The government has launched a formal consultation on two of the key proposals in Dame Fiona Caldicott’s latest review of data security and information governance in the NHS.
The consultation says the government wants views on ten proposed data security standards to be met by NHS trusts and other organisations and on an opt-out model for sharing data in NHS and social care. The consultation also asks for views on how to test compliance with the standards.
Dame Fiona’s review, launched this morning, calls for more national scrutiny of data security and for trusts to take the issue more seriously; putting it on the same footing and financial control.
It also calls for a new opt-out model for patients and stronger sanctions for data breaches and malicious or careless re-identification of individuals from anonymised data sets.
In passing, it has also put paid to the care.data programme, which a Department of Health statement said NHS England had decided to “close” following her review.
Life sciences minister George Freeman said he was grateful to Dame Fiona for her work, and also to the CQC for a second review of cyber security, which was published on Wednesday afternoon.
He said it was now “vital that full consultation and dialogue with the public and professionals takes place” before any of their ideas are implemented. But he indicated that the government was minded to back key ideas, including “the introduction of stronger criminal sanctions against those who use anonymised data to re-identify individuals.”
The latest Caldicott review sets out ten data security standards relating to leadership, people, processes and technology.
The consultation asks for views on the standards, an indication of whether respondents think their organisation already meets them, and what help they might need from the Health and Social Care Information Centre or other bodies to comply.
It also asks for views on a single opt-out for patients, and on stronger criminal penalties to protect data. The Caldicott review calls for a single, simple opt-out to be set up for patients who do not want their identifiable health or care data to be used for purposes beyond 'direct care.'
It suggests that this opt-out could cover both data required for running the health and care system and research, or that there could be two opt-outs for administrative and research data.
In either case, Caldicott told the King's Fund Digital Health and Care Congress that she only wanted a patient's views recorded once during the health and care journey; although they should be able to change their minds at any time.
The consultation will close on 7 September.