Today, two independent reviews have been published which make recommendations about data security in the health and care system in England and a new consent/opt-out model for data sharing.
In September 2015, I commissioned the Care Quality Commission (CQC) to undertake a review of data security in the NHS and, in parallel, commissioned Dame Fiona Caldicott, the National Data Guardian for Health and Care (NDG), to undertake an independent review of data security and consent, with the purpose of:
- Developing new data security standards;
- Devising a method of testing compliance with the new standards; and
- Proposing a new consent/opt-out model for data sharing in health and social care.
Both independent reviews have now completed, and the full reports are attached.
Healthcare, like all areas of modern life, is rapidly going digital. New technology and innovative approaches to the delivery of health and care have already driven significant progress, resulting in more people surviving the devastating effects of life-threatening and debilitating illnesses. If we are to deliver on our ambition to deliver the safest, most efficient healthcare possible for NHS patients, we must make the most of this digital information revolution, moving away from reliance on paper record keeping towards a 21st century, fully digital NHS, in which GP, pharmacy and hospital records, as well as diagnosis and condition monitoring are all based on digital platforms.
As the health and social care system becomes increasingly paperless and digital it also becomes ever more important that there are adequate and robust protections in place to protect the data and information held within it. All health and care organisations that handle sensitive information should be working towards giving patients the highest levels of trust and confidence and reducing the risk of external threats and potential breaches. It is vital that we do all that we can to ensure that health and care staff have access to the safeguards, knowledge and capability to handle such information securely.
The technological revolution in health and care has benefited individuals, their families, friends and the country at large. But it would not have happened without a significant change in the availability and quality of digital health and care data and greater innovation in how that information is used. To achieve our ambition of a fully digital NHS, it is vital that the public trusts health and care staff to keep their personal data safe and secure.
Dame Fiona’s review found that, broadly, the public does trust the NHS with confidential data. However, we cannot be complacent. That’s why we want to do more to realise the benefits that come from sharing information safely and consistently across the health and care system where there is a legitimate reason for doing so. For example, by giving patients more access to, and control over, the use of their personal confidential information, by improving the way that the NHS uses information to check the quality of care, or by researchers being able to use data to improve treatment and care.
Dame Fiona Caldicott has proposed 10 security standards to be applied in every health and care organisation that handles personal confidential information. These include measures which will protect systems against data breaches, ensuring that NHS leadership takes ownership and responsibility for data security and ensuring that organisations are as prepared as they can be to meet the challenges of the digital age. Dame Fiona has also emphasised the vital importance of data sharing and is proposing a new consent/opt-out model, which will give people a less complex choice about how their personal confidential information is used.
I am grateful to Dame Fiona and the CQC for their work on this important agenda. I am today publishing a consultation on two main aspects of Dame Fiona’s independent review, namely the new data security standards and proposed consent / opt-out model. It is vital that a full consultation and dialogue with the public and professionals takes place before any implementation of the recommendations can take place.
I am also publishing today the Government response to the consultation carried out late last year into the role of the National Data Guardian for Health and Care. The response sets out the Government’s key decisions in relation to the proposed functions for the role, and we remain committed to placing the role on a statutory footing at the next available opportunity.
In her review, Dame Fiona emphasises the importance of protecting anonymised data to give the public the assurances they need that they will not be re-identified. I can confirm today that the Government is supportive of the introduction of stronger criminal sanctions against those who use anonymised data to re-identify individuals.
On data security, both reviews highlight the importance of removing outdated IT systems. We are working with suppliers, including Microsoft, to help health and care organisations update their systems to make sure they are safe to use and store data. The Health and Social Care Information Centre will launch an initiative to support this work later this year.
The National Data Guardian Review also recommends that the Government consider the future of the care.data programme, as the consent and opt-out model proposed by the review goes further than the approach that was planned for care.data and its pathfinder areas.
In light of Dame Fiona’s recommendations, NHS England has taken the decision to close the care.data programme. However, the government and the health and care system remain absolutely committed to realising the benefits of sharing information, as an essential part of improving outcomes for patients. Therefore this work will now be overseen by the National Information Board, in close collaboration with the primary care community, in order to retain public confidence and to drive better care for patients.
This statement has also been made in the House of Lords