Matthew Gould tells PublicTechnology event that complex language around data standards had meant most staff were afraid to share patient data even in cases where it would aid delivery of care

Credit: Chokniti Khongchum from Pixabay 

Complex guidance on the sharing of patient data has been to blame for a culture of nervousness in the NHS, according to the chief exectuive of NHSX. 

During a talk at the PublicTechnology Cyber Security Summit on Wednesday Matthew Gould, spoke of how information governance guidance had become “too complex and convoluted”. This in turn had led to confusion and fear amongst NHS staff, who opted to take the less “risky” approach of not engaging in data sharing at all. 

“The system has got itself nervous about sharing data, even though the law allows sharing of data for the direct care of patients – indeed it’s an obligation to share for the benefit of patients,” said Gould.

Very quickly in the pandemic, the organisation, which is responsible for promoting digital transformation across the NHS, sought to help the flow of data, as it plays “a really key role” in managing the crisis. 

“Sharing data didn’t materially affect the risk to it, but reset people’s attitudes to when it was appropriate and safe and legal to share it”
Matthew Gould, NHSX

Gould told attendees that conversations were facilitated between NHSX, the Information Commissioner and the National Data Guardian. COPI (Control of Patient Information) notices were also issued – these required NHS Digital to share patient information with organisations for Covid-19 purposes. 

“The case for doing so is self-evident, and I’m absolutely confident we had the support of the public as well as the strong support of the professions,” Gould said. 

Most effective, however, was a single page of information issued by NHSX on how to approach patient data. 

“We put out one page of incredibly simple guidance on looking after patient data that basically said if you are a clinician and you’re looking after your patients, you’re doing it in good faith and you’re being sensible, then you’ll be fine and to get on with it,” Gould said. 

Simplified guidance issued by NHSX states: “The duty to share information for individual care is as important as the duty to protect confidentiality.”

Asked about whether increased sharing constituted an increased risk to the safety of health data, Gould responded that this was not necessarily the case. Instead, he stressed that the lack of data sharing previously was not an inherent indicator of sound cybersecurity practice. 

“Last year, we intentionally gave people more confidence to share data and more data was shared. I would like to think that the act of doing so didn’t actually dramatically increase the risk. Because where we had got to collectively wasn’t necessarily the right approach to keeping data secure and allowing it to flow at the same time,” he said. 

“I do believe what we did [in sharing it] didn’t materially affect the risk to the data, but reset people’s attitudes to when it was appropriate and safe and legal to share it.” 

Lessons learned
Like many organisations, NHSX is already thinking about how best to cement the positive lessons learned from its Covid-19 response.