NHS England closes controversial patient data sharing programme

Written by Rebecca Hill on 7 July 2016 in News

The government has scrapped its heavily-criticised care.data scheme following the publication of the long-awaited Caldicott review of security standards for health and social care data.

Caldicott calls for updated consent processes for patient records - Photo credit: Flickr, Medill DC

The review, led by national data guardian for health and care Fiona Caldicott, looked at how to increase public trust in the government’s use of confidential information through better models for consent and improved data security.

It was commissioned by the health secretary in the aftermath of the 2014 launch of the care.data scheme, which would have taken GP records and stored them centrally on the national Health and Social Care Information Centre database.

Related content

Care.data pilots delayed until next year
Health and social care leadership about leadership as well as tech, say local government and NHS bodies

However, the scheme was poorly communicated to the public, with a lack of clarity about how data would be used or how people could opt-out, and was put on long-term hold before it began extracting any patient data.

Although the review did not directly assess care.data, it urged the government to reconsider its future. In response the life sciences minister George Freeman announced that the government had closed the programme.

In a statement, he said that the government remained “absolutely committed to realising the benefits of sharing information”. Further work on this will be carried out by the National Information Board, Freeman said.

This review comes after a two previous reviews by Caldicott, in 1996-7 and 2013, and in her forework, Caldicott says that she undertook the third because “there has been little positive change in the use of data across health and social care since the 2013 Review and this has been frustrating to see”.

In it, she makes a series of recommendations for government when creating any new data sharing programme, including better communications of the way data is used and what benefits have come from it, as well as stronger sanctions for those who fail to secure data.

Opt-out model

One of the review’s major proposals is for there to be a new, simplified model for consent and opt-out for patients.

The eight-point model aims to be much less complex than the existing system, and suggests that the NHS separates out the opt-out for data to be used for the running of the NHS and to support research and improve treatment.

The review says that there are a limited number of specific circumstances that would require an individuals’ opt-out to be overridden, but that these should be provided for – they might include situations when there is an overriding public interest, such as responding to an epidemic, or when it was required by a law or court order.

Before making any changes to the existing system, though, the government should conduct a “full and comprehensive” formal public consultation on these standards, and ensure that the opt-out questions are fully tested on the public.

This would help address public concerns, the review said, and would be in combination with a drive to demonstrate the benefits of data sharing, which might encourage more people to consider sharing their data.

“Communication with the public cannot be viewed as a single event,” the review states.

The review also says that the Health and Social Care Information Centre, which is changing its name to NHS Digital, should use this opportunity to emphasise to the public that it is part of “the NHS family”.

Data security

In addition, the review looked at security around data sharing and storage, finding that cyber security needed more consideration as systems become fully digital.

However, it notes that many historical information breaches related to paper-based information or old technologies such as faxes, and so might be addressed automatically when systems were digitised.

The review recommends stronger, but simpler and more understandable, data and cyber security standards, saying that data controllers were “confused by the plethora” of standards and good practice principles available.

It sets out 10 security standards for organisations handling personal confidential information based on people, processes and technology, all of which, the review says, demand strong leadership.

These include ensuring that all staff have proper data security training, that systems are properly certified and processes regularly reviewed, and that IT suppliers are held accountable for protecting data they process.

Share this page




Please login to post a comment or register for a free account.

Related Articles

NHS Digital boss hails ‘opportunity to put digital at the heart of the NHS’ as merger concludes
2 February 2023

Parliament signs off abolishment of technology unit and transfer of duties and data sets to overarching national body

PublicTechnology’s biggest stories of the year
29 December 2022

A reminder of the shocks, scandals and success stories that shaped the world of government technology in 2022

Number of virtual wards tops 100 as government aims to treat 50,000 patients a month at home
30 January 2023

A new plan to ease pressures on emergency care aims to ramp up the use of technology that can enable patients to be treated at home

Legislation finalising merger of NHS Digital aims to ‘ensure good practice continues’
23 January 2023

Duties are due to be formally transferred to NHS England in a week’s time