Dame Fiona Caldicott is National Data Guardian for health and care.
Ahead of her speaking at our Digital Health and Care Congress in July, we talk about her recent review, data-sharing and the security of data in the health and care sector.
Would you be able to give us an update on your review into the security of health and care data and your work on a single consent model for data sharing?
The Review is now complete and I have provided it and the recommendations to the government. I look forward to the report being published in due course and to working with government and health and care organisations on the implementation of the recommendations.
I was pleased that during the course of our work we were able to engage with a wide range of stakeholders including: patient and service user groups; members of the public, through focus groups and an online survey; clinicians; medical royal colleges; the BMA; the Information Commissioner's Office; service providers; commissioners; researchers; providers of IT systems and data security experts.
Their input was vital to our work in developing new data security standards to be applied across all organisations using health and care information, and a new opt-out.
What do you hope the impact of both elements of the review will be?
My report and its recommendations are about trust.
If the public is willing to trust health and care services with its data, there can be huge benefits for everyone. ‘Information about me’ can be combined to create ‘knowledge about us,’ which is vital for a wide range of uses, from researchers finding breakthroughs in life-saving medicine to regulators realising promptly when things go wrong.
But there is little public awareness of the way that information is shared, and that trust has not yet been earned. There must be an honest and ongoing conversation with the public and professionals about how data is used and about the choices that people should have and how they can make them.
The Review proposes new data security standards and a new way in which individuals can opt out of their information being used for reasons other than their individual care. I am very clear that the publication of our report is not the end of a process. The Review should continue a dialogue that has begun, with the public; professionals such as doctors, social workers and nurses; the government; medical researchers; health care planners; suppliers, and others.
Have you uncovered any new issues around data security in the NHS in the course of your current review?
The Review team found a lot of good practice. However, there are inconsistencies across the system, which is why clear, agreed standards are needed.
It is essential that we build a robust data security system that protects patients from malicious threats or common human errors, as far as it is possible to do so.
It is vitally important that we are never complacent about protection of the precious health and care information of patients and service users. I am optimistic that if the recommendations of the Review are accepted we will be moving to an even more reliable and trustworthy system.
We're really looking forward to hearing your keynote at our Digital Health and Care Congress in July. What do you plan to speak about at the conference?
I'm very much looking forward to the event and to discussing the part that I hope the audience will be able to play in advancing the areas for progress identified by the Review.
I'm clear that the benefits that can be achieved by data-sharing still need to be communicated to the public, and that all health, social care, research and public organisations should share responsibility for making that case. I would also like to hear whether those attending believe that our thinking on data security is identifying the right areas for action and the most effective approaches.
Those attending your congress include leaders and participants in the system who will be essential in bringing about these changes and so I am looking forward to engaging with them about this.
Are there quick wins for data-sharing throughout the NHS that are being held back at the moment?
When we undertook the Information Governance Review, which was published in 2013, we identified a culture of anxiety around the sharing of data for direct care. This was felt by managers and frontline professionals, and particularly when information needed to be shared across organisations and/or between the NHS and local authorities or private sector organisations. This is why we introduced the new and seventh Caldicott principle, which is that the duty to share information can be as important as the duty to protect patient confidentiality.
I think that we are still a long way from changing this culture of anxiety. If we could remove that fear, it would lift many of the frustrations around information-sharing experienced by professionals, patients and service users.
Do you feel it's within your remit to argue the case publicly for the linking of personal and potentially sensitive data across multiple datasets, both within health and social care, but also for secondary use in research?
I am in no doubt that information is essential for the provision of high-quality health and care and for the running of the health and social care system. It is also essential to improve the safety and quality of care, including through research, to protect public health, and to support innovation. However, the case for data-sharing still needs to be made to the public, and I think everyone across the system shares responsibility for making that case.
It is the case that we are all protected by the law - whether we opt out or not. In engaging with the public for the Review we found that people tend to support their personal confidential data being used where they can see the benefit, but they want to be given a choice. For those who do not support the use of their data for these purposes, there should be an opt-out.