
Caldicott advocates new NHS data security standards


Simplified opt-outs and ‘safe haven’ in NHS Digital also feature in measures deriving from new review of confidential healthcare

The Government has launched a consultation on proposals for new standards on data security and measures to strengthen patient consent for the sharing of data in England’s NHS.

Dame Fiona Caldicott, the national data guardian for the health service, outlined the plans at the King’s Fund Digital Health and Care Congress as the prime measures to emerge from her Review of Data Security, Consent and Opt-Outs, which was published yesterday.

She said the measures would promote trust in the NHS’s ability to handle patients’ personal data appropriately, while encouraging organisations to meet public expectations of when it will be shared to support care.

“New technology and big data offer potential for improvements to care which can benefit all of us,” Caldicott said. “And these advances have implications for how data must be safeguarded and used.

“But the dialogue with the public and its understanding have not grown at the same speed as the capacity of technology.

“We have an almost paradoxical situation where on the one hand people expect that the system shares their data when it doesn’t, like when they attend a hospital appointment, while on the other, many are not aware of some of the routine uses of health and care data for purposes beyond care.”

Three themes

The review has come up with 10 standards for data security clustered around three themes: ensuring staff are equipped to handle information respectfully and safely, in line with the Caldicott Principles from 1997; proactively preventing data security breaches and responding appropriately to incidents and near misses; and ensuring technology is secure and up to date.

Individual standards include: annual data security training for staff; ensuring confidential data is only accessible to those who need it for their current role; annual reviews of processes; and the need for continuity plans to respond to threats to data security.

Responses to any cyber attacks should be in line with the Health and Social Care Information Centre (HSCIC) CareCERT guidance, and a strategy to protect IT systems should be in place, based on a framework such as Cyber Essentials. In addition, no unsupported operating systems, software or internet browsers should be in use, and IT suppliers should be held accountable through their contracts for protecting any personal data they process.

Caldicott added that the HSCIC’s information governance toolkit will be redesigned to embed the standards, and that the secretary of state for health has asked the Care Quality Commission to carry out a review of data security in the NHS.

Scrutiny issue

“It is important that there is internal and external scrutiny of how well organisations are meeting these standards,” she said. “But we have also been at pains to ensure that compliance is assured in a way that is not burdensome and is appropriate to the different types of organisation.”

She said the new model for patients to opt out of their data being shared revolves around eight points, designed to make it simpler for patients and clinicians, and to give researchers scope for using information.

It tells people that they are protected by law, that they have the right to opt out of their data being used for purposes beyond their direct care, that the opt-out will be respected by all health and social care organisations, and that explicit consent can be given for data to be used in specific studies. But the opt-out will not apply to anonymised information, or where there is a mandatory legal requirement or an overriding public interest.

Caldicott said that HSCIC – soon to be renamed NHS Digital – should be a statutory ‘safe haven’ for confidential data to be used by the NHS. The organisation would be responsible for anonymising and sharing information among others that are authorised to use it.

“The review took the view that this will be an effective way of incentivising the use of anonymised data, minimising the unnecessary use of personal confidential information,” she said. “Under this model, NHS managers and researchers will have less need to use people’s personal confidential information and less justification for doing so.”

Her other recommendations were that the Government should consider introducing criminal sanctions for any deliberate or negligent re-identification of individuals, and that there should be a new tool allowing people to see when and by whom their information has been accessed.

The Government has responded with the launch of a consultation on the main proposals. Minister for Life Sciences George Freeman told Parliament: “It is vital that a full consultation and dialogue with the public and professionals takes place before any implementation of the recommendations can take place.”

He also announced that NHS Digital will launch an initiative later in the year to support organisations in removing outdated IT systems to strengthen data security. Work has already begun with suppliers, with the minister saying Microsoft is among those involved.

Freeman highlighted the findings of another review, by the Care Quality Commission, into data security in the NHS.

Training problems

It found that, despite a widespread commitment to keeping data safe, there are problems, and that the quality of staff training varies widely. Day-to-day practices do not necessarily reflect policies and procedures, and benchmarking with other organisations is rare.

The review also found that data security systems and protocols are not always designed around the needs of frontline staff, which leads to them developing workarounds, and there is a need for improvements as integrated patient care develops.
