Caldicott 2: To share or not to share

Dame Fiona Caldicott's long awaited report on service user confidentiality in the health and social care system was published last week. Eleanor Tunnicliffe explains how the findings affect all organisations working in the health and social care sector.

Since its inception, the Coalition has promoted smarter and freer use of public sector information as a way of cutting costs and improving services. For example, readers may recall the publication of information from the COINS database (the database for UK government expenditure), which it was hoped would be scrutinised by an "army of armchair auditors".

In December 2011 the Government announced that it wanted to allow patients' records and other NHS data to be shared with private life science companies, to make it easier for them to develop and test new drugs and treatments. Concerns were raised about what that might mean for patient confidentiality. This and other issues prompted the instigation of Caldicott 2, in which Dame Fiona was asked to review information issues across the health and social care system.

Dame Fiona first investigated issues surrounding confidentiality when she chaired a similar review in 1996-7 on the use of patient data in the NHS. That review recommended that the NHS adopt six principles for the protection of confidentiality, which became known as the "Caldicott principles". The review also recommended that NHS organisations appoint someone to take responsibility for ensuring the security of confidential information. These people became known as "Caldicott Guardians".

The reach of Caldicott 2 – "Information: to share or not to share" – is far wider than the 1997 report. Its recommendations affect all organisations working in the health and social care sector – including local authorities – and, if adopted, will have a significant impact on the way that local authorities operate.

On 26 April, the Secretary of State for Health, Jeremy Hunt, welcomed the report and announced that Dame Fiona will chair an independent panel to oversee and scrutinise the implementation of the recommendations in Caldicott 2. The Government will provide a full response to the Caldicott review in the summer.

Themes & key recommendations

"Paradoxically, criticism that the bureaucracy of information governance is standing in the way of sensible information sharing among professionals has gone hand-in-hand with equally vociferous criticism that the system is not doing enough to combat laxity in the protection of confidential data and information. There is a perception that too much information is being disclosed inadvertently as well as too little being shared deliberately. Furthermore there is uncertainty among many patients and users of services, who are unaware of how personal confidential data about them is collected and shared."

This quotation (see page 26) neatly captures three themes of the report; namely the need to:

  • Protect patient and service user confidential data from inappropriate use and disclosure.
  • Address the unhelpful "culture of anxiety" that surrounds sharing patient confidential data, that is often detrimental to care.
  • Improve service users' understanding of how their data is used.

The main areas of interest to local authorities are what the report says about:

  • Information governance within all organisations in the health & social care sector.
  • The way social workers share information with NHS colleagues.
  • Rights of service users to access their data.
  • How data is used to inform decisions about public health services.

The report's key recommendations under each of these headings are set out below.

In the spirit of the report, this article adopts the terminology that the report suggests should be adopted across the health and social care sector. "Personal confidential data" is defined in the report as "Personal information about identified or identifiable individuals, which should be kept private or secret". It includes information about the deceased.

Governance

  • Data breaches should be reported at Board level and in the annual report. Data breaches include not only incidents of data loss but also any use of personal confidential data – such as linking and sharing – which does not have a legal basis.
  • Local authorities must ensure that a Director at Board level is formally responsible for information governance and appoint a Caldicott Guardian to oversee the use of personal confidential data.
  • Local authorities should audit their data sharing arrangements against the NICE clinical guideline 138.
  • The report identifies particular issues around the increasing trend for "family records" following the Munro Review. These are records which use technology more efficiently to maintain both individual and family views of the data. Such records pose their own particular problems, in particular (1) the need to present a meaningful record for each individual family member without compromising the privacy of others; and (2) the need to deal differentially with information provided by third parties which may be shared with some agencies and not others, or some family members and not others. The report recommends that initiatives using such records (the recent troubled family initiative springs to mind) should be examined in detail to ensure compliance with the right to respect for family and private life under Article 8 of the European Convention on Human Rights.

Improving sharing between health and social care professionals

  • There is a new Caldicott principle, that the duty to share personal confidential data can be as important as the duty to respect service user confidentiality.
  • Registered social workers working with a patient should be considered to be part of the patient's care team. This means that the patient is taken to have given their implied consent to relevant information being shared with the social worker for the purpose of their care.
  • Information can also be shared by the NHS with registered professionals working in care homes or providing care in a patient's home on the basis of implied consent, unless the patient has objected. The situation is more complicated where care is provided by unregistered staff and the report has a checklist that should be worked through in such circumstances.

Extending service user rights

  • The report recommends that the rights, pledges and duties in the NHS Constitution should be extended to cover social care.
  • People should have the "fullest possible" access to their own electronic social care records without charge (unless a full subject access request is made). This includes providing a service user with a copy of the audit trail of their records which sets out anyone and everyone who has accessed their information. From 2023, people should have full access to any of their social records held electronically. The report also provides guidance about providing service user information to carers.
  • Service users should be copied in when their information is moved between organisations or care settings.
  • While implied consent may be used to share relevant personal confidential data for a person's care, the report recommends that express consent should be sought from individuals before their entire care record is moved to a new organisation, even when this is for the purposes of direct care.

Public health

  • The report recognises that it may sometimes be necessary to use patient confidential data in order to carry out analyses necessary to drive improvements in public health. It suggests that such use should be treated as research and that local authorities learn from the rigorous processes that have been developed in the research community to gather and use information in such circumstances.
  • The report's authors are less persuaded about the need to use patient confidential data to inform the commissioning of healthcare services. The report concludes that there is a need for greater clarity as to how the analysis of data for public health (outlined above) relates to the analysis of data for commissioning purposes. It appears that the authors were concerned about unnecessary duplication.
  • The linking of data for reasons other than direct care for an individual should be done in an accredited safe haven.
  • The Secretary of State should establish a "task and finish" group to examine whether the use of personal confidential data for public health functions should be covered by new regulations.

Speaking at the Electronic Patient Records Conference, Jeremy Hunt said that while effective sharing of patient information has enormous potential to improve patient care, services and treatments, this can only be done effectively if patients are given a say over how their personal information is used.

He announced that:

  • Any patient that does not want personal data held in their GP record to be shared with the Health and Social Care Information Centre will have their objection respected.
  • Where personal data has already been shared from a GP practice to the Information Centre, a patient will still be able to have the identifiable information removed.

Conclusion

One of the key themes of the report is the culture of anxiety that surrounds the sharing of patient confidential data. This culture is not surprising given the complexity and opaqueness of the legal issues that those on the ground need to navigate. Getting to grips with the law of confidentiality, the Data Protection Act and human rights considerations under Article 8 is not easy. In many cases there is no clear-cut answer to the question "To share or not to share?" and it is a case of balancing different interests against one another to arrive at a practical conclusion.

The Law Commission has announced that it is about to review the law on data sharing between public bodies. A consultation will be published later this year and it is intended that a report on the scope and scale of the legal issues involved will be published in May 2014. In the interim, Caldicott 2 is a valuable contribution to helping organisations, individuals and service users navigate around complex legal issues.

Eleanor Tunnicliffe is an Associate at DAC Beachcroft. She can be contacted on 0113 251 4732.