS constitution, under this new model and certainly has been the wish of this Secretary of State that it should be made absolutely clear to people that they have a right to opt out of their information being used for purposes which are not their care. Now you will all immediately be thinking of areas where they don’t have that right if, for instance, we have an epidemic of some serious illness, there are various legal grounds on which they don’t have a right to opt out of information being used, but this is where those laws don’t apply that people will have a choice.

So categories of information that we’ve heard about and thought about, discussed with some people and are in the report are described as separate and to be considered both separately and together if that’s not too consuming. So here it gives you the two categories that we think broadly apply to information that is not direct care. There’s information that is used for running the service, to provide local services, to see if services are being improved when the outcomes are not as good as they could be – this applies to both health and care – but also the use of information in research and to find new treatments and again, to improve treatment and care. So one of the questions in the report, and I’d be interested in your views in a discussion is whether in the model we should be putting before people one question or two questions. You can make the case for saying the information associated with your direct care, you’ve already agreed to give that to the doctors, the nurses, the other people you’re seeing for care; that is there and agreed to be shared for your own care but all the other information and the purposes for which it might be used like running the service and/or research would be a single opt out that you could choose if you wish.

But of course, if we put that before members of the public, that actually encompasses a huge amount of health and care information and one of the things that we heard from people – both professionals and the public – was that actually they would like a little more choice if you like within that collection of information. So what we have suggested in the document is that people might have two choices. So if you think about the different sorts of information, they might wish to opt out of having their information used for running the health service or the care service, but they might wish to be part of research and indeed many patients do choose to opt in to research projects. So would it be better to put before the public a single choice, direct care good, all other purposes I want to opt out or does that actually encompass too much for some people who would want to make a more subtle distinction that they could opt out of having their data used for research but not for running the health service?

Because we tried to base this report on evidence and what we’ve actually heard from people and discussed with people, we didn’t hear enough about what the views were of one question or two questions. Some people have raised the question of why we don’t have more opt outs, more questions. The difficulty with that is you immediately get into a model which is not simple. So as soon as you start adding different possibilities to the two that I’ve described, we came to the view that that is not a simple model and it wouldn’t work for many members of the public which is what we heard from them. So this is the alternative if you like which is in the document to go in the consultation – do people think that we should have one general purpose which is secondary uses or other purposes than the direct care or should we have two?

So the other aspects of the opt out, the model, the two which are there are that this should be across the whole of the health and care system and should be respected by all the organisations providing care. Explicit consent which of course applies in coming to a health professional, a care professional for care is already in the system. That will still be there for research. So if people want to opt in to a research project because they’re interested in a particular illness which someone in their family has that they will be able to say, “I really want to be part of this clinical trial.” And what we’ve tried to do in the report and the work is not undo things that work really well at the moment like many members of the public choosing to be part of research projects. So that will continue and the things that are working well will continue. What we’re trying to do with the model is replace the system that we currently have of a number of opt outs which confuse people, they don’t know what their rights are, and we’re giving them a simple choice.

We do think as we have more conversations with the public and they become more aware of some of these issues, they may well tell us in due course that they would like more choices, but that is for the future. We didn’t think that this was the point at which we could do that, given what we were learning and hearing about the extent to which people know how information is used at the moment. So this will be respected across the entire system and it will not apply to anonymised information which is something that we did discuss again in our sessions and with stakeholders. What we want to say about anonymised information, so that the person’s identity is not made known in the sharing of the information, is that this will be subject to the code which has been developed by the ICO and which sets a really important and good standard for anonymisation. It’s quite a long document and I think we’re probably going to need to have a more simple users’ guide to it but interestingly enough, when we talked to the members of the public who we saw about anonymisation, explained that this meant they wouldn’t be known as an individual, they had no difficulty – most of them – in that information being shared without being subject to the opting out that I’ve just described to you. So it is going to be part of what we have to talk to professionals and people about in terms of the possibilities in relation to the model.

Here are a huge number of thanks that I wanted to make on this occasion. One of the things about doing this work is that we have had a great deal of interest in it – both from the public who’ve been invited to sessions and to discussions with us but also from all of these bodies and individuals who have been willing to give up the time at relatively short notice, given that we weren’t given a lengthy timeframe and people have worked really hard and we’ve heard from a lot of bodies, individuals representing bodies and that has been extremely helpful and makes us feel that the report and the recommendations are based on evidence rather than something that we thought might work.

So I’m aware that I’ve probably given a bit less to you as a more formal presentation, but I think it would be good to have a discussion and that’s what I’m here for really to do. Here’s the reference but you can pick up the report as you leave, and I hope you find it of interest. We have recommended really strongly to the Department of Health and to Government that there should be an active consultation on this. We want to hear much more from professionals and the public about what we’ve suggested and I understand that a Ministerial Statement was published just a few hours ago and that has been accepted, so I’m really pleased about that because we do want to hear more. As I say, we’re beginning a dialogue with the public. This is not the end of a process. This is about more information being exchanged and hearing and listening to what people think and what they want the system to do for them and I think we’ve produced a document which I hope you will agree goes some way towards beginning that process and we can now continue to reassure the public that the health and care system is to be trusted with their data and that we can put previous things that eroded that to some extent behind us.

Thank you.


Mary Hawking, retired GP
Comment date: 14 July 2016
Included in the report - but not in either this presentation nor, more importantly, in the Public Consultation (closing date 7th September) - is the abolition of Type 1 objections, i.e. the option of not allowing personal data to leave the GP surgery.
The replacement appears to be that the HSCIC - as the statutory safe haven - will receive all the GP medical records*, and de-identify or anonymise them - regardless of the Secretary of State for Health (Jeremy Hunt)'s assurance that patients could prevent this - and the patient can only choose between not allowing use for running/improving the NHS and/or not allowing use for "research".
What happens to previous commitments - or to those who simply don't trust the HSCIC? After all, this desire for government control of the contents of GP records goes back to 1995 - or earlier...