Caldicott 2 and patient dataBMJ 2013; 346 doi: http://dx.doi.org/10.1136/bmj.f2260 (Published 24 April 2013) Cite this as: BMJ 2013;346:f2260
- Paul Taylor, reader in health informatics
- 1Centre for Health Informatics and Multiprofessional Education, University College London, London N19 5LW, UK
Sixteen years ago Fiona Caldicott was commissioned to review the use of patient data in the NHS.1 That review set out six principles for the protection of patient confidentiality and recommended the appointment of what became known as Caldicott guardians. A lot has changed since then—patient access to electronic records is a reality, clinical research increasingly uses routinely collected data, and the organisational and legislative framework of the NHS has been transformed. An updated “Information Governance Review” has just been published, again the work of a team led by Caldicott.2
The first review was exclusively concerned with the non-clinical use of patient data. The six principles resulting from the review aimed to preserve patients’ trust by restricting the flow of information out of patient records. The current review recognises that concerns about information governance have also affected the clinical use of information. A seventh principle has therefore been added to correct the overly cautious stance that some clinicians have adopted. This principle states that: “the duty to share information can be as important as the duty to protect patient confidentiality.”
The report makes 26 recommendations, including one that patients should have the fullest possible access to their electronic care records and the holders of these records should make available an audit trail of who has accessed that record. The detail of the report implies that this measure is aimed at allowing patients to have confidence that any carers or nominees given access to the record have made appropriate use of it. However, because a comprehensive audit trail is harder to compile for shared data, the effect may be to inhibit sharing.
Researchers who rely on access to medical data will have a particular interest in the new report. The section on research classifies data into three categories. The first is that of confidential data—that is, patient identifiable data that should be disclosed only with consent or under statute and accompanied by a contractual agreement. Equally straightforward is the category of data for publication, which are data from which patients could be identified only with unreasonable effort and which can be publicly disclosed.
Between these two clear categories is a grey area: “de-identified data for limited disclosure,” which it may be helpful to illustrate with an example. In 1997, a US agency sold data it believed to be anonymised that described the medical histories of 135 000 employees of the state of Massachusetts. The data included zip codes, sex, and date of birth. The voter registration list also contained those three items, but they were associated with names, so by linking the two datasets the medical histories of named individuals could be ascertained.3
Linked datasets are increasingly important for medical research. By linking data on exposure to risk factors to later data about outcomes, we can explore hypotheses that might previously have taken decades to test. The report proposes that data that are subject to a risk of re-identification should be disclosed only where there is a contractual agreement and “data stewardship functions” are in place. The recommendation is that such data be held in accredited “safe havens,” where researchers can carry out analyses under conditions that guarantee confidentiality. Researchers may have conflicting views about this, because privileged access to data undoubtedly confers a competitive advantage, which these proposals could serve to entrench for some and overturn for others.
The NHS Commissioning Board (now NHS England) presented evidence to the review panel arguing that it would require access to confidential data, and that patients could be assumed to have consented to this as part of the deal between the NHS and its users. The review is forthright in rejecting this view. Neither NHS England nor clinical commissioning groups are providers of care. Most of their requirements can be met by obtaining explicit consent, using anonymised data, or relying on providers to perform analyses.
There are, however, two residual problems. The Health and Social Care Information Centre will become a safe haven but will not be able to meet the needs of all commissioners. Some processing of confidential data will be done by the new commissioning support units, some of which will host what are termed data management integration units. The review notes that safeguards to ensure adequate information governance in these entities are not in place and, as things stand, we don’t have an appropriate legal framework for these entities to act as data processors.
A second difficulty is that some patients might reasonably object to their confidential data being submitted to the Health and Social Care Information Centre or released by it, and the law requires any reasonable objection to be respected. “Section 251”of the National Health Services Act 2006 could be invoked to allow the public interest to over-ride the duty of confidentiality,4 but there must still be due process, patients’ concerns must be considered, and the reasons for over-ruling their objections made public.
Cite this as: BMJ 2013;346:f2260
Competing interests: The author has completed the ICMJE uniform disclosure form at www.icmje.org/coi_disclosure.pdf (available on request from the corresponding author) and declares: no support from any organisation for the submitted work; no financial relationships with any organisations that might have an interest in the submitted work in the previous three years; no other relationships or activities that could appear to have influenced the submitted work.
Provenance and peer review: Commissioned; not externally peer reviewed.