News story

New safeguards and public conversation about health and care data proposed

New measures are proposed to strengthen security of health and care information and help people make informed choices about how their data is used.

The recommendations are made to the Secretary of State for Health, Jeremy Hunt. He commissioned the Care Quality Commission (CQC) to review existing levels of data security across the NHS and asked the National Data Guardian (NDG), Dame Fiona Caldicott, to recommend new data security standards for health and social care and to develop a new consent/opt-out data sharing model.

Both reports found strong commitment among staff and organisations to keep data secure and that the public largely trusts the NHS to do so, and both have also identified areas where more can be done.

The reviews make a number of complementary recommendations to ensure that the drive for improved patient safety and high quality services is supported by accurate information, available to the right people at the right time, while maintaining respect for confidentiality.

Both reports recommend:

  • leaders of every organisation should demonstrate clear accountability and responsibility for data security, just as they do for clinical and financial matters
  • internal and external scrutiny of whether the new data standards are being implemented

The NDG also recommends:

  • 10 new data security standards to apply to all organisations that hold health or care information – for example, organisations should use identify and address risks such as default passwords, dormant accounts and unsupported operating systems
  • a much more extensive dialogue with the public about how their health and care information is used and the benefits of data sharing. The review underlines that information is essential to support excellent care and for a range of beneficial purposes such as helping researchers to develop life-saving medicine or regulators to see when things are going wrong promptly. However, there is currently little public awareness of how information is used
  • a new opt-out to make it clear to patients how their health and care information can be used and in what circumstances they can opt out of it being shared for purposes other than their direct care. The NDG Review found that people tend to support their health and care information being used where they can see the benefit, but want to be given a choice about that
  • whether people opt out or not, they should be reassured that their health and care information will only ever be used if the law allows and never for marketing or insurance, unless they consent separately to this

See NDG Review of Data Security Consent and Opt-outs

The Department of Health has today provisionally accepted the recommendations and confirmed that there will be a public consultation and further testing of the recommendations put forward by the NDG.

National Data Guardian, Dame Fiona Caldicott, said:

My recommendations centre on trust. Building public trust for the use of health and care data means giving people confidence that their private information is kept secure and used in their interests.

Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring. They must be offered a clear choice about whether they want to allow their information to be part of this. I would encourage everyone to get involved in the consultation about the proposals that I am putting to government today.

David Behan, Chief Executive of the CQC, said:

The ability of NHS organisations to access and share patient information is crucial to the delivery of safe, effective care. But without robust processes, there’s a risk that information may be compromised, may not be accessible when it’s needed, or may not be kept confidential.

We worked with 60 NHS organisations for this review, and those which demonstrated good practice on data security shared common characteristics – senior leadership who took this issue seriously and demonstrated ownership and responsibility; staff who were provided with the right information, tools, training and support; and systems and protocols designed around the needs of frontline staff, reducing the need for them to develop shortcuts in order to deliver timely patient care. But too often, not all these elements were in place.

CQC has set out 6 recommendations aimed at improving arrangements for protecting personal data, and assuring the new standards proposed by the National Data Guardian. These recommendations focus on 3 main themes that are fundamental to the secure handling of data: people, processes and technology. Ultimately, however, it is for NHS leaders to demonstrate clear ownership and responsibility for data security, just as they do for clinical and financial management and accountability.

See the CQC data security review, Safe data, safe care.