Out-Law News 3 min. read

Caldicott review: unlawful personal data processing and sharing should be reported as 'data breach'


Health and social care bodies should be required to publish details of cases where they have processed or shared patients' personal data without having a legal basis to do so, Dame Fiona Caldicott has recommended.

Dame Fiona said unlawful data processing and sharing should be treated as being a 'data breach' (139-page / 795KB PDF) and be reported openly by both NHS and non-NHS bodies in the health and social care sectors. The recommendation was contained in a Government-commissioned report authored by Dame Fiona into information governance practices in the sectors.

"The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach," Dame Fiona said in her Caldicott review report. "There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations."

A 'data breach' should be defined as "any failure to meet the requirements of the Data Protection Act", she said. "This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data and inappropriate invasion of people’s privacy."

Dame Fiona said that there is a "culture of anxiety" that exists within the health and social care sectors and that therefore personal information is not shared as readily between professionals as it could be. She said "safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception".

Organisations in the health and social care sectors should explain to patients how personal data collected about them could be used, in an anonymised form, for "research, audit, public health and other purposes" and recognise their right to withhold their consent. Individuals should be able to change their decision on consenting to the sharing of their personal data and organisations should keep a record of "any explicit decision of consent, including withdrawal of consent previously given". Patients should also be informed of the consequences of not providing consent, Dame Fiona said.

If personal data is fully anonymised then the information can be "freely processed and publicly disclosed", however, if the information has only been "de-identified by the use of pseudonyms or coded references" then it is still to be treated as being personal data, she added.

The linking of de-identified personal data with other potentially identifying information should only be undertaken "in specialist, well-governed, independently scrutinised environments known as ‘accredited safe havens’", Dame Fiona said

The newly established Health and Social Care Information Centre is such a 'safe haven'. The Centre should set out in its code for processing confidential information what "attributes" an accredited safe haven should have, Dame Fiona said.

"Data sets containing personal confidential data, or data that can potentially identify individuals (de-identified data for limited disclosure or limited access), are only disclosed for linkage in secure environments, known as ‘accredited safe havens’," she said. "The purposes for such linkage should be expanded to cover audit, surveillance and service improvement. Within the accredited safe haven, de-identified data for limited disclosure or access must not be linked to personal confidential data unless there is a clear legal basis to do so, and contracts must forbid this. This would re-identify the de-identified data for limited access, and be a data breach."

The 'safe havens' should be governed by national minimum standards on "data stewardship", the report said. Dame Fiona suggested that the standards could outline responsibilities within the bodies for anonymising data as well as mandating the use of "privacy enhancing technologies". The standards could also ensure "robust governance arrangements" are in place and set "clear conditions for hosting researchers and other investigators who wish to use the safe haven", she added.

Dame Fiona also recommended that patients are given better access to information about how their data is used and shared, and that details of who has accessed their confidential information should also be made available to them "in a suitable form".

"The Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient," Health Secretary Jeremy Hunt said in a statement. "If patients are to see the benefits of these changes we must respect the wishes of the small number of people who would prefer not to share this information. I firmly believe that technology can transform the quality of healthcare in this country, but we must always respect the fact that this is very personal information about an individual."

Hunt has previously outlined his vision for a 'paperless' NHS by 2018. He said that NHS patients should each have a digital medical record that public health providers can access "when necessary" and where individuals' "permission" has been granted.

Accountancy firm PricewaterhouseCoopers (PwC) reported earlier this year that up to £4.4 billion of savings could be made in the NHS if information and technology were better utilised.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.