New Caldicott principles to inform decisions and discussion about data sharing in the wake of the pandemic
The National Data Guardian for Health and Social Care (NDG) is seeking views on revision and expansion of the seven existing Caldicott Principles in an open consultation which was launched on 25 June 2020. The NDG also proposes use of statutory powers to issue guidance about organisations appointing Caldicott Guardians to uphold the Caldicott Principles.
In 1997, Dame Fiona Caldicott chaired a committee which produced a report about confidentiality following a review of the transfer of ‘Patient-Identifiable Information’ in the NHS. The result was a set of standards that became known as the Caldicott Principles. The Caldicott Committee’s Report also recommended that a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian responsible for safeguarding the confidentiality of patient information. The senior individuals responsible for ensuring that the principles were upheld within their own organisations became known as Caldicott Guardians.
The Information Governance Review, published in 2013, reviewed the principles and found that they had become well-established and were considered a clear and simple guide to how confidential information should be handled. It also found that Caldicott Guardians still played an important role in helping their organisations to act ethically and legally and comply with the law. The 2013 review also introduced a new Caldicott Principle to encourage information sharing in the best interests of patients and service users and users of social care services: ‘The duty to share information can be as important as the duty to protect patient confidentiality’. The importance of applying this new principle to data sharing for individual care was later reflected in law in the Health and Social Care (Safety and Quality) Act 2015.
Dame Fiona Caldicott, who had held the non-statutory NDG role since 2014, became the first statutory post holder in April 2019 following the enactment of the Health and Social Care (National Data Guardian) Act 2018.
During work to consider the addition of a new principle, the NDG reviewed the wording of the existing principles. The proposed new set of eight Caldicott Principles is contained in Annex A of the Consultation background document. In Annex B the previous seven Caldicott Principles are marked up to show the proposed amendments.
The NDG is proposing to introduce a new principle, which emphasises the importance of there being no surprises for patients and service users with regard to the use of their confidential health and care data.
Discussions among the NDG panel and stakeholders have been informed by academic work led by two NDG panel members, Dr Mark Taylor and Professor James Wilson. This resulted in the publication of ‘Reasonable Expectations of Privacy and Disclosure of Health Data’. This article demonstrates that since the Human Rights Act 1998 came into force, courts have developed the significance of the concept of a ‘reasonable expectation of privacy’ within the law of confidence. It argues that one result of this is to provide an alternative route for the lawful disclosure of confidential patient information, where there is no reasonable expectation of privacy.
The NDG believes that several benefits would result from the introduction of a new principle clarifying that patient and service user expectations must be considered and informed when confidential information is used. The principle would:
- Be consistent with the direction that the courts have taken in making an individual’s reasonable expectations of privacy the touchstone of the duty of confidentiality
- Add an explicit reference to the NDG’s long-standing view that there should be ‘no surprises’ for the public as to how their confidential information is used
- Align with the General Data Protection Regulation’s (GDPR) emphasis on transparency and data subject rights
- Align with professional guidance such as the ‘General Medical Council’s Confidentiality: good practice in handling patient information’
- Reflect the welcome move away from a paternalistic ‘doctor knows best’ approach to care and towards a partnership approach between health and care professionals and those in their care.
The NDG’s power to issue statutory guidance comes from the Health and Social Care (National Data Guardian) Act 2018. The Act establishes a National Data Guardian for Health and Social Care, to promote the provision of advice and guidance about the processing of health and adult social care data in England. It outlines that the NDG may publish guidance and that organisations in scope must have regard to such guidance.
The range of organisations within the scope of this guidance are public bodies within the health and adult social care sector (and organisations which contract with such public bodies to deliver health or adult social care services) in England, where relevant to their functions. It is proposed that the guidance would apply to the full range of organisations which could be in the scope of the NDG powers to issue guidance.
The Consultation background document confirms that the proposals are not a response to the COVID-19 pandemic or the data sharing arrangements that it has prompted. It states that it is clear however that there will need to be careful consideration after the pandemic’s emergency response is over of which temporary data sharing arrangements should end; what is appropriate during a public health crisis to meet the overriding need to protect the public may not be appropriate when the danger recedes. Equally, some of the changes that have been introduced at speed to improve data sharing may be beneficial and should be maintained. The hope is that by conducting the consultation now the NDG can develop a new set of Caldicott Principles and guidance in time to inform decisions and discussions about data sharing after the pandemic is resolved.
The importance of data sharing has come squarely into the spotlight as the consultation progresses and with press reports suggesting that failures in the sharing of crucial testing data will lead to local outbreaks of Covid-19 growing undetected. This will no doubt inform opinions and concerns as we continue to deal with the pandemic.
The consultation runs until 3 September 2020.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.