How much patient data do commissioners really need? HSJ reports on a raging debate, in association with Capsticks

According to Dame Fiona Caldicott, every citizen should feel confident that information about their health is securely safeguarded and shared appropriately when it is in their best interest.

In the introduction to the 2013 Information Governance Review (often dubbed “Caldicott2”, recognising her original 1997 review of the topic), she says that “everyone working in the health and social care system should see information governance as part of their responsibility”.

The new review was intended to ensure, primarily, that there is an “appropriate balance” between the protection of patient information, and the use and sharing of such information to improve care.

Thus a seventh Caldicott principle was born, stating that: “The duty to share information can be as important as the duty to protect patient confidentiality.”

According to Matthew Smith, a partner specialising in information law at legal firm Capsticks, the recent changes have, to an extent, turned some previously well held beliefs on their head.

“The legal framework hasn’t changed - information is still governed principally by the Data Protection Act,” he says. “But Caldicott2 has really shaken things up for the health sector.”

The new principle means, for example, that if someone’s health or life will be endangered without certain information, then the failure to disclose it may have bigger implications, whether legally or otherwise.

“It’s a shift in balance between the need to protect information and the benefits of disclosure,” explains Mr Smith. “Previously the default position was often ‘if in doubt, hold on to the information’ because it would mean you wouldn’t get into trouble. Caldicott2 spins that on its head, and you could get into trouble if you don’t share the information.”

Information access

But who should get access to information? Caldicott2 is, on the face of it, quite clear about that: if you’re a regulated professional involved in direct care of a patient then there is a presumption of implied consent and it is likely you will receive the information. If you’re involved in indirect care, however, the chances are you won’t without explicit consent, and there’s some debate over where the line should be.

This new information governance environment is particularly challenging for commissioners. For one thing, clinical commissioning groups (CCGs) do not receive the same level of personal confidential data as primary care trusts (PCTs) did.

Although CCGs can apply for accredited safe haven (ASH) status, which means they can receive weakly pseudonymised data, there are some who say this isn’t enough.

“They are asking themselves if they can do what they are obliged to do without the same level of patient information,” says Mr Smith.

“There’s actually polarisation in the commissioning world, between those who think they can use pseudonymised data to meet all their obligations and those who say, equally vehemently, that it’s impossible.”

At the moment it’s difficult to say with certainty which of these two opposing views will hold sway, but the greater the number of CCGs applying for ASH status, the less likely it is that the naysayers will have their way and gain access instead to the patient information previously available to PCTs.

At the time of writing, some 57 organisations have registered their intention to become ASHs, according to the Health and Social Care Information Centre (HSCIC), and around 45 have been approved, 21 of them CCGs.

An HSCIC spokeswoman says that the information governance toolkit delivery team provides assistance with the application, and registered applicants are then asked to complete the IG toolkit, which comprises 28 governance requirements.

“On registration, CCGs are provided with advice and guidance in completing the assessment. On completion the CCG publishes the assessment and each published assessment is reviewed,” she adds.

Each CCG is notified of the review findings regardless of whether their assessment is approved. CCGs that are not approved are provided with additional guidance and actions that they need to complete before resubmitting the assessment. Resubmitted assessments are reviewed again by the HSCIC.

NHS England, the secretary of state and the HSCIC have shown they are alive to the challenges, and have reacted to mitigate some concerns. “For example, there were difficulties with invoice validation,” explains Mr Smith. “That’s really important for commissioners because they have to make sure that the right people are being paid at the right time for providing the right services.”

Controlled environments for finance

The decision to allow ASHs to set up “controlled environments for finance” (CEfF) is a “short term fix” allowing commissioners to use personal confidential data for this purpose. Again, there are people who think this is the solution and those who don’t.

“It’s a raging debate and we don’t yet know the truth of it,” says Mr Smith. “But it’s something that people have to think about. The section 251 approval for invoice validation only runs until October of this year, so we don’t yet know what will happen after that.”

Commissioners are looking for guidance on how to manage their new responsibilities under Caldicott2, he says, and, as is so often the case, it’s about changing habits and culture. “People are realising that they can’t adopt a defensive position in every situation; they’re looking for guidance on how to navigate the landscape.”

And there are other questions too. “Do people see the NHS as one big organisation, or as a number of small organisations working together? Where are the limits?” asks Mr Smith. “Do we need to be thinking of a wider care service rather than a health service?”

As well as addressing public perceptions of the health service, there is a job of work to be done to communicate the benefits and risks of sharing patient data more widely.

As last month’s decision to postpone the care.data project shows, there’s a long way to go before concerns about sharing of data are alleviated. “The care.data issue flagged up the need for a debate,” says Mr Smith. “But it needs to be quite a sophisticated debate, otherwise the default position for the public will be ‘you can’t have my data’.”

Mr Smith says the HSCIC is working constructively with NHS bodies to help them through. “They’re being helpful and proactive - they’re not waiting until someone does something wrong and then punishing them. Ultimately it’s all about using information to improve care, and that’s really everyone’s goal here.”

Matthew Smith: On Caldicott2

We are in the midst of a healthcare information revolution. While the law governing the use of patient data - principally the Data Protection Act 1998 and the common law duty of confidentiality - remains fundamentally the same, changes in the structure of the NHS, new guidance, the volume of information being recorded, and the ways in which people wish to use it, mean that the landscape has altered radically in the past year.

“Caldicott2” in particular recast thinking on when it is necessary to use patient identifiable data. The binary direct care/indirect care distinction has undoubtedly thrown up issues for commissioners, but it is possible to view this model through the prism of “need to know” - a concept familiar from the act, and the third data protection principle. Where commissioning can be done effectively without patient identifiable data, why should commissioners have access to it?

The acid test is likely to come with the development of the much vaunted, little understood, integrated care agenda. True integration will require real innovation, in new models of care but also in the use of data. It remains to be seen whether Caldicott2 got it right in drawing the line between direct and indirect care, and whether that analysis is sophisticated enough to measure the success of the integrated arrangements we expect, and need, to see emerging.

In developing those new arrangements, and building trust in existing ones, health - and social - care organisations must treat patients and service users fairly (and so comply with the first and second data protection principles).

They need to understand their data flows, the purposes for which information will be used, and the nature of the processes, safeguards and assurances they have in place to meet their legal obligations. Crucially, though, they must also explain - and explain clearly - the benefits of any proposed data use if they are to secure the necessary “customer” buy in. This needs to be planned carefully before any processing begins but should also be regularly reviewed.

The Information Commissioner’s Office’s new privacy impact assessment code of practice is helpful in this regard. The recent confusion over care.data - and outrage over hospital statistics being “sold” to an actuarial society - shows the heavy price to be paid for getting it wrong.

Exciting times, then, and Capsticks stands ready to help its clients meet the challenges which lie ahead.

Matthew Smith is a partner at Capsticks