Demanding your attention: Caldicott's Information Governance Review

Even its best friends will grudgingly admit that information governance is not a topic that grabs you by the lapels and demands your attention.

That is, however, until some brave soul attempts to tweak the laws and directives around the use of data in the UK, at which point the issue suddenly becomes extremely interesting.

The latest intervention in this area, the most important for some years, comes from an independent working party headed up by Dame Fiona Caldicott (of the original Caldicott principles and Caldicott Guardians).

The Review came about as the result of a recommendation by the NHS Future Forum, which asked for the Government to 'commission a review of the current information governance rules [around the use of NHS data], and of their application…to ensure there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care.'

Calidcott2 makes a valiant attempt to strike this balance.

Admirably, much of the report is devoted to challenging what it describes as a 'culture of anxiety' about the sharing of information in the service of 'direct care', which has led to a 'risk-averse' approach that prevents front line staff from cooperating as they would like.

Regardless of any practical implications of their recommendations, there are important ethical concerns at play here, concerns which can tend to get lost in the stampede towards greater access

As well as emphasising situations in which one might legitimately share personal confidential data, the Review also notes several instances in which it would be inappropriate. The most significant is in the service of commissioning, say by NHS England or a clinical commissioning group (CCG).

Strictly speaking of course, CCGs never had access to personal confidential data. Under the 2012 Health and Social Care Act, CCGs were only ever given access to pseudonymous data about their service users.

However, many commissioners and commentators argued that use of personal confidential data by commissioners fell within a sort of social contract between the NHS and its service users: service users' 'implied consent' to the use of personal confidential data by those involved in 'direct care' also implicitly covered its use by NHS England and CCGs.

Caldicott2 represents the first quasi-official rejection of this argument. According to the review, such parties can only use identifiable data where there is 'a clear justification and legal basis for doing so' and it is 'made known to patients.'

In effect lumping commissioners together with researchers, public health practitioners and other purveyors of 'indirect care', and putting them outside the magic circle of 'direct care' professionals (e.g. doctors, nurses and social workers).

This rebuttal comes with a sting in its tail, for another of Caldicott's recommendations is that any linkage of personal confidential data from more than one organisation (i.e. before that data is pseudonymised) 'should only take place in specialist, well-governed, independently scrutinised accredited environments called 'accredited safe havens''.

Thus, if a CCG (or a researcher), wishes to link personal confidential data from say, primary and secondary care, for the purposes of risk-stratification or predictive risk analysis, it will have to go through an 'accredited safe haven'.

And, at present, there is only primary legislation for the creation of one accredited safe haven: the Health and Social Care Information Centre (HSCIC). Although the Review notes plans for the creation of 'at least 20' more, the worry is of a bottle-neck.

CCGs will be able to use pseudonymous data for predictive modelling/risk stratification once released by the HSCIC (with general practitioners still being free to re-identify patients at practice level) but commissioners (who, incidentally, will often be GPs) will not be able to pseudonymise and link personal confidential data themselves.

Regardless of how attractive this system might be, there is another worry here about how quickly it could be implemented. Even on conservative estimates, the HSCIC may not be in a position to provide the same information to CCGs that primary care trusts had access to in March, until early next year.

In response to these worries, the Caldicott Reviewers could argue that regardless of any practical implications of their recommendations, there are important ethical concerns at play here, concerns which can tend to get lost in the stampede towards greater access.

Indeed it is important to recognise the valuable contribution the Review makes in this area, providing an important touch-stone on matters of privacy and consent (for more on this, see a recent piece we did on the various social values lying behind information governance and the tensions therein).

Much will depend on precisely how Caldicott's various recommendations are implemented. The HSCIC have already released one response to Caldicott in the form of a new anonymisation standard.

Another place to keep an eye on is NHS England, who plan to issue guidance around the issue of risk stratification/predictive modelling by CCGs shortly. Then, of course, there’s the response by the Department of Health, who commissioned the report.

Still, who knew information governance could generate this much interest?

This blog was also posted on GPonline's Inside Commissioning blog.