As the NHS has become more complex, concerns have grown over what is done with the information that it generates.

Dame Fiona Caldicott points out that when she was asked to conduct her eponymous review back in the late 1990s, it was against a background of concern about the confidentiality of the information that was being circulated to support the internal market.

Now, the information governance review that she is leading has not only run expert sessions on commissioning, but on adult social care, public health and research, and on new patient rights, including those being enshrined in European legislation.

It still has sessions planned on education, genomics, and emerging technologies. “The original report was more narrowly focused, because we were asked to look at the sharing of information not related to patient care,” Dame Fiona says. “It was [about information that was] more administrative than clinical.”

Caldicott 1

Dame Fiona studied medicine at St Hilda’s College in Oxford, and went on to become the first woman dean and then the president of the Royal College of Psychiatrists (among other distinguished posts – she has also been principal of Somerville College, Oxford).

She was asked to chair what became known as the Caldicott Committee by the then-chief medical officer for England, Sir Kenneth Calman.

The committee worked against a backdrop of “increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined.”

And its findings, published in December 1997, included six key principles and 16 specific recommendations for handling patient identifiable information.

Some of the recommendations were very specific; quite a few related to the use of the NHS Number and other identifiers what were, at the time, new systems for reimbursing GPs within the emerging market.

But the principles were simple; don’t use patient identifiable information unless absolutely necessary, use the minimum when it is necessary, only give patient identifiable data to staff who really ‘need to know’ it, and make sure that each use is clearly defined and reviewed by an appropriate guardian.

Also, be aware of the law and make sure that everyone with access to patient identifiable information is aware of their responsibilities.

Caldicott Guardians now enforce these principles. Yet, over time, it seems that many people within the health and social care system have come to think of ‘information governance’ as something that prevents – rather than controls – information sharing.

When the government was forced to ‘pause’ its latest reforms of the NHS, one of the recommendations of its Future Forum was that another review should be held to see if the balance between maintaining privacy and sharing information was still in the right place.

Caldicott 2

The information governance review – or Caldicott2 as it is becoming known – is being led by a panel of experts. It has spent the summer visiting major English cities to take evidence from the public and interested professionals, while holding ‘information gathering days’ on specific issues.

The original intention was for the review to report this year, but this has been delayed by delays to the Francis inquiry into the scandal at Mid Staffordshire NHS Foundation Trust, and to the government’s promised public consultation on changes to the NHS Constitution.

The review is anxious to include questions in the consultation because, as Dame Fiona points out, “it is not easy to get a generality of public opinion” in a field in which a few, prominent individuals and organisations have very strong opinions and polling data is weak.

The consultation is now slated for December, and the review’s report – more tentatively – for February or March.

From principals to practice

Dame Fiona says now that she thinks the original Caldicott principles were correct, even if they were drawn up for more specific cases than they have been applied to. But she feels that other factors have led people to interpret them narrowly.

For example, she says that the arrival of the Information Commissioner’s Office, with powers to impose increasingly large penalties on data controllers who ‘wilfully or recklessly’ breach the Data Protection Act has made people “more aware” of data protection, but also “more cautious.”

“We want to ask if the principles are correct, and whether they need to be updated. But there is definitely an issue of other things impacting on them,” she says.

She adds that the review has already discovered that “people are anxious to do the right thing” and if they are not confident about the rules they will tend to react by not sharing information, even if this would be in the interest of a patient or service user.

As a result, she says the review is giving careful consideration to the kind of report that it should produce, because it wants to include some “simple rules” that will give people more confidence in the system.

“We have a consistent message from people that they want clarity about language,” she says. “If you talk about IG, then not a lot of people really understand it.

“That means we will need to compile a glossary. We will also need to produce something suitable for the person on the ward, if you like, and perhaps something more detailed for the people who have to deal with the difficult cases.

“So a question for the panel is whether we need two reports, written at different levels, or one, all encompassing report with more detail on where some difficult cases need it.”

Striking new balances

Dame Fiona adds that two issues in particular have come up in the review’s research. One – in a direct echo of Caldicott1 – is the impact of the NHS reforms on data flows, and the extent to which clinical commissioning groups, the NHS Commissioning Board, and the various regulators of the new system will need access to patient identifiable information.

This has been a hot issue on the EHI news pages this month, both when the NHS Information Centre launched its data linkage service, and when GP Dr Mary Hawking asked about the extent to which the CQC would be able to go through patient notes as part of its regulatory activities.

The other – more directly related to the present government’s determination to give the life sciences industry a kick as part of its bid to revive the languishing economy – is the extent to which data should be made available to researchers.

“I think there are concerns from the public about research, and how their data will be used for that,” Dame Fiona says. “And there is also concern about commissioning, and the extent to which all the new bodies will need patient data.”

Asking Caldicott2 to come up with a new set of general principles for dealing with such varied data flows seems like a tall order. But Dame Fiona is confident that the Future Forum’s question – where does the balance between privacy and sharing lie – is the right one.

“That was a very good recommendation of the Future Forum,” she says, “and we have kept it very much at the back of our minds.”

More in Feature
Carl Reynolds on procurement woes

Junior doctor and open source enthusiast Carl Reynolds compares buying a used car with buying an NHS IT system, and concludes that the NHS needs...