06.07.16
Case for data sharing ‘still needs to be made to the public’, says Caldicott
NHS data security should be reviewed and strengthened by organisation leaders to a level comparable with the assurance they already give to financial integrity and accountability, and much more must be done to build public trust in data sharing, Dame Fiona Caldicott has said.
In her third review into Data Security, the National Data Guardian (NDG) has recommended 10 new data security standards for health and social care organisations, as well as a new consent/opt-out model for patient data.
Dame Fiona said that one of the reasons she decided to undertake the review was that there has been little positive change in the use of data across health and social care since her 2013 Review “and this has been frustrating to see”.
Dame Fiona said that a redesigned Information Governance (IG) toolkit should be developed to embed the new standards, and NHS England should change its standard financial contracts to require organisations to take account of the data security standards.
Additionally, annual role-appropriate training should be mandatory for all who work in health and social care, with bespoke additional training for people in leadership roles, such as Caldicott Guardians, SIROs and board members.
Trusts and CCGs should use appropriate tools to identify unused and dormant accounts, unsupported systems and software, poorly maintained access permissions or default passwords.
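The recommendation above names four hygiene problems an audit tool should surface. As an added illustration (this code is not from the review, the CQC or the article), the following Python sketch runs those four checks over an exported inventory: enabled accounts with no recent logon, privileged accounts whose owner has left, credentials matching a known default, and hosts past their vendor end-of-support date. The 90-day threshold, the group names, the default-password list, the hash-comparison stand-in for a credential test, and every sample record are constructed assumptions, not NHS data.

```python
"""Audit an exported account and asset inventory for the four problems named above:
dormant accounts, unsupported software, access not kept in step with leavers, and
default passwords. All thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set
import hashlib

DORMANT_AFTER_DAYS = 90  # assumed policy threshold; the review sets no figure
PRIVILEGED_GROUPS = {"Domain Admins", "PAS Administrators"}  # assumed group names
# Constructed shortlist of vendor defaults; a real check uses a far longer list.
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "Passw0rd"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]   # None means the account has never logged on
    groups: Set[str]
    password_sha256: str         # stand-in for whatever the tool can test the credential against
    owner_employed: bool = True  # False once HR records the user as a leaver


@dataclass
class System:
    hostname: str
    software: str
    end_of_support: date


def dormant_accounts(accounts: List[Account], today: date,
                     limit_days: int = DORMANT_AFTER_DAYS) -> List[str]:
    """Enabled accounts that have never logged on, or not within the threshold."""
    cutoff = today - timedelta(days=limit_days)
    return sorted(a.name for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))


def stale_privileges(accounts: List[Account]) -> List[str]:
    """Enabled accounts still holding privileged group membership after the owner has left."""
    return sorted(a.name for a in accounts
                  if a.enabled and not a.owner_employed and a.groups & PRIVILEGED_GROUPS)


def default_password_accounts(accounts: List[Account]) -> List[str]:
    """Accounts whose credential matches a known default. Disabled accounts are
    included: a default password survives re-enabling the account."""
    default_hashes = {sha256_hex(p) for p in DEFAULT_PASSWORDS}
    return sorted(a.name for a in accounts if a.password_sha256 in default_hashes)


def unsupported_systems(systems: List[System], today: date) -> List[str]:
    """Hosts running software past its vendor end-of-support date."""
    return sorted(s.hostname for s in systems if s.end_of_support < today)


def audit(accounts: List[Account], systems: List[System], today: date) -> Dict[str, List[str]]:
    return {
        "dormant_accounts": dormant_accounts(accounts, today),
        "stale_privileges": stale_privileges(accounts),
        "default_passwords": default_password_accounts(accounts),
        "unsupported_systems": unsupported_systems(systems, today),
    }


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit over a constructed inventory, with 'today' set to the article's date."""
    today = date(2016, 7, 6)
    accounts = [
        Account("jsmith", True, date(2016, 6, 30), {"Clinicians"}, sha256_hex("Tr0ub4dor&3")),
        Account("contractor1", True, date(2016, 1, 15), {"Clinicians"}, sha256_hex("x9!Lm2qR")),
        Account("svc_backup", True, None, {"Domain Admins"}, sha256_hex("admin")),
        Account("aleaver", True, date(2016, 6, 1), {"PAS Administrators"},
                sha256_hex("Kk3#pQ7z"), owner_employed=False),
        Account("old_disabled", False, date(2014, 1, 1), {"Domain Admins"}, sha256_hex("password")),
    ]
    systems = [
        System("pacs-01", "Windows Server 2003", date(2015, 7, 14)),   # vendor support ended
        System("pas-db", "Windows Server 2012 R2", date(2023, 10, 10)),
    ]
    return audit(accounts, systems, today)


if __name__ == "__main__":
    for finding, names in sample_audit().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Two design points worth noting: the dormancy check treats "never logged on" as dormant rather than skipping it, because unused service and test accounts are exactly what the recommendation is after, and the default-password check does not exempt disabled accounts, since disabling is reversible while the credential is unchanged.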
Case for data sharing still needs to be made
With regards to data sharing, Dame Fiona said the case “still needs to be made to the public”. She added that there should be a new consent/opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care. This would apply unless there is a mandatory legal requirement or an overriding public interest.
The NDG also said the government should consider introducing stronger sanctions to protect anonymised data. This should include criminal penalties for deliberate and negligent re-identification of individuals.
Although the report’s remit does not cover the implementation of the standards, Dame Fiona said there should be a full and comprehensive public consultation, and a key “aspect of this work must be a dialogue with the public”.
She added: “My recommendations centre on trust. Building public trust for the use of health and care data means giving people confidence that their private information is kept secure and used in their interests.
“Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring.
“They must be offered a clear choice about whether they want to allow their information to be part of this. I would encourage everyone to get involved in the consultation about the proposals that I am putting to government today.”
The Department of Health has provisionally accepted the recommendations and confirmed that there will be a public consultation and further testing of the recommendations put forward by Dame Fiona.
The NDG, who carried out the work alongside the CQC (which was asked to review the current approaches to data security in NHS organisations that provide services), added that the regulator should amend its inspection framework to include assurance that appropriate internal and external validation against the new data security standards has been carried out, and should make sure that the inspectors involved are appropriately trained.
Additionally, HSCIC should use the redesigned IG Toolkit to inform CQC of ‘at risk’ organisations, and the CQC should use this information to prioritise action.
Both Dame Fiona’s and the CQC’s reports describe finding a strong commitment among staff and organisations to keeping data secure, and that the public largely trusts the NHS to do so. The two reports make a number of complementary recommendations in support of the drive for improved patient safety and high-quality services.
David Behan, chief executive of the CQC, said: “CQC has set out six recommendations aimed at improving arrangements for protecting personal data, and assuring the new standards proposed by the National Data Guardian.
“These recommendations focus on three key themes that are fundamental to the secure handling of data: people, processes and technology. Ultimately, however, it is for NHS leaders to demonstrate clear ownership and responsibility for data security, just as they do for clinical and financial management and accountability.”