Data Security and Caldicott Guardianship

Protection of confidentiality of patient information and enabling safe and appropriate information sharing has long been one of the principles of good medical practice laid down by the General Medical Council (GMC).^[1]The Caldicott Report in 1997 reviewed use of patient-identifiable information and, subsequently, Caldicott Guardians were appointed to safeguard information sharing. However, keeping NHS patient data secure has become ever more complex with evolution of electronic records and with the recent advent of contractual data sharing. In England, the Summary Care Record and Care.data programmes, along with the Patient Online programme, have made the understanding of data security issues increasingly important and increasingly complex for GPs. Despite the now mandatory nature of these data sharing programmes, the accountability for security and confidentiality remains inevitably with the GP, making it vital to understand the risks and responsibilities and to develop robust practice protocols to protect both patient and practice.

The Caldicott Report and Caldicott Guardians

The 1997 report of the Review of Patient-identifiable Information, chaired by Dame Fiona Caldicott (the Caldicott Report), made a number of recommendations for regulating the use and transfer of patient-identifiable information between NHS organisations in England and to non-NHS bodies.^{[2, 3]}It set out six principles to consider when any patient-identifiable data are accessed or passed on.

• Justify the purpose(s) for using confidential information.
• Only use it when absolutely necessary.
• Use the minimum that is required.
• Access should be on a strict need-to-know basis.
• Everyone must understand his or her responsibilities.
• Understand and comply with the law.

Larger NHS organisations (and non-NHS organisations using the data) need to nominate an appropriate Caldicott Guardian to act as the 'conscience' of the organisation, who then helps to enable appropriate information sharing whilst ensuring the application of the principles above, and advises on options for lawful and ethical processing of information as required.

Individual general medical and dental practices, pharmacists and opticians do not need to appoint a Caldicott Guardian but do need to have an Information Governance lead who should be a lead clinician or high-level manager, with the knowledge and authority to provide the same role.^[4]

In 2014, Dame Fiona Caldicott became the first National Data Guardian for Health and Social Care. She provides guidance and challenge to the government on data issues such as patient confidentiality, information sharing and avoiding abuse of public trust in how health and care data are used.^[5]

The Data Protection Act

The Data Protection Act of 1998 further legalises the responsibility of healthcare professionals to keep data secure and private, and ensure it is only used for the purpose of providing good healthcare. It also gives individuals the right to view information an organisation holds about them, so for a fee people can view their medical records from the date of the Act.

In GP surgeries, the responsibility for making decisions about disclosure ultimately rests with the GP.^[6]Data Protection officers may be available to advise on subject access requests by members of the public, and guidance on dealing with such requests is available on the Department of Health website.

Contractual data sharing

Sharing information between professionals in the interests of providing care to the patient has long since been a duty of doctors. Sharing of information in circumstances such as child safeguarding also comes with its own set of guidance from the GMC, as does disclosure of information in the interests of public safety.^[7]In England, newer wholesale sharing comes in the form of the following programmes:

• Summary Care Record (SCR)
• Care.data^[9]
• Patient Online^[10]

The central principle of disclosure with the person's consent remains, however, and patients are able to opt out of these schemes. They must, however, be fully informed to do so; another responsibility which rests with their GP.

The SCR contains essential medical information (allergies, prescribed medication, NHS number) and is for use between healthcare settings. It allows, for example, out of hours providers to have access to this information in order to provide safer care.

Care.data is a data sharing programme which was to be rolled out in 2014 but was deferred following a public outcry and is currently in a trial phase. GP surgeries are to be required by law to allow transfer of information to the Health and Social Care Information Centre (HSCIC), from where it may be used in a number of ways, for a number of different goals. This includes healthcare planning, charity work and commercial gain.

Patient Online, giving patients access to their healthcare records online, became mandatory for NHS GPs in England in 2016 under the terms of GP contracts.

In Scotland, Wales and Northern Ireland, GP practices have the option to opt out of data sharing.^[11]Information is anonymised differently and different laws apply to the need for patient consent.

Patient Online^{[10, 12]}

From April 2016, NHS practices in England are required to promote and offer their registered patients online access to all coded data in their GP records under the terms of General Medical Services (GMS) and Personal Medical Services (PMS) contracts.

The information which must be available to patients includes:

• Demographic data Investigation results including numerical values and normal ranges.
• Problems/diagnoses.
• Procedure codes (medical and surgical) and codes in consultations (symptoms and signs).
• Biological values (eg, BP and PEFR).
• Immunisations.
• Medication.
• Allergies and adverse reactions.
• Codes showing referrals made or letters received.
• Other codes (ethnicity, Quality and Outcomes Framework (QOF)).

It is not necessary to include the free text of consultation, letter attachments and administrative items.

Practices have a responsibility to:

• Ensure the quality of the data.
• Ensure records contain no third party information (ie information about other patients).
• Ensure records contain no harmful data or sensitive information. (This includes checking each individual record before releasing for online access but also having systems in place to ensure that going forward unexpected results or "bad news" diagnoses are not accessible to the patient before these have been explained or discussed.)
• Verify the ID of each person requesting access to their online record. This must be by documentation where at least one identification document contains a photo, or by vouching by practice staff or through interview confirming information held in the applicant's records.
• Verify the ID of any proxy appointed by the patient to view their record on line, and ensure there is no coercion involved. (Patients have the right to request that certain parts of their record cannot be seen by their proxy.)
• Ensure each person understands the potential implications of having online access to book appointments, request repeat prescriptions or view their record. This includes the patient's responsibility to maintain the safety and security of the information in their record. (There are a number of patient information leaflets available on both NHS England and the Royal College of General Practitioners (RCGP) websites.)

This involves an enormous amount of administrative work; checking records individually, verifying ID, setting up practice protocols, etc. Protocols are needed for the process of checking records and establishing ID and also for dealing with situations where patients see something in their records they do not understand, disagree with or think is incorrect. NHS England and the RCGP have resources available to help practices through this process and to ensure information governance remains at a high standard. It is not necessary to be a member of the RCGP to access these resources.