Caldicott Review – The Bad…

In part 2 of this short series, we look at the “Bad” parts of the Caldicott Review of Data Security, Consent, and Opt-Outs. (link to part 1)

A good part was the suggestion of a continuing conversation with professionals and the public. What will inform that continuing conversation?


Silence on transparency to patients

While the Review suggests a range of improvements, there is no recommendation that patients should be told what happens to data about them – i.e. whether their wishes have been honoured or ignored.

Nothing in the Review requires transparency, and nothing prevents it; but equally nothing changes the status quo of secrecy. We will see in the next part of this series how the bureaucracy wishes to continue to do things to your data without your knowledge. All future scandals, concerns, and catastrophes will flow from this decision, and it will also limit innovation and harm research for every patient who does wish their data to be used in new ways.

As part of the “paperless 2020” agenda, the Secretary of State has told the National Information Board to look at telling patients how data about them is used. But this Review has committed to nothing, beyond a recognition that there should be a “continuing conversation”. A conversation requires parties that are willing to listen and change based on what they have heard…

Hospital Episode “statistics” – Privacy Impact Assessment

Also currently out for consultation is a Privacy Impact Assessment on the Hospital Episode Statistics. The hospital episode statistics are patient-level, unprotected, individual records covering hospitals in England over 25+ years. They are not statistics in the Office for National Statistics sense – it is the raw data on your treatments, linked over time.

The assessment was written in 2014, when public disquiet at how their hospital records were being used led 1.2 million people to opt out; the document has finally been published for consultation. What is most disappointing is how little has changed. Companies are still getting data for commercial re-use, and copies are still being sent outside of HSCIC’s control to be lost, stolen, or abused. According to HSCIC, it’s “anonymous”…

Whether those data are anonymous is covered by the UK Anonymisation Network, which says quite clearly on page 16:

“Anonymisation – refers to a process of ensuring that the risk of somebody being identified in the data is negligible. This invariably involves doing more than simply de-identifying the data, and often requires that data be further altered or masked in some way in order to prevent statistical linkage.

We can highlight further the difference between anonymisation and de-identification (including pseudonymisation) by considering how re-identification might occur:


  1. Directly from those data.
  2. Indirectly from those data and other information which is in the possession, or is likely to come into the possession, of someone who has access to the data.


The process of de-identification addresses no more than the first, i.e. the risk of identification arising directly from data. The process of anonymisation, on the other hand, should address both 1 and 2. Thus the purpose of anonymisation is to make re-identification difficult both directly and indirectly. In de-identification – because one is only removing direct identifiers – the process is unlikely to affect the risk of indirect re-identification from data in combination with other data.”

As such, claims in the Caldicott Review that the ongoing release of HES data is compliant with the ICO’s Anonymisation Code are deeply flawed. We have complained to the Information Commissioner, as, according to the PIA, this is the risk to patients of re-identification: “This may happen in future” (risk 7).
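
The gap between de-identification and anonymisation described in the quoted passage can be measured on a data set. The following Python sketch is an added example, not part of the original post and not HSCIC or UKAN tooling; the records, field names and coarsening rules are constructed assumptions. It counts how many records remain unique on their indirect identifiers once direct identifiers are replaced by a pseudonym, after those fields are coarsened, and again once each pseudonym's episodes are linked over time.

```python
from collections import Counter

# Constructed sample: direct identifiers (name, NHS number) already replaced
# by a pseudonym, as in a de-identified extract. All values are made up.
EPISODES = [
    {"pid": "a1", "birth_year": 1948, "sex": "F", "district": "LS6",  "admitted": "2013-02"},
    {"pid": "a1", "birth_year": 1948, "sex": "F", "district": "LS6",  "admitted": "2013-09"},
    {"pid": "b2", "birth_year": 1948, "sex": "F", "district": "LS6",  "admitted": "2013-02"},
    {"pid": "c3", "birth_year": 1943, "sex": "F", "district": "LS17", "admitted": "2013-02"},
    {"pid": "d4", "birth_year": 1985, "sex": "M", "district": "LS6",  "admitted": "2013-05"},
    {"pid": "e5", "birth_year": 1981, "sex": "M", "district": "LS17", "admitted": "2013-05"},
]
INDIRECT = ("birth_year", "sex", "district", "admitted")  # hypothetical field set

def unique_fraction(rows, keys=INDIRECT):
    """Share of rows whose combination of indirect identifiers occurs only once."""
    sizes = Counter(tuple(r[k] for k in keys) for r in rows)
    return sum(1 for r in rows if sizes[tuple(r[k] for k in keys)] == 1) / len(rows)

def generalise(row):
    """Coarsen indirect identifiers: decade of birth, postcode area, year only."""
    return {**row,
            "birth_year": row["birth_year"] // 10 * 10,
            "district": row["district"].rstrip("0123456789"),
            "admitted": row["admitted"][:4]}

def linked_trails(rows):
    """One row per pseudonym: demographics plus the full admission history."""
    trails = {}
    for r in rows:
        trails.setdefault(r["pid"], {**r, "admitted": []})["admitted"].append(r["admitted"])
    return [{**t, "admitted": tuple(sorted(t["admitted"]))} for t in trails.values()]

if __name__ == "__main__":
    coarse = [generalise(r) for r in EPISODES]
    print("de-identified only:   ", unique_fraction(EPISODES))
    print("coarsened:            ", unique_fraction(coarse))
    print("linked, de-identified:", unique_fraction(linked_trails(EPISODES)))
    print("linked, coarsened:    ", unique_fraction(linked_trails(coarse)))
```

On this sample, coarsening removes every unique episode, but linking the coarsened episodes by pseudonym makes one patient's history unique again.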

A Two box model – “NHS” vs “non-NHS”

This choice is fundamentally confusing.

This suggestion allows aggressively commercial entities to acquire a fig-leaf NHS contract and reuse data for any purpose they wish, while legitimate and public-spirited academics and not-for-profit researchers are stuck in the “non-NHS” box. For those worried about the privatisation of the NHS, this proposal should be of deep concern.

In a review with such limited time, it was never going to be possible to fully design a new consent model. However, due to the obstinacy of existing data projects who have no desire to improve their ways, and no political leadership to enforce such improvement, those who got to lobby at the table made sure their interests were protected; patients, not so much. This intentionally murky choice is the result – it is right that this was put to public consultation to demonstrate the problems with the approach of existing commercial data use.

It is right that the patients who choose to opt in to particular studies do not have their preferences overridden; yet the review doesn’t do the same for those who chose to opt out.

It gets worse in part 3