Dame Fiona Caldicott’s latest review of information governance and security in the NHS says trusts should make security control as high a priority as financial control, and recommends a tougher IG Toolkit for trusts.

The national data guardian’s long-awaited report was released on Wednesday morning, after the ‘purdah’ restrictions that prevent civil servants from making politically controversial statements were lifted following the EU referendum.

“The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability,” the report says. “People’s confidential data should be treated with the same respect as their care.”

This would include using a “redesigned” IG Toolkit and giving the Health and Social Care Information Centre the ability to report organisations with poor data controls to the Care Quality Commission.

Currently the toolkit can be treated as a “tick box exercise”, the review says. The proposed changes should make it both more accessible for staff training and more externally measurable and accountable.

Speaking at a briefing after the report’s release, Dame Fiona said the toolkit needed to be “much more user friendly, and not just a self-assessment toolkit.” She added: “It can then be audited, rather than the organisation testing themselves. You can’t mark your own homework in our view.”

Other recommendations include improved cyber security, embedding data protection in financial contracts, and harsher sanctions for malicious data breaches.

This could include changing the law to include “stronger sanctions to protect anonymised data”, the report says. “This should include criminal penalties for deliberate and negligent re-identification of individuals.”

While the report found that some trusts had highly developed data security, others lagged far behind. Examples of poor practice included “confidential papers being stored in unlockable cabinets, faxes being sent to the wrong number and the use of unencrypted laptops.”

On the patient side, the report recommends a new consent/opt-out model for patient health records, in order “to give people a clear choice about how their personal confidential data is used for purposes beyond their direct care.”

Dame Fiona has a long association with information governance in the NHS. She was first asked to conduct a review by the chief medical officer in response to concerns that administrative and clinical systems were being developed without an appropriate framework for safeguarding data in place.

Her first report, published in December 1997, laid out six key data protection principles and made 26 further recommendations, including the establishment of ‘Caldicott Guardians’ at data handlers. These have underpinned information governance in the NHS ever since.

Dame Fiona was then asked to conduct a second review in 2012, amid concerns that her principles were being used to restrict information sharing, even when this was not in the patient’s interest.

Her second review reached similar conclusions to the first, but added a seventh principle that “the duty to share information can be as important as the duty to protect patient confidentiality.”

However, her second report has had relatively little impact to date, because it was overtaken by the care.data row, and health secretary Jeremy Hunt asking her to conduct her third review, published today.

For news on the implications for care.data read here. Digital Health News’ coverage of the Caldicott report will continue with the government’s response and Dame Fiona speaking at the King’s Fund Digital Health and Care Congress on Wednesday afternoon.