What should be the relationship between the CCIO, the Data Controller and the Caldicott Guardian in the CCG?
The whole situation is complex, and still evolving. It is also made more difficult because of financial and workforce constraints on CCGs.
There seems to be increasing agreement that there is no conflict between the roles of CCIO and Data Controller. Therefore these two roles look as though they can be taken by one person — the CCIO.
The role of the Caldicott Guardian is more of a problem. Dr Mary Hawking’s comments encapsulate the situation neatly:
Some of the potential problems will come from where the CCIO sits in the organisation, and how the role of the Caldicott Guardian/privacy officer would relate to this.
So in a CCG (which is a small organisation with limited resources, human and otherwise), is the CCIO to be:-
1. Responsible for helping to develop strategy at a high level, including the approach to technology and technology enabled restructuring?
2. Responsible for developing the more detailed Information Strategy (i.e. an implementation strategy rather than the DH variety) needed to support the overall CCG Strategy?
3. Tasked with organising and researching the means of implementing the strategy and other demands (e.g. Patient Record Access and secure electronic communications with patients) including budgetary control?
4. In control of the IT team/resources which would allow him/her to deliver the systems and organisation to fulfil the needs of the CCG?
5. Able to work across CCG boundaries with other CCGs, Local Authorities, NHS Trusts and of course AQPs?
OR
6. Simply there to advise the Governing Board on what is – and is unlikely to be – acceptable to the clinicians in the organisation? In this role the CCIO would be merely reporting to Finance or similar.
If Nos. 1-5 are the role (i.e. a Board member, which Andrew Lansley is quoted as saying the CCIO should be) then there needs to be another person with the role of ensuring that correct privacy and information governance is observed: the CCIO could not be regarded as impartial – and may not have the detailed knowledge of the ever-changing guidance and legislation involved.
The two roles are related, certainly, but they are not, as far as I can see, “the same job”.
* * *
Comments from other sources have been mixed. They can be summarised as:
1. If these roles are split then with two or even three people in control there are the risks of:
a. duties and responsibilities falling between them, with everyone thinking that a particular role was someone else’s responsibility
b. conflict of opinion, conflicting instructions, and an ultimate stagnation of action (or alternatively, strife, confusion, duplication and inefficiency)
2. ‘All power corrupts: absolute power corrupts absolutely.’ If all the roles are combined in one person (the CCIO) there is the possibility that the power to order searches and handle information may over time gradually overwhelm the attention to confidentiality arrangements “because it’s for the good of everyone”. This fear has been raised independently by all the individual IT-orientated clinicians whose advice I have sought.
I wonder if there is a way out of this dilemma which solves all the problems of data probity, financial efficiency, and the need for a unified, non-complex IT ‘command structure’ within the CCG? My suggestion is for two roles, one almost symbolic.
1. The CCIO should be given the responsibility for all normal data handling and confidentiality issues, including being the Data Controller and the Caldicott Guardian …
2. …but that a second person should be formally appointed, reporting directly to the board/COO and not to the CCIO. This person should have the power formally to challenge the legality or ethics of the CCIO’s decisions. Action by this person should ideally be ‘an action of last resort’. I would hope that the role should in practice be largely symbolic: a check on the CCIO which is clearly available, to be used if necessary, but hopefully never needed. (In some ways, this is rather like the relationship between the doctor and the GMC – hopefully never used, but the threat of potential action from overstepping the mark is sufficient to keep most doctors on the straight and narrow.)
This CCG ‘overseeing’ role could perhaps be a formal, stated role of one of the clinical directors. It certainly needs to be a role performed by a clinician.
I should be grateful for other people’s thoughts on the validity and practicality of such a plan – and also, for a convenient name for the job title of this second person. ‘Caldicott supervisor’, perhaps?