The Department of Health has been asking for feedback on the document 'Protecting Health and Care Information: A consultation on proposals to introduce new Regulations.'

In part, this document is a response to the problems that clinical commissioners have encountered in obtaining patient data since the latest Health and Social Care Act was passed, and Dame Fiona Caldicott issued her second review of information governance.

In other words, it’s all about the vexed and continuing question of Section 251; and whether commissioners access the information they need, in the face of official insistence that non-identifiable data should do. Here’s a truncated version of my response:

The whole process of moving personal confidential data has become unbelievably and unnecessarily complicated.

This gets in the way of the delivery of high-quality patient care, costs the NHS large amounts of money, takes administrators away from more useful activities, and makes it almost impossible for the NHS to process administrative information efficiently.

Had the Department of Health wanted to make the process more intrusive and difficult to operate, it could hardly have done better! There is a clear need for the NHS to have:

  • Appropriate clinical data – at the individual level, as a patient passes through primary, secondary, and community care, and so on, and at the group level (in order to find patients in need, under risk stratification)
  • Appropriate managerial data, to check invoices, to commission services, to prove/disprove the benefits of treatment pathways, and for research and forward planning.

Most patients assume that information about them, once it has been given to an NHS member of staff, will automatically be shared appropriately within whatever arm of the NHS has need of it.

This sharing also applies to non-clinical staff. As a GP, my staff need access to my patients' records to scan in letters, take messages, give out results (under instruction, of course), type letters from dictation, pull off lists of patients with various illnesses, and issue pre-prepared prescriptions.

They do this as a matter of course: much of it requires access to PCD; and I doubt if any of our patients have any objection to this happening. (We have certainly never had any complaints or enquiries from them about this.)

All our staff know and understand that patient confidentiality is of utmost importance, and that a single breach may lead to instant dismissal.

Exactly the same attitude to the sharing of their information applies to patients attending the private sector: private patients also assume that their administration and billing will be performed by non-clinical staff, who will keep this information confidential as a matter of course.

Start by assuming data should be shared:

The NHS would do well to take these principles as its starting-point. The law needs to be changed so that information given to one part of the NHS is assumed to be available to all those within or connected to the NHS who have a clinical need to see it.

Under this principle, information passed to independent providers and GPs would still be considered as 'within the NHS' when those providers were working to an NHS contract.

This legal change also needs to include administrative functions and to recognise that there is also a clear 'management/administrative need to see data'.

Clearly the principle of 'management need' has to ensure that clinicians, managers and administrators who have no need to see certain sorts of information shouldn't be able to do so.

But this may be better handled at the level of 'professional duty and professional standards' rather than a mechanistic approach that intrusively, physically prevents staff seeing the information.

In other words, anyone who accesses PCD needs to be able to justify their actions, should they be asked. This is how it works in general practice — and it works well.

I suspect that the secret is to have clinicians in ultimate charge of data access. Historical experience suggests that, of all of us, clinicians are likely to have the strictest views on confidentiality.

We can therefore be relied upon to take over the important role of overseeing managerial confidentiality without the need to impose complex, legalistic mechanisms such as ASHs and DSCROs [accredited safe havens and data services for commissioning regional organisations – or the national and local holding centres to which everybody would have to apply for access to data].

It will also mean that judgments about data sharing can be made locally, and with subtlety — which is often simply not possible with nation-wide rules.


As far as the level of fines for misdemeanour is concerned, the judgement over whether PCD should be viewed is often finely balanced.

If a fine of half a million pounds comes into the equation (as currently exists in some areas in relation to the Information Commissioner’s Office) then this is likely to stop any question of access to information where there is even the remotest chance of a legal problem occurring.

A personal or corporate fine of this magnitude simply stops access dead, whether or not the proposed access is actually legal and/or beneficial for the patient.

Things become even worse when there is no official source of information and no rulings about individual cases.

If large fines may be handed out, but the authorities won't give a ruling on whether a particular course of action is acceptable, then again, no-one will want to risk it.

Even the new proposed civil penalty of £5,000 in the consultation paper seems draconian in circumstances where a fine call of judgement is required.

Decisions like these are often not black and white: and any penalty imposed needs to be assessed in relationship to the degree of deliberate negligence that may have occurred.

It will not help to penalise staff who were acting in good faith and with the interests of the patient at heart: it will serve only to inhibit access unnecessarily, even where that access might actually have been entirely legal and in the patient's interests.

Things must change

I cannot emphasise enough that there is a widespread view among front-line and CCG staff that the current regulations present massive difficulties to using NHS and patient data for ethical purposes in the delivery of healthcare, and serve only to increase costs and minimise the usability of this data.

As a result patients lose out, the NHS loses out, the costs of processing NHS data rise astronomically, and we end up with the very worst of all worlds: high expense, wasted time, fearful staff and minimal information.

The present system, even with its proposed refinements, is simply not fit for purpose, and should be abandoned as soon as possible. One way forward would be to replace it with a system that:

  1. Considers the entire NHS to be a single body for information governance purposes;
  2. Recognises that access by non-clinicians to PCD is necessary for the design and monitoring of healthcare pathways and standards;
  3. Creates the principle of only sharing data with those who have a true 'need to know' (but this should include non-clinical staff, and data needed for administrative and management purposes);
  4. Puts clinicians in charge of monitoring such a system locally. This would allow for security of decision-making, and subtlety of the decisions themselves, because local needs and conditions can be brought into the equation.

Penalties should only apply when there is clear evidence of deliberate leaking of information; gross negligence in allowing information to leak; or deliberately transgressing clear advice given from on high. In clear-cut cases such as these, heavy fines or dismissal could be considered.

However, inadvertent transgressions, or where there is genuine doubt about whether information should or should not be shared, should be treated graciously and tactfully, with the emphasis on advice rather than on punishment.