
National Data Guardian for Health and Care

Review of Data Security, Consent and Opt-Outs

Contents

Foreword by Dame Fiona Caldicott 2


1. Overview 3
2. Data security standards for health and social care 11
2.1.  Summary of evidence and analysis 11
2.2.  Existing standards 13
2.3.  New data security standards 14
2.4.  People: Ensuring staff are equipped to handle information respectfully and safely, according to the Caldicott Principles 15
2.5.  Processes: Proactively preventing data security breaches 17
2.6.  Technology: Secure and up-to-date technology 18
2.7.  Embedding the standards 20
3. Consent/opt-out of information sharing in health and social care 23
3.1.  Summary of evidence and analysis 23
3.2.  Developing an opt-out model 24
3.3.  Implementing the new opt-out model 36
3.4.  National Data Guardian’s proposed consent/opt-out model 38
4. Next steps and implementation 42
4.1.  Public consultation 42
4.2. Implementation 42
4.3. Conclusion 44
Annex A. National Data Guardian’s Review Terms of Reference 45
Annex B. Members of the National Data Guardian’s Panel 46
Annex C. Organisations consulted during the Review 47
Annex D. The seven Caldicott Principles 49
Annex E. Analysis of existing standards 50
Annex F. Evidence and analysis 54
Annex G. Summary of terms used in the report 56

National Data Guardian for Health and Care  |  Review of Data Security, Consent and Opt-Outs

Foreword by Dame Fiona Caldicott

Everyone who uses health and care services should be able to trust that their personal confidential data is protected. People should be assured that those involved in their care, and in running and improving services, are using such information appropriately and only when absolutely necessary. Unfortunately trust in the use of personal confidential data has been eroded and steps need to be taken to demonstrate trustworthiness and ensure that the public can have confidence in the system.

At the beginning of September 2015, the Secretary of State for Health asked me, as the National Data Guardian, to work alongside the Care Quality Commission (CQC), and carry out an intensive Review to recommend: new data security standards, a method for testing compliance against these standards, and a new consent or opt-out model for data sharing in relation to patient confidential data.

This Review follows two previous reviews. In 1996-7, I chaired a Review on the use of patient identifiable data where we recommended six principles for the protection of people’s confidentiality, which became known as the ‘Caldicott principles’. In 2013, I led the Information Governance Review and we recommended an additional ‘Caldicott principle’ setting out that the duty to share information can be as important as the duty to protect patient confidentiality.

I agreed to undertake this third Review for two reasons. Firstly, there has been little positive change in the use of data across health and social care since the 2013 Review and this has been frustrating to see. Secondly, because I believe we have a very significant opportunity now to improve the use of data in people’s interests, and ensure transparency for the public about when their data will be used and when they can opt out of such usage.

I have worked alongside CQC, which was asked to review the current approaches to data security in NHS organisations that provide services. Its work has been invaluable in developing an evidence base for the new data security standards which are set out in this report. The data security standards are intended to be applied across all health and social care organisations. Further work will be needed to establish the validity of the new data security standards for organisations providing social care, as this was not included in the CQC review.

Data security is also integral to the second part of this Review: designing a model for information-sharing. The trust needed for effective information-sharing cannot be ensured without secure systems and easily understood explanations of how information and privacy are protected. I have proposed a new consent/opt-out model that describes clearly when information is used, and when patients have a choice to opt out of their personal confidential data being used. The model does not supersede any of the existing Caldicott principles. Patients and service users should not be surprised that an appropriate professional has access to information about them when they seek care, and should be confident that only the minimum amount of information needed to provide that is shared.

I submitted this Review to the Government in March 2016. Since then I have taken the opportunity to update some references, but have not made any changes of substance.

It was a short Review and significant work will need to be undertaken to implement the recommendations, which should include a full and comprehensive public consultation. A key aspect of this work must be a dialogue with the public. We owe it to citizens to enable them to understand data usage as fully as they wish, and ensure that information about how data is accessed, by whom, and for what purposes, is available. This work is part of a wider dialogue that should be conducted on data use across different sectors. Health and social care data, although unique, cannot be isolated from that discussion.

Dame Fiona Caldicott, MA FRCP FRCPsych
National Data Guardian
June 2016

Overview

1. Overview

1.1 This is a report about trust. It addresses the question of what more can be done to build trust in how the NHS and social care services look after people’s confidential data and use it appropriately.

1.2 Health and social care services have always depended on trust. People must feel able to discuss sensitive matters with a doctor, nurse or social worker without fear that their information may be improperly disclosed. People also expect that this confidential information will be shared with other professionals in the care teams supporting them. Now, as health and social care become increasingly integrated, and as more data is held on computers (and computers are becoming more powerful), it is becoming ever more important that people understand when and how information is shared, how privacy is protected, and how sharing information benefits them and others.

1.3 This report focuses particularly on two aspects of people’s trust. Firstly, it looks at whether data security is good enough. Are there adequate systems in place to prevent people’s confidential information falling into the wrong hands? Can those systems be made strong enough to protect against known and potential dangers without being so restrictive that information cannot be shared appropriately among staff providing care? Secondly, the report looks at the basis upon which information is shared. Do people understand who will have legitimate access to their personal confidential data? When is the individual’s specific consent required? When can people consent to or opt out from information being used and when may this be overruled? Are the current arrangements protecting people’s confidentiality adequately upheld, and do they allow for appropriate information sharing to benefit patients, service users and the entire health and care system?

Origin of the Review

1.4 In a speech to the NHS Innovation Expo in Manchester on 2 September 2015, the Secretary of State for Health challenged the NHS to make better use of technology. His proposals included rapid progress in the arrangements for patients to access and add to their own electronic health records. Technology will also permit health and social care professionals across England to share life-saving information about individuals, whenever and wherever they need attention. The Secretary of State said: ‘Exciting though this all is, we will throw away these opportunities if the public do not believe they can trust us to look after their personal medical data securely. The NHS has not yet won the public’s trust in an area that is vital for the future of patient care’1.

1.5 To address this issue, he commissioned a Review of data security and consent and asked for the Review to report in January 2016. Firstly, he asked the Care Quality Commission (CQC) to review current approaches to data security across the NHS to prevent personal confidential data falling into the wrong hands. Secondly, he asked Dame Fiona Caldicott, the National Data Guardian (NDG), to develop data security standards that can be applied to the whole health and social care system and, with CQC, devise a method of testing compliance with the new standards. Thirdly, he asked Dame Fiona to propose a new consent/opt-out model for data sharing to enable people to make an informed decision about how their personal confidential data will be used2.

1.6 This report provides the results of the two pieces of work undertaken by the NDG. It provides details of the evidence found by the NDG’s Review, sets out new data security standards and recommendations for embedding those in organisations, and proposes a new opt-out for information sharing. The recommendations are being made to the Secretary of State for Health, and the NDG recommends that the Department of Health conducts a comprehensive formal consultation on the proposed standards and consent/opt-out model. The Review has been conducted within a tight schedule. Because of this, work will be needed to sufficiently prepare and explain the recommendations to the public and professionals before implementation. Even so, the Review team has been mindful of the importance of getting the

1. Secretary of State for Health Speech at NHS Innovation Expo, September 2015
2. Annex A National Data Guardian’s Review Terms of Reference


recommendations as right as possible in the time available.

Evidence and analysis

1.7 The Review conducted a series of evidence sessions and interviews with key organisations and stakeholders, including patient representative groups, GPs and other clinicians, commissioners and providers of health and social care services, researchers and the Information Commissioner’s Office (ICO). Written evidence was also accepted.

1.8 In relation to security, the Review met with the providers of IT systems to GP surgeries and social care, and data security experts. Alongside this, CQC commissioned 120 days of fieldwork in 60 GP practices, NHS Trusts, and dental surgeries, and in total interviewed over 200 NHS staff.

1.9 Specifically in relation to information sharing and consent, the Review carried out eight focus groups with members of the public across the country and an online survey of over 400 patients and service users. Recognising that the interests of patients and service users are at the heart of the Review, an analysis of existing evidence on public opinion was undertaken and compared to the findings from the eight public focus groups. The Review used the evidence to develop its recommendations and model. These were explored with patients, service users and health and social care professionals in Lancaster, Leeds, London and Hampshire. Workshops were also held with local Healthwatch representatives and with members of the public (including jointly with the Cabinet Office Policy Lab) to test and refine the model.

Data security

1.10 The evidence shows that people trust the NHS to protect information. However, there are cases where that trust has been eroded by data breaches, such as when emails containing sensitive information have been sent to the wrong address, data is shared without consent, or people experience their records being misplaced or lost.

1.11 Whilst there are examples of good practice and most organisations are concerned about data security, there are problems involving people, processes and technology. Data is not always adequately protected and individuals and organisations are not consistently held to account. Examples of poor practice include confidential papers being stored in unlockable cabinets, faxes being sent to the wrong number and the use of unencrypted laptops. As the health and social care system becomes increasingly paperless and digital, many of these issues will be addressed automatically.

1.12 Leadership is crucial. Where the Senior Information Risk Owner’s (SIRO) responsibility is only one part of someone’s job, and not prioritised, data security can suffer. As patient data becomes increasingly digital and computers become the sole means of obtaining critical information (such as that relating to allergies or blood types), the integrity and availability of data are increasingly linked to the quality and safety of care. People’s confidential data should be treated with the same respect as their care.

1.13 Personal confidential data is valuable to those with malicious intent, and health and social care systems will continue to be at risk of external threats and potential breaches. However, internally, data breaches are often caused by people who are finding workarounds to burdensome processes and outdated technology, and may have a lack of awareness of their responsibilities. A strong SIRO and an engaged board can make a significant difference, and where properly supported the appointment of Caldicott Guardians has had a positive impact. GPs and social care professionals want a simple explanation of what they should and should not be doing and reassurance that partner organisations are protecting personal confidential data. Better technology, and the move to a paper-free NHS, are seen as important in helping people to do the right thing. There is widespread appreciation of the need for digital systems, but concern that the move to digitally stored personal confidential data will increase the impact on organisations and individuals of any breaches.

Data security standards

1.14 Data security frameworks, assurance schemes and standards already exist. They include: the Information Governance Toolkit (IG Toolkit), the Cyber Essentials Scheme, the 10 Steps to Cyber Security, and the ISO/IEC27000 series. The IG Toolkit has often been seen as a tick-box exercise, while the Cyber Essentials scheme is not yet widely used in health and social care. Meanwhile, the ISO standards are generally regarded as too expensive and time-consuming to be applied broadly in this sector.

1.15 The NDG recommends new data security standards for every organisation handling health and social care information. These have been designed to


be simple for people to understand and follow. They should apply across the entire health and social care system and are intended to support rather than inhibit data sharing. These standards have also been designed to be fit for the future, where personal confidential data will be stored digitally rather than in filing cabinets, and health and social care will be integrated. The standards are designed to address the principal root cause of existing breaches to security of paper-based and digital data, and to protect systems against potential future breaches to digital data.

Embedding the data security standards

1.16 Properly trained and well-motivated staff are essential. The Information Governance Toolkit should be updated to support and underpin the new standards. Annual role-appropriate training should be mandatory for all who work in health and social care, with bespoke additional training for people in leadership roles, such as Caldicott Guardians, SIROs and board members. Trusts and Clinical Commissioning Groups (CCGs) should use appropriate tools to identify unused and dormant accounts, unsupported systems and software, poorly maintained access permissions or default passwords. To support risk assessment activities, organisational leaders should refer to central sources such as CareCERT, the Health and Social Care Information Centre (HSCIC)3 and the National Technical Authority for Information Assurance (CESG) for information about potential threats. Action should be taken immediately following a data breach or near miss, with a report to senior management within 12 hours. There must be a culture of learning from, and not blaming over, security breaches.

1.17 The new standards should be embedded in the health and social care system with organisations providing objective assurance about how they have complied with them. CQC should amend its inspection framework and inspection approach for providers of registered health and care services to include assurance that appropriate internal and external validation against the new data security standards have been carried out, and make sure that inspectors involved are appropriately trained. HSCIC should use the redesigned IG Toolkit to inform CQC of ‘at risk’ organisations, and CQC should use this information to prioritise action. Finally, there should be much tougher sanctions for malicious or intentional data security breaches.

Consent and opt-outs

1.18 When commissioning this Review, the Secretary of State said: ‘I would like you to develop a single question consent model which makes it absolutely clear to patients/users of care when health and care information about them will be used and in what circumstances they can opt out.’ The Review started this aspect of its work by considering what lay behind the Secretary of State’s request for greater clarity.

1.19 Data sharing is essential for high quality health and care services. It is integral to identifying poor care; it is clear that more effective data sharing could have enabled some of the recent failures to provide proper care to patients to be identified and tackled earlier. People provide the professionals who are caring for them with their personal confidential information, without which the care would not be effective or safe. There can be no doubt that such information, drawn from millions of people, can be extremely useful for other purposes, such as medical research, planning better services and ensuring that NHS and social care organisations invoice each other for the correct amounts when necessary. But when patients and service users provide their information to a care professional, they cannot be expected to know all the other uses to which it may be put. There are laws to prevent improper disclosure and procedures to ensure that permission for such ‘secondary use’ is limited, ethical and secure. However, the laws and procedures are difficult for the experts to understand, let alone the patients and service users. It is hard to argue that patients and service users have consented to uses of their personal confidential information that they cannot anticipate, according to procedures that they cannot understand. This issue is particularly troubling for individuals who have strong views about how their information may be used.

1.20 Patients and service users who are concerned about this problem are given reassurance in the NHS Constitution, which says: ‘You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.’ However, the NHS Constitution does not provide an absolute right to stop confidential information flowing and it does not apply to social care.

1.21 On 26 April 2013, the Secretary of State for Health gave a stronger form of reassurance. In a statement of policy, he said that any patient who did

3. On 20 April 2016, George Freeman, Minister for Life Sciences, announced that the Health and Social Care Information Centre would change its name to NHS Digital. The name change is to take effect from 1 August 2016. This decision chimes well with Recommendation 12 of this Report in paragraph 3.2.31. However, the Review makes frequent reference to work done by the HSCIC before the renaming. To avoid confusion, this report refers to HSCIC throughout.


not want personal data held in their GP record to be shared with the Health and Social Care Information Centre (HSCIC) would have their objection respected. On 12 September 2013, he added: ‘All they have to do in that case is speak to their GP and their information won’t leave the GP surgery’. This became known as a ‘Type 1’ objection. The Secretary of State was speaking at the launch of the HSCIC publication, ‘A guide to confidentiality in health and social care’ which gave patients further assurance. As well as objecting to confidential information about them being sent from a GP practice, patients would be able to tell their GP if they objected to any confidential information about them leaving the HSCIC in identifiable form. This applied to personal confidential data received by HSCIC from all sources, not just GPs. It became known as a ‘Type 2’ objection.

1.22 These new rights to object were communicated to patients in a leaflet from NHS England for every household in January 2014. The leaflet4 explained that the NHS would extract data from GP records and combine it with other data from hospital records. It described how this information would be used to improve patient care, and explained the choices available to patients. The care.data programme, which was due to start extraction in spring 2014, was paused on 18 February 2014 after criticism from the Royal College of General Practitioners, the British Medical Association, Healthwatch England and others. It is against the background of this complexity that the Secretary of State asked for the Review to develop a simple consent/opt-out model that people could more easily understand.

Public views

1.23 On data sharing and opt-outs, public views have not changed very much since the 2013 Information Governance Review5, known as Caldicott2. People accept that their information will be used to support their own care and find it frustrating when they have to repeat their information to different health and social care professionals. However, people hold mixed views about their information being used for purposes beyond direct care. Some are concerned primarily with privacy and are suspicious that information might be used by commercial companies for marketing or insurance. Others prioritise the sharing of information to improve health and social care, and for research into new treatments. There is broad support for data being used in running the health and social care system when the benefits of doing so are clearly explained, but people think that anonymised information should be used wherever possible. The Review also heard very strong views from providers, commissioners, researchers and public bodies that high quality person-level data is needed to run the health and social care system, and to support research.

1.24 It is clear that people do not fully understand what options they have in relation to the use of their information, and find the current system difficult to understand. Likewise many health and social care professionals lack confidence in what they are allowed to do with personal confidential data and what can be shared with whom. As health and social care services move towards greater integration and collaboration, this uncertainty is creating barriers to the improvement of services.

The new consent/opt-out model

1.25 The National Data Guardian recommends a new consent/opt-out model to give people a clear choice about how their personal confidential data is used for purposes beyond their direct care. This has been developed through close working with professionals, including the Royal College of General Practitioners (GPs), the British Medical Association, the Information Commissioner’s Office, the Local Government Association, research organisations and charities. Input was also provided on iterative versions of the model by GPs, social care professionals, as well as patients and service user groups in Lancaster, Leeds, West Hampshire and London.

1.26 Information is essential for high quality health and care, to support the provision of excellent care and for the running of the health and social care system. It is also essential to improve the safety of care, including through research, to protect public health, and support innovation. It can be beneficial to join health data with other types of information, to provide better services to people. However, the case for data sharing still needs to be made to the public. All health and social care, research and public organisations should share responsibility for making that case.

1.27 The Review considered the personal confidential data needed for commissioning, public health, research and monitoring services. Strong cases can be made for sharing information, e.g. in planning healthcare, and for medical research. The Review heard that personal confidential data is essential to some specific purposes. It also heard differing views

4. https://www.england.nhs.uk/wp-content/uploads/2014/01/cd-leaflet-01-14.pdf
5. “To Share Or Not To Share? The Information Governance Review” https://www.gov.uk/government/publications/the-information-governance-review


about whether people should be given an opt-out from these purposes. Because of the importance of earning public trust, the Review concluded that people should be able to opt out of their personal confidential data being used for purposes beyond their direct care unless there is a mandatory legal requirement or an overriding public interest.

1.28 The Review proposes that people should be able to opt out from personal confidential data being used beyond their own direct care.

1.29 The proposed consent/opt-out model would apply to purposes other than direct care. Data should only be used where there is a clear legal basis. An individual choosing to opt out would stop access to her or his data for those purposes. The Review considered whether people should have a single choice about whether to opt out, or whether their choice should be split into two parts. The two-part approach would allow an individual to opt out of her or his data being used for purposes connected with providing local services and running the NHS and social care system. In a separate decision, the individual would be able to opt out of her or his data being used to support research and improve treatment and care. Individuals should be able to give their consent for defined uses such as a specific research project, as they do now.

1.30 The Review recommends that the proposed consent/opt-out model should be put out to consultation. It is recommended that alongside the consultation there should be further testing to find out whether people would prefer to have more than one choice, and to develop the wording of the question.

1.31 The new model should be implemented by all organisations that use health and social care information. Ultimately, a patient should be able to state their preference once (online or in person), confident in the knowledge that this will be applied across the health and social care system. They should be able to change their minds if they wish, and this new preference should be honoured. This would mark a significant step forward in allowing patients to understand and shape the use of their health and social care information.

1.32 The new model will not change the current system with regard to sharing for direct care. Relevant information about a patient should continue to be shared between health professionals in support of their care. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care and should be asked for their explicit consent before access to their whole record is given. Similarly, health and social care integration has been driving local innovation in services which rely on (appropriate and legal) sharing of personal confidential data. Different parts of the country have already put arrangements in place to help people to understand how their data is being used to support care such as the Leeds Care Record, and the North West London Integrated Care Pioneer. In recognition of the value of these local innovations, the Review has sought to develop a solution that complements rather than conflicts with what is being achieved locally.

1.33 The new model will also not change the current system with regard to people’s ability to give specific explicit consent to participate in research projects. People have always been able to choose to participate in research studies, such as UK Biobank, in which 500,000 people have chosen to help researchers discover why some people develop particular diseases and other people do not.

1.34 The Review heard that de-identified6 data is of considerable benefit to commissioners, planners and researchers and that the public is broadly content for such information to be used for health and social care purposes. The Review strongly encourages organisations to continue exploring where de-identified and anonymised data that meets the Information Commissioner’s Office Anonymisation Code of Practice may be used rather than personal confidential data. The Review proposes that data should be passed to the HSCIC, as the statutory safe haven of the health and social care system, to de-identify or anonymise and share it with those that need to use it. The Review notes the Government’s decision to change the name of HSCIC to NHS Digital. This will provide that organisation with a good opportunity to use the NHS brand to make it clear to everyone that it is part of the NHS ‘family’.

1.35 The Review considered whether people choosing to opt out should have their data withheld from this de-identification process. However, NHS and social care organisations are more likely to use de-identified and anonymised data if they can be confident that it is of high quality and provides the complete dataset. For that reason the Review recommends that, in due course, the opt-out should not apply to all flows of information into the HSCIC. This requires careful consideration with the primary care community,

6. See Annex G. Summary of Terms


which largely holds its responsibility as data controller dear, and with the public. It would, however, enable commissioners, for example, to fulfil many duties currently subject to Confidentiality Advisory Group (CAG) recommendations, without requiring access to personal confidential data. For the time being the status quo should prevail.

1.36  The Review considers that the Secretary of State’s objective of creating a trustworthy system with the minimum use of people’s personal confidential data would be better achieved by allowing all data to flow into the HSCIC. This would allow the HSCIC to link and then de-identify personal confidential data to create comprehensive de-identified data sets. For example, the Review heard evidence that information identifying individuals is currently used to look at groups of patients to show patterns where certain treatments are effective. However, if commissioners were provided with high-quality linked and de-identified data for such indirect care purposes, this could enable them to move away from using personal confidential data for these tasks.

1.37  The Review would like to see the good practice advice in the ICO’s Anonymisation Code used as the minimum standard to safeguard all de-identified data which is to be used for health and social care purposes. The code explains the implications of anonymising personal data in accordance with the Data Protection Act (DPA)7. It contains, in full, the Information Commissioner’s recommendations about anonymising personal data and assessing the risks associated with producing, and particularly publishing, anonymised data. The Code provides advice on how to anonymise personal data so that individuals’ privacy is not compromised by an inappropriate disclosure of personal data through re-identification. The ICO has the powers to issue monetary penalty notices of up to £500,000 for serious breaches of the DPA.

1.38  The combination of recognised national guidance for anonymisation alongside severe penalties for serious breaches of the DPA enables the Review to propose that data that has been de-identified according to the ICO’s anonymisation code should not be subject to the opt-out. In addition, it is clear that there is considerable public support for use of anonymised data and that this will provide an impetus for organisations to move away from using personal confidential data. The Review recommends that the Government should consider introducing stronger sanctions to protect anonymised data. This should include criminal penalties for deliberate and negligent re-identification of individuals.

1.39  At the moment, there are a number of different opt-outs, including Type 1 and Type 2 opt-outs and other objections and opt-outs housed in national and local computer systems. The Review is not recommending any changes to the existing arrangements until there has been a full consultation on the proposed new consent/opt-out model. People have told the Review they want a simple explanation and choices that are clearer to understand. The Review is proposing a new model that has been designed to provide that simpler and less complex approach. The HSCIC, as the statutory safe haven of the health and social care system, can share data securely, and the public can have confidence in a simpler model. Once the consultation is complete, and the new model is in place, the existing arrangements should be replaced. As part of managing this transition, the Department of Health should make sure it considers how to manage the objections already registered by patients both locally and nationally.

1.40  This Review was not asked to look at care.data, although the pathfinder areas have been involved in shaping and testing the proposed consent/opt-out model, as have vanguards and health and social care integration pioneers. The consent and opt-out models proposed by the Review go further than the approach that was planned for the pathfinder areas, and should replace the approach that had been developed for those areas. In the light of the Review, the Government should consider the future of the care.data programme.

Next steps

1.41  This has been a short Review, which has made significant efforts to take account of relevant evidence and involve as many people and organisations as possible. It has not been possible to address every issue in detail. For that reason the Review recommends that the Department of Health conducts a formal, full and comprehensive public consultation on the draft standards and the proposed consent/opt-out model, with testing alongside consultation of whether there should be one or two questions, and that specific work is done to look at the application of the data security standards in social care. There should be ongoing work under the National Information Board’s leadership to look at the outcome of this consultation, how to continue to build public trust and how the consent/opt-out model can be implemented in a way which enables all those involved in health and social

7. ICO’s Anonymisation Code https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf

care to collectively support understanding of how information is shared, and the increasing benefit that it can bring to citizens. Professional bodies and patient representative groups should be further involved in testing and refining the potential opt-out.

1.42  Alongside this important engagement with patients and service users, it is also imperative that organisations whose work would be affected by the Review’s proposals have the chance to respond to the recommendations during the consultation and are supported to prepare for implementation. Such groups include GPs and other care providers, NHS and Local Authority commissioners, and researchers.

Recommendations

1.43  The 2013 Information Governance Review, known as Caldicott2, made a series of recommendations which still hold good today. These included the need for boards and leaders to actively ensure that their organisation is competent in information governance practice, the inclusion of information governance as a core part of training and continuous professional development, and recommended actions to ensure the effective regulation of organisations’ use of personal confidential data. The 2013 Review also recommended a list of actions to set out how redress for mistakes should be managed by every organisation in the health and social care system in England.

1.44  In January 2015, Dame Fiona Caldicott and her advisory panel published a report8 examining the first year of implementation of the 2013 recommendations. This report recommended that individuals must be able to opt out of data sharing arrangements and be confident that their wishes are being respected consistently across the system. With respect to data security and consent, the Review builds on these two reports and makes the following recommendations:

Data security

Recommendation 1: The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.

Recommendation 2: A redesigned IG Toolkit should embed the new standards, identify exemplar organisations to enable peer support and cascade lessons learned. Leaders should use the IG Toolkit to engage staff and build professional capability, with support from national workforce organisations and professional bodies.

Recommendation 3: Trusts and CCGs should use an appropriate tool to identify vulnerabilities such as dormant accounts, default passwords and multiple logins from the same account. These tools could also be used by the IT companies that provide IT systems to GPs and social care providers.

Recommendation 4: All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, Trusts and social care settings.

Recommendation 5: NHS England should change its standard financial contracts to require organisations to take account of the data security standards. Local government should also include this requirement in contracts with the independent and voluntary sectors. Where a provider does not meet the standards over a reasonable period of time, a contract should not be extended.

Recommendation 6: Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.

Recommendation 7: CQC should amend its inspection framework and inspection approach for providers of registered health and care services to include assurance that appropriate internal and external validation against the new data security standards has been carried out, and make sure that inspectors involved are appropriately trained. HSCIC should use the redesigned IG Toolkit to inform CQC of ‘at risk’ organisations, and CQC should use this information to prioritise action.

Recommendation 8: HSCIC should work with the primary care community to ensure that the redesigned IG Toolkit provides sufficient support to help them to work towards the standards. HSCIC should use the new toolkit to identify organisations for additional support, and to enable peer support. HSCIC should work with regulators to ensure that there is coherent oversight of data security across the health and care system.

Recommendation 9: Where malicious or intentional data security breaches occur, the Department of Health should put harsher sanctions in place and ensure the actions to redress breaches proposed in the 2013 Review are implemented effectively.

8. To share or not to share – The Independent Information Governance Oversight Panel’s report to the Secretary of State for Health
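Recommendation 3 asks for a tool that flags dormant accounts, default passwords and multiple logins from the same account. The script below is an added illustration of such a check and is not code from the Review or from any NHS system; the account export, the authentication log lines, the field names, the 90-day idle threshold and the default-password list are all constructed assumptions.

```python
"""Illustrative account-hygiene audit for the three conditions named in
Recommendation 3. All data below is constructed; it is not from the Review."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import re

# Assumed list of vendor/default passwords to screen for.
DEFAULT_PASSWORDS = ["Password1", "Welcome1", "changeme"]

# Constructed account export: (username, last successful login, stored hash).
# Plain SHA-256 of the password is used only so the sample is self-contained;
# a real audit would use the directory's own (salted) hash format or its
# built-in credential-health reporting.
ACCOUNTS = [
    ("nurse_a",     "2015-11-03", hashlib.sha256(b"k9!xT2#pLq").hexdigest()),
    ("ward_shared", "2015-11-05", hashlib.sha256(b"Password1").hexdigest()),
    ("locum_2014",  "2014-12-20", hashlib.sha256(b"Rm4$vv8zQ").hexdigest()),
    ("admin_old",   "2015-01-15", hashlib.sha256(b"changeme").hexdigest()),
]

# Constructed authentication log in an assumed "key=value" format.
AUTH_LOG = """\
2015-11-05T07:58:10 LOGIN user=ward_shared host=WS-01 result=ok
2015-11-05T08:02:44 LOGIN user=nurse_a host=WS-07 result=ok
2015-11-05T08:15:02 LOGIN user=ward_shared host=WS-09 result=ok
2015-11-05T08:30:21 LOGIN user=ward_shared host=WS-14 result=ok
2015-11-05T11:40:00 LOGOUT user=nurse_a host=WS-07
2015-11-05T12:01:13 LOGIN user=nurse_a host=WS-03 result=ok
2015-11-05T13:10:05 LOGIN user=admin_old host=WS-02 result=fail
"""

LOG_RE = re.compile(
    r"^(\S+) (LOGIN|LOGOUT) user=(\S+) host=(\S+)(?: result=(\S+))?$")


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Usernames whose last successful login is older than max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(user for user, last, _ in accounts
                  if datetime.strptime(last, "%Y-%m-%d") < cutoff)


def default_password_accounts(accounts, defaults=DEFAULT_PASSWORDS):
    """Usernames whose stored hash equals the hash of a known default."""
    default_hashes = {hashlib.sha256(p.encode()).hexdigest() for p in defaults}
    return sorted(user for user, _, stored in accounts
                  if stored in default_hashes)


def concurrent_logins(log_text):
    """Replay the log and report accounts that were logged in on more than
    one host at the same time (the shared, left-open session pattern)."""
    active = defaultdict(set)   # user -> hosts with an open session
    flagged = defaultdict(set)  # user -> every host seen while overlapping
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # ignore lines that do not fit the assumed format
        _, event, user, host, result = match.groups()
        if event == "LOGIN" and result == "ok":
            active[user].add(host)
            if len(active[user]) > 1:
                flagged[user] |= active[user]
        elif event == "LOGOUT":
            active[user].discard(host)
    return {user: sorted(hosts) for user, hosts in flagged.items()}


def audit(accounts=ACCOUNTS, log_text=AUTH_LOG, as_of=datetime(2015, 11, 6)):
    """Run all three checks; as_of is fixed so the sample is reproducible."""
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "default_password": default_password_accounts(accounts),
        "concurrent_logins": concurrent_logins(log_text),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(f"{finding}: {detail}")
```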

Consent/opt-out

Recommendation 10: The case for data sharing still needs to be made to the public, and all health, social care, research and public organisations should share responsibility for making that case.

Recommendation 11: There should be a new consent/opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care. This would apply unless there is a mandatory legal requirement or an overriding public interest.

Recommendation 12: HSCIC should take advantage of changing its name to NHS Digital to emphasise to the public that it is part of the NHS ‘family’, while continuing to serve the social care and health system as a whole.

Recommendation 13: The Government should consider introducing stronger sanctions to protect anonymised data. This should include criminal penalties for deliberate and negligent re-identification of individuals.

Recommendation 14: The forthcoming Information Governance Alliance’s guidance on disseminating health and social care data should explicitly refer to the potential legal, financial, and reputational consequences of organisations failing to have regard to the ICO’s Anonymisation Code of Practice by re-identifying individuals.

Recommendation 15: People should continue to be able to give their explicit consent, for example to be involved in research.

Recommendation 16: The Department of Health should look at clarifying the legal framework so that health and social care organisations can access the information they need to validate invoices, only using personal confidential data when that is essential.

Recommendation 17: The Health Research Authority should provide the public with an easily digestible explanation of the projects that use personal confidential data and have been approved following advice from the Confidentiality Advisory Group.

Recommendation 18: The Health and Social Care Information Centre (HSCIC) should develop a tool to help people understand how sharing their data has benefited other people. This tool should show when personal confidential data collected by HSCIC has been used and for what purposes.

Next steps

Recommendation 19: The Department of Health should conduct a full and comprehensive formal public consultation on the proposed standards and opt-out model. Alongside this consultation, the opt-out questions should be fully tested with the public and professionals.

Recommendation 20: There should be ongoing work under the National Information Board looking at the outcomes proposed by this consultation, and how to build greater public trust in data sharing for health and social care.
2. Data security standards for health and social care

2.1. Summary of evidence and analysis

The public view

2.1.1  The evidence shows that there is a high degree of public trust in the NHS’s safeguarding of people’s data9, although that trust has been eroded by data breaches10. Such breaches include the accidental disclosure of the clinic list of email addresses at an HIV clinic11, and data sharing without consent, such as the Pharmacy 2U incident12.

2.1.2  The patient focus groups found that the public needs reassurance about data security when data is moving outside the NHS. The Review heard that members of the public would also be reassured by implementation of secure measures such as a system that conforms to the highest independent standards of data security. The public would be reassured if organisations were assessed regularly for compliance against standards and if they comply with all legal requirements, with compliance processes strictly enforced13.

2.1.3  There was a view expressed that some people would feel more confident about organisations handling their personal confidential data if harsher sanctions were in place for those found to have intentionally or maliciously breached data security14.

The professional view

2.1.4  The Review also took evidence from providers and commissioners, the Information Commissioner’s Office, frontline care staff, industry experts and professionals. Strong leadership was considered essential to effective data security15 – a strong SIRO, an engaged Board and an effective Caldicott Guardian were cited as being essential to the success of the most well-governed organisations. However, the Review heard that there was concern that some board members would assume that data security was dealt with exclusively by the Caldicott Guardian or SIRO and therefore did not see data security as a collective board responsibility16. GPs and social care professionals wanted a simple explanation of what they should and should not be doing and reassurance that partner organisations with whom they share data are protecting people’s confidential data17.

Breaches

2.1.5  The Information Commissioner’s Office led an evidence session as part of the Review to look at reported data breaches.

Information Commissioner’s Office record of breaches

• In 2014/15, 41% of all breaches reported to the ICO were from the health sector.

• The number of breaches is rising, although the reasons for this are unclear.

• Breaches largely happened due to human behaviour.

• In 2014/15, 48% of data breaches in the health sector affected fewer than 10 data subjects, with only 9% affecting more than 1,000 data subjects (usually relating to spreadsheets).

• Technological issues also lead to breaches, such as unencrypted devices or information in supposedly anonymised data sets not being properly anonymised.

• The use of unencrypted devices is a concern across health and social care, resulting in a fine of £325,000 to a single NHS Trust.

• Across the health sector the ICO has issued 11 fines amounting to £1.4 million between April 2010 and November 2015.

9. Evidence heard at eight Patient Focus Groups which were held throughout October and November 2015 at different geographical locations throughout England (Referred to as ‘Patient Focus Groups’ hereafter)
10. Patients, Service Users and Carers Evidence Session, 24 November 2015
11. http://www.bbc.co.uk/news/uk-england-london-34127740
12. https://ico.org.uk/action-weve-taken/enforcement/pharmacy2u-ltd
13. Patient Focus Groups
14. Patients, Service Users and Carers Evidence Session, 24 November 2015
15. Information Commissioner’s Office evidence session on security breaches, 6 November 2015
16. Interview with the Chief Executive & Deputy Director of Nursing, Royal College of Nursing, 25 November 2015
17. Information Commissioner’s Office evidence session on security breaches, 6 November 2015

2.1.6  The Review heard firsthand accounts of cases where public trust has been eroded by data breaches, such as misplaced, lost or incomplete records18. Particular issues included the use of unencrypted devices, faxes being sent to incorrect numbers, ward handover sheets missing, and confidential papers being left on desks or stored in unlockable cabinets19.

Technology

2.1.7  Many of the information breaches historically reported by the health and social care sectors related to patient information on paper, or to technologies such as faxes. As the health and social care sector moves towards a paperless digital future, many of these issues will be addressed automatically. Technology brings huge benefits: reducing the process burden on users, speeding up services and connecting disparate information to enable better quality of care. It also makes it possible to record every time that people’s personal confidential data is accessed and used, allowing for audit so that correct processes can be enforced. However, technological advance has the effect of making the potential impact of breaches greater, both in terms of the quantity of people’s data affected and the amount of information at risk. It is essential that the security benefits of technology are used to counteract the security risks that technology can bring.

The threat

2.1.8  The Review heard that in most cases, breaches or cyber-attacks are unwittingly facilitated by the behaviour of employees who can be classed as ‘non-malicious insiders’, primarily motivated to get their job done and often working with ineffective technologies or processes20. In an evidence session held with providers, the Review heard examples of agency nursing staff being unable to access the system unless the permanent staff logged in and left the application open for the use of agency staff. This avoidance of correct processes was the only way they could treat patients in a timely manner using the technologies available to them21.

2.1.9  The Review heard that the external cyber threat was becoming a bigger consideration as systems become more digital22. Beyond human error, the Review found that the main threat to the public and private sectors is from basic cyber-attacks, which use hacking tools that can be purchased readily and cheaply online and exploit publicly known vulnerabilities23. Recent observations report significant increases in the volumes and sophistication of unsolicited emails in global circulation, many containing ‘malware’ or hidden software, designed to cause harm, by exploiting unmanaged technical weaknesses and/or human naivety:

‘Email traffic in Q1 2015 saw a considerable increase in the number of… spam… emails. For example, emails sent from the .work domains contained offers to carry out various types of work such as household maintenance, construction or equipment installation. Many of the messages from the .science domains were advertising schools that offer distance learning, colleges to train nurses, criminal lawyers and other professionals’ 24.

2.1.10  The HSCIC provided the following example report as evidence, detailing the number of different types of threats that were identified and blocked by their security systems over a number of weeks in Q3 2015-6.

18. Patients, Service Users and Carers Evidence Session, 24 November 2015
19. Information Commissioner’s Office evidence session on security breaches, 6 November 2015
20. Interview with the Former Chairman of the Medical Ethics Committee & colleagues, British Medical Association, 23 November 2015
21. Provider Evidence Session, 27 November 2015
22. Interview with the Director of the Institute of Global Health Innovation at Imperial College London, 10 November 2015
23. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
24. https://securelist.com/analysis/quarterly-spam-reports/69932/spam-and-phishing-in-the-first-quarter-of-2015/

Figure 1: Evidence of the threat of cyber-attacks submitted by the HSCIC

Threat type by calendar week     Week 43    44    45    46    47    48    49    50    51   Total
[threat type not captured]            2      6     2     2     3     1    46     7    20      89
[threat type not captured]          251    123    47    25    39    44    41    38   162     770
Total                               253    129    49    27    42    45    87    45   182     859

2.2. Existing standards

2.2.1  A number of data security frameworks, assurance schemes and standards already exist and some aim to mitigate the threats outlined above. It was evident that there is no lack of guidance on good security processes – in fact, the Review heard that there may be too many pieces of guidance25. There was a call for standards to be simplified, with good practice championed so others can learn26.

2.2.2  The Review heard that data controllers were often confused by the plethora of data standards and good practice principles and unsure which guidance they should follow. There was also confusion about how legislation fits together and what takes precedence27. The Review heard that the self-assessment nature of existing compliance mechanisms such as the IG Toolkit was a concern28, whilst audit and inspections were largely welcomed as an enforcement mechanism29 to provide some ‘teeth’ in enforcement30.

The Information Governance Toolkit: The mandatory policy delivery tool for data security
Use of the Information Governance Toolkit (IG Toolkit) is mandatory for NHS organisations and network service providers wishing to operate over the N3 network. The IG Toolkit is commonly used in health organisations, but uptake in social care is lower. The Review found that the IG Toolkit is well understood and well embedded across the health sector, but the Review heard evidence, in particular at the evidence session held for providers, that the self-assessment nature of the IG Toolkit causes some to doubt its reliability. It can be seen as a lengthy tick-box exercise.

2.2.3  To understand the merits of and gaps within existing standards and assess whether they were appropriate, the Review Team carried out an analysis of existing data security standards (see Annex E for the full analysis). These included the IG Toolkit and Information Governance Statement of Compliance (IGSoC), CESG’s Cyber Essentials, Cyber Essentials ‘PLUS’, 10 Steps to Cyber Security, the Cyber Streetwise website, and the Public Services Network – Code of Connection (PSN CoCo) operated by Government Digital Services (GDS). Commercially available standards operating within the wider public and private sectors were also considered, including the internationally recognised ISO/IEC 27000:2013 series of Information Security Management standards and the Information Security Forum’s Standards of Good Practice (ISF SoGP). The boxes in this section highlight some of the key standards.

2.2.4  The analysis of current standards operating within the health and social care sector suggested that whilst ISO/IEC 27001 and the ISF’s Standards of Good

25. Information Commissioner’s Office evidence session on security breaches, 6 November 2015
26. Commercial Providers Evidence Session, 18 November 2015
27. Information Commissioner’s Office evidence session on security breaches, 6 November 2015
28. Commercial Providers Evidence Session, 18 November 2015
29. Provider Evidence session, 27 November 2015
30. Interview with the Director of the Institute of Global Health Innovation at Imperial College London, 10 November 2015

Practice (SoGP) were undoubtedly the most comprehensive and detailed available commercially, such standards were likely to prove to be overwhelming for those organisations lacking maturity in their cyber security capabilities. Once the cost of purchasing the licensed documentation and the necessary consultancy required for most organisations to implement these standards successfully is added, the Review concluded that such standards were unsuitable and unaffordable for sector-wide implementation.

2.2.5  Conversely, the IG Toolkit, CESG’s Cyber Essentials, and the 10 Steps to Cyber Security are available to use without expenditure on materials. They are deliberately focused upon organisations lacking mature cyber security capabilities, but which are willing to take steps towards creating and implementing controls to address the most prominent threats posed by network connectivity and internet-facing systems and services. By addressing these basic vulnerabilities, organisations can dramatically improve their ability to defend against basic threats, and to subsequently build upon this capability as part of a longer term improvement strategy.

‘Cyber Essentials’: Basic controls to mitigate the risk from common internet-based threats
The CESG’s Cyber Essentials Scheme has been developed by Government and industry to provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the Government’s 10 Steps to Cyber Security. It also offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. While we found evidence of the CESG’s Cyber Essentials Scheme being implemented successfully within 20 health and social care organisations, it is not yet widely used in health and care.

ISO/IEC 27000 Series of standards: Internationally recognised comprehensive standard
The ISO/IEC 27000 series of standards is recognised internationally as an effective and comprehensive standard. Most organisations using this standard seek accreditation of their implementations as a means of demonstrating to customers, stakeholders, regulators and others that information security has been independently assessed and validated. Whilst the properly implemented standard offers demonstrable benefits, the associated costs appear prohibitive for its adoption by many within the sector.

2.3. New data security standards

2.3.1  As illustrated above, the Review heard that data breaches are caused by people, processes and technology. Therefore it is upon these three themes that the Review has based its recommendations and standards.

2.3.2  The overarching message is that strong leadership is essential to all three themes. The Review heard that a strong Senior Information Risk Owner (SIRO) makes a significant difference, and that Caldicott Guardians have had a positive impact where they have been properly supported. These established positions are viewed positively and can help to ‘ensure organisational buy-in’31. However, there was some concern that other Board members would assume that security was something dealt with exclusively by the Caldicott Guardian or SIRO and therefore responsibility was not spread more widely, particularly in large organisations32. The board as a whole should take responsibility.

Recommendation 1: The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.

31. Information Commissioner’s Office, evidence session on security breaches, 6 November 2015
32. Interview with the Chief Executive and Deputy Director of Nursing, Royal College of Nursing, 25 November 2015

2.3.3  Due to this need for strong leadership in data 2.4.2  Staff behaviour was often cited as the
security, the Review has set out 10 data security unintentional cause of breaches, with ‘simple errors,
standards clustered under three leadership often compounded by heavy workloads, unclear or
obligations to address people, process and badly implemented policies and procedures. Mostly
technology issues: they can be described as naivety rather than
deliberate non-compliance’34. The human element is
• Leadership Obligation 1: People: Ensure staff
considered one of the most relevant threat factors35
are equipped to handle information respectfully
and should be mitigated through tailored training for
and safely, according to the Caldicott Principles.
all staff.
• Leadership Obligation 2: Process: Ensure the
2.4.3  However, there are some instances of
organisation proactively prevents data security
negligence which are indicative of a failure to detect
breaches and responds appropriately to
insecure behaviour or hold staff to account36. The
incidents or near misses.
Review heard that it was quite common for a letter to
• Leadership Obligation 3: Technology: Ensure be sent to a wrong address, or a consultant to conduct
technology is secure and up-to-date. a discussion with a patient in a busy ward where they
can be overheard37.
2.3.4  It is upon these obligations that the rest of this
chapter is structured. It is important to note that the 2.4.4  When considering what could help to address
obligations and standards must apply to all behavioural issues, consistent training, education and
organisations using health and care data, including awareness emerged as being vital. As also found in
commercial organisations. People are entitled to Caldicott2, this was considered essential to
expect that their data will be protected wherever it addressing the culture of risk aversion, often resulting
is held. from a lack of confidence in security capability by
senior management. Leaders should address cultural
barriers by proactively engaging staff and involving
national workforce organisations to support
2.4.  People: Ensuring staff professional capability in this area.
2.4.5  Training alignment across health and social care
are equipped to handle organisations was suggested so that training in one
organisation is recognised by another, to improve trust.
information respectfully The Review heard that the London Connect project has
looked at a training passport for Information
and safely, according to the Governance, which would be transferable to other
organisations38.
Caldicott Principles
2.4.6  As well as the proactive efforts made to train and
educate staff, the Review heard from former members
Culture of the aviation sector about the importance of
2.4.1  The Review heard that those who work within encouraging staff to speak up, and of listening to staff
the health and social care system are motivated to to derive valuable business intelligence to enable a
provide the best possible quality of care to their swift reaction to a potential threat39. The Review heard
service users and patients. They want to deliver this that near misses, hazards and insecure behaviours
care as quickly as possible using reliable information. must all be reported without fear of recrimination, and
When people are obliged to use technologies or people should be encouraged to provide this valuable
processes that hinder or prevent them from doing their intelligence. In the airline industry, spikes in incidents
job, alternative solutions may be sought to help ‘get the are seen as people follow the good example set by
job done’33. Depending on individual judgement, this staff speaking up about a threat, near miss or
may result in data not being shared when it is safe and incident40. Unfortunately, in health and social care,
beneficial to do so or, conversely, shared when it is not increased reporting has been perceived as an
safe to do so. indication of systemic issues and may prompt
questions around what is wrong and who is to blame41.

33. Provider Evidence Session, 27 November 2015
34. Information Commissioner’s Office, evidence session on security breaches, 6 November 2015
35. Interview with Honorary Secretary, Royal College of GPs Evidence, 19 November 2015
36. Information Commissioner’s Office, evidence session on security breaches, 6 November 2015
37. Expert Provider Evidence Session, 9 December 2015
38. Social Care Evidence Session, 24 November 2015
39. Chair of the Technology Assurance Committee, MONITOR, interview with Non-Executive Directors, 9 December 2015 and Interview with Head of ICT Operations, Imperial College Healthcare NHS Trust, 18 November 2015
40. Chair of the Technology Assurance Committee, MONITOR, interview with Non-Executive Directors, 9 December 2015 and Interview with Head of ICT Operations, Imperial College Healthcare NHS Trust, 18 November 2015
41. Commercial Provider Evidence Session, 18 November 2015


CASE STUDY 1: Bank of England – Helping staff to spot and report threats
The Bank of England provided the Review with an example of a simple way to help staff to spot and report
threats before they turn into incidents. Phishing involves an email that appears to be from an individual or
business that you know, but is from criminal hackers who want your credit card and bank account numbers,
passwords, and the financial information on your computer. At the Bank of England, if a member of staff thinks
they have had a phishing email, there is a custom button on Outlook for reporting it. Whether or not they open
up an email and click on a link/attachment, users can press the button if they think it looked suspicious.

Data sharing: demonstrating trust

2.4.7  The Review also heard of cultural issues concerning a lack of understanding of security and awareness, causing people to default to risk avoidance and an unwillingness to share42. Organisations and professionals stressed the need to ensure that the recipients of data have effective security in place. This is considered essential to integration43. It was recognised that data must be made available, but it was often felt that the potential recipients of data cannot be trusted due to poor or unknown security practices44.

2.4.8  To facilitate data sharing, the Review proposes that the current IG Toolkit be redesigned and enhanced to become a portal for training material, guidance materials, exemplar documentation and Cyber Essentials support, provided for all organisations across health and social care.

2.4.9  A redesigned and enhanced IG Toolkit should become a central supporting tool to help embed the data security standards. The new toolkit should be enhanced to focus more on the common problems which all organisations face from a digital environment. It should enable organisations to learn from examples of good practice and measure themselves against a common set of criteria. The new toolkit must also be fully integrated with CareCERT and CERT-UK’s Cyber Security Information Sharing Partnership (CiSP), both of which provide a platform for alerting the community to near misses and publicly known vulnerabilities in software packages. The new toolkit should also provide a mechanism through which to cascade lessons learned and intelligence gained from incident reporting.

2.4.10  An important requirement of the new toolkit would be to generate the business intelligence needed to measure capability across the sector – identifying the strongest and those most in need of support. Such business intelligence would allow the HSCIC to deploy more support to organisations most in need, and identify exemplar organisations that could help to support others in peer-to-peer partnering arrangements.

Recommendation 2: A redesigned IG Toolkit should embed the new standards, identify exemplar organisations to enable peer support and cascade lessons learned. Leaders should use the Toolkit to engage staff and build professional capability, with support from national workforce organisations and professional bodies.

2.4.11  The first leadership obligation and the three data security standards supporting it are designed to ensure staff are equipped, through training and standards, to handle personal confidential data confidently. Leaders must take data security seriously and support their staff in reaching these levels of competence.

Leadership Obligation 1: People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.

Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.

Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.

42. Executive Chair of Genomics England, interview 2 December 2015
43. Information Commissioner’s Office evidence session on security breaches, 6 November 2015
44. Executive Chair of Genomics England, interview 2 December 2015

Data security standards for health and social care

2.5.  Processes: Proactively preventing data security breaches

2.5.1  ‘Processes’ refer to the approved procedures which users are instructed to follow when performing business functions – either using technology, paper-based information, or a combination of the two. The Review heard that when processes are poorly designed or communicated, users will often revert to doing something in the most convenient way45.

2.5.2  The Review heard the suggestion that security needs to serve as an enabler, so as not to be perceived as a blocker. For example, the Review heard that in the NHS clinicians perceive that security is an obstacle to introducing innovation and digital health care and that the present standards do not reflect the obligations of the health workforce46.

2.5.3  Processes should effectively support the needs of staff, otherwise unsupported alternatives may be sought in efforts to ‘get the job done,’ which could lead to breaches47. Throughout analysis of the evidence, a clear tension emerged between attempts to follow the security processes, and the practicalities of needing to access information. The Review heard that multiple logins take time, despite use of a smartcard, and access cuts out after a short period of inactivity48.

2.5.4  To further reinforce the need for proportionality, simplicity and clarity, the Review heard strongly that ‘IT security need to walk in the shoes of a clinician for a day’49 and poignant statements such as ‘the system that is supposed to support staff, doesn’t’50.

2.5.5  The Review heard of various tools and initiatives designed to help organisations maintain important processes. A key example is the efficient management of processes for ‘joiners, movers and leavers’. This ensures that access to systems, data and premises is promptly granted and revoked, supporting the changing needs of the organisation and its employees. In some cases this may be hindered by ineffective communication with system administrators, whose role is to ensure that users’ access to data is restricted to the requirements of their role. The Review received a case study showing how a simple analysis tool can identify risks such as unnecessary user or ‘guest’ accounts and the use of weak or default passwords. This provides a good example of the use of enabling technology to ensure that people follow the right process, supported by systems designed to identify and prevent inappropriate use. Transparent security measures such as these can assist in building and maintaining the public trust.

Recommendation 3: Trusts and CCGs should use an appropriate tool to identify vulnerabilities such as dormant accounts, default passwords and multiple logins from the same account. These tools could also be used by the IT companies that provide IT systems to GPs and social care providers.

2.5.6  Further examples were raised with the Review of areas where technology can remove significant risks associated with burdensome processes. Restricting the use of workplace technology for personal use of social media was supported, unless technology that will mitigate the risks is in place51. Likewise, the use of technology solutions to block all but the most sophisticated forms of email phishing attacks was raised as very effective52. More generally, it was suggested that it has been helpful for smaller organisations to be guided towards ‘assured’ cloud solutions, which are approved for use by some Government departments53.

2.5.7  The second leadership obligation, and the four data security standards supporting it, are therefore designed to ensure that those in leadership positions take responsibility for proactively preventing data security breaches and for responding appropriately to incidents or near misses, by making sure that processes support data security.

CASE STUDY 2: The Palantir Dashboard – vulnerability analysis tool
The Palantir dashboard tool applies numeric risk values to users or groups of users and answers simple questions such as: ‘How many unused accounts are there?’ and ‘How many accounts still have a default password?’ The tool identifies irregular patterns of activity quickly and easily. This enables organisations to address simple but important issues quickly, or what could be described as ‘low hanging fruit’ for would-be cyber attackers. The tool supports the rule of thumb that 80% of cyber vulnerabilities can be addressed with 20% of your efforts.
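The account checks that Recommendation 3 and Case Study 2 describe, written out as an added example (this is not material from the Review and not the Palantir tool’s code). It takes a constructed account export and constructed login/logout log lines, flags dormant accounts, default passwords, guest accounts and concurrent logins from one account, and gives each account an illustrative risk value so the dashboard-style questions (‘How many unused accounts?’, ‘How many default passwords?’) can be answered. The 90-day dormancy threshold, the risk weights, the default-password list, the log line format and the assumption that the export holds unsalted SHA-256 password hashes are all assumptions made for the example.

```python
"""Account-hygiene checks of the kind Recommendation 3 describes.

Added example: the account export, the default-password list and the log
lines below are constructed; the thresholds and weights are illustrative.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Date the analysis is run "as of" (fixed so the results are reproducible).
AS_OF = date(2016, 1, 15)
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold


def sha256_hex(text: str) -> str:
    """Assumption: the export stores unsalted SHA-256 hashes. A real directory
    uses its own salted scheme, and the comparison would use its verify call."""
    return hashlib.sha256(text.encode()).hexdigest()


DEFAULT_PASSWORDS = ["password", "Welcome1", "changeme"]   # constructed list
DEFAULT_HASHES = {sha256_hex(p) for p in DEFAULT_PASSWORDS}

# Constructed account export: (username, last login, password hash, guest?)
ACCOUNTS = [
    ("jsmith",    date(2016, 1, 12), sha256_hex("c0rrect-h0rse"), False),
    ("guest",     date(2015, 6, 1),  sha256_hex("password"),      True),
    ("tmp_locum", date(2015, 9, 3),  sha256_hex("Welcome1"),      False),
    ("akhan",     date(2016, 1, 14), sha256_hex("s3cret-pass"),   False),
]

# Constructed login/logout records in an assumed "ts ACTION user=.. host=.." format.
LOG_LINES = """\
2016-01-14T08:00:00 LOGIN user=jsmith host=WARD3-PC1
2016-01-14T08:05:00 LOGIN user=akhan host=CLINIC-PC2
2016-01-14T08:10:00 LOGIN user=jsmith host=RECEPTION-PC4
2016-01-14T09:00:00 LOGOUT user=jsmith host=WARD3-PC1
2016-01-14T09:30:00 LOGOUT user=akhan host=CLINIC-PC2
2016-01-14T10:00:00 LOGOUT user=jsmith host=RECEPTION-PC4
"""

# Illustrative risk weights (not from the Review or any vendor tool).
WEIGHTS = {"dormant": 3, "default_password": 5, "guest_account": 2, "concurrent_login": 4}


@dataclass
class Finding:
    user: str
    issues: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.issues)


def concurrent_logins(log_text: str) -> set[str]:
    """Users that log in from a second host while a session on another host is still open."""
    open_sessions: dict[str, set[str]] = {}
    flagged: set[str] = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, action, user_kv, host_kv = line.split()
        user = user_kv.split("=", 1)[1]
        host = host_kv.split("=", 1)[1]
        hosts = open_sessions.setdefault(user, set())
        if action == "LOGIN":
            if hosts and host not in hosts:
                flagged.add(user)
            hosts.add(host)
        elif action == "LOGOUT":
            hosts.discard(host)
    return flagged


def analyse(accounts=ACCOUNTS, log_text=LOG_LINES, as_of=AS_OF) -> dict[str, Finding]:
    """Apply each check to every account and collect the issues per user."""
    concurrent = concurrent_logins(log_text)
    results: dict[str, Finding] = {}
    for user, last_login, pw_hash, is_guest in accounts:
        finding = Finding(user)
        if as_of - last_login > DORMANT_AFTER:
            finding.issues.append("dormant")
        if pw_hash in DEFAULT_HASHES:
            finding.issues.append("default_password")
        if is_guest:
            finding.issues.append("guest_account")
        if user in concurrent:
            finding.issues.append("concurrent_login")
        results[user] = finding
    return results


def summary(findings: dict[str, Finding]) -> dict[str, int]:
    """The dashboard-style counts: unused accounts, default passwords, concurrent logins."""
    return {
        "unused_accounts": sum("dormant" in f.issues for f in findings.values()),
        "default_passwords": sum("default_password" in f.issues for f in findings.values()),
        "concurrent_logins": sum("concurrent_login" in f.issues for f in findings.values()),
    }


if __name__ == "__main__":
    found = analyse()
    for f in sorted(found.values(), key=lambda x: -x.score):
        print(f"{f.user:10} risk={f.score:2}  {', '.join(f.issues) or 'ok'}")
    print(summary(found))
```

Run stand-alone, the script ranks the constructed accounts by risk value (the guest account with a default password and no login for months scores highest) and prints the counts. Against a real estate the export and log lines would come from the directory and its audit log, and the default-password check would call that directory’s own password verification rather than comparing SHA-256 digests.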

45. Providers Evidence Session, 27 November 2015
46. Interview with the Director of the Institute of Global Health Innovation at Imperial College London, 10 November 2015
47. Interview with Chief Executive of NHS Improvement, interview, 18 November 2015
48. Interview with the Chairman of the Medical Ethics Committee & colleagues, British Medical Association, 23 November 2015
49. Expert Provider Evidence Session, 9 December 2015
50. Expert Provider Evidence Session, 9 December 2015
51. Interview with Head of ICT Operations, Imperial College Healthcare NHS Trust, 18th November 2015 – the example was provided of playing YouTube videos through sandboxing facility and separated from the corporate network.
52. Validation session with GCHQ experts, 17 December 2015
53. Validation session with GCHQ experts, 17 December 2015


CASE STUDY 3: Outsourced cloud services
Since the development of the Government Digital Marketplace and CESG’s Cloud Security Principles, there are many approved providers of cloud services available to Government departments and agencies. Organisations can now outsource the secure management of IT infrastructure to certified expert companies, which operate at scale and rely on having a reputation for providing good security. Cloud services are effectively used in Government by the Cabinet Office, but use is relatively low in health and social care.

Leadership Obligation 2: Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.

Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.

Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.

Data Security Standard 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.

Data Security Standard 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

2.6.  Technology: Secure and up-to-date technology

2.6.1  Technology can be a key enabler when it proves to be effective in supporting staff to work simply and safely. The Review heard that in contrast, technology can become a source of risk when it is out of date and unsupported54.

2.6.2  The Review heard that some local IT systems in the health and social care sector are ageing and unsupported. These systems were not designed to feature modern security controls or to cope with large volumes of data and multiple users. When organisations attempt to implement security controls in outdated technologies, the resulting procedures can be counter-intuitive, inconvenient and easy to get wrong – or even ignored altogether. The Review heard that, to ‘get the job done’, users may seek convenient but less secure alternatives55.

2.6.3  There is significant use of software within the sector that is no longer supported by the manufacturer. This means that security fixes are no longer produced, leaving systems exposed to common types of cyber-attack.

Cyber security

2.6.4  While the Review heard that outdated technologies are perhaps one of the most pressing issues facing IT infrastructure within the health and social care system, they are by no means the sole vulnerability. Technology must be properly configured to realise its potential and to afford the best protections possible. The extent to which health and social care organisations are leveraging security solutions to best effect is known to vary. The Review concludes that the organisations facing most risk are those with lower existing capabilities. Therefore the starting point in addressing cyber security must be simplified as far as possible to encourage full understanding, and be achievable within already stretched budgets.

54. HSCIC Evidence, November 2015
55. Providers Evidence session, 27 November 2015


2.6.5  The CESG’s ‘10 Steps to Cyber Security’ seeks to highlight the main areas of vulnerability for any organisation wishing to tackle cyber security in earnest. To support implementation of the 10 Steps to Cyber Security, the Cyber Essentials Scheme was launched as a means of standardising the implementation of affordable protections to the IT infrastructure, to help protect from basic cyber-attacks originating from the Internet. A standardised approach to implementing such protections enables compliance checking, comparison or benchmarking, and accreditation or certification designed for small businesses.

2.6.6  Use of the Cyber Essentials Scheme within the health and social care sector is limited to date; however, the Review found evidence of approximately 20 organisations using Cyber Essentials56. The Review recommends further testing of the Cyber Essentials scheme to evaluate its applicability and scalability within the health and social care sector.

Recommendation 4: All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, trusts and social care settings.

2.6.7  The final leadership obligation and the three data security standards underpinning it are therefore focused on ensuring that secure and up-to-date technology is in place, both through the procurement process and the lifecycle of the technology within the organisation.

Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date.

Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate.

Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.

Data Security Standard 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standard.

CASE STUDY 4: Cyber Essentials successfully implemented at West Midlands Ambulance Service NHS Foundation Trust
West Midlands Ambulance Service NHS Trust previously held the ISO27001 accreditation. However, due to the associated resource requirements following an organisational restructure, a business decision was taken not to retain it. In obtaining Cyber Essentials the trust is able to provide its staff, the Board, business partners and service users with assurance regarding its overall cyber security posture, whilst maintaining resources and organisational focus upon its core clinical services and service users. In the Trust’s opinion Cyber Essentials allows a more practical and pragmatic approach to cyber accreditation which meets the needs of flexible organisations whilst still addressing core security requirements. It also encourages buy-in from both technical and non-technical staff and stakeholder groups, thereby increasing general security awareness within the organisation.
‘We view the Cyber Essentials accreditation as an essential technical companion to the NHS Information Governance Toolkit, which focuses upon less technical aspects of wider information security. We are aiming to use the accreditation as a foundation upon which to further enhance our security controls, thereby ensuring the ongoing confidentiality, integrity and availability of our systems and confidential data...’
Charles Knight, Head of Audit and Assurance Services & Gary Colman, Head of IT Audit and Assurance Services, West Midlands Ambulance Service NHS Foundation Trust

56. Information kindly provided by IASME (information assurance for small and medium sized enterprises) on 4 January 2016


2.7.  Embedding the standards

2.7.1  To be embedded fully and consistently, the data security standards must be mandated via mechanisms such as contracts. The General Medical Services Contracts and NHS Standard Contracts are the mechanisms by which central government funds General Practitioners and NHS organisations respectively. This Review proposes that a provision requiring adherence to the new data security standards is written into contracts to make this a condition of full funding.

Recommendation 5: NHS England should change its standard financial contracts to require organisations to take account of the data security standards. Local government should also include this requirement in contracts with the independent and voluntary sectors. Where a provider does not meet the standards over a reasonable period of time, a contract should not be extended.

2.7.2  The Review recommends that organisations should provide objective, third party assurance of their compliance with the standards, for example as part of their internal audit mechanisms, and should build this into their routine mechanisms for reporting to senior management. Objective assurance should be part of regular business procedures. For those organisations that are required to prepare statutory accounts, this should be delivered by a combination of the internal and external audit processes. For other organisations that are not required to prepare statutory accounts, this assurance may be delivered by some mechanism of peer review or interaction with HSCIC, for example through CareCERT, as agreed with the Department of Health and the relevant regulators.

Recommendation 6: Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.

2.7.3  The Review recommends that data security should be integrated into inspection. The Review recommends that CQC should integrate measures for compliance with the data security standards into their ‘Well-Led Inspections’ regime. The Review anticipates that there will be a strong and natural link between the objective assurance that an organisation provides in respect of their compliance with the data security standards and the ‘Well-Led Inspections’ regime.

Recommendation 7: CQC should amend its inspection framework and inspection approach for providers of registered health and care services to include assurance that appropriate internal and external validation against the new data security standards has been carried out, and make sure that inspectors involved are appropriately trained. HSCIC should use the redesigned IG Toolkit to inform CQC of ‘at risk’ organisations, and CQC should use this information to prioritise action.

2.7.4  The Review heard from the primary care community in particular that they would value support to achieve the standards through a refreshed IG toolkit and expertise from the HSCIC. HSCIC could use the new toolkit to identify organisations that would benefit from additional support as well as exemplary organisations, and to put organisations in touch with each other for peer support. HSCIC should work with regulators to ensure that there is coherent oversight of data security across the health and care system.

2.7.5  Effective ongoing support from regulators and those supporting ongoing improvements in care is also essential. In July 2015, the Secretary of State for Health announced the formation of NHS Improvement to drive and support both urgent improvements at the frontline and the long term sustainability of the healthcare system. In social care, the Association of Directors of Adult Social Services in England (ADASS) furthers the interests of people in need of social care by promoting high standards of social care services and influencing the development of social care legislation and policy.

2.7.6  The Review heard of the need to foster a culture of ‘learning not blaming’57 where staff at all levels should be encouraged to highlight insecure behaviours, and alert management to their breaches or near misses. The evidence suggests that such knowledge constitutes powerful business intelligence58, allowing organisations to target their security efforts at

57. Provider Evidence Session, 27 November 2015
58. Expert Provider Evidence Session, 9 December 2015


those people, processes or technologies which present the greatest risk to their information.

Recommendation 8: HSCIC should work with the primary care community to ensure that the redesigned IG Toolkit provides sufficient support to help them to work towards the standards. HSCIC should use the new toolkit to identify organisations for additional support, and to enable peer support. HSCIC should work with regulators to ensure that there is coherent oversight of data security across the health and care system.

2.7.7  Harsher sanctions should be put in place where there are malicious or intentional data security breaches. This would ensure that there were clear consequences for deliberate security breaches, and give the public confidence that action can be taken where necessary to protect their information.

Recommendation 9: Where malicious or intentional data security breaches occur, the Department of Health should put harsher sanctions in place and ensure the actions to redress breaches proposed in the 2013 Review are implemented effectively.

2.7.8  The Review also believes it is important that there are more severe consequences when an organisation consistently fails to remedy a situation which, if left unresolved, may lead to a data security breach or data loss. This would include instances where a breach was not remediated in a timely manner.


The National Data Guardian’s data security standards

These standards are intended to apply to every organisation handling health and social care information, although the way that they apply will vary according to the type and size of organisation. For example, GPs may want support from their system suppliers to identify and respond to cyber alerts in the first instance, and many social care organisations will want that from their Local Authority. Commissioners should take account of the standards when commissioning services.
Leaders of all health and social care organisations should commit to the following data security standards. They should demonstrate this through audit or objective assurance, and ensure that audit enables inspection by the relevant regulator.

Leadership Obligation 1: People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.

Leadership Obligation 2: Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Data Security Standard 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
Data Security Standard 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date.
Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate.
Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Data Security Standard 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.

Consent/opt-out of information sharing in health and social care

3. Consent/opt-out of
information sharing in health
and social care
3.1.  Summary of evidence and analysis

3.1.1  The evidence from the Review emphasised the importance of trust, clarity and purpose. The Review heard that trust is essential and should underpin any opt-out model. ‘Most people do not feel the need to know what is happening with their data, and people want to be able to trust the system and know that everything is okay’59. Public views have not changed much since the 2013 Information Governance Review. There is still limited public knowledge about how data is used in health and social care. The NHS is trusted to collect, store and safeguard data and people expect information to be used for direct care. Some people are concerned primarily with privacy and the Review heard that data should be anonymised wherever possible60. Where data is anonymised, people tended to be much more comfortable with it being shared.

3.1.2  Both patients and professionals emphasised the need for clarity and clear communications on when and what information professionals can and should share. The Review heard that ‘there is a lack of clarity on the current rights of individuals in relation to their data and the responsibilities of organisations [and individuals] in processing data’61. The Review also heard from GPs in particular that they would welcome clear guidance on their role as data controllers of their patients’ GP records. National and local communications were cited as important both to educate the public about their rights and also to provide clarity to professionals about the legal framework and how they should act within the boundaries of the law62.

3.1.3  The Review heard that people’s opinions on their personal confidential data being shared for reasons beyond their direct care were influenced by the purpose for which it would be used; for example, there was concern about personal confidential data being used for insurance or marketing purposes. The Review tested different models, and concluded that the opt-out model should be based on purposes that are communicated simply so that people can make an informed choice.

3.1.4  In general, people were content with their personal confidential data being used for the care they received. However, people hold contrasting views about information being used for purposes beyond direct care and some people become concerned when data is shared outside the NHS ‘family’. The Review heard convincing evidence on the need for information sharing between health and social care to facilitate integration of direct care and commissioning, and evidence about how different integrated care projects were meeting the challenge. The public sector, and specifically the NHS, is seen as more trustworthy than profit-making organisations63. In evidence sessions, individuals stated that people would need to be assured that ‘the government is able to safeguard and regulate the use of data in private companies if there is not an opt-out for this’64. However, there is little awareness that private companies carry out NHS work or how those working for the NHS may carry out private work. For example, a hospital may contract with a private provider for direct care, health records are held by commercial IT system suppliers on behalf of providers, and Commissioning Support Units (which support CCGs to plan services) may be commercial organisations. The Review did not have the opportunity to explore this in depth with focus group participants. The Review took the view that the model should be set around the purpose to which data is put and its potential benefit to patients and service users, and that dividing up NHS and ‘non-NHS organisations’ without reference to purpose can be artificial and misleading.

3.1.5  The differing opinions presented to the Review from both professionals and the public demonstrate that there is no easy answer to opt-outs that will please everyone.

59. Interview with representative from national patient representative charity National Voices 1 December 2015
60. Testing sessions showed different interpretations of what is meant by anonymised data. For example some members of the public referred to removing a name whereas others suggested an understanding of protections e.g. ‘classifying the data differently’.
61. Patients, service users and carers evidence session, 24 November 2015
62. Research evidence session 18 November 2015, RCGP 19 November 2015, ICO evidence session 6 November 2015
63. Focus groups and Stevenson, F., Lloyd, N., Harrington, L., Wallace, P., (2013) Use of electronic patient records for research: views of patients and staff in general practice. Family Practice Vol 30 (2) pp. 227-232
64. Interview with representative from national campaign group 23 November 2015

23
National Data Guardian for Health and Care  |  Review of Data Security, Consent and Opt-Outs

3.2. Developing an opt-out model

3.2.1  The Secretary of State for Health asked the National Data Guardian to develop a consent/opt-out model which makes it absolutely clear to patients/users of care when health and social care information about them will be used and in what circumstances they can opt out.

3.2.2  The Review considered whether patients and service users should be able to opt out of their personal confidential data being used for purposes beyond care or whether they should be asked for their consent to opt in. Some evidence indicates that people would like to be asked, but our focus groups found that participants were generally supportive of data being used to run the health and social care system and for research. During testing people categorised as ‘well’ were generally less in the know and some admitted they had ‘never really thought about it all’. Others ‘didn’t care about their data being used’65. Whilst many people may not actively engage in the use of their data they do expect medications to be safe, threats to public health such as Ebola to be monitored, and to have appropriate local services available to them. These rely on high quality data, which covers a significant proportion of the population. The Review was persuaded that the best balance between meeting these expectations and providing a choice to those who have concerns is achieved by providing an opt-out model. The Review concluded that people should be made aware of the use of their data and the benefits; an opt-out model allows data to be used whilst allowing those who have concerns to opt out.

The need for information

3.2.3  Information is essential for high quality health and social care – to support the running of the health and social care system; to improve the safety and quality of care, including through research; to protect public health; and to support innovation. Data sharing is essential to identifying poor care. It is clear that more effective data sharing could have enabled some of the recent failures to provide proper care to patients to be identified and tackled earlier. It can also be beneficial to join health data up with other types of information, to provide better services to people. The way that information is shared across the health and social care system to support its management is complex and has evolved over time. There are multiple systems and organisations involved in processing data for a range of purposes. This means that explaining the benefits can be lost in the complexity.

3.2.4  During the Review some people expressed the view that receiving NHS care was a type of ‘social contract’ and patients should not be able to opt out of their information being used for direct care or for running the NHS66. In return the system should protect data and if the trust is broken, through a breach, repercussions should be expected. However, the Review found that many people did not hold this view. In some instances this was because they held strong concerns about who might see the information and what might be done with it. Some argued that this could be countered by more being done to explain the benefits of data sharing. The recently published report from the House of Commons Science and Technology committee also recognises the importance of explaining the benefits of data sharing to individuals and society and giving citizens greater control over how their data is used.

Recommendation 10: The case for data sharing still needs to be made to the public, and all health, social care, research and public organisations should share responsibility for making that case.

Direct care purposes

3.2.5  There continues to be a low level of public awareness and understanding of how health and social care information is used, but an expectation that information is shared for direct care67. Since the last review, new legislation has been introduced which places a legal duty on health and adult social care organisations to share information when it will facilitate care for an individual68. This reinforces Caldicott principle seven, which sets out that ‘the duty to share information can be as important as the duty to protect patient confidentiality’. The Review heard examples where information was not being shared for direct care. A patient dying of lung cancer was visited by his GP, community nurse and hospice nurse in one day each asking the same questions, because information was kept separately and not shared within the team caring for the patient. The patient’s wife subsequently complained about the lack of communication between those caring for her husband at a very stressful time.

65. Evidence from public focus groups
66. Representatives of NHS England; Public Health England; and some GPs involved in commissioning expressed views around this e.g. particularly where commissioners are working closely with providers of care
67. The Review’s patient focus groups found that beyond an understanding of patient records being used to help deliver care, knowledge about how data is collected and used was extremely limited. This was also found by Ipsos MORI. Ipsos MORI (2007) The Use of Personal Health Information in Medical Research General Public Consultation. Medical Research Council. Ipsos MORI, (2014) Public attitudes to the use and sharing of their data. Royal Statistical Society.
68. The Health and Social Care (Safety and Quality) Act 2015, which inserted sections 251A, B and C into the Health and Social Care Act 2012: (http://www.legislation.gov.uk/ukpga/2015/28/contents/enacted)

24
Consent/opt-out of information sharing in health and social care

3.2.6  The Review heard that patients may have elements of their record that they do not want to be shared and felt that sharing their whole record was not necessary for direct care69. In line with the Caldicott principles and the last review, only relevant information about a patient should be shared between health professionals in support of their care. Explicit consent should be obtained before accessing someone’s whole record.

3.2.7  In focus groups of members of the public, the Review heard that people were comfortable with data being shared with care professionals for their care, but not anywhere else within the local authority. There was a concern that social care departments might share data with the rest of the council e.g. housing or finance70. The Review also heard that people may be surprised that information was shared across health and social care: ‘If a social worker say wants to access your medical records, I think you should sign a form giving your consent’. The Review heard that in social care it is common for people to be asked explicitly about what information may be shared, and with whom – for example, in Hampshire County Council social care users are asked for their explicit consent about how their personal confidential information can be used.

3.2.8  Changes in the delivery of care and information sharing, driven by the Five Year Forward View71 and local imperatives, are breaking down traditional divides between primary care, hospitals, community, mental health and social care services. Services are increasingly being planned across organisational boundaries and extended teams may be involved in providing care to an individual including from voluntary sector organisations. In some instances this requires a step change in the relationship and trust between different health and social care commissioners, providers and professionals: ‘Social care providers can be seen as outsiders and not trusted with data’. In particular, the Review heard that there are still barriers to information being shared with un-regulated social care staff: ‘People are afraid to share at the moment because there’s no reassurance that other professions meet the same standards’72. However, there is increasing recognition that these behaviours are unhelpful and outdated: ‘If a future health and social care service is based on integrated care, it will rely on data sharing’73.

3.2.9  It is important that the public are made aware of these changes, and as set out in the last Review, there should be ‘no surprises’ for the individual about who has had access to information about them. All organisations processing information, e.g. providers, CCGs and Local Authorities, should ensure that fair processing information is available. It is also important that information is shared where appropriate to support care. In areas pioneering integrated care and new models of care, the Review found evidence of successful approaches to meeting people’s expectations and making sure that professionals had the information they need. The Review recognises the need to make appropriate data sharing easier in order to support integrated health and social care.

3.2.10  The Review considered risk stratification for case finding which involves health professionals identifying individuals who may benefit from targeted interventions. Personal confidential data is needed so that the health professional, e.g. the GP, can offer an individual preventative care; this would be part of direct care. Patients would expect that health

CASE STUDY 5: Leeds Care Record

Patients in Leeds are benefiting from healthcare professionals directly involved in their care having access to their relevant health information. By logging on to the Leeds care record and simply clicking on the relevant organisational tab, healthcare professionals can see the latest information about their patient. Information from GP practices, hospitals and mental health is live on the record and a pilot of community services is under way, with social care to follow.

Those working in hospital clicked on the GP ‘tab’ 4,000 times in a month, which could represent a significant saving in terms of time that would otherwise have been spent phoning the GP practice. Local engagement has taken place with professionals and patients to define the data which is made available on the care record. Patients have been informed about the Leeds care record using a variety of techniques including leaflets and posters in GP practices, media coverage and local engagement events. The care record has been operational for more than 18 months and so far 67 out of 760,000 patients in Leeds have chosen to opt out.

69. In the public Policy Lab workshop the Review heard: ‘If I was a drug user I wouldn’t want a community nurse who was coming to treat my ulcers to look down on me for being a drug user. You would have to make it clear who will see this and who will not.’ At the Patients, Users, Carers Evidence Session, 24 November 2015 and Policy Lab workshop 10 December 2015 individuals also stated that patients would expect to be able to opt out of information being shared for direct care, as they can now.
70. Social care evidence session 24 November 2015
71. https://www.england.nhs.uk/wp-content/uploads/2014/10/5yfv-web.pdf
72. Caldicott2 highlighted good practice around appropriate sharing of personal confidential data between registered professionals and non-regulated staff
73. Interview with NHS England 18 November 2015.


CASE STUDY 6: Whole System Integrated Care Record (WSIC)

Patients in London are more likely to have their information available at the point of care following developments across the capital. A Whole System Integrated Care (WSIC) record is enabling information sharing between health and social professionals in North West London. One of the aims is for the health and the social care systems to work together to improve care services.

Communication materials are provided for GPs and social care professionals to support communication with the public. Patients and service users are informed that their care information may be shared with acute services consultants, mental health consultants, community health professionals and social care workers directly involved in their care.

Patients can opt out of their information being made available outside a particular care setting. In addition, the North West London care information exchange will provide patient and service users with a single view of their information with the ability to control information sharing.

In both these examples, an integrated record is created on the basis of implied consent. Smart cards and role based access controls ensure that only information relevant to a job role is viewed and information sharing agreements are in place. Explicit consent is obtained before a patient’s Whole System Integrated Care Record is accessed.

professionals would use data they hold to improve their care on the basis they could dissent from the treatment when offered. However, some CCGs are using the same predictive tool for both risk stratification for case finding and risk stratification for planning. The Review suggests that these two functions are separated. The Review considers that risk stratification for case finding, where carried out by a provider involved in an individual’s care or by a data processor acting under contract with such a provider, should be treated as direct care for the purpose of the opt out (and therefore should not be subject to the opt out of personal confidential data being used for purposes beyond direct care).

3.2.11  There are some elements of direct care which rely on the processing of data nationally, for example the electronic transfer of prescriptions, screening74, immunisation programmes and the Summary Care Record. The Review heard no evidence to suggest that there should be a change to effective local or national arrangements for sharing information. However, multiple opt-out forms are confusing for patients and health and social care professionals. In West Hampshire, a number of GP practices are working collaboratively to provide same-day appointments to patients. A GP described how a patient would attend from a different practice, but their record cannot be accessed because they have opted out of their information being shared. Often the patient response is ‘I didn’t mean that, please can you opt me in again?’ However, this is not possible unless they return to their registered practice. As well as being confusing, opt-out forms do not reflect the granularity of people’s concern, as individuals may worry about a very specific piece of information. The Department of Health, working with other stakeholders, should consider how this is addressed.

3.2.12  The different successful approaches being taken at local level led the Review to conclude that an overarching, national, consent question should not be framed around direct care. A person can still ask for their health care professional not to share a particular piece of information with others involved in providing their care75. This may be in relation to a local shared record programme. Local communication materials should inform people what they should do if they have concerns.

Purposes beyond direct care

3.2.13  The Review considered the extent to which personal confidential data was needed for purposes beyond direct care. The Review heard that high quality, linked data was required for running the health and social care system and improving the safety and quality of care, but that for the majority of purposes personal confidential data was not required.

3.2.14  The purposes where personal confidential data are needed are as follows:

(i) Commissioning – NHS England, commissioners in CCGs and Local Authorities play a valuable role

74. Caldicott2 provides further information about screening
75. If withholding information would result in a patient receiving unsafe care, it should be explained to the patient that it will not be possible to arrange effective treatment for them without disclosing information (GMC guidance)


in improving the care of patients. The Review heard examples of local commissioners working closely with health and social care professionals to coordinate care and evaluate the impact of new services or interventions resulting in improvement to the care patients receive. Evidence received from NHS England, which was informed by feedback from local commissioners, set out the specific circumstances when commissioners require personal confidential data:

• invoice validation of non-contracted activity;
• national patient surveys;
• analyses where the level of geographical precision required necessitates the use of personal confidential data e.g. to consider the impact on its patients of a GP practice moving premises;
• ensuring that cohorts of patients with highly individual needs are treated in the most appropriate setting, e.g. detecting patterns in relation to the care of patients with learning disabilities.

Concern was expressed about the impact of an opt-out on the quality of data for these purposes – for example, resources may be allocated on the basis of incomplete information, or unusual trends which may indicate unsafe care might not be highlighted76. The Review considered whether to exclude from the opt-out the use of data for purposes which enable direct care such as planning local services. However, the use of information for this type of purpose was ‘new news’77 to the public and there was a lack of knowledge and interest in this type of data use. Public engagement suggests that understanding of direct care did not align with an extended definition at the present time. The Review is keenly aware that public attitudes are likely to change as more information about the potential benefits of increased data usage is provided.

(ii) Monitoring health and social care services – CQC is a statutory body, which is responsible for monitoring, inspecting and regulating services to support the improvement of care. Personal confidential data is used as part of its NHS outliers programme. Statistical methods are used to identify unexpected performance (outliers) in mortality or maternity indicators that may be linked to problems with the quality of care. Part of this process can include alerting the provider, using the NHS number, to the individual patients. In addition, CQC monitors the care of people moving between adult social care residential services and hospitals so that action can be taken to protect people using services. The CQC also coordinates the NHS Patient Survey Programme, which allows patients and the public to have a say about the quality of NHS services78.

NHS Improvement is responsible for supporting urgent operational improvements and ensuring long-term sustainability of the healthcare system79. Personal confidential data is required to audit the quality of hospital data80 by comparing it to patient records.

Clinical audits are used to check whether healthcare is being provided in line with agreed and reputable standards e.g. those of NICE81. Regulators, those providing care, and the public can see what is working well and where improvements can be made. The use of personal confidential data for local clinical audit is permissible within an organisation with the participation of a health and social care professional with a legitimate relationship to the patient through implied consent82. For audit across organisations, the use of personal confidential data is permissible where there is approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002. NHS England commissions the Healthcare Quality Improvement Partnership (HQIP) to manage 30 national audits83 and there are also 20 clinical audits, which are funded by the specialist societies themselves.

(iii) Public health purposes – Protecting and improving the nation’s health and wellbeing and reducing health inequalities are fundamental to the health and social care system. As set out in the 2013 review, some uses of information for public health purposes can be seen as direct care, i.e. where they relate to the care of an individual. This includes the oversight and provision of population screening programmes84. There is an overriding public interest for using personal confidential data for some public health functions, e.g. the control of outbreaks of infectious diseases. These are discussed in further detail below.

(iv) Research – Research is an essential part of improving the safety and quality of care: research facilitates the development of innovative new medicines, treatments and services. The National Research Ethics Service provides an ethical review

76. Meetings with stakeholders including NHS England, NHS Improvement and CQC
77. Evidence from public focus groups
78. http://www.nhssurveys.org
79. It brings together Monitor, the NHS Trust Development Authority (TDA) and patient safety and improvement functions from across the NHS.
80. Hospital Episode Statistics (HES) and Secondary Uses Service (SUS) data
81. https://www.nice.org.uk
82. As set out in Caldicott2
83. http://www.hqip.org.uk/national-programmes/a-z-of-nca/
84. Even though authorised under the Health Service (Control of Patient Information) Regulations 2002


CASE STUDY 7: Information sharing in Worcestershire and elsewhere

In Worcestershire, commissioners estimate that approximately 35% of their local budget is spent on 1% of their population. Commissioners are using this information to identify a cohort of people who will be provided with an individual care and support package. A separately allocated budget for this cohort will help incentivise those providing care across different organisations to work together to deliver better outcomes.

Analysis undertaken by Midlands & Lancashire Commissioning Support Unit (CSU) for commissioners uses person-level data drawn across health and social care. This data is linked through a unique identifier based on the NHS Number in the CSU to identify the cohort of people most in need of joined-up care and support. The CCGs and the County Council, which is responsible for providing social care services, then need to track this cohort of patients to monitor the impact of interventions. For example does an investment in specialist nurses in the community reduce admissions to hospital? The CCG and County Council create a list of the cohort of patients, which is shared with those providing care. This allows the care provided and payments to be tracked and allocated to the separate budget.

of all health research involving patients in England. Researchers have worked hard to gain the trust of research participants: 2.2 million patients have agreed to take part in medical cohort studies, and the Review heard that this valuable contribution should not be undermined85. The Review also heard that there is support for information being used for research, but that ‘the public is likely to react differently to research that does not have a link back to improving direct care’. Personal confidential data is currently used for research with explicit patient consent or where there is approval under the Health Service (Control of Patient Information) Regulations 2002. These Regulations can support research use where there is no practicable alternative to reliance upon them: where neither consent, nor the use of data that is not identifiable, can be practical alternatives. Decisions on approval are taken by the Secretary of State or the Health Research Authority with independent advice from the Confidentiality Advisory Group86.

The consent/opt-out model

3.2.15  The Review found that there is support for data being used for running the health and social care system and for improving the safety and quality of care when the benefits of doing so are clearly explained87. In public focus groups and in the Policy Lab testing workshop the Review heard that when individuals were given information explaining uses other than for direct care, such as planning services and research, these uses were regarded as beneficial and sensible: ‘The data is there, so it should be used’88. The Review also heard that people want a choice about how their personal confidential data is used and to understand the types of organisation that are accessing data. The public tended to make a distinction between the NHS ‘family’ and others making use of data89.

3.2.16  The Review tested a model giving two opt-out questions with patients and health care professionals in response to hearing that some patients made a distinction between sharing within and beyond the NHS ‘family’. In this testing the first opt-out related to personal confidential data being used for essential purposes to run the NHS, e.g. planning services and funding care; the second opt-out related to monitoring and improving the quality of care through research. For each question, patients and healthcare professionals were given scenarios to support understanding of the two different choices. The Review was told by both the public and professionals that there was confusion about how the existing system worked, what the new opt-outs related to and how the two categories of information differed90.

3.2.17  The Review then considered providing greater clarity and developed two opt-outs which stakeholders thought were clearer and gave a more helpful distinction. These two opt-outs were:

(i) providing local services and running the NHS and social care system. This would cover the use

85. http://www.mrc.ac.uk/publications/browse/maximising-the-value-of-uk-population-cohorts/
86. http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/
87. Existing literature on public opinion shows that when individuals are informed about data sharing and its benefits their support for the project increased, see GMC (2007). Public and professional attitudes to the privacy of healthcare data. A survey of the literature. http://www.gmc-uk.org/GMC_Privacy_Attitudes_Final_Report_with_Addendum.pdf_34090707.pdf OPM (2015) Review of public and professional attitudes towards confidentiality of healthcare data. http://www.gmc-uk.org/Review_of_Public_and_Professional_attitudes_towards_confidentiality_of_Healthcare_data.pdf_62449249.pdf
88. Public focus group.
89. The engagement events and analysis of existing literature on public opinion showed that people become concerned about data sharing when their data is accessed outside the NHS, especially with commercial organisations or those looking to profit from data usage. Stevenson, F., Lloyd, N., Harrington, L., Wallace, P., (2013) Use of electronic patient records for research: views of patient and staff in general practice. Family Practice Vol 30 (2) pp. 227-232
90. Public focus group and testing workshops with patients and health and social care professionals


of personal confidential data by registered providers, statutory bodies using data for their statutory purposes and the Royal Colleges undertaking national clinical audit. The relevant statutory bodies are NHS England, NHS Improvement, Public Health England, the Care Quality Commission, Clinical Commissioning Groups and Local Authorities. This would also include organisations which process information on behalf of statutory bodies for their statutory purposes, e.g. CSUs processing data on behalf of CCGs.

(ii) supporting research to improve treatment and care. This would cover the use of personal confidential data to support research and improve the quality of care. These applications are currently approved by the Secretary of State or the Health Research Authority with independent advice from the Confidentiality Advisory Group.

3.2.18  As an alternative, the Review also looked at a possible single opt-out for personal confidential data being used for purposes beyond direct care. This has the advantage of being a simple message for the public, and would be simpler to implement both locally and nationally. However, there was subsequent concern that a single opt-out would limit people’s choice. The Review heard from those running the system that it could result in people who are content for their information to be used for core health and social care uses, such as planning local services, opting out due to their concern about broader uses such as research.

3.2.19  Further testing was then conducted of both a two-question and a single question model. This showed that some people were fully supportive of data sharing and agreed with the need to find the right balance between using data for the benefit of patients and the wider NHS, and keeping that data safe. People were very interested in the language used to describe the choices, and one group recommended that the language should be as simple and direct as possible, with clear examples of the impact of either sharing or not sharing data.

3.2.20  A summary of the two models and indicative questions are set out at the end of this chapter. It was clear throughout the Review that public understanding of the current arrangements for data sharing is limited; when communicating choices, there is an assumption that the data flows are new and therefore controversial. The Review recommends that there should be a formal, full and comprehensive consultation on the proposed consent/opt-out model. Alongside that consultation, there should be further testing of both a two-question and a single question model with patients and professionals to see if people would prefer to have more than one choice. Following the consultation and testing, further work on the wording would be needed before the model is ready for implementation.

Recommendation 11: There should be a new consent/opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care. This would apply unless there is a mandatory legal requirement or an overriding public interest.

3.2.21  Whilst patients have a right under the NHS Constitution to request that their personal confidential data is not used beyond their direct care, there is currently no easy way for them to do that. The Review suggests that the new opt-out model should be implemented by every organisation which shares health and social care information. Where someone has opted out this choice should be respected by data controllers (subject to the exceptions outlined in the exceptions and overrides section below). Ultimately, a patient should be able to state their preference once (online or in person) and be assured that this will be applied across the system. They should be able to change their minds if they wish, and this new preference should be honoured. This would be a significant step forward in allowing people to more easily state a preference about the use of their health and social care information.

3.2.22  There is confusion amongst care professionals and patients about the law in relation to confidentiality. For example, the requirements under the Data Protection Act 1998 and the Common Law duty of Confidentiality are often confused. The Review suggests that the ICO and Information Governance Alliance (IGA) should work jointly to make the relationship between the two clear for local practice including social care91.

91. The ICO has recently consulted on a code of practice on communicating privacy information to individuals which is part of a range of guidance provided by the ICO to support organisations in meeting DPA requirements (https://ico.org.uk/about-the-ico/consultations/privacy-notices-transparency-and-control-a-code-of-practice-on-communicating-privacy-information-to-individuals/)


3.2.23  The Review recommends that the new model should apply to uses of personal confidential data that are specifically authorised under law, e.g. in accordance with Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002. Where a patient does not opt out this does not mean that they have consented for their information to be used for purposes beyond direct care. In the absence of consent, there will always need to be a specific legal authority for sharing (e.g. in accordance with regulations under section 251 of the NHS Act 2006). There will also be some specific circumstances where an individual’s decision to opt out does not apply, as set out under ‘exceptions and overrides’ below.

3.2.24  This is consistent with the stance taken by the Confidentiality Advisory Group (CAG). CAG provides independent expert advice on whether applications to access patient confidential data without explicit consent should be supported under Regulations 2 and 5 of the Health Service (Control of Patient Information) regulations. It has taken a position that it will advise that it is not in the public interest to override an opt-out in anything other than the most exceptional circumstances, e.g. serious public safety concerns.

Use of anonymised data

3.2.25  The majority of purposes beyond direct care do not require personal confidential data: those commissioning, regulating, and monitoring services, or undertaking research, often do not need to know the identity of an individual. Instead they either require high quality linked person level data, which allows them to track patients without knowing who they are, for example to track patients with asthma who are repeatedly admitted to hospital, or aggregate/statistical data, for example to count how many patients in England have asthma.

3.2.26  The previous Review on Information Governance described two types of data: (i) de-identified data for limited access and (ii) anonymised data for publication. This was based on the definitions in the ICO’s Anonymisation Code of Practice92. The Review considered whether the opt-out should apply to de-identified and anonymised data. The Review heard that the public is broadly content for their anonymised information to be used for health and social care purposes: ‘I think if it’s kept anonymous, then it’s not a problem. If they share it, they wouldn’t have your name against the data’93. The definition of anonymised provided by the public was closer to de-identified for limited access, e.g. removing a name. The Review heard that the public was concerned about protections in place to safeguard their data.

3.2.27  The Review also heard that de-identified data is of considerable benefit to commissioners, planners and researchers. They were concerned that an opt-out would have a negative impact. For example, CCGs would not have a complete dataset for their population including patients with complex care needs, regulators would not have complete data to look at trends for example in relation to the quality of care94, and researchers may not be able to answer questions confidently, such as how many people have a certain condition or to identify associations between causes and health effects95.

3.2.28  De-identified data and anonymised data are widely used in the health and social care system. Data which does not identify individuals has been used to understand the future health needs of the population, for example to inform NICE cancer guidance and ensure the safety of drugs and medication. Also, the safety of the MMR vaccine was confirmed using de-identified data. A complete set of de-identified data enables NHS Improvement to conduct system level analysis of patterns, consider what is working well and where improvements are needed, develop payment tariffs, and improve the quality of data relating to the cost of care as part of its costing transformation programme.

3.2.29  In future, more person-level data will be required by commissioners because services will increasingly be integrated around an individual, which means that commissioners will need to understand the impact of interventions on cohorts of patients and service users, as well as on organisations and the local population as a whole. Since the last review, it has become evident that a significant amount of work has been undertaken to help support commissioners to have appropriate access to information96, but commissioners stated in the Review that they were still experiencing challenges in relation to accessing the data required to carry out their statutory functions. The absence of data, particularly from GP practices and social care, makes it difficult for commissioners to evaluate the impact of interventions across all care settings97. One commissioning GP said: ‘What would members of the public think if they knew the NHS could not fully account for the money it is spending? It should be a standard part of the business’. A driver for using

92. https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/
93. Public focus groups.
94. Evidence from CQC.
95. Evidence from Medical Research Council.
96. For example a draft document ‘Enabling Information Sharing: A User’s Map for Health and Social Care’ sets out six reasons for sharing information informed by the experience of local integrated care pioneers and vanguards, systems.hscic.gov.uk/infogov/iga/consultations/nhsenframework.pdf
97. A recent National Audit Office report states: ‘The Department and NHS England are taking steps to improve access but they are making decisions without fully understanding either the demand for services or the capacity of the current system. Given the important role general practice plays in the health and social care system, the Department and NHS England need better data in order to make well-informed decisions about how to use limited resources to best effect.’ (https://www.nao.org.uk/wp-content/uploads/2015/11/Stocktake-of-access-to-general-practice-in-England.pdf)


CASE STUDY 8: Use of linked data in East and North Hertfordshire


Health and social care services in East and North Hertfordshire are using MedeAnalytics’
(http://medeanalytics.co.uk) software to better understand their local population. As East and North
Hertfordshire emphasised, the tool’s benefit is that it facilitates data-enabled decisions and valuable insights
visible to users. Having access to timely, linked data about local patients and service users has enabled East
and North Hertfordshire to undertake powerful impact analysis of their re-ablement service (helping people
regain their independence) and set up automated information alerts – for example, advising a GP if one of
their patients is making frequent visits to A&E.
Identifiers such as name, NHS number, and full postcode are coded rather than removed altogether.
This means that where an individual is identified as being at risk or in need of a specific intervention, the
relevant health and care professional involved in the care of the patient can use the system to re-identify the
individual or individuals and make the necessary intervention.

personal confidential data has been the absence of high quality linked person level data98. This absence results in the NHS number and postcode being used to link data, check the quality of the linked data, and to track patients for example to monitor the impact of interventions or check the quality of care. The Review found no reason for commissioners to access personal confidential data for risk stratification for planning if they were provided with de-identified linked data and the function was separated from risk stratification for case finding, as set out in the direct care purposes section above.

3.2.30  The third Caldicott principle calls for the minimum amount of personal confidential data to be transferred or accessible as is necessary for a given function to be carried out99. That is best achieved by encouraging organisations to switch from using personal confidential data to de-identified data for limited access or anonymised data. East and North Hertfordshire CCG has explored the benefits of using de-identified data.

3.2.31  The Review heard strong evidence from organisations such as NHSE, NHSI and CQC about the importance of high quality person level data for running the health and social care system, to protect public health and support research. Most purposes do not need personal confidential data, but do require a subset of information drawn from a full dataset. The Review proposes that personal confidential data should be passed to the HSCIC, as the statutory safe haven of the health and social care system, to de-identify or anonymise and share it with those that need to use it. If HSCIC were able to disseminate high quality anonymised data based on a complete dataset, it would reduce the need for these organisations to access personal confidential data. For that reason the Review recommends that, in due course, the opt-out should not apply to any flows of information into the HSCIC. This requires careful consideration with the primary care community, which takes its responsibility as data controller seriously, and with the public. It would, however, enable commissioners, for example, to fulfil many duties currently subject to Confidentiality Advisory Group (CAG) recommendations, without requiring access to personal confidential data. For the time being the status quo should prevail. The Review notes the Government’s decision to change the name of HSCIC to NHS Digital. This will provide the organisation with a good opportunity to use the NHS brand, making it clear to everyone that it is part of the NHS ‘family’.

Recommendation 12: HSCIC should take advantage of changing its name to NHS Digital to emphasise to the public that it is part of the NHS ‘family’, while continuing to serve the social care and health system as a whole.

3.2.32  The Review recommends that the good practice advice contained in the Information Commissioner’s Office Anonymisation Code should be used to safeguard all de-identified data. The Code provides advice on how to turn data into a form which ‘does not identify individuals and where identification is not likely to take place’. The code sets out how any risk of re-identification can be mitigated where there is limited access for a specific purpose by the use of contracts and other controls. The ICO code covers various techniques that can be used to convert personal confidential data into de-identified data, to

98. Evidence from statutory bodies including NHS England and local CCGs.
99. Caldicott Principle 3: “Use the minimum necessary personal confidential data: Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data transferred or accessible as is necessary for a given function to be carried out.”


produce anonymised data but on a person-level basis. The code shows that the effective anonymisation of personal confidential data is possible and desirable and can help society to make use of rich data resources whilst protecting individuals’ privacy.

3.2.33  The ICO has the powers to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act. Under the EU General Data Protection Regulation (GDPR)100, these sanctions will increase to a maximum of £20 million for public bodies and 4% of global turnover if a private company. The recently published report from the House of Commons Science and Technology committee101 recommends that the Government introduces criminal penalties for serious data protection breaches. In response to the committee102, the Government has pledged to review the existing sanctions regime, as the GDPR is implemented. The Review welcomes this work and recommends that the Government should consider introducing stronger sanctions to protect anonymised data. This should include criminal penalties for deliberate and negligent re‑identification of individuals.

3.2.34  The combination of recognised national guidance for anonymisation alongside severe penalties for serious breaches of the Data Protection Act 1998 enables the Review to propose that data that has been de-identified according to the ICO’s Anonymisation Code should not be subject to the opt-out. The Review recommends that the forthcoming Information Governance Alliance guidance on Anonymisation for health and social care, which is intended to support the ICO Code, should explicitly refer to the potential legal, financial, and reputational consequences of organisations failing to have regard to the ICO Code by re-identifying individuals. The anonymisation guidance could also be used to underline the need for all those that use health and social care data, such as universities, to work with the same approach.

Recommendation 13: The Government should consider introducing stronger sanctions to protect anonymised data. This should include criminal penalties for deliberate and negligent re-identification of individuals.

Recommendation 14: The forthcoming Information Governance Alliance’s guidance on disseminating health and social care data should explicitly refer to the potential legal, financial, and reputational consequences of organisations failing to have regard to the ICO’s Anonymisation Code of Practice by re-identifying individuals.

Contributing to a specific research project

3.2.35  People should continue to be able to give their explicit consent separately if they wish, e.g. to be involved in research, as they do now. They should be able to do so regardless of whether they have opted out of their data being used for purposes beyond direct care. This should apply to patients’ decisions made both before and after the implementation of the new opt-out model. There are local and international examples of effective solutions.

3.2.36  There is also evidence of controlled environments, safe havens or research banks being successfully implemented on the basis of explicit consent where personal confidential data is required. There is scope for further innovation in this area.
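The approach described in Case Study 8 (identifiers coded rather than removed, so that a professional involved in a patient’s care can still re-identify them) and in paragraphs 3.2.30 to 3.2.32 (person-level data that can be linked without revealing identity, with the key held by a safe haven) can be illustrated in code. The example below is added here; it is not taken from the Review, from MedeAnalytics or from any HSCIC system. The sample GP and admissions records are constructed, the `SafeHaven` class and the role name `treating_clinician` are hypothetical, and the choice of a keyed HMAC for the pseudonym is the author’s assumption about one reasonable implementation, not a description of any real deployment.

```python
"""Keyed pseudonymisation and linkage of health extracts (added example)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample extracts (not real patients): a GP extract and a
# hospital admissions extract, both still carrying direct identifiers.
GP_RECORDS = [
    {"nhs_number": "4505577104", "postcode": "SG1 4AB", "conditions": ["asthma"]},
    {"nhs_number": "9434765919", "postcode": "SG2 9XY", "conditions": ["diabetes"]},
    {"nhs_number": "6312344891", "postcode": "SG1 4AB", "conditions": ["asthma", "copd"]},
]
ADMISSIONS = [
    {"nhs_number": "4505577104", "date": "2016-01-04", "reason": "asthma"},
    {"nhs_number": "4505577104", "date": "2016-03-19", "reason": "asthma"},
    {"nhs_number": "6312344891", "date": "2016-02-11", "reason": "fall"},
    {"nhs_number": "9434765919", "date": "2016-02-20", "reason": "diabetes"},
]

DIRECT_IDENTIFIERS = ("nhs_number", "name", "date_of_birth")


class SafeHaven:
    """Hypothetical safe-haven role: the only place the key and lookup live."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # pseudonym -> NHS number; never leaves the safe haven

    def pseudonym(self, nhs_number: str) -> str:
        # HMAC rather than a bare hash: the NHS number space is small enough
        # to enumerate, so an unkeyed hash of it could be reversed by trial.
        token = hmac.new(self._key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = nhs_number
        return token

    def deidentify(self, records):
        """Replace direct identifiers with a pseudonym; coarsen the postcode."""
        out = []
        for rec in records:
            deid = {k: v for k, v in rec.items()
                    if k not in DIRECT_IDENTIFIERS and k != "postcode"}
            deid["pid"] = self.pseudonym(rec["nhs_number"])
            if "postcode" in rec:
                # Keep only the outward code (district): enough for local
                # planning, too coarse to single out a household.
                deid["postcode_district"] = rec["postcode"].split()[0]
            out.append(deid)
        return out

    def reidentify(self, pid: str, requester_role: str) -> str:
        # Case-study style re-identification: only a professional involved in
        # the patient's care may resolve a pseudonym back to an NHS number.
        if requester_role != "treating_clinician":
            raise PermissionError(f"role {requester_role!r} may not re-identify")
        return self._lookup[pid]


def asthma_patient_count(gp_deid):
    """Aggregate statistic (3.2.25) that needs no identity at all."""
    return sum(1 for r in gp_deid if "asthma" in r["conditions"])


def repeat_admissions(adm_deid, threshold=2):
    """Pseudonyms admitted at least `threshold` times: person-level, no identity."""
    counts = Counter(r["pid"] for r in adm_deid)
    return sorted(pid for pid, n in counts.items() if n >= threshold)


def asthma_repeat_admission_cohort(gp_deid, adm_deid):
    """Link the two extracts on the pseudonym alone (same key, same token)."""
    asthma = {r["pid"] for r in gp_deid if "asthma" in r["conditions"]}
    return [pid for pid in repeat_admissions(adm_deid) if pid in asthma]


def run_demo(key: bytes = b"constructed-demo-key-keep-in-an-hsm"):
    haven = SafeHaven(key)
    gp_deid = haven.deidentify(GP_RECORDS)
    adm_deid = haven.deidentify(ADMISSIONS)
    cohort = asthma_repeat_admission_cohort(gp_deid, adm_deid)
    return {
        "asthma_patients": asthma_patient_count(gp_deid),
        "cohort": cohort,
        "gp_fields": sorted(gp_deid[0]),
        # The clinician-side step that turns an alert back into a patient.
        "reidentified": [haven.reidentify(pid, "treating_clinician") for pid in cohort],
    }


if __name__ == "__main__":
    print(run_demo())
```

The analysts’ functions never see an NHS number or full postcode, yet the two extracts still link because the same key produces the same token in both; a different key (or a different safe haven) produces unrelated tokens, which is what keeps a dataset released for one purpose from being joined to another without the key holder’s involvement. The re-identification table is the sensitive asset: it belongs with the key, under the contractual and access controls the ICO code describes, not with the de-identified extract.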

CASE STUDY 9: UK Biobank


UK Biobank holds data and clinical samples to support longitudinal research on more than 500,000 people.
It can initiate requests for participants to submit tissue samples and undergo diagnostic tests and can also
link to data held by a participant’s GP. The consent model is explicit and facilitated by an in depth consultation
process.
UK Biobank makes use of a three part model to withdraw consent enabling participants to: withdraw consent
to be contacted in future, but allowing the organisation to continue to draw information from a medical record
and to use existing samples taken; withdraw consent for any future use of data, but retaining Biobank’s ability
to use samples and data collected previously; or to completely opt out of the system, where Biobank would
delete a participant’s data and destroy any remaining samples.

100. The Regulation is published in the Official Journal – http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
101. Science and Technology Committee Report http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/468/46802.htm
102. Government response to Science and Technology Committee Report http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/992/992.pdf


CASE STUDY 10: HealthBank (Switzerland)


HealthBank is a for-profit co-operative company, based in Switzerland. Individuals (members of the public)
pay £65 to join as a shareholder and upload their own health data as they see fit. Shareholders are asked
explicitly to contribute their data to research trials and are paid for their efforts (and data) at a price stipulated
by the study owner. In this way, HealthBank offers an ‘opt-in’ model whereby shareholders choose, on a study
by study basis to donate or sell their data. As explicit informed consent is required, no specific legal gateway
is required for the sharing of confidential data.

Recommendation 15: People should continue to be able to give their explicit consent, for example to be involved in research.

Genomics

3.2.37  Genomics offers huge potential for personalised medicine to improve the effectiveness of healthcare while reducing or eliminating side-effects. However, the lines between direct care and secondary use of data are blurred: interpreting the clinical significance of an individual’s genomic variants is reliant on the data of a larger cohort of patients with similar disorders. The timescales of the Review have not enabled a detailed consideration of this area. Useful work has taken place on these issues, for example a recent joint report from the Public Health Genomics Foundation and the Association for Clinical Genetic Science makes a number of commendable recommendations103.

3.2.38  The 2013 Information Governance Review considered the issue of consent for consent, where researchers may need to access personal confidential data to identify people with particular characteristics to invite them to take part in clinical trials and other interventional studies; this is considered as good practice. This Review has not received any evidence that the professional standard and good practice in relation to consent for consent, as set out in the last report, needs to be re-examined.

National disease registers

3.2.39  Public Health England (PHE) maintains national registers of diseases including cancer, congenital anomalies and rare diseases. These registers have played a vital role in improving outcomes for many patients. The Review heard evidence that such registers rely on completeness of data and linkage for their validity. The Review understands that PHE intends to enhance the level of consent taking for its disease registers, by contacting patients directly where appropriate at the point of registration. In addition, Macmillan Cancer Support and Cancer Research UK have embarked on a rapid review to define a new approach to informing patients about cancer registration. They are involving people affected by cancer, NHS staff caring for them, cancer charities and other stakeholders including Public Health England and privacy campaigners. The Review looks forward to seeing progress in this vital area.

Exceptions and overrides

3.2.40  As now, there are a limited number of specific circumstances in which an individual’s decision to opt out should not apply:

(i) Where there is an overriding public interest, on a case by case basis, such as preventing and responding to natural disaster; monitoring and control of important diseases in humans such as TB and diseases of epidemic potential such as Ebola; infections that pass between animals and humans such as the zika virus; and for chemical, biological, radiological and nuclear events. The Review heard

CASE STUDY 11: Genomics England


Genomics England aims to sequence 100,000 human genomes from around 70,000 people to support better
diagnosis and better treatments for patients and enable medical research. To do this they operate an explicit
consent model, which makes it clear to participants that by agreeing to genomic sequencing they are also
agreeing to the use of their information for medical research including by commercial organisations.

103. http://www.phgfoundation.org/file/17089/


evidence of the importance of the opt-out not applying to the monitoring and control of communicable diseases and certain other public health emergencies. The Review suggests that the use of personal confidential data for monitoring and control of communicable diseases and other risks to public health104 is not subject to an opt-out, to ensure the safety of the public’s health.

(ii) When information is required by law or by a court order. This includes the following examples:

• the Care Quality Commission, which has powers of inspection and entry to require documents, information and records – a code of practice sets out how the CQC can use these powers105 (Health and Social Care Act 2008);
• the HSCIC, the statutory safe haven, which has powers to collect information when directed by the Secretary of State or NHS England (Health and Social Care Act 2012);
• the NHS Counter Fraud Service, which has powers to prevent, detect and prosecute fraud in the NHS (National Health Service Act 2006);
• investigations by regulators of professionals (e.g. Health and Care Professions Council, General Medical Council, or Nursing and Midwifery Council investigating a registered professional’s fitness to practise) (e.g. under the Medical Act 1983);
• coroners’ investigations into the circumstances of a death, i.e. if the death occurred in a violent manner or in custody (Coroners and Justice Act 2009);
• health professionals must report notifiable diseases, including food poisoning (The Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010);
• the Chief Medical Officer must be notified of termination of pregnancy, giving a reference number, date of the birth and postcode of the woman concerned (Abortion Regulations 1991);
• employers must report deaths, major injuries and accidents to the Health and Safety Executive (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013);
• information must be provided to the police when requested to help identify a driver alleged to have committed a traffic offence (The Road Traffic Act 1988);
• information must be provided to the police to help prevent an act of terrorism or prosecute a terrorist (The Terrorism Act 2000 and Terrorism Prevention and Investigation Measures Act 2011);
• information must be shared for child or vulnerable adult safeguarding purposes (e.g. s.47 Children Act 1989); and
• health professionals must report known cases of female genital mutilation to police (Female Genital Mutilation Act 2003).

HSCIC collecting data

3.2.41  The exceptions above set out when information is required by law – including the legal powers of the HSCIC to collect information when directed by the Secretary of State or NHS England. The Review looked at public opinion on HSCIC collecting data. In public focus groups, the Review heard that although HSCIC was not widely known, when information was provided people understood that it was part of the NHS ‘family’ and was seen as a trusted internal organisation106. The Review heard strong evidence, for example from statutory bodies, that flows of information to the HSCIC are important for ensuring that high quality linked data can be provided by HSCIC, e.g. for running the health and care system. The Department of Health’s current policy position allows people to opt out of their personal confidential data held by GPs being collected by HSCIC107. Applying this policy to all HSCIC data collections, including existing data collections from hospitals, would degrade the quality of data currently available to statutory bodies, researchers and local commissioners. The Review recognises that the new opt-out should not cover HSCIC’s already mandated data collections, such as Hospital Episode Statistics (HES) data. The Review believes it is important that there is consistency and therefore where there is a mandatory legal requirement for data in place, opt-outs would not apply.

104. As authorised in regulation 3 of The Health Service (Control of Patient Information) Regulations 2002, SI No. 1438
105. http://www.cqc.org.uk/content/code-practice-confidential-personal-information
106. Public focus groups.
107. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251750/9731-2901141-TSO-Caldicott-Government_Response_ACCESSIBLE.PDF


Information for statistics

3.2.42  The Office for National Statistics (ONS) is the UK’s largest independent producer of official statistics and is the executive office of the UK Statistics Authority, which is the recognised national statistical institute for the UK. It is responsible for collecting and publishing statistics related to the economy, population and society at national, regional and local levels. It also conducts the census in England and Wales108.

3.2.43  Under the Statistics and Registration Service Act 2007, ONS can receive person level demographic information (in particular: date of birth; sex; NHS number; address and previous addresses; and primary care registration history) for the production of population statistics, which include internal migration. This excludes information about individuals’ health and social care, and the data that the ONS produces using this information is vital to the appropriate funding of local public services, among other uses. For this reason, the Review has not made data flows into the ONS for the production of official statistics part of the proposed opt-out.

Invoice validation for non-contracted activity

3.2.44  The Review also looked at the information needed to allow for payment of services, which commissioners had identified as an area where personal confidential data is required. Non-contracted activity refers to NHS funded services delivered to a patient by a provider which does not have an agreed contract with the patient’s responsible commissioner. For example, a patient may live in Bromley and be taken critically ill whilst on holiday in Devon. South Devon and Torbay CCG will send an invoice to Bromley CCG for the patient’s care. Bromley CCG will want to check that they are responsible for the patient before paying the invoice.

3.2.45  NHS England estimates that CCGs process hundreds of thousands of non-contracted activity invoices per year, worth up to £1 billion. The proportion of patients that will opt out of the new model is unknown, but even a small percentage of opt-outs could represent a serious financial risk as, without access to data about those that opt out, commissioners will be unable to validate non-contracted activity invoices relating to them.

3.2.46  During testing, members of the public did not express concern about their information being used for payment purposes. ‘Overall there were no issues with this example of data sharing because the information is shared within the NHS – just one hospital to another’. The law is not clear on whether personal confidential data can be used for these purposes without an opt-out. Taking into account the importance of accurately allocating NHS resources and the lack of evidence of public concern in relation to the use of data for this specific purpose, it is recommended that invoice validation for non-contracted activity should be an exception to the opt-out. The Department of Health should enable this through new regulations, which should be limited to when there is no alternative solution, such as the use of anonymised data. NHS England should continue to work on solutions which do not require personal confidential data. There should be further engagement with the public about how their information is used, including for payment, because this use of information, whilst being broadly acceptable, was ‘new news’.

Recommendation 16: The Department of Health should look at clarifying the legal framework so that health and social care organisations can access the information they need to validate invoices, only using personal confidential data when that is essential.

Deceased patients

3.2.47  Where a patient has opted out, this should continue to apply after they have died unless the public interest served by the disclosure outweighs the public interest served by maintaining confidentiality. The fact of a person’s death is not patient confidential data and, therefore, would not be part of the opt-out.

Restrictions on disclosure

3.2.48  There are restrictions on the disclosure of some specific types of information. For example, the disclosure of ‘protected information’ under the Gender Recognition Act 2004 or information kept by clinics and the Human Fertilisation and Embryology Authority (HFEA) under the Human Fertilisation and Embryology Act 1990109.

108. http://www.ons.gov.uk/ons/about-ons/index.html
109. Written evidence from the HFEA


3.3.  Implementing the new opt-out model

3.3.1  From recent public engagement it is evident that there is a low level of understanding of the health and social care system and how information is used. The Review recommends that the Department of Health conducts a formal public consultation on the proposed new opt-out model. It is important that this consultation is accessible to members of the public and is used to start an enhanced public dialogue about the use of information. Alongside the consultation, both the one-question and two-question models should also be tested with professionals and the public.

3.3.2  At the moment, there are a number of different opt-outs, including Type 1 and Type 2 opt-outs and other objections and opt-outs housed in national and local computer systems. In September 2013 the Secretary of State for Health said: ‘Any patient who does not want the personal data held in their GP record to be shared with the HSCIC will have their objection respected’. Two opt-outs were subsequently introduced: one for personal confidential data leaving the GP practice for purposes beyond direct care (Type 1), and the other for personal confidential data being disseminated from HSCIC aimed at purposes beyond their direct care (Type 2). In December 2015, the HSCIC started to collect data from general practices in England relating to patient objections. It began upholding those objections from the end of April 2016110 111.

3.3.3  The Review is not recommending any changes to the existing arrangements until there has been a full consultation on the proposed new consent/opt-out model. Both Type 1s and 2s should apply while the Department of Health conducts a formal consultation and further testing of both types of the questions proposed with patients and professionals.

3.3.4  People have told the Review they want a simple explanation and choices that are clearer to understand. The Review is proposing a new model that has been designed to provide that simpler and less complex approach. The HSCIC, as the statutory safe haven, can share data securely, and the public can have confidence in a simpler model. Once the consultation is complete, and the new model is in

As part of managing this transition, the Department of Health should make sure it considers how to manage the objections already registered by patients both locally and nationally.

3.3.5  The Review heard that people trust the NHS to handle their information securely and that they trust their GP in particular. The Review also heard from GPs’ professional bodies that they value the confidential relationship between doctors and patients. From patients it heard that they find the many different opt-outs that already exist confusing. This Review has benefited considerably from the advice and support of GPs and their professional bodies, as well as other health and social care professionals. In the next stage of the work, these groups should be asked how to support professionals to discuss the new opt-out and ensure that people’s preferences are respected. There is a responsibility on professionals to ensure that they are providing information openly and respecting patients’ own wishes.

3.3.6  Work will also be needed to ensure that all registered providers, public bodies and other organisations participating in the health and social care system are in a position to implement the new consent/opt-out model. The size of this task should not be underestimated. It would be good practice for information sharing choices to be discussed when a new patient registers at a GP practice. In addition, it should be made clear to patients that they can change their mind in the future and what they would need to do to change their preference.

3.3.7  This Review was not asked to look at care.data, although the pathfinder areas have been involved in shaping and testing the proposed consent/opt-out model, as have vanguards and health and social care integration pioneers. The consent and opt-out models proposed by the Review go further than the approach that was planned for the pathfinder areas, and should replace the approach that had been developed for those areas. The consent model should be tested in at least one pathfinder area, as well as in vanguards and integration pioneers. In the light of the Review, Government should consider the future of the care.data programme. The lessons learnt by the care.data programme and pathfinder areas should continue to be used to inform future developments.

3.3.8  On 15 December 2015, agreement was reached on new data protection rules, which mean that citizens will have the same data protection rights across the EU
place, the past arrangements should be replaced. regardless of where their data are processed. The

110. http://www.hscic.gov.uk/article/7072/Applying-Type-2-Opt-Outs
111. https://www.gov.uk/government/uploads/system/uploads/attachment_
data/file/517522/type2objections.pdf

36
Consent/opt-out of information sharing in health and social care

rules are set out in a new General Data Protection assurance that their data will never be used for
Regulation (GDPR) which has been adopted by the marketing or insurance purposes.
European Parliament and Council112. The GDPR will
3.3.11  Returning to the theme of trust, the Review
apply from 25 May 2018. Member states can, however,
heard consistently that the public want to
decide how they wish to regulate in a number of
understand who will have access to what data and
significant areas. There will be a two year transition
for what purpose and how their personal
period, and analysis of how the new framework is likely
confidential data will be protected. Gaps in this
to impact on existing UK data protection legislation is
information lead to public scepticism or fear.
underway, as is early policy thinking around
implementation. The Department of Health will need 3.3.12  The Health Research Authority publishes a list
to consider this during the implementation phase. of applications which are approved under Regulation 5
of the Health Service (Control of Patient Information)
Communication Regulations 2002. However, this information is hard
3.3.9  Communication with the public cannot be to find and may not be easily understood by a
viewed as a single event. There is a risk that if the non‑specialist audience. There are also no updates to
health and social care system does not communicate indicate any benefits that have been achieved from
effectively with the public, people will rely on less using the data. Every organisation which processes
reliable sources of information and public concern will information should ensure it has clear accessible
increase, which could in turn impact upon information on how it uses information. Whilst the
participation. This could impact on the availability of Review recognises that it is difficult to communicate
data for important uses such as monitoring services the complexities of information sharing in the health
that ensure safe care is being provided, and on the and social care system, it should be easier for the
quality of research in the UK. The support and public to access information about how data is used.
engagement of healthcare professionals in
communicating how information is used is fundamental Recommendation 17: The Health Research Authority
to the successful implementation of the new opt-out should provide the public with an easily digestible
model. The review has developed two different models explanation of the projects that use personal
– there are a variety of ways that these could be confidential data and have been approved following
presented and communicated to professionals and advice from the Confidentiality Advisory Group.
the public. One example which received positive
feedback in workshops was a Facebook-style of Recommendation 18: The Health and Social Care
‘preferences’ model. Information Centre (HSCIC) should develop a tool to
3.3.10  Our focus groups reflected evidence elsewhere help people understand how sharing their data has
that some members of the public feel uneasy about benefited other people. This tool should show when
commercial organisations accessing information. personal confidential data collected by HSCIC has
The Review found that people are particularly been used and for what purposes.
concerned that if they allow their personal confidential
data to be used they will be targeted by marketing or
insurance companies. The Care Act 2014 introduced
new protections which mean that the HSCIC can only
disseminate information for the provision of health care
and adult social care, or the promotion of health.
It further makes clear that the HSCIC cannot
disseminate data for solely commercial purposes such
as for commercial insurance. In addition, the Data
Protection Act 1998 provides protections more broadly
against data being processed for any purpose that is
incompatible with the original purpose for which it was
collected. Therefore the Review believes that is will
be important that patients are given robust

112. The Regulation is published in the Official Journal – http://eur-lex.europa.


eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

37
National Data Guardian for Health and Care  |  Review of Data Security, Consent and Opt-Outs

3.4.  National Data Guardian’s proposed consent/opt-out model
3.4.1  The Review has considered how the
recommendations in this Section might be distilled into
a set of eight statements that people could readily
understand. The eight-point model is shown below.
3.4.2  It is followed by four different approaches that
might be adopted when asking the public whether or
not they wish to opt out from having information about
them used for purposes beyond their direct care, such
as checking the quality of care and researching better
cures. The four options could be used to test whether
or not the public would prefer a single opt-out, or two
opt-outs distinguishing between using information
about them to run services and using it for research.
In each case there are two variants: asking people to
choose an information profile that accords with their
preferences; or asking them to tick a box when they
want to opt out. These options are purely illustrative
and the Review does not express a preference, or
rule out alternative approaches. Extensive testing
would be needed before asking people to make this
important choice.

The eight-point model

1. You are protected by the law.
Your personal confidential information will only ever be used where allowed by law. It will never be used for marketing or insurance purposes, without your consent.

2. Information is essential for high quality care.
Doctors, nurses and others providing your care need to have some information about you to ensure that your care is safe and effective.
However, you can ask your health care professional not to pass on particular information to others involved in providing your care.

3. Information is essential for other beneficial purposes.
Information about you is needed to maintain and improve the quality of care for you and for the whole community. It helps the NHS and social care organisations to provide the right care in the right places and it enables research to develop better care and treatment.

4. You have the right to opt out.
You have the right to opt out of your personal confidential information being used for these other purposes beyond your direct care.
This opt-out covers:
A)  Personal confidential information being used to provide local services and run the NHS and social care system.
For example:
• NHS England surveys, for example to find out patients’ experiences of care and treatment for cancer
• regulators and those providing care checking its quality
• NHS Improvement auditing the quality of hospital data.
B)  Personal confidential information being used to support research and improve treatment and care.
For example:
• a university researching the effectiveness of the NHS Bowel Cancer Screening Programme
• a researcher writing to an individual to invite them to participate in a specific approved research project
• a commercial organisation receiving data from an NHS organisation to look at whether contamination levels are safe for workers in the nuclear industry.
This choice could be presented as two separate opt-outs. Or there could be a single opt-out covering personal confidential information being used both in running the health and social care system and to support research and improve treatment and care.

5. This opt-out will be respected by all organisations that use health and social care information.
You only have to state your preference once, and it will be applied across the health and social care system. You can change your mind, and this new preference will be honoured.

6. Explicit consent will continue to be possible.
Even if you opt out, you can continue to give your explicit consent to share your personal confidential information if you wish, for example for a specific research study.

7. The opt-out will not apply to anonymised information.
The Information Commissioner’s Office has a Code of Practice that establishes how data may be sufficiently anonymised that it may be used in controlled circumstances without breaching anyone’s privacy. The ICO independently monitors the Code.
The Health and Social Care Information Centre, as the statutory safe haven for the health and social care system, will anonymise personal confidential information it holds and share it with those that are authorised to use it.
By using anonymised data, NHS managers and researchers will have less need to use people’s personal confidential information and less justification for doing so.

8. Arrangements will continue to cover exceptional circumstances.
The opt-out will not apply where there is a mandatory legal requirement or an overriding public interest. These will be areas where there is a legal duty to share the information (for example a fraud investigation) or an overriding public interest (for example to tackle the ebola virus).


Two question opt-out presented as an information profile

My health and social care information profile

People providing you with care need to know a certain amount about you to ensure that care is safe and effective. This personal confidential information about patients and service users is also useful for other purposes, such as checking the quality of care and researching better cures. You have a choice about how personal confidential information about you is used.

• Standard setting – information about me can be used to run the NHS and social care system and to support research to improve treatment and care for everyone.
Your information will be used to check the quality of your care, to ask your opinion about the care you have received, and to help researchers improve how diseases such as cancer are treated and prevented.

• Limited setting – information about me can be used to run the NHS and social care system, but not for research.
Your information will be used to check the quality of your care and to ask your opinion about the care you have received. Your information will not be used by researchers to improve how diseases such as cancer are treated and prevented.

• Restricted setting – information about me can only be used by the people directly providing my care.
People providing your care will be able to see the information they need. The NHS and social care system will not be able to use your information to check the quality of care you receive, nor will researchers use it to improve how diseases such as cancer are treated and prevented.

Your personal confidential information will only be used for purposes that benefit treatment and care. It will never be used for marketing or insurance purposes.

Two question opt-out presented with tick box

At the moment information about your healthcare is used when you are treated or given support by a health or care professional. That will continue.

People providing you with treatment and care need to know a certain amount about you to ensure that care is safe and effective. This personal confidential information about patients and service users can be useful for other purposes, such as checking the quality of care and researching improved treatment.

You have two choices about how personal confidential information about you is used other than for your own care.

1. Allow my information to be used to support research to improve treatment and care.
This means:
• Researchers can improve how diseases such as cancer are treated and prevented
• Charities can evaluate the quality of services, for example for people living with dementia
If you agree you do not need to do anything.
If you do not agree, tick here

2. Allow my information to be used to run the NHS and social care system
This means:
• The NHS can ask your opinion about the care you have received
• The NHS can check the quality of the care that you receive
If you agree you do not need to do anything.
If you do not agree, tick here


Single opt-out presented as an information profile

My health and social care information profile

People providing you with care need to know a certain amount about you to ensure that care is safe and effective. This personal confidential information about patients and service users can be useful for other purposes, such as checking the quality of care and researching better cures. You have a choice about how personal confidential information about you is used.

• Standard setting – information about me can be used to run the NHS and care system and to support medical research to improve treatment and care for everyone.
Your information will be used to check the quality of your care, to ask your opinion about the care you have received and to help researchers improve how diseases such as cancer are treated and prevented.

• Restricted setting – information about me can only be used by the people directly providing my care.
People providing your care will be able to see the information they need. The NHS and social care system will not be able to use your information to check the quality of care you receive, nor will researchers use it to improve how diseases such as cancer are treated and prevented.

Your personal confidential information will only be used for purposes that benefit treatment and care. It will never be used for marketing or insurance purposes.

Single opt-out presented with tick boxes

At the moment information about your healthcare is used when you are treated or given support by a health or care professional. That will continue.

People providing you with treatment and care need to know a certain amount about you to ensure that care is safe and effective. This personal confidential information about patients and service users can be useful for other purposes, such as checking the quality of care and researching improved treatment.

You have a choice about how personal confidential information about you is used other than for your own care.

Allow my information to be used to run the NHS and social care system and to support research to improve treatment and care.
This means:
• Researchers can improve how diseases such as cancer are treated and prevented
• Charities can evaluate the quality of services, for example for people living with dementia
• The NHS can ask your opinion about the care you have received.
If you agree you do not need to do anything.
If you do not agree, tick here
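Read together, the eight-point model and the four illustrative presentations amount to a precedence order that any system honouring the opt-out has to apply consistently (point 5): the marketing and insurance bar, direct care, anonymised data and legal or public-interest duties sit outside the opt-out, while explicit consent (point 6) can override an opt-out for a specific use. The following Python is an added example written for this page; it is not code from the Review, HSCIC or any health and care system, which specify no data model or interface. Every type, field and function name, the consent reference format, and the evaluation order itself are assumptions chosen so that the rules can be checked against concrete requests, and the mapping from the two preference flags to the Standard, Limited and Restricted settings follows the information-profile wording above.

```python
"""
Consent/opt-out policy evaluator for the eight-point model.

Added example, not code from the Review or from HSCIC. The Review specifies
no data model or API; every type, field and function name below, and the
precedence in which the eight points are applied, is an assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Purpose(Enum):
    DIRECT_CARE = "direct care"                                    # point 2
    RUN_SERVICES = "A: run the NHS and social care system"         # opt-out A
    RESEARCH = "B: support research and improve treatment and care"  # opt-out B
    MARKETING_OR_INSURANCE = "marketing or insurance"              # point 1


@dataclass(frozen=True)
class Preferences:
    """A person's stated preference (point 5: stated once, applied everywhere).

    Neither flag set   -> 'Standard setting' of the information profile
    opt_out_research   -> 'Limited setting'
    both flags set     -> 'Restricted setting'
    A single-question opt-out sets both flags together.
    """
    opt_out_run_services: bool = False                 # opt-out A
    opt_out_research: bool = False                     # opt-out B
    explicit_consents: FrozenSet[str] = frozenset()    # point 6, by consent reference


@dataclass(frozen=True)
class Request:
    """One proposed use of personal confidential information (assumed shape)."""
    purpose: Purpose
    anonymised: bool = False                   # point 7
    legal_duty: bool = False                   # point 8, e.g. a fraud investigation
    overriding_public_interest: bool = False   # point 8, e.g. tackling an outbreak
    consent_ref: Optional[str] = None          # an approved study the person consented to


@dataclass(frozen=True)
class Decision:
    permitted: bool
    rule: str   # which point of the model decided the outcome


def single_question_preferences(opted_out: bool) -> Preferences:
    """The single opt-out variant: one choice covers both A and B."""
    return Preferences(opt_out_run_services=opted_out, opt_out_research=opted_out)


def profile_setting(prefs: Preferences) -> str:
    """Name of the information-profile setting matching the preference flags."""
    if prefs.opt_out_run_services and prefs.opt_out_research:
        return "Restricted"
    if prefs.opt_out_research and not prefs.opt_out_run_services:
        return "Limited"
    if not prefs.opt_out_run_services and not prefs.opt_out_research:
        return "Standard"
    # Opting out of A but not B is reachable with two tick boxes but has no named profile.
    return "Unnamed"


def evaluate(prefs: Preferences, req: Request) -> Decision:
    """Decide one request. The evaluation order is an assumption, chosen to be
    conservative: the marketing/insurance bar is absolute and checked first; direct
    care, anonymised data and legal/public-interest duties sit outside the opt-out;
    only then is the person's opt-out applied, subject to explicit consent."""
    if req.purpose is Purpose.MARKETING_OR_INSURANCE:
        # Point 1, following the unconditional profile wording; no consent path modelled.
        return Decision(False, "1: never used for marketing or insurance purposes")
    if req.purpose is Purpose.DIRECT_CARE:
        return Decision(True, "2: information needed to provide your care")
    if req.anonymised:
        return Decision(True, "7: the opt-out does not apply to anonymised information")
    if req.legal_duty or req.overriding_public_interest:
        return Decision(True, "8: mandatory legal requirement or overriding public interest")
    opted_out = (
        (req.purpose is Purpose.RUN_SERVICES and prefs.opt_out_run_services)
        or (req.purpose is Purpose.RESEARCH and prefs.opt_out_research)
    )
    if not opted_out:
        return Decision(True, "3/4: beneficial purpose and no opt-out registered")
    if req.consent_ref is not None and req.consent_ref in prefs.explicit_consents:
        return Decision(True, "6: explicit consent given for this specific use")
    return Decision(False, "4: the person has opted out of this purpose")


if __name__ == "__main__":
    # Constructed sample: a person on the Restricted setting who has separately
    # consented to one approved study (the reference is a made-up placeholder).
    restricted = Preferences(True, True, frozenset({"STUDY-PLACEHOLDER-1"}))
    for req in (
        Request(Purpose.DIRECT_CARE),
        Request(Purpose.RUN_SERVICES),
        Request(Purpose.RESEARCH, anonymised=True),
        Request(Purpose.RESEARCH, consent_ref="STUDY-PLACEHOLDER-1"),
        Request(Purpose.RUN_SERVICES, legal_duty=True),
        Request(Purpose.MARKETING_OR_INSURANCE),
    ):
        d = evaluate(restricted, req)
        print(f"{req.purpose.value:<60} {'allowed' if d.permitted else 'refused':<8} ({d.rule})")
```

The value of writing the rules down this way is that the ambiguities the Review leaves to consultation become visible as explicit assumptions: whether a person who ticks only the first box (research) but not the second has a named setting, whether explicit consent must be tied to a specific reference, and in what order the exemptions in points 7 and 8 are tested relative to the opt-out. Each returned `Decision` carries the point that decided it, which is the audit record an organisation would need to show a person why a use went ahead despite their preference.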


4. Next steps and implementation

4.1.  Public consultation

4.1.1  This has been a short Review in which significant efforts have been made to take account of relevant evidence and involve as many people and organisations as possible. It has not been possible to address every issue in detail. For that reason the Review recommends that the Department of Health conducts a full and comprehensive public consultation on the proposed data security standards and proposed new consent/opt-out model. The Review also recommends that professional bodies and patient representative groups are further involved in testing and refining both the one and two-question models with the public and professionals. This consultation and testing must precede asking members of the public if they wish to exercise the new opt-out model. The consultation should be as full and open as possible.

4.1.2  Alongside this important engagement with patients and service users, it is also imperative that organisations whose work would be affected by the Review’s proposals have the chance to respond to the recommendations during the consultation and are supported to prepare for implementation. This must include GPs and other care providers who will need to meet the new security standards, to explain data sharing and the opt-out to patients, and to honour the choices that those they are caring for have made. NHS and Local Authority commissioners must also be engaged: they will be required to take account of the data security standards when commissioning services and may need to change some of their business processes to rely less on personal confidential data and more on de-identified and anonymised data. Researchers, who may have concerns that the quality of the data they receive for some research projects is affected by citizens opting out, must also be included in the debate.

Recommendation 19: The Department of Health should conduct a full and comprehensive formal public consultation on the proposed standards and opt-out model. Alongside this consultation, the opt-out questions should be fully tested with the public and professionals.

4.2.  Implementation

4.2.1  This has been a report about trust. It is hard for people to trust what they do not understand, and the Review found that people do not generally understand how their information is used by health and social care organisations. Engagement events with the public were particularly instructive in this regard: when longstanding elements of the current system for sharing information between health and social care professionals were described in workshops, the public tended to think they were hearing new proposals.

4.2.2  The question of implementation is beyond the scope of this Review. However, the engagement carried out during the evidence gathering phase highlighted a number of opportunities and issues that the Department of Health and its arm’s length bodies should consider when embarking upon implementation.

The public

4.2.3  There should be ongoing work under the National Information Board (NIB) to look at earning public trust in the use of personal confidential data. The Review found that public understanding of the use and benefits of information sharing is limited – in particular there is a knowledge gap about the crucial need to share information across organisations to integrate health and social care. There is a need to ensure that the public have the information they need on new ways of working to manage expectations about their care, and the information sharing needed to support care. The proposed public consultation on this Review’s recommendations would be a good place to start this process.

4.2.4  The NIB should work with organisations and umbrella bodies from across health and social care to ensure that people are informed about how the health and social care system works. This should include informing people about new ways of working and the role of information sharing in integrated care; the importance of information sharing for running the health and care system; and the value of information to support researchers to improve treatments and care[113]. It will be important to consider creative ways of communication, learning from best practice in social campaigning and behavioural insights, in order to fully engage all parts of the population, some of whom may only rarely use health and social care services. The Wellcome Trust has recently come forward with an offer to host an independent Taskforce looking at improving discussions about data. This could be a useful way of developing this work.

4.2.5  In communicating the value of data sharing for a range of purposes, there is a need to assure the public that their data is used appropriately and securely. The details of the processing and uses of data should be explained so that, for example, the public understand: the difference between anonymised and personal confidential data; where anonymised data can be used; and when personal confidential data is needed. The role of HSCIC and why it is important that HSCIC has access to information held by health and social care providers, in particular from GPs, also needs to be articulated. Finally, the discussion should be framed within the context of how information sharing in health and social care compares to data use in different sectors and the government’s wider ambitions for the use of data.

Recommendation 20: There should be ongoing work under the National Information Board looking at the outcomes proposed by this consultation, and how to build greater public trust in data sharing for health and social care.

Professionals

4.2.6  Work is needed to consider how best to implement the mandatory data security standards in a way that creates a learning culture so that organisations are supported to meet the requirements. The Department of Health and its arm’s length bodies should consider the incentives and levers, training, support, and communications needed. This may include an official launch and communications campaign, peer mentoring and peer review, incentives for compliance and sanctions for breaches, publicity about existing organisations set up to support professionals (CareCERT and CERT-UK’s Cyber Security Information Sharing Partnership (CiSP)), model commercial contract templates, and procurement guidance. Formal accreditation of the standards should also be considered.

4.2.7  For implementation of the new consent/opt-out model, the Department and its arm’s length bodies should consider the role of professionals in informing the public of their options. If social workers, GPs, nurses and other front-line professionals are expected to discuss the choices with people, the Department and its arm’s length bodies will need to work with the relevant professional bodies to develop appropriate training materials and supporting information. The Review found that in primary care it was helpful to involve practice managers in discussing data sharing options with patients.

4.2.8  The Review heard the importance of having consistent messaging and guidance to support implementation. This is particularly problematic in social care, where the Review heard that different Government departments often convey different messages to social care professionals. The Department of Health should work with other government departments with responsibility for social care to ensure consistent messaging.

Technical implementation

4.2.9  The Department of Health should consider the recommendations set out for embedding the mandatory data security standards. Further work is needed to consider methods for tracking compliance and assuring the standards, and sanctions for non‑compliance. The Department should consider the resource needed to support an internal and external audit function to monitor compliance, and for updating the IG Toolkit and IG training tool in line with the Review’s recommendations.

4.2.10  The Review has worked with HSCIC and others to consider the technical implications for implementing the proposed new consent/opt-out model and substantive work is needed to scope the requirements. The Department of Health should consider how frequently, by whom and in what manner the model is presented to an individual and the opportunities for digital solutions.

113. The organisations consulted for this Review would be a good starting point for this work.


4.2.11  The Review recognises that implementing its
recommendations may take time and that some
organisations are not currently equipped to
implement consent and opt-out preferences, for
example. The Department of Health should look at
this issue as part of implementation and should seek
to find a mechanism to make it easy to register
people’s preferences and act upon them.
4.2.12  On data security specifically, the Review
consulted with social care professionals and
representative bodies. However, as the CQC’s part of
the review did not consider social care, further work
is needed to establish the validity of the data security
standards for this sector. This can be addressed
through a full and comprehensive public consultation.

4.3.  Conclusion
4.3.1  Beyond an understanding that patient records
are used to help deliver direct personal care, the
public’s knowledge about how health and social care
data is collected, protected, and used within the
health and social care system is limited. It is therefore
clear that future communications cannot make any
assumptions about existing knowledge of data
processes and uses, and that there is a role for all
health and social care professionals to support
public understanding.
4.3.2  There is a high degree of trust in NHS
organisations to look after people’s data and for health
professionals to use it appropriately. Work is now
needed to raise public understanding of the variety
of organisations and agencies involved in delivering
health and social care and to extend public trust
across this system. The proposals set out in this report
were designed to assure the public that their personal
confidential data is secure and empower them to make
informed choices about the use of that data.
4.3.3  As this report has noted throughout, use of data
is essential to providing excellent care, to running a
world-class health and social care system, to
improving the quality of care and to support life-changing
research. These important public benefits
rely on data being shared with the relevant health and
social care professionals and organisations. However,
this sharing should not discount the interests of the
individual – personal confidential data must always
be protected properly, and shared on the basis of
public trust.

Annex A. National Data Guardian’s Review Terms of Reference

On 2 September 2015 the Secretary of State for Health, Jeremy Hunt, commissioned an independent Review to deliver by January 2016. The Review aimed to help address the following issues:

• As the use of technology increases, so does the need to reassure the public that their personal health and care data is being held and used securely.
• The health and care system has not yet earned the public’s trust in this area and must be able to assure the security of confidential data.
• Being clear with citizens and professionals how personal health and care data should be used, and the benefits of doing so, how privacy is protected and the choices available to people to object to data about them being used.

Linking with CQC’s Review of current approaches to data security across the NHS to prevent personal confidential data falling into the wrong hands, Dame Fiona Caldicott, the National Data Guardian Review was asked to:

Develop new data security standards that can be applied to all health and care organisations
Work up a set of new, easily understandable standards for the security of personal data, whether held on paper or electronically, that can be applied to the whole health and care system.

With CQC, devise a new method of testing compliance with the new standards
To ensure health and care organisations are held to account for their data security capability. In developing new standards, work with CQC to provide recommendations on how they can be assured, as appropriate, through CQC inspections and NHS England commissioning processes.

Propose a new consent/opt-outs model for data sharing
Develop a single question consent model which makes it absolutely clear to patients and users of care when health and care information about them will be used, and in what circumstances they can opt out.

Annex B. Members of the National Data Guardian’s Panel

The National Data Guardian’s Panel provided steers
and oversight to the Review. Membership is as follows:
• Dame Fiona Caldicott – National Data Guardian
and Chair, Oxford University Hospitals NHS
Foundation Trust
• Ian Atkinson – Former Sheffield Clinical
Commissioning Group, Healthcare Consultant
• Dr Joanne Bailey – GP, member HSCIC Data
Access Advisory Group
• John Carvel – member, Healthwatch England
National Committee
• Dr Alan Hassey – retired GP, HSCIC IG Clinical
Lead & Deputy Caldicott Guardian
• Eileen Phillips – Freelance Writer,
Communications Consultant
• Professor Martin Severs – University of
Portsmouth, Caldicott Guardian and Lead
Clinician, HSCIC
• Anne Stebbing – Consultant Surgeon, Caldicott
Guardian, Hampshire Hospitals NHS Foundation
Trust
• Dr Mark Taylor – University of Sheffield
• Richard Wild – Information Governance
Consultant
• Chris Cox – Royal College of Nursing
The Review Team and Panel Members would also like
to express deep gratitude for the work of Karen
Thomson on the Information Governance Review
(Caldicott2). Without her valuable contribution and
insights the foundations for much of the present
Review would not have been established.

46
Annex C. Organisations consulted during the Review

Annex C. Organisations
consulted during the Review
During the course of the Review the organisations consulted during the evidence gathering process were as follows:
• 38 Degrees
• Academy of Medical Royal Colleges
• Alstrom Syndrome UK
• Alzheimer’s Research UK
• Apple Inc
• Arthritis Research UK
• Association of Directors of Adult Social Services
• Association of Medical Research Charities
• Association of the British Pharmaceutical Industry
• Asthma UK
• Big Brother Watch
• British Heart Foundation
• British Medical Association
• Cabinet Office
• Camden Council
• Cancer Research UK
• Care Quality Commission
• Centre of Excellence in Information Sharing
• Clinical Practice Research Datalink
• Cystic Fibrosis Trust
• Department of Health
• Department for Culture, Media and Sport
• Department for Education
• Department for Work & Pensions
• East and North Hertfordshire Clinical Commissioning Group
• Equality and Human Rights Commission
• Exabeam Inc
• Genetic Alliance
• Genomics England
• GlaxoSmithKline
• Government Communications Headquarters
• Government Digital Service
• Hammersmith & Fulham Council
• West Hampshire Clinical Commissioning Group
• Hampshire County Council
• Health and Social Care Information Centre
• Health Research Authority
• Healthcare Quality Improvement Partnership
• Healthwatch East Sussex
• Healthwatch England
• Healthwatch Lambeth
• Healthwatch Surrey
• Healthwatch Waltham Forest
• HM Revenue & Customs
• Human Fertilisation & Embryology Authority
• Hammersmith and Fulham Council
• IdenTrust
• Imperial College London
• Imperial College Healthcare NHS Trust
• Information Assurance for Small and Medium Sized Enterprises (IASME)
• Information Commissioner’s Office
• Information Governance Alliance
• Involve
• Kidney Research UK
• Leeds City Council
• Leeds GCSX
• Leeds West Clinical Commissioning Group
• Leicester City Council
• Lewisham and Greenwich NHS Trust
• Liberty
• Local Government Association
• Local Government UK
• Macmillan Cancer Support
• MedConfidential
• MedeAnalytics
• Medical Defence Union
• Medical Protection Society
• Medical Research Council
• Medicines and Healthcare Products Regulatory Agency
• Midlands and Lancashire Commissioning Support Unit
• Mind
• MQ: Transforming Mental Health
• National Archives
• National Audit Office
• National Care Forum
• National Crime Agency
• National Institute for Health Research
• National Pharmacy Association
• National Survivor User Network
• National Voices
• NHS Choices
• NHS England
• NHS Improvement
• NHS National Services Scotland
• NHS South Commissioning Unit
• North West London Collaboration of Clinical Commissioning Groups
• Nuffield Council on Bioethics
• Palantir Inc
• Public Health England
• Richmond Group
• Royal College of General Practitioners
• Royal College of Nursing
• Royal College of Physicians of London
• Royal College of Psychiatrists
• Royal Statistical Society
• Sciencewise
• Skills For Care
• Society of Local Authority Chief Executives and Senior Managers
• South Central Ambulance Service NHS Foundation Trust
• Surrey County Council
• Sussex Partnership NHS Trust
• TechUK
• Templar Executives Ltd
• The Bank of England
• The Brain Tumour Charity
• The Health Foundation
• The Patients Association
• The Security Company
• The Security Awareness Special Interest Group
• TPP
• UK Council of Caldicott Guardians
• Wellcome Trust
• West Midlands Ambulance Service Foundation NHS Trust
• Westminster Council
• WhizzKids
• Yorkshire Ambulance Service NHS Trust

Annex D. The seven Caldicott Principles
Principle 1: Justify the purpose(s)
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2: Don’t use personal confidential data unless it is absolutely necessary
Personal confidential data should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3: Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Principle 4: Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Principle 5: Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6: Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
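The following is an added example, not code from the Review or from any NHS system, showing how Principles 1 to 4 can be enforced mechanically in a data flow: each documented purpose lists only the items it needs, a purpose with no justified need for identifiers is refused them, a role receives data only for the purposes it needs to know about, and one record used for several purposes is split into one minimised flow per purpose. The purpose registry, role names, field names and sample record are all constructed assumptions.

```python
"""Caldicott Principles 1 to 4 as an enforceable filter over a data flow.

Added example for this page; not NHS, HSCIC or National Data Guardian code.
The purposes, roles, field names and patient record are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Items that identify a patient. Principle 2: a flow carries them only when
# the purpose cannot be met without them.
IDENTIFIERS: FrozenSet[str] = frozenset(
    {"nhs_number", "name", "date_of_birth", "postcode"})


@dataclass(frozen=True)
class Purpose:
    """A documented, scrutinised use of personal confidential data (Principle 1)."""
    name: str
    items: FrozenSet[str]       # the minimum necessary items (Principle 3)
    needs_identifiers: bool     # justified need for identifiable data (Principle 2)
    reviewed_by: str            # the appropriate guardian who reviewed it


class FlowError(Exception):
    """A proposed use or transfer that the principles do not allow."""


# Constructed purpose registry. "local_planning" is a use beyond direct care
# and is justified only for de-identified items; "direct_care" needs identifiers.
PURPOSES: Dict[str, Purpose] = {
    "direct_care": Purpose(
        "direct_care",
        frozenset({"nhs_number", "name", "date_of_birth", "diagnosis", "medication"}),
        True, "Caldicott Guardian"),
    "local_planning": Purpose(
        "local_planning",
        frozenset({"diagnosis", "age_band", "gp_practice"}),
        False, "Caldicott Guardian"),
}

# Need-to-know (Principle 4): the purposes each role may receive data for.
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"direct_care"}),
    "planning_analyst": frozenset({"local_planning"}),
}


def check_purpose(purpose: Purpose) -> None:
    """Reject a purpose definition that breaches Principle 1 or 2."""
    if not purpose.reviewed_by:
        raise FlowError(f"{purpose.name}: not reviewed by a guardian (Principle 1)")
    unjustified = purpose.items & IDENTIFIERS
    if unjustified and not purpose.needs_identifiers:
        raise FlowError(f"{purpose.name}: identifiers {sorted(unjustified)} "
                        "not justified (Principle 2)")


def minimise(record: Dict[str, object], purpose_name: str) -> Dict[str, object]:
    """Keep only the items the named purpose is justified to receive (Principle 3)."""
    purpose = PURPOSES.get(purpose_name)
    if purpose is None:
        raise FlowError(f"{purpose_name}: undocumented purpose (Principle 1)")
    check_purpose(purpose)
    return {k: v for k, v in record.items() if k in purpose.items}


def release(record: Dict[str, object], role: str,
            purpose_name: str) -> Dict[str, object]:
    """Need-to-know check (Principle 4), then minimisation (Principle 3)."""
    if purpose_name not in ROLE_PURPOSES.get(role, frozenset()):
        raise FlowError(f"{role}: no need to know data for {purpose_name} (Principle 4)")
    return minimise(record, purpose_name)


def split_flows(record: Dict[str, object]) -> Dict[str, Dict[str, object]]:
    """Split one record serving several purposes into one flow per purpose (Principle 4)."""
    return {name: minimise(record, name) for name in PURPOSES}


# Constructed sample record, as a GP system might hold it. The NHS number
# is a placeholder, not a real one.
SAMPLE_RECORD: Dict[str, object] = {
    "nhs_number": "000 000 0000",
    "name": "A. Patient",
    "date_of_birth": "1961-04-02",
    "postcode": "XX1 1XX",
    "diagnosis": "asthma",
    "medication": "salbutamol",
    "age_band": "55-64",
    "gp_practice": "Practice A",
}

if __name__ == "__main__":
    for purpose_name, flow in split_flows(SAMPLE_RECORD).items():
        print(purpose_name, sorted(flow))
```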

Annex E. Analysis of existing standards
In considering the introduction of a new data security standard, the primary task was to conduct a review of those standards currently used within the health and social care sector. In keeping with the emerging evidential themes of the Review, those standards in use were assessed in terms of: perceived effectiveness; ease of use; proportionality (the ability to scale effectively between providers of differing scale or complexity); financial cost; and resource burden.

Within the health and social care sector, a number of information assurance frameworks, standards and information governance processes were found to be in operation. These included: The Health & Social Care Information Centre’s Information Governance Toolkit (IG Toolkit) and Information Governance Statement of Compliance (IGSoC), The Cabinet Office/CESG/CPNI/BIS produced Cyber Essentials, Cyber Essentials PLUS, 10 Steps to Cyber Security, Cyber Streetwise website, and the Public Services Network – Code of Connection (PSN CoCo) operated by Government Digital Services (GDS). Also considered within the Review were commercially available standards operating within the wider public and private sectors, including the internationally recognised ISO/IEC27000:2013 series of Information Security Management standards and the Information Security Forum’s Standards of Good Practice (ISF SoGP).

Public sector standards

The IG Toolkit is a mandatory governance process for all organisations operating within the health and social care sector. The Review found widespread awareness of the IG Toolkit amongst those consulted. In larger organisations, dedicated information governance staff are employed to manage their information governance frameworks and submit IG Toolkit assessments on behalf of the organisation. Smaller organisations do not necessarily have dedicated staff to work in this area. Instead, such tasks are usually allocated to management staff in addition to other governance duties. Often, such staff have a good appreciation of the requirement for confidentiality of data, but little expertise in broader information security topics (in particular the technical aspects), other than that gleaned from the IG Toolkit and its associated guidance and training.

The current version (13) of the IG Toolkit contains 24 different groups of requirements called ‘views’, each pertaining to different organisation types. Each ‘view’ features a different suite of ‘requirements’ to which the organisation must score their respective ‘attainment levels’. The requirements are grouped into:
• Information governance assurance;
• Confidentiality and data protection assurance;
• Information security assurance;
• Clinical information assurance;
• Secondary use assurance;
• Corporate information assurance.
The allocation of requirements in differing tailored organisational views makes sector wide assessment difficult.

As IG Toolkit compliance is a largely self-assessed process, its practical effectiveness has proven difficult to evidence, although the incorporated Serious Incident Requiring Investigation (SIRI) tool, alongside mandatory reporting of serious breaches, has provided significant insight into the types of events that have resulted in breaches of confidentiality. Less apparent from these reports are details of technical failures, or cyber security related events where the integrity or availability of data may be the key area of impact upon patient safety and the delivery of care services.

The IGSoC process has provided a means of assuring the security provision surrounding the technical infrastructure of potential service providers, although it is an additional, separate process from the IG Toolkit submission. Whilst the process provides some assurance that the provider organisations accessing nationally provided systems and services have appropriate security provisions in place, this is not


applied equally to NHS organisations that are already connected to the N3 network and have the necessary levels of access they require. This has created an unevenness of assurances within the sector, where NHS organisations are not obliged to provide assurances relating to the security provision implemented within their technical infrastructure. The Public Service Network – Code of Connection (PSN CoCo) process has been refined and simplified recently. The revised assurance model has been well received by the PSN community and compliance with the process has begun to increase significantly, as evidenced by the Government Digital Service (GDS), which administers the process. This evidence suggests that a revised IGSoC process, perhaps also being incorporated into a refreshed Information Governance Toolkit platform, may help raise compliance in a similar manner to that experienced within the PSN community. The imminent replacement of the current N3 contract may provide further incentive to support such a transition.

Cyber Essentials

The Cabinet Office, in partnership with CESG (the Information Security arm of GCHQ), The Centre for the Protection of Critical National Infrastructure (CPNI) and the Department for Business, Innovation and Skills (BIS), has produced a number of freely available Information Security and Cyber Security related products and materials in recent years. These have been designed specifically to assist businesses in establishing and maintaining defences against the most common Internet related threats. The first product was published in 2012, entitled ‘10 Steps to Cyber Security’. This was well received by industry, raising levels of information security awareness amongst senior management within organisations and helping information security become a part of corporate risk management processes. Focusing upon key areas of vulnerability, the 10 Steps to Cyber Security guides organisations in developing information security controls tailored to their business needs and risk profiles.

Alongside the 10 Steps, a number of additional supporting documents were published, including:
• Executive companion;
• 10 Steps: Infographic;
• 10 Steps: A Board Level Responsibility;
• Advice sheets;
• Common Cyber Attacks and Summary report.

The 10 Steps to Cyber Security are now used by over two-thirds of the FTSE350 companies, and have been recognised as an effective means of raising awareness of cyber threats within the leadership of organisations, and to enable a greater capability to safeguard their most important information assets, such as personal data, online services and intellectual property. The 10 Steps to Cyber Security features controls to reduce risks in the following areas:
• Information Risk Management Regime;
• Secure Configuration;
• Network Security;
• Managing User Privileges;
• User Education and Awareness;
• Incident Management;
• Malware Prevention;
• Monitoring;
• Removable Media Controls;
• Home and Mobile Working.
By focusing attention on these key areas, organisations can bolster their defences against the most common cyber threats. Cyber Essentials can also be completed in parallel. Accreditation or certification against the Cyber Essentials standard is available via a community of CESG approved accreditation bodies.

The Cyber Essentials Scheme was published in 2013 to support the 10 Steps to Cyber Security in providing a standardised approach to assessing vulnerability and developing tailored mitigation strategies. Cyber Essentials is a cyber security standard aimed at organisations that are beginning the journey towards an enhanced, effective information security capability. The scheme focuses upon five key areas:
• Malware Protection;
• Secure Configuration;
• Access Control;
• Patch Management;
• Boundary Firewalls and Internet Gateways.
This focus ensures that the known threats presented by internet connectivity can be mitigated by the standardised implementation of control measures, limiting either the potential for security events to occur,


or the impact of an event should one occur. Cyber Essentials is evidential in nature and features audit criteria, upon which organisations can be independently assessed and certified (Cyber Essentials Plus), should the organisation wish to demonstrate certification to the standard. To date, only 13 organisations within the health and social care sector have completed Cyber Essentials.

Commercial standards

The ISO/IEC 27000:2013 series of standards is internationally recognised for its effectiveness in assisting organisations to implement and maintain effective information security management systems. The standards can be scoped to include all or parts of an organisation’s security provision. The suite of standards covers all aspects of information security management, with separate detailed standards available to support the development of enhanced capability in specific areas, in line with the overall ISMS standard. The main standard covers the following ‘domain’ areas:
• Information Security Policies;
• Organisation of Information Security;
• Human Resource Security;
• Asset Management;
• Access Control;
• Cryptography;
• Physical and Environmental Security;
• Operations Security;
• Communications Security;
• System acquisition, development and maintenance;
• Supplier relationships;
• Information Security Incident management;
• Information Security aspects of Business Continuity management;
• Compliance: with internal requirements, such as policies, and with external requirements, such as laws.
The 2013 version of the standard has been updated to reflect changes in technologies, such as cloud computing.

The ISO/IEC27000 suite of standards is currently not widely used within the health and social care sector, but those organisations which have implemented an information security management system in line with the standard have strengthened their capability to defend themselves against the most common types of threat from the internet. They will have greater ability to detect and respond to security events than those who have not acted similarly. Implementation, independent assessment and certification against the standards are typically conducted under contract with independent specialist consultants and accreditation service providers. Accreditation or certification against the standard is recognised as being relatively costly, as the standards materials must be purchased and implementation usually requires the support of specialist consultancy. Certification assessments must be paid for and must be renewed every three years to remain valid.

The Information Security Forum – Standards of Good Practice (ISF SoGP) is an internationally renowned information security standard. Access to the standard is by subscription membership to the ISF, or by purchasing the materials directly from the ISF online store. The standard is possibly the most detailed currently available. The standard is reviewed annually to keep pace with changes in technology and the discovery of new vulnerabilities within systems and software, and the techniques by which attackers seek to exploit them. The ISF also contributed to the development of Cyber Essentials. The Standards of Good Practice is undoubtedly comprehensive in its scope, but for organisations with immature or untested information security capability, implementation would usually require external information security consultants, adding to costs.


Overview of standards

Product: NHS IG Toolkit (Information Governance assurance processes) and Information Governance Statement of Compliance
Coverage:
• Mandatory for all NHS & provider organisations
• Partial coverage of social care organisations where they wish to work with NHS organisations
• All third parties requiring N3 network access
Utilisation: Well established platform with good functionality, but inconsistent application at organisational level
Strengths:
• Database of contact details for IGT administrators
• Good granularity in attainment level evidence requirements
• Good focus on privacy and confidentiality aspects of care delivery and management
• Comprehensive historical records
• Extensive reporting and broadcasting capabilities
Weaknesses:
• Self-assessment provides limited assurances
• Little compliance checking or audit of responses lessens assurance value
• Little technical focus on NHS organisations may suggest a lack of import in this area
• Seen by some organisations as a ‘tick box’ exercise
• Language and vocabulary does not always align with security industry terminology

Product: CESG standards
Coverage:
• 10 steps to cyber security
• Cyberstreetwise
• Cyber Essentials
• Cyber Essentials plus – Focuses upon the ‘essentials’, providing a platform for continuous improvement
Utilisation: Small & Medium-Sized Enterprises in the UK
Strengths:
• Materials are free of charge
• Supported by Confederation of British Industry (CBI), Federation of Small Business
• Mandatory for suppliers involved with HMG procurements over a specified value
• Highly acclaimed
• More achievable
Weaknesses:
• Less detailed than ISO/IEC, ISF (SoGP)
• Lesser awareness and existing compliance within International providers community
• Cyber Essentials has very limited scope. Needs some contextual wrappers around it, to avoid misinterpretation/confusion

Product: ISO/IEC standards
Coverage:
• Information security management, risks and controls within the context of an overall information security management system (ISMS)
• The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues
Utilisation: Internationally recognised benchmark. In the health & care sector, certification is confined to a relatively small number of individual organisations
Strengths:
• Detailed, broad in scope
• Scope can be tailored to suit organisational requirements, but better suited to larger organisations
• Internationally recognised
Weaknesses:
• Expensive to obtain certification
• Generally requires consultancy to complete
• Time consuming to complete
• Essentially, it’s still self-assessment (especially if the scope is broad)

Annex F. Evidence and analysis

The Review wished to gain views from a broad range of individuals as well as an in-depth understanding of thinking around data security and consent to data sharing. Due to limited time available during the Review, a mixed approach to evidence gathering and analysis took place. The Review gathered primary evidence (both quantitative and qualitative), as well as reviewing academic literature and existing surveys on relevant topics.

Evidence gathered from these various methods is used throughout the report. A secondary stage of analysis has also compared the findings from the primary evidence to a review of the existing evidence not collected during the Review.

Primary evidence collected by the Review comprised a range of evidence gathering and analysis methods. These included:
• Evidence sessions and interviews with key organisations;
• Focus groups with patients, GPs and social care providers;
• An online survey.

Gathering of existing evidence was also undertaken, including:
• Existing evidence on patient opinion;
• Models of consent in international healthcare;
• Existing models of consent in commercial organisations.

The Review also held four evidence sessions, each with groups of 15-25 individuals from the research community, social care, NHS Providers and patients, service users and carers. The sessions discussed the understanding of how personal data was being used, how consent models were currently being used, and how a new opt-out model should be constructed. Also discussed were the perceptions of data standards and how a new data standards model and system should be designed.

A further evidence session was held which focused solely on data breaches and data standards. A session was also held with the IT providers that provide systems to GPs and social care.

Eight focus groups with patients and the general public were led by the Review. Each group was designed to gain views from individuals with different characteristics (based on life stage, health status and economic status). The focus groups were held in various locations. The groups discussed current understanding of personal confidential data use in the NHS, how data could be used across differing organisations, and explored patients’ views on a range of data sharing scenarios. A range of in-depth interviews took place with key interested organisations and individuals including NHS organisations, professional councils, government, charities and private organisations, providing more focused views on both data standards and consent.

Finally, written evidence from organisations on any views or studies they had undertaken which could inform the Review was welcomed.

Summary of online survey findings

An online survey was publicised through networks of those who attended the Patients, Service User and Carers Evidence Session and on Twitter, and received 416 respondents within the period the survey was open for one week.

The survey asked individuals about trust in certain organisations to keep their private healthcare information safe and secure, the organisations involved in sharing data and whether they would consent to sharing data for different purposes.

The main purpose of the survey was to inform the Review with views from patients, service users and the public. The survey results sit within a larger section of analysis which looks at a wider group of people than the small sample of this study. Due to the nature of the survey, the circulation method, respondents and respondent numbers, the survey may not be representative of the views of the wider population.


Organisational trust

Individuals were asked how well they trust NHS organisations to collect, process and use information about themselves safely and securely. The same question was also asked about social care organisations. Responses were gathered on a scale of 1 (not at all) to 5 (very much).

Overall there was a higher level of trust in the NHS (average 3.1) than in social care organisations (average 2.7), although the difference between the sectors was not substantial.

A further question asked respondents about which organisations and professionals they trusted to collect, process and use information about themselves safely and securely. Only the individuals’ GPs were trusted by more than half of respondents (83%). The Health and Social Care Information Centre (35%) and research organisations (29%) were the next most trusted, followed by care workers (14%), pharmaceutical companies (12%) and other commercial organisations (7%).

Purpose of sharing data

Respondents were asked whether they were happy for information about themselves to be used to support direct care with 1) a GP/hospital and 2) social care organisations.

Respondents were generally in favour of information being shared for direct care purposes with a GP or a hospital (84% responded positively). For information sharing with care homes, a smaller majority showed support (58% positive).

The survey also asked about whether respondents would support sharing data for purposes beyond direct care. It asked whether respondents would share their data for the following five purposes: NHS local planning, checking the quality of care, clinical research, government policy development and public health reasons. Respondents were given the options of saying that they supported data sharing (yes, yes if anonymised, and yes if asked first), or that they opposed sharing.

Generally there was support for data being shared beyond direct care, particularly if the data is anonymised, with the highest levels of support for sharing information for NHS purposes. 74% were happy for their data to be shared to support NHS local planning (18% said yes and a further 56% said yes, if the data was anonymised). A further 13% said they would be happy, provided they were asked first.

The following table summarises responses to this question:

Purpose                       | Yes | Yes, if anonymised | Yes, if asked first | No  | I’m not sure
NHS local planning            | 18% | 57%                | 13%                 | 10% | 2%
Check Quality of Care         | 16% | 56%                | 14%                 | 11% | 2%
Clinical Research             | 18% | 48%                | 18%                 | 14% | 3%
Public Health                 | 14% | 51%                | 14%                 | 17% | 4%
Government policy development | 13% | 49%                | 15%                 | 19% | 5%

Sources of information on data sharing

Respondents were also asked where they expected to find information about data use and data security. Options included NHS and social care sites, online and via friends and family. Over half of respondents chose gov.uk (74%), the GP practice (73%) and NHS Choices (67%) over other places as where they would most expect to find information about data use and security.

Survey respondents

The online survey had 416 respondents. Not all respondents answered every question, with the most skipped question having 64 non-responses.

The majority (55%) of survey respondents were aged 55 and over. When asked about which group most accurately applies to themselves, a majority (69%) were patients or service users with a long term condition or disability, while 11% identified themselves as a carer, 2% as a retired health care professional and 15% as an interested member of the public. The large majority (97%) of respondents were of white ethnicity.

Annex G. Summary of terms used in the report
Aggregated data: Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

Anonymisation: The process of rendering data into a form which does not identify individuals or makes the risk of re-identification sufficiently low in a particular context that it does not constitute personal data.

Caldicott Guardian: A senior person responsible for protecting the confidentiality of patients’ and service‑users’ information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian with specific responsibilities to oversee an ongoing process of audit, improvement and control. This was mandated for the NHS by Health Service Circular: HSC 1999/012.

CareCERT: CareCERT offers advice and guidance to support health and social care organisations to respond effectively and safely to cyber security threats.

Chief Information Officer (CIO): An executive job title commonly given to the person at an enterprise in charge of information technology (IT) strategy and the computer systems required to support an enterprise’s objectives and goals.

Cloud services: Any resource that is provided over the internet.

Commissioning (and commissioners): Buying care with available resources to ensure that services meet the needs of the population. The process of commissioning includes assessing the needs of the population, selecting service providers and ensuring that these services are safe, effective, people-centred and of high quality. Commissioners are responsible for commissioning services.

Consent: The informed agreement for something to happen after consideration by the individual. For consent to be legally valid, the individual must be informed, must have the capacity to make the decision in question and must give consent voluntarily. In the context of consent to share confidential information, this means individuals should know and understand how their information is to be used and shared (there should be ‘no surprises’) and they should understand the implications of their decision, particularly where their refusal to allow information to be shared is likely to affect the care they receive. This applies to both explicit and implied consent. See Caldicott2 for definitions of explicit and implied consent.

Cryptography: A discipline which embodies principles, means and methods for the transformation of data in order to hide their information content, prevent their undetected modification and/or prevent their unauthorised use [ISO 7498-2:1989, definition 3.3.20].

Cyber Essentials: Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats.

Cyber threat: The possibility of a malicious attempt to damage or disrupt a computer network or system.

Data breach: Any failure to meet the requirements of the Data Protection Act, including but not limited to an unlawful disclosure or misuse of personal data.

Data controller: A person (either alone or jointly or in common with others) who determines the purposes for which and the manner in which any personal confidential data are or will be processed. A person in this context refers to a body with a legal identity, and data controllers are usually organisations rather than individuals.

Data integrity: Property that reflects the fact that data have not been altered or destroyed in an unauthorised manner.

Data protection: Technical and social regimen for negotiating, managing and ensuring informational privacy, confidentiality and security.


Data Protection Act 1998 (DPA): The Act of Parliament which regulates the processing of information relating to living individuals, including the obtaining, holding, use or disclosure of such information.

Data quality: The correctness, timeliness, accuracy, completeness, relevance and accessibility that make data appropriate for their use.

Data security: Protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorised users.

Data sharing: The disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. This can take the form of systematic, routine data sharing where the same data sets are shared between the same organisations for an established purpose, or of exceptional, one-off decisions to share data for any of a range of purposes.

Data sharing agreements/protocols: A common set of rules adopted by the various organisations involved in a data sharing operation.

Data subject: An individual who is the subject of personal data.

De-identified: This refers to personal confidential data which has been through anonymisation in a manner conforming to the ICO Anonymisation code of practice. There are two categories of de-identified data:

• De-identified data for limited access: this is deemed to have a high risk of re-identification if published, but a low risk if held in an accredited safe haven and subject to contractual protection to prevent re-identification;

• Anonymised data for publication: this is deemed to have a low risk of re-identification, enabling publication.

Direct care: A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, and person satisfaction including measurement of outcomes, undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

Disclose/Disclosure: The act of making data available to one or more third parties.

Disclosure control: Assessing the risk of disclosure from a potential release and taking measures, if appropriate, to lower that risk.

Encryption: The process of transforming information (referred to as ‘plain text’ or ‘in the clear’) using an algorithm (called a ‘cipher’) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a ‘key’.

General Data Protection Regulation (GDPR): The new EU Regulation 2016/679, adopted by the European Parliament and Council, which is intended to strengthen and unify data protection for individuals within the European Union.

Genome: The total genetic complement of an individual.

ICO: The Information Commissioner’s Office, established as the UK’s independent authority to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Information Governance (IG): The set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

Information Governance Toolkit (IG Toolkit): An online system which allows NHS and social care organisations to assess themselves or be assessed against Information Governance policies and standards. It also allows members of the public to view participating organisations’ IG Toolkit assessments.

Incident reporting: A method or means of documenting any unusual problem, occurrence, or other situation that is likely to lead to undesirable effects or that is not in accordance with established policies, procedures or practices.

Incident management: A term describing the activities of an organisation to identify, analyse and correct hazards to prevent a future recurrence.


Integrated Care Pioneers: Local areas covered by a Clinical Commissioning Group, Local Authority, or larger area which work across the whole of their local health, public health and care and support systems and with other Local Authorities to achieve and demonstrate the scale of change needed.

ISO/IEC 27000 series: Information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Linked data: The result of merging data from two or more sources with the object of consolidating facts concerning an individual or an event that are not available in any separate record.

Malware: An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software.

N3: The national broadband network for the NHS in England.

NHS Vanguards: Sites taking the lead on the development of new care models as laid out in the Five Year Forward View.

Opt-out: The option for an individual to choose not to allow their data to be used for the purposes described.

Personal Confidential Data (PCD): Personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this Review ‘Personal’ includes the DPA definition of personal data, but it is adapted to include dead as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.

Personal data: Data which relate to a living individual who can be identified from those data, or from those data and other information which are in the possession of, or are likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Pseudonym: Individuals distinguished in a data set by a unique identifier which does not reveal their ‘real world’ identity.

Pseudonymised data: Data that has been subject to a technique that replaces identifiers with a pseudonym. In practice, pseudonymisation is typically used with other anonymisation techniques.

Records Management: The practice of maintaining the records of an organisation from the time they are created up to their eventual disposal. This may include naming, version control, storing, tracking, securing and destruction (or in some cases, archival preservation) of records.

Re-identification: The process of analysing data or combining them with other data with the result that individuals become identifiable. This is also known as ‘de-anonymisation’.

Safe Haven: An agreed set of administrative procedures and physical security to ensure the safety and secure handling of confidential patient information. Safe Havens were developed in the early 1990s to keep commissioning data secure and were often associated with a locked room with limited staff access.

Senior Information Risk Owner (SIRO): An Executive Director or member of the Senior Management Board of an organisation with overall responsibility for an organisation’s information risk policy.

Serious Incident Requiring Investigation (SIRI): Formerly known as Serious Untoward Incident. Any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals is regarded as serious. The severity of the incident determines the action to be taken following the incident.

Smartcard: Similar to a chip and PIN credit or debit card, but more secure. A Smartcard controls who has access to a particular computer system and what level of access they can have. An NHS Care Records Service user’s Smartcard is printed with their name, photograph and unique user identity number.
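The Pseudonym, Pseudonymised data, Linked data and Re-identification entries in this annex describe one mechanism from several angles. The Python block below is an added example, not code from the report or from any NHS system: it builds pseudonyms with a keyed hash so that two organisations holding the same key can still link records about one person, and then shows why an unkeyed hash of a small-space identifier such as a date of birth is not a pseudonym at all, because a dictionary attack re-identifies it. The record layout (an nhs_number field), the shared key and the sample records are all constructed for illustration; only the standard library is used.

```python
"""Keyed pseudonymisation, linkage and a re-identification check.

Added example (not part of the National Data Guardian report). The record
layout, the sample records and the shared key are constructed for
illustration; only the Python standard library is used.
"""
import datetime
import hashlib
import hmac

# Constructed 256-bit key shared by the organisations that need to link
# records. In production it would come from a key store (for example
# secrets.token_bytes(32)) and never sit next to the data it protects.
SHARED_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)

# Constructed sample records held by two different organisations.
HOSPITAL_RECORDS = [
    {"nhs_number": "9434765919", "episode": "A12"},
    {"nhs_number": "9434765870", "episode": "B07"},
]
GP_RECORDS = [
    {"nhs_number": "9434765919", "drug": "metformin"},
    {"nhs_number": "9434765765", "drug": "ramipril"},
]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Pseudonym = HMAC-SHA256(key, identifier).

    The same identifier and key always give the same pseudonym, so the
    pseudonym still distinguishes individuals and supports linkage; without
    the key the mapping can be neither recomputed nor reversed.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak alternative: plain SHA-256 with no secret. Anyone can
    recompute it, so it only hides identifiers drawn from a large space."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records, key, field="nhs_number"):
    """Return copies of the records with `field` replaced by a pseudonym."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudo_id"] = keyed_pseudonym(rec.pop(field), key)
        out.append(rec)
    return out


def link(records_a, records_b):
    """Linked data: merge two pseudonymised datasets on pseudo_id."""
    by_id = {r["pseudo_id"]: r for r in records_a}
    linked = []
    for r in records_b:
        match = by_id.get(r["pseudo_id"])
        if match is not None:
            merged = dict(match)
            merged.update(r)
            linked.append(merged)
    return linked


def reidentify_dob(target: str, pseudonym_fn, start=1900, end=2016):
    """Re-identification by dictionary attack on a hashed date of birth.

    Dates of birth form a space of only a few tens of thousands of values,
    so an attacker who can recompute the pseudonym function simply tries
    them all. Returns the recovered date in ISO format, or None.
    """
    day = datetime.date(start, 1, 1)
    last = datetime.date(end, 12, 31)
    while day <= last:
        if pseudonym_fn(day.isoformat()) == target:
            return day.isoformat()
        day += datetime.timedelta(days=1)
    return None


if __name__ == "__main__":
    hosp = pseudonymise(HOSPITAL_RECORDS, SHARED_KEY)
    gp = pseudonymise(GP_RECORDS, SHARED_KEY)
    print("linked:", link(hosp, gp))
    victim = "1970-03-12"
    print("unkeyed hash recovered:",
          reidentify_dob(unkeyed_pseudonym(victim), unkeyed_pseudonym))
    # The attacker does not hold SHARED_KEY; guessing with any other key fails.
    attacker_guess = lambda s: keyed_pseudonym(s, b"not the real key")
    print("keyed pseudonym recovered:",
          reidentify_dob(keyed_pseudonym(victim, SHARED_KEY), attacker_guess))
```

Two design points follow from the glossary entries. Linkage works only because both organisations derive the pseudonym from the same key, so the key itself becomes the thing that controls who can link data and must be held by the safe haven rather than shipped with the dataset. And the keyed construction only protects the identifier; the remaining fields (here an episode code or a drug) can still re-identify someone when combined with other data, which is why the Pseudonymised data entry says pseudonymisation is used together with other anonymisation techniques.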

© Crown Copyright 2016
2904918 June 2016
Prepared by Williams Lea for The National Data Guardian
