I don’t know. You wait and wait for an important, much-delayed report to be published and then suddenly, like buses, two come along together.
Yet tempted as I am by the thought of reading and commenting on all seventeen sections and twelve volumes of Sir John Chilcot’s Iraq Inquiry report, I’m more taken by the latest offering from Dame Fiona Caldicott, our National Data Guardian for Health and Care.
In this context, the Review of Data Security, Consent and Opt-Outs has the compelling virtue of brevity, and unlike the work of the Iraq Inquiry touches only briefly on the errors of the past before bringing together a series of standards, recommendations and proposals which build a picture of what the future will be like. At least, that is, so far as the management of health and social care data is concerned.
Brief as it is, the new report, which will doubtless end up being known as Caldicott 3, actually examines two distinct aspects of secure data management. Like the last Harry Potter movie, it could easily have been published in two parts.
Caldicott 3a, then, asks whether current health and social care data security is good enough and makes nine very sensible recommendations for improvement. These include recommendations on leadership and contractual arrangements; a revamped IG Toolkit; the use of tools to identify vulnerabilities such as dormant accounts and default passwords; changes to the CQC inspection regime; and the use of harsher sanctions regarding malicious or intentional data security breaches.
Alongside these recommendations are a series of basic Data Security Standards (such as Standard 8: “No unsupported operating systems, software or internet browsers are used within the IT estate.”).
However, I think it is in Caldicott 3b where the real interest lies. This looks again at the basis upon which information is shared and asks a series of key questions:
- Do people understand who will have legitimate access to their personal confidential data?
- When is the individual’s specific consent required?
- When can people consent to or opt out from information being used and when may this be overruled?
- Are the current arrangements protecting people’s confidentiality adequately upheld?
- Do they allow for appropriate information sharing to benefit patients, service users and the entire health and care system?
These are major questions, and while the Report considers them in some depth, and makes a series of recommendations, in this area in particular it urges the Department of Health to consult far more fully before adopting its views.
Even so, I suspect it will be surprising if the Department doesn’t adopt most of the Caldicott 3b suggestions. They include:
- The continuing need for the service to make the case for data sharing to the public.
- A revamp and a welcome, wholesale simplification of the current patient consent/opt-out model. Given the complexity and inconsistency of the current schemes for managing patient consent, this is long overdue.
- A recommendation that patient opt-outs should not apply to the transfer of anonymised records.
- Similarly, and perhaps more controversially, given the need for the NHS to ensure the money flows correctly, patient opt-outs should not apply to the use of identifiable data for non-contractual invoice validation.
- Research uses should continue to require explicit consent.
There is also a focus on the role of HSCIC — or ‘NHS Digital’ following the organisation’s rebranding — as the provider of linked anonymised data sets, although again it may take some time for that service to be delivered.
But there is more. Away from these higher profile recommendations, Caldicott 3b suggests further adjustments to how current systems are seen:
The Review considers that risk stratification for case finding, where carried out by a provider involved in an individual’s care or by a data processor acting under contract with such a provider, should be treated as direct care for the purpose of the opt-out (and therefore should not be subject to the opt-out of personal confidential data being used for purposes beyond direct care).
This represents another welcome clarification. At the same time, the Review also notes that:
… some CCGs are using the same predictive tool for both risk stratification for case finding and risk stratification for planning. The Review suggests that these two functions are separated.
While this notion of ‘separation’ of functions may be a little vague at present, the intent is clear, even if the details remain to be worked out.
And finally there is a recommendation that could require significant adjustments to the current crop of integration projects:
The different successful approaches being taken at local level led the Review to conclude that an overarching, national, consent question should not be framed around direct care. A person can still ask for their health care professional not to share a particular piece of information with others involved in providing their care. This may be in relation to a local shared record programme.
(All quotations from p.26 of the Review.)
I feel I’ve barely scratched the surface; there is so much interesting material in the Review. Given that, I’m only too grateful that I decided not to look at the Iraq report instead.
This won’t all happen at once. As I noted, the Review recommends further consultation before going anywhere near implementing these proposals. But it is a good start.
Which just leaves one final question. Did the redoubtable Dame and her team find any WMDs? Perhaps it’s hard to say. But maybe, just maybe, the parallel announcement of the cancellation of the care.data programme suggests it is possible that she did.
References
Review of Data Security, Consent and Opt-Outs:
https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs
Iraq Inquiry home page:
http://www.iraqinquiry.org.uk/
Guardian Report: NHS to scrap single database of patients’ medical details:
https://www.theguardian.com/technology/2016/jul/06/nhs-to-scrap-single-database-of-patients-medical-details