The government has scrapped its heavily-criticised care.data scheme following the publication of the long-awaited Caldicott review of security standards for health and social care data.
Caldicott calls for updated consent processes for patient records – Photo credit: Flickr, Medill DC
The review, led by national data guardian for health and care Fiona Caldicott, looked at how to increase public trust in the government’s use of confidential information through better models for consent and improved data security.
It was commissioned by the health secretary in the aftermath of the 2014 launch of the care.data scheme, which would have taken GP records and stored them centrally on the national Health and Social Care Information Centre database.
However, the scheme was poorly communicated to the public, with a lack of clarity about how data would be used or how people could opt-out, and was put on long-term hold before it began extracting any patient data.
Although the review did not directly assess care.data, it urged the government to reconsider its future. In response the life sciences minister George Freeman announced that the government had closed the programme.
In a statement, he said that the government remained “absolutely committed to realising the benefits of sharing information”. Further work on this will be carried out by the National Information Board, Freeman said.
This review comes after a two previous reviews by Caldicott, in 1996-7 and 2013, and in her forework, Caldicott says that she undertook the third because “there has been little positive change in the use of data across health and social care since the 2013 Review and this has been frustrating to see”.
In it, she makes a series of recommendations for government when creating any new data sharing programme, including better communications of the way data is used and what benefits have come from it, as well as stronger sanctions for those who fail to secure data.
One of the review’s major proposals is for there to be a new, simplified model for consent and opt-out for patients.
The eight-point model aims to be much less complex than the existing system, and suggests that the NHS separates out the opt-out for data to be used for the running of the NHS and to support research and improve treatment.
The review says that there are a limited number of specific circumstances that would require an individuals’ opt-out to be overridden, but that these should be provided for – they might include situations when there is an overriding public interest, such as responding to an epidemic, or when it was required by a law or court order.
Before making any changes to the existing system, though, the government should conduct a “full and comprehensive” formal public consultation on these standards, and ensure that the opt-out questions are fully tested on the public.
This would help address public concerns, the review said, and would be in combination with a drive to demonstrate the benefits of data sharing, which might encourage more people to consider sharing their data.
“Communication with the public cannot be viewed as a single event,” the review states.
The review also says that the Health and Social Care Information Centre, which is changing its name to NHS Digital, should use this opportunity to emphasise to the public that it is part of “the NHS family”.
In addition, the review looked at security around data sharing and storage, finding that cyber security needed more consideration as systems become fully digital.
However, it notes that many historical information breaches related to paper-based information or old technologies such as faxes, and so might be addressed automatically when systems were digitised.
The review recommends stronger, but simpler and more understandable, data and cyber security standards, saying that data controllers were “confused by the plethora” of standards and good practice principles available.
It sets out 10 security standards for organisations handling personal confidential information based on people, processes and technology, all of which, the review says, demand strong leadership.
These include ensuring that all staff have proper data security training, that systems are properly certified and processes regularly reviewed, and that IT suppliers are held accountable for protecting data they process.