Dame Fiona Caldicott has warned that the “cultural change” that she called for in her second review of information governance in the NHS “has only emerged in parts of the system.”

In a report on the work of the first year of the Independent Information Governance Oversight Panel, which she chairs, Dame Fiona says her review called for “appropriate information sharing at every stage of the care pathway.”

While she acknowledges that “it was not realistic to expect that this would be achieved within a single year”, and that there are examples of information “being shared appropriately without compromising security and trust”, she also says too little is happening in too many places.

The report to health secretary Jeremy Hunt says some “core building blocks” must be put in place to change this, including clear definitions of who is included in a “direct care team” and “clear guidelines about when people must given explicit consent to information about them being shared and when consent can be implied.”

Dame Fiona says the NHS lost a lot of expertise on these issues when the Health and Social Care Act 2012 reorganised the health service and swept away primary care trusts and strategic health authorities.

She also criticises the disestablishment of the National Information Governance Board in March 2013, which, she says, “left the system in England without a statutory arbiter, to which organisations could turn for the authoritative resolution of difficult questions.”

But she also touches on the row about care.data, which came just as some healthcare communities were rolling out the Summary Care Record and their own information sharing projects.

“Consistency is also required in the arrangements for people to be able to object or opt-out of information being used for research or other purposes,” the report says.

On the positive side, Dame Fiona argues that “over the past year, the subject of information governance has moved from the backwaters of organisational management to the mainstream of public discussion”; not least because of the row over care.data.

And she suggests that some national bodies are starting to take on elements of the NIGB’s role. Overall, however, the report feels frustrated about the state of information governance in the NHS in England.

It notes that progress in resolving the issue of whether commissioners and business intelligence suppliers should have access to personal identifiable information for administration and commissioning has been “slow” – and the problems her review team identified in this area in 2012 are still unresolved.

Similarly, she notes that the 14 integration ‘pioneers’ chosen to explore new ways of joined up working between health and social care have run into problems with sharing information.  

In the conclusions to the report, Dame Fiona says “action is needed at the centre” to create a clear implementation plan for the recommendations of her review, that comes with a timescale for delivery.

She also says a new version of the Information Governance Toolkit should be drawn up, and then approved as an information standard. And that while this is happening, staff should receive training in information governance principles.

She also argues that the health service must be transparent about its use of data, and make sure that individuals can say if they want to opt out of particular data sharing arrangements.

“In summary, the goal should be a state of information governance in which the following proposition prevails: ‘organisations have no hiding places, the public have no surprises.”