I seem to have caused a deal of angst by posting my remarks on the
Caldicott papers in WfW format; my apologies to those of you (the
majority it would seem!!) who have had problems.
An ASCII version is attached. This naturally loses some of the
layout, etc, but is I hope still legible.
Mike Wells
***************************************************
* M. Wells *
* 9 Hall Close *
* Bramhope *
* Leeds LS16 9JQ *
***************************************************
Caldicott Guardians & the NHS Strategic Tracing Service
I am responding to the invitations for comments in the two recent NHS Executive consultation
papers on Caldicott Guardians and on the NHS Strategic Tracing Service. There is clearly much
to support in both of these papers. They represent an organised attempt to deal with the issues of
security and confidentiality of patient data that will arise as the NHS progresses from its present
situation of isolated islands of mechanised data processing, with no overall national network, to
one in which nearly all data processing activities are mechanised, and there is ready access to
means of transferring data from any part of the system to any other part.
Caldicott Guardians
My main concern is the extent to which the NHS appears to setting itself up as the arbiter of
decisions relating to the processing of personal data relating to patients. I see this as a grave
error. The work with which I have been involved on patients' attitudes towards the processing of
their clinical records shows that patients are opposed to access to any part of their medical record
by anyone other than clinical staff directly involved in their treatment, and are opposed to the
NHS passing on any part of their medical records to other Government agencies or to non-
Government institutions. The Guardians paper clearly recognises these two forms of anxiety, in
its use of the concepts of 'internal' and 'external' roles for the Guardians. I would see it as natural
that there would be a publicly accessible mechanism for deciding what data transfers might take
place, and that part of this mechanism should include some form of system of appeal by
individuals or groups who feel that their interests have been damaged. The Guardians paper
(section 18) states
"Only those involved in the direct provision of care or with broader work (my Italics) concerned
with the treatment or prevention of disease in a population should normally (my Italics) access to
items of information which would allow them to identify an individual"
Thus two points which patients rightly see as fundamental, and which in a sense encapsulate the
internal and external roles of the guardians, have been by-passed, the inclusion of terms such as
those which I have italicised immediately opens the door to exactly the kinds of (mis-)use which
patients most fear, and which the report recognises. This might be acceptable if the control of
access was NOT in the hands of the NHS itself, or of Guardians who from the evidence of the
proposals are full-time employees of the NHS. The whole process of appointing Guardians, and
of deciding in effect what data transfers are permissible, which is outlined in sections 29 to 33
clearly places ALL the power within the NHS. This is not acceptable. The Caldicott report itself
sets out six guiding principles with admirable clarity, but fails to underline the importance of an
independent mechanism relating to the implementation of these principles. The report also lacks
a seventh principle, namely that all its decisions should be well publicised, and that anyone
should be able to find out exactly what the situation is in respect of their data. [This point is
actually well made in Annexe E, section 3.3 - however, it is of sufficient importance to merit
being promoted to the main body of the paper]. In view of this I strongly recommend that:
There should be established a permanent, fully independent body, containing only a
minority of NHS representation, able to make binding rulings as to who can access what
information held by the NHS, with an established appeals procedure, and whose
proceedings and pronouncements are open to the public.
Without such a body the NHS will be seen as acting as judge and jury in these matters, and no
matter how well intentioned the NHS might be, there will be continual disagreement in this most
sensitive of areas.
I would like to make one further, rather technical point, which appears not to be fully emphasised.
This relates to the granting by one person to another of permission to access data. There is a
distinction between
? One person granting to another permission to access a record
? One person granting to another the ability to grant to a third party permission to access a
record
I feel that there is some confusion at times, and that there is an assumption that the first type of
grant automatically implies the second. Unless this distinction is clearly understood, carefully
preserved, and properly implemented, it will become impossible to maintain proper control of
access to records.
NHS Strategic Tracing Service
I start by emphasising that I do not dispute the benefits of the introduction of NHS numbers.
There is a requirement within the NHS for some means of uniquely identifying each patient, and
for a two-way linking between an individual and this identification. It is also clear that there is a
recognition within the NHS of the formidable risks to the individual's rights and freedoms that
will arise from the introduction of such a numbering system.
There are two items lacking from the proposals as they presently stand. They are
1 Commitments as to what types of access will never be permitted
2 Provision of a forum for decisions relating to the operation of the service
Commitments as to what types of access will never be permitted
The NHS number will provide the nearest that the UK has to a national identity system. Many
European countries have such systems, and its existence is not, of itself, inconsistent with a
liberal regime. However, having such a system which is integrally linked with the provision of
Health Care is inviting problems. Obviously there will be concern that the system will be used by
other agencies, either overtly or covertly. If the public is to continue to have confidence that data
provided in confidence to medical practitioners is not to be accessed by other agencies, there
needs to be a clear statement BEFORE the NSTS service comes into operation as to what forms
of access will NOT be permitted. I make no specific proposals for the content of any such
statement, but its form must be as a permanent, binding commitment. The statement should be
devoid of terms such as 'need to know', or 'normally' which will inevitably invite exploitation at a
later date; there should be no loopholes or let-out clauses.
Forum for decisions relating to the operation of the service
The operation of the NSTS must be seen by the public as being above reproach. Part of this must
include a mechanism for ensuring that policy decisions relating to the operation of the service are
not taken by a single sector. It is an open question whether this forum is part of the mechanism
for the Caldicott Guardians, or, as I believe it should be, is a separate body. Whichever route is
followed, I strongly recommend that:
There should be established a permanent, fully independent body, containing only a
minority of NHS representation, able to make binding rulings as to who can access what
information within the NSTS, with an established appeals procedure, and whose
proceedings and pronouncements are open to the public.
Who should operate the NSTS?
The paper as presented makes an implicit assumption that the NSTS should be operated and
controlled by the NHS, in effect by the NHS Executive. I believe this to be a recipe for conflicts
of interests. If the NHS were the only Government agency able to access the service, then it
might be argued that the NHS should operate it. Even in this case, the number of people with
some form of authority to access the service will be very large, and there will be a serious risk of
abuse. However, there are reasoned arguments, which in principle I accept, that there might be
controlled access by other agencies, making the risks of abuse even greater. In these
circumstances the operation of the service would be better delegated to an independent group, set
up specifically for this purpose. I am NOT advocating that the NHS sub-contract the operation to
a private contractor; that would still leave the NHS with overall responsibility, while bringing in
yet another link in the chain (the private contractor) making control still more difficult. I am
advocating the creation of a separate service, responsible to the independent controlling body,
which would offer a service to the NHS and to those working in other public sector agencies
outwith the NHS who might be approved for access to the service.
Accountability and Audit
The paper makes a brief reference to 'reporting any incidents or breaches of protocols' in the
operation of the NSTS. I recommend that the reporting system should be operated much more
aggressively than this. It should be established at the outset that each and every access to the
service will be monitored and accounted, and that these records will be continually subjected to
the closest possible audit to seek out irregularities. ['Account' here does not refer to a financial
account; the funding of, and payment for, this service I see as quite separate] In particular, these
accounting records will contain enough information for each and every access to allow an
unambiguous trace back to the named individual who accessed the service, and the named
individual who authorised the access. These records will be made not only for accesses which are
'successful', in the sense that the person/system making the request for information receives all
the information they request, but also for accesses which are 'unsuccessful', in the sense that some
or all of the information requested is not supplied, or is not available. The existence of these
records will serve as a powerful deterrent to unauthorised use.
Caldicott Guardians & NSTS 3 Professor M. Wells
|