07.07.16

Dame Fiona Caldicott: We’re not quite ready for sharing back-office function on data security

Source: NHE Jul/Aug 16

NHE’s David Stevenson talks to Dame Fiona Caldicott following her much-awaited Review of Data Security, Consent and Opt-Outs.

In the foreword to the National Data Guardian’s (NDG’s) Review of Data Security, Consent and Opt-Outs, Dame Fiona Caldicott said she agreed to undertake her third review into this area for two reasons. Firstly, there had been “little positive change” in the use of data across health and social care since her 2013 report, and secondly, because she believes “we have a very significant opportunity now to improve the use of data in people’s interests, and ensure transparency”. 

New standards

The latest report certainly packs a punch. The NDG has proposed 10 new data security standards for the NHS and social care, with a requirement for trusts and CCGs to identify and address risks such as default passwords, dormant accounts and unsupported operating systems. 

She also set out a method for testing compliance against the standards, and a new opt-out model to make clear how people’s health and care information will be used and in what circumstances they can opt out. Dame Fiona added that during the review she heard that, more often than not, data breaches are caused by people, processes and technology, and it is on these three areas that she based the recommendations and standards. 

The NDG also said that data security should be reviewed and strengthened by organisation leaders and put on a similar footing to the assurance of financial integrity and accountability. There is also a call for NHS England to change its standard financial contracts to require organisations to take account of the data security standards. 

The review, which was conducted in parallel to the CQC reviewing data security in the NHS, recommends that the CQC should integrate measures for compliance with the data security standards into their ‘Well-Led Inspections’ regime. 

Dame Fiona added that her report has focused on trust, and that the case for data sharing still needs to be made to the public. 

Immediate impact 

Within 24 hours of the report’s release it had major ramifications, with NHS England closing down the controversial care.data programme. Although Dame Fiona was not asked to look at the care.data programme, she said the consent and opt-out models proposed by the review go further than the approach that was planned for the pathfinder areas, “and should replace the approach that had been developed for those areas”. In light of the work, she said the government should consider the future of the care.data programme. 

The NDG also said that there needed to be a consultation on her proposals. Only hours after the report’s release George Freeman, the life sciences minister, who commissioned the Caldicott and CQC reviews, launched the consultation which is open until September – a link to it is provided at the bottom of the article. 

Consolidations and the new standards 

Before the launch of Dame Fiona’s review, NHS Improvement boss Jim Mackey wrote to CEOs at trusts and FTs saying that in order to reduce the provider deficit from £550m to £250m this year, efforts would be made to reduce paybill growth in selected providers, and savings could be delivered through back-office, pathology and elective service consolidations. 

His letter said that “there is still a significant potential saving if back-office services and pathology services are consolidated on a regional basis”. 

NHE asked Dame Fiona how the data standards would fit in with this work: “I could talk for rather a long time about that. Essentially, trusts have to have people who are responsible for data security. So, whether that is something that can be shared between organisations that are currently independent of each other, I think, would have to be looked at carefully. 

“In the end, if a board is going to be accountable for patient data security, they have to know that the people to whom they delegate the actual operation of that are trustworthy and fulfilling their contracts. 

“I think it is something for consideration, but, at the moment, I would think that is a step where sharing so-called back-office function on data security – we are probably not quite ready for that. Let’s get data security standards in place across the whole of the health and social care system, seeing if we can do it as economically and efficiently as possible.” 

Not marking your own homework 

Another key thing Dame Fiona wants to see is annual role-appropriate training being mandatory for all who work in health and social care, with extra bespoke training for people in leadership roles, such as Caldicott Guardians, Senior Information Risk Owners and board members. 

She said that the review heard that the self-assessment nature of existing compliance mechanisms such as the Information Governance (IG) Toolkit “was a concern”, whilst audit and inspections were largely welcomed as an enforcement mechanism to provide some ‘teeth’. 

Therefore, she said there is a need for a redesigned IG Toolkit to embed the new standards, identify exemplar organisations to enable peer support and cascade lessons learned. 

“I would like to see it being much more user-friendly, not to be a self-assessment toolkit,” Dame Fiona told NHE. “We’ve already had some conversations in HSCIC about this, so that it is quite clear about what an organisation is achieving through that training of its staff which fits with the greater security across that organisation. 

“It is about making it more friendly to the staff working in the organisation, easier to do, but actually can be tested by audit processes, rather than the organisation testing themselves. You can’t mark your own homework in our view.” 

Consent and opt-out model 

The review heard that trust is essential and should underpin any opt-out model. Dame Fiona said that building public trust for the use of health and care data means giving people confidence that their private information is kept secure and is used in their interests. 

“Citizens have a right to know how their data is safeguarded,” she added. “They should be included in conversations about the potential benefits that responsible use of their information can bring.” 

The report has recommended that there should be a new consent/opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care. This would apply unless there is a mandatory legal requirement or an overriding public interest. Alongside the consultation into the new model, Dame Fiona said there should be further testing of both a two-question and a single-question model with patients and professionals to see if people would prefer to have more than one choice. 

“We were asked to come up with a simple model that could be explained to the public, and indeed the professionals who often advise the public in terms of what their choices are,” said Dame Fiona. “We have come up with a model that is simple. It gives people the option to have any of their information being used for purposes beyond care to opt out of that, as a simple choice. 

“However, we’ve made it slightly more complicated by saying it was worth putting to the public the choice of having two separate groups of information to opt out of: research on the one hand, or that which was used for running the health service. We think that if you put all the possible uses of data currently in the system together and ask people to opt in or opt out, that it is actually asking them to make a choice about a very big collection of information. They may want to have the possibility of their data being used for research, but not for running the health service.” 

The review’s remit did not cover the existing opt-outs people have in relation to their data, but Dame Fiona said that if the proposed model was accepted there would then have to be a piece of work that addresses the existing opt-outs in the system, like the Summary Care Record. 

“This would be to see how they fit in with the new model, and whether they can be replaced or not. It is not something we’ve recommended, but it is an implication of the acceptance of our model,” she explained. 

“What I hope is that this [opt-out] model can be seen, if it is agreed in the consultation, as something that can be put in place. I would encourage everyone to get involved in the consultation about the proposals that I am putting to government.”

The National Data Guardian’s data security standards

Leaders of all health and social care organisations should commit to the following data security standards. They should demonstrate this through audit or objective assurance, and ensure that audit enables inspection by the relevant regulator.

Leadership Obligation 1: People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles. 

Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes. 

Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. 

Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit. 

Leadership Obligation 2: Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses. 

Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals. 

Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. 

Data Security Standard 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. 

Data Security Standard 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management. 

Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date. 

Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate. 

Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. 

Data Security Standard 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
