As the NHS has become more complex, concerns have grown over what is done with the information that it generates.
Dame Fiona Caldicott points out that when she was asked to conduct her eponymous review back in the late 1990s, it was against a background of concern about the confidentiality of the information that was being circulated to support the internal market.
Now, the information governance review that she is leading has not only run expert sessions on commissioning, but on adult social care, public health and research, and on new patient rights, including those being enshrined in European legislation.
It still has sessions planned on education, genomics, and emerging technologies. “The original report was more narrowly focused, because we were asked to look at the sharing of information not related to patient care,” Dame Fiona says. “It was [about information that was] more administrative than clinical.”
Dame Fiona studied medicine at St Hilda’s College in Oxford, and went on to become the first woman dean and then the president of the Royal College of Psychiatrists (among other distinguished posts – she has also been principal of Somerville College, Oxford).
She was asked to chair what became known as the Caldicott Committee by the then-chief medical officer for England, Sir Kenneth Calman.
The committee worked against a backdrop of “increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined.”
And its findings, published in December 1997, included six key principles and 16 specific recommendations for handling patient identifiable information.
Some of the recommendations were very specific; quite a few related to the use of the NHS Number and other identifiers what were, at the time, new systems for reimbursing GPs within the emerging market.
But the principles were simple; don’t use patient identifiable information unless absolutely necessary, use the minimum when it is necessary, only give patient identifiable data to staff who really ‘need to know’ it, and make sure that each use is clearly defined and reviewed by an appropriate guardian.
Also, be aware of the law and make sure that everyone with access to patient identifiable information is aware of their responsibilities.
Caldicott Guardians now enforce these principles. Yet, over time, it seems that many people within the health and social care system have come to think of ‘information governance’ as something that prevents – rather than controls – information sharing.
When the government was forced to ‘pause’ its latest reforms of the NHS, one of the recommendations of its Future Forum was that another review should be held to see if the balance between maintaining privacy and sharing information was still in the right place.
The information governance review – or Caldicott2 as it is becoming known – is being led by a panel of experts. It has spent the summer visiting major English cities to take evidence from the public and interested professionals, while holding ‘information gathering days’ on specific issues.
The original intention was for the review to report this year, but this has been delayed by delays to the Francis inquiry into the scandal at Mid Staffordshire NHS Foundation Trust, and to the government’s promised public consultation on changes to the NHS Constitution.
The review is anxious to include questions in the consultation because, as Dame Fiona points out, “it is not easy to get a generality of public opinion” in a field in which a few, prominent individuals and organisations have very strong opinions and polling data is weak.
The consultation is now slated for December, and the review’s report – more tentatively – for February or March.
From principals to practice
Dame Fiona says now that she thinks the original Caldicott principles were correct, even if they were drawn up for more specific cases than they have been applied to. But she feels that other factors have led people to interpret them narrowly.
For example, she says that the arrival of the Information Commissioner’s Office, with powers to impose increasingly large penalties on data controllers who ‘wilfully or recklessly’ breach the Data Protection Act has made people “more aware” of data protection, but also “more cautious.”
“We want to ask if the principles are correct, and whether they need to be updated. But there is definitely an issue of other things impacting on them,” she says.
She adds that the review has already discovered that “people are anxious to do the right thing” and if they are not confident about the rules they will tend to react by not sharing information, even if this would be in the interest of a patient or service user.
As a result, she says the review is giving careful consideration to the kind of report that it should produce, because it wants to include some “simple rules” that will give people more confidence in the system.
“We have a consistent message from people that they want clarity about language,” she says. “If you talk about IG, then not a lot of people really understand it.
“That means we will need to compile a glossary. We will also need to produce something suitable for the person on the ward, if you like, and perhaps something more detailed for the people who have to deal with the difficult cases.
“So a question for the panel is whether we need two reports, written at different levels, or one, all encompassing report with more detail on where some difficult cases need it.”
Striking new balances
Dame Fiona adds that two issues in particular have come up in the review’s research. One – in a direct echo of Caldicott1 – is the impact of the NHS reforms on data flows, and the extent to which clinical commissioning groups, the NHS Commissioning Board, and the various regulators of the new system will need access to patient identifiable information.
