The Caldicott Review of Data Security, Consent, and Opt-Outs was published a few weeks ago. Commissioned by the Secretary of State after Tim Kelsey lied to the Care.Data Advisory Group, it was tasked with solving the outstanding problems of care.data.
In this series of blog posts, we’ll look at the outcomes, and other related issues. The Caldicott Review was a look at a large set of concerns, without enough time for consideration of implementation. The Review was finished before it emerged that Google DeepMind wasn’t entirely accurate about what it was doing.
Page 40 of the Review offers an example: “Restricted setting – information about me can only be used by the people directly providing my care”. It seems like a watertight opt out of all other uses, but it is potentially undermined by other parts. What will turn out to be accurate?
After all, if the nuances of the review have to be relied upon, that means all the political promises and systematic improvements have failed. The system should be so good that no patient has unaddressed concerns; the opt out is there but, personal circumstances aside, you shouldn’t need to use it. Will the implementation of the Review fall short?
All data flows in the NHS should be consensual, safe, and transparent. Let’s see how this measures up…
Professional continuing education
The long term solution to all these issues has to be education. This is fundamentally a human problem.
Professionals understand what a duty of confidence is, they understand Direct Care, and they are trusted by patients in ways few others are. That may be undermined.
The seventh Caldicott principle is “The duty to share information can be as important as the duty to protect patient confidentiality” – and knowing the difference requires knowing what the words involved mean. There are many examples of past failures on this topic.
Education of non-Professionals
Everyone in the NHS is committed to improving the health of the nation; not everyone does direct care.
Direct care can be described as an Identified Patient receiving Individual Care from an Identified Clinical Professional. Many other people are necessary to support Direct Care by providing tools, but they do not provide it themselves.
Providing a working computer system, or electricity, or cleaning services is a necessary task, it is improving the health of the nation, but it is not providing direct care. To summarise our presentation on the topic – not everyone gets to be an astronaut.
Other clinical professionals in an organisation, while they are doctors, are not your doctor. Someone can be a father and doing childcare, but that’s not the same as being your child’s father. That they provide care to some does not necessarily mean they provide care to you. The only reason others argue that there is a “gray area” here is to justify the ignorance behind decisions already made.
Opt-Out coverage should be NHS wide
Because HSCIC were not involved in giving 5+ years of hospital data to DeepMind, the opt out didn’t apply – and couldn’t apply because the hospital didn’t know who had opted out. The review recommends that, just as when you walk into any part of the NHS, they can find out who you are; every part of the NHS should know and respect your objection to data about you being used beyond your direct care.
This is important, and means other problems can be solved.
We welcome that clinicians, doctors, should be partially responsible for explaining how data is used to patients. However, that requires doctors to be told how the bureaucracy uses data, and to have control over it.
The situation where Doctors are responsible for explaining the decisions of the Secretary of State is unlikely to turn out well for patients, for Doctors, or the Secretary of State. What Doctors tell patients has to be true, and those promises have to be kept into the future, otherwise patient trust will suffer.
It is the majority of the work, and so the majority of the review looked at data security, working with other bodies to ensure that standards are followed. Patients, rightly, just assume that this happens, in the same way no patient should need to check that the surgeon is using a sterile scalpel.
The review found that there was good practice but not everywhere. It’s the CQC’s job to assess and improve. The CQC have broad powers to assess GPs, and also look at medical records in the practices they are inspecting. A high standard of safe data practices is necessary, it is important, but inspectors should not be able to rummage through medical records without those patients knowing it happened and why. Transparency protects all sides.
Handling of Patient data, and Information Governance as the NHS terms it, must improve, and the Review is a necessary step in that process.
It is highly welcome that the review has patient agency as a key theme throughout. But what of the accountability back to those patients: will those benefits be seen to be done, or is it all in secret?