Last reviewed 19 September 2013

The Government’s full response to an independent review of health information governance has set out the responsibilities of health and care organisations with regard to keeping patient information safe and secure.

The Department of Health (DH) has accepted all of the recommendations in Dame Fiona Caldicott’s report, Information: To Share Or Not To Share? The Information Governance Review, saying relevant personal confidential data should be shared among “registered and regulated health and social care professionals who have a legitimate relationship with the individual”. Information should also be shared with other members of the care team as long as there are “appropriate safeguards” in place.

The response states: “The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles.”

However, the DH agreed that while information sharing is essential to provide good care, there are rules that must be followed. Its response sets out the responsibilities of health and care organisations for ensuring staff have appropriate training and education on information governance, for being open and honest if a data breach occurs and taking action to prevent it happening again, and for introducing a “Caldicott Guardian” or lead on information governance in each organisation.

The Health and Social Care Information Centre (HSCIC) has also published A Guide to Confidentiality in Health and Social Care, which sets out rules to ensure that confidential information about an individual does not leak outside their care team but is shared within it “to provide a seamless, integrated service”.

The five rules are that:

  • information about service users or patients should be treated confidentially and respectfully

  • members of a care team should share confidential information when it is needed for the safe and effective care of individuals

  • information shared for the benefit of the community should be anonymised

  • an individual’s right to object to the sharing of confidential information about them should be respected

  • policies, procedures and systems should be put in place to ensure the confidentiality rules are followed.

Health Secretary Jeremy Hunt confirmed: “If someone has an objection to their information being shared beyond their own care, it will be respected. All they have to do in that case is speak to their GP and their information won’t leave the GP surgery.”

The British Medical Association (BMA) and NHS England will become involved where the number of patients objecting to identifiable data leaving a GP practice appears to be abnormally high. They will look at reasons behind this with the practice, eg whether it is due to coding errors or misunderstandings.

The BMA said in its response to the review that it recognised the importance of using healthcare data to develop NHS services. It supported stricter controls around the use of data for commissioning, stressing that anonymised data should be used whenever possible, and said further work was needed to implement pseudonymisation techniques to remove the need for any identifiers.

“Whilst recognising the need to link data,” it stated, “we are concerned about overreliance on the NHS number because the use of any identifier creates a risk to confidentiality. The use of grey data must be limited and only used when absolutely necessary within the strict controls detailed by the review.”