Council meeting

22nd February 2018

Chairman’s update

The National Data Guardian’s panel met on 15 January 2018: topics discussed included a presentation on the Internet of Things (IoT), definitions to used by the National Data Opt-out programme, a request from NHS Digital for advice regarding a potential review of the information in and use of the Summary Care Record (SCR), and a presentation from NHS Genomics regarding their proposed consent model.

Dr Bunch reported on a recent two-day visit to NHS Digital in Leeds during which he met with a range of programmes and colleagues including the Data Services Platform (DSP), the Data Collections team, the Data Security Centre, and the GP Data Implementation and National Data Opt-out programmes. He also visited the new NHS Digital Cyber Security centre and saw a demonstration of the National Data Opt-out web portal. Dr Bunch expressed his thanks to NHS Digital colleagues who had been very open, and generous with their time. He was pleased to see such a huge amount of effort into rationalisation and modernisation of services whilst ensuring public trust is considered and privacy is maintained.

Dr Bunch reported that he is considering the aims for UKCGC in 2018 /19, and requested input from members on the matter via the Council forum.

Requests for advice

The Council discussed recent requests for advice received. These included the status of records maintained by bereavement counsellors; visiting specialist nurses' access to patient information; the future role of the Caldