Foreword - Dr Dan Poulter - Parliamentary Under Secretary of State for HealthAs a doctor myself, I know that the very best care for patients is delivered when different parts of health and care services work together and a key part of that is about sharing patient information. In an ideal world, all health and care professionals would share all the right information about their patient, in a safe, secure and in a timely fashion so that the person gets good care with no repeating themselves and their histories, no waits while paperwork is passed around, and no mistakes made because one part of the system isn’t talking to another.However, as Dame Fiona Caldicott pointed out in her review, people are concerned about what happens to their information, who has access to it, for what purposes it is used, and why it isn’t shared more frequently when common sense tells them it should be. She also pointed out that where information needs to be shared for commissioning purposes, there need to be strong controls around how it is used.The purposes that information is used for are clearly very important. Whilst most people obviously support information sharing for good quality care, we have heard a lot of concern about individuals’ confidential data being provided to insurance companies or other commercial bodies. We intend to make it clear, through regulations, that there must be no abuse of trust and that information collected for important purposes like commissioning or delivering public services will be used appropriately and subject to strong security controls.With all that in mind, this consultation signals our intention to make some important changes:Creating new safeguards around information sharing for the purposes of commissioning and understanding population health needs – requiring information to be processed in ‘accredited safe havens’.Establishing clear rules around the use of data that might potentially identify individuals disseminated by accredited safe havens and the Health and Social Care Information Centre.Clarifying the rules on when information about people receiving health or care services, particularly the most vulnerable, must be shared by those providing the care with those who commission it.I hope that everyone who has an interest in making sure NHS and care services are run securely will respond to this consultation, so we develop regulations that will help patients and other service users get good, safe, care.Annex C: Consultation QuestionsQ1. Are these purposes the right ones? Are there any other purposes that it is acceptable for an ASH to use data for? Please set out what you think the purposes should be.Q2. Are there any other regulatory controls that you think should be imposed?Q3. What are your views on the maximum amount of the civil penalty that we should set for breach of the controls proposed above in relation to ASHs?Q4. Should there be any restrictions as to the type of body which might become (in whole or in part) an ASH, for example, a social enterprise, a private sector body or a commercial provider (working under a data processor contract)? Please let us know what you think.Q5. Is there a maximum number of accredited safe havens that you would consider to be acceptable? Please give your reasonsQ6. What are your views on the level of the civil penalty that we should set for providers who do not comply with this duty?Q7. Do you agree with the circumstances in which commissioners (case managers) should be able to obtain confidential patient information of an individual for whom they commission care?Q8. What controls do you think should be in place in respect of such access? Please provide details.Q9. What are your views of the controls set out above?Q10. What are your views on the level of the civil penalty that we should set for any breach of these controls?Q11. Are there any other controls that you think should be imposed? If so, please set out what you think these should be.Q12. Do you think any of the proposals set out in this consultation document could have equality impacts for affected persons who share a protected characteristic, as described above?Q13. Do you have any views on the proposals in relation to the Secretary of State for Health’s duty in relation to reducing health inequalities? If so, please tell us about them.
Royal College of Physicians of Edinburgh Consultation response
Department of Health: Protecting Health and Social Care Information - A consultation on proposals to introduce new Regulations
The Royal College of Physicians of Edinburgh (“the College”) is pleased to respond to this Department of Health consultation on protecting health and social care information.
Q1. Are these purposes the right ones? Are there any other purposes that it is acceptable for an Accredited Safe Haven (ASH) to use data for? Please set out what you think the purposes should be.
Yes. However, if these are intended to improve the security of information, the monitoring of payments to GPs could reduce this security.
Q2. Are there any other regulatory controls that you think should be imposed?
No, although data access controls must be rigorous.
Q3. What are your views on the maximum amount of the civil penalty that we should set for breach of the controls proposed above in relation to ASHs?
The general public may view the maximum civil penalty of £5,000 as too lenient for misusing their health care data. There should be consideration of the option to impose a level of criminal sanction in extreme cases.
Q4. Should there be any restrictions as to the type of body which might become (in whole or in part) an ASH, for example, a social enterprise, a private sector body or a commercial provider (working under a data processor contract)? Please let us know what you think.
We do not believe this should be open to those with a commercial interest. There is also a need to closely define how an ASH works and ensure that there is independent strong scrutiny.
Q5. Is there a maximum number of accredited safe havens that you would consider to be acceptable? Please give your reasons
We would suggest 1 per district, although the number of ASHs will be determined, firstly, by the ability of the ASHs to do the work and, secondly, by the amount of data processing required, together with the ability of the government to regulate the ASHs safely.
Q6. What are your views on the level of the civil penalty that we should set for providers who do not comply with this duty?
Many providers are already facing severe financial challenges, so large fixed fines may not be desirable. A possibility may be a sliding scale with increasing fines where information is not provided, or incomplete data is delivered to the commissioner. Again, the possibility of imposing a level of criminal sanction in extreme cases should be considered.
Q7. Do you agree with the circumstances in which commissioners (case managers) should be able to obtain confidential patient information of an individual for whom they commission care?
Ideally, where confidential personal information is required, this should be provided only after consent is given directly by the individual. If it is not possible to obtain the patient’s consent, there should be discussion with family, or the system could consider the use of local independent assessors, similar to Independent Mental Capacity Advocacy. If an individual refuses consent, then the case manager needs to respect that decision and plan appropriately.
Q8. What controls do you think should be in place in respect of such access? Please provide details.
As above. There could be a role for an external body in providing oversight.
Q9. What are your views of the controls set out above?
These controls seem satisfactory, although they may still allow for the transfer to commercial or private enterprises.
Q10. What are your views on the level of the civil penalty that we should set for any breach of these controls?
The civil penalty should reflect the damage done. The penalty of up to £500,000 reflects significant breach of information security. Again, the option for criminal sanction in extreme cases should be considered. If a private contractor is providing the ASH, then loss of contract could be part of the penalty.
Q11. Are there any other controls that you think should be imposed? If so, please set out what you think these should be.
As above, the loss of contract for a private contractor should be considered as a sanction. There should be a national body to oversee all ASH groups.
Q12. Do you think any of the proposals set out in this consultation document could have equality impacts for affected persons who share a protected characteristic, as described above?
If there are very small numbers of particular protected characteristics it may be easier to recognise individuals.
Q13. Do you have any views on the proposals in relation to the Secretary of State for Health’s duty in relation to reducing health inequalities? If so, please tell us about them.
No.