This has been a hot issue on the EHI news pages this month, both when the NHS Information Centre launched its data linkage service, and when GP Dr Mary Hawking asked about the extent to which the CQC would be able to go through patient notes as part of its regulatory activities.
The other – more directly related to the present government’s determination to give the life sciences industry a kick as part of its bid to revive the languishing economy – is the extent to which data should be made available to researchers.
“I think there are concerns from the public about research, and how their data will be used for that,” Dame Fiona says. “And there is also concern about commissioning, and the extent to which all the new bodies will need patient data.”
Asking Caldicott2 to come up with a new set of general principles for dealing with such varied data flows seems like a tall order. But Dame Fiona is confident that the Future Forum’s question – where does the balance between privacy and sharing lie – is the right one.
“That was a very good recommendation of the Future Forum,” she says, “and we have kept it very much at the back of our minds.”
Dame Fiona Caldicott will be speaking at EHI Live 2012, on the subject of ‘To share or not to share – the information governance review.’Tweet #ehilive
If something seems to good to be true, it probably isRossJAnderson 101 weeks ago
It's simply not true that we can eat our cake and have it too. It is really hard to anonymise clinical records, because they tend to have a lot more than the 33 bits of information that it takes to identify a human. If I can ask a national system questions like "show me the records of all 44-year-old women who have a 12-year old daughter where both mother and daughter have psoriasis" then I can fish out one record from 50 million. If I can't, it's not much use as a research tool.
There are some specialised applications where anonymisation does work, such as systems for analysing doctors' drug prescribing patterns; there, the input is individual prescriptions. (Even so, it's not entirely straightforward; see http://www.fi.muni.cz/usr/matyas/XTR_HIJ_draft.pdf for details.)
Where individual care episodes are linked into a longitudonal patient history, though, the risks of reidentification become extremely high; they are discussed here:
For more political background, see the top few articles on the FIPR website at http://www.fipr.org/, and for a more complete technical background, see this book chapter on inference control
Finally, although we computer scientists have known for thirty years that anonymisation doesn't work, the lawyers and policy people have ignored this because they preferred to believe that they could eat their cake and have it too. Recently, a US law professor has set out the problem in lawyers' language, and this removes the excuse
The tragedy is that all medical professors now seem to believe they have the fundamental human right to have, on their laptops, the lightly de-identified records of everyone in England who suffers from the condition in which they're interested. We've already seen a laptop with over 8 million records go missing; with any luck it was just sold for a wrap of heroin and reformatted. But eventually there will be a disaster. What do you do when a laptop containing all the records of everyone in Britain with a diagnosis for depression gets stolen and the database ends up on pastebin? What do you do when an enterprising journalist pulls out the 127 MPs from that sample? You've got another Alder Hey on your hands, that,s what, and medical research will take a huge hit.
This comment is:
We can "Have our cake and eat it"Ewan Davis 103 weeks ago
The Dame seems not to have taken on board the extent to which appropriate use of privacy enhancing technologies (PETs) can, to a significant degree, avoid the need to sacrifice privacy to facilitate laudable research and other secondary uses of patient data.
For too long the research community has capriciously tried to ignore PETs Dismissing them as impractical and too onerous.
I very happy to donate my data for a range of secondary purposes (including identifiable data where this is really needed) BUT:
I want to be asked and have my wishes respected
I want all reasonable steps taken to hold only the data really needed and protect this using PETs.
That the residual risks of re-identification, breach and potential harm are acknowledged and appropriately managed.
Work like that of http://www.miconsent.org and the growth of PHRs and patient record access means that it is increasingly practical to put patients in control of their data as Government have pledged.
We need to apply 21st century solutions to this problem - Patient engagement and control, transparency and PETs - Not paternalistic 20th century ones as Fiona seems to be suggesting. After all we all want the health and economic benefits that can flow from utilising OUR data in new and exciting ways.
If you want to know how PETs can help read Rob Navarro blog:
And for a balanced and evidence based view the PHCSG Paper "Fair Shares for All"
This comment is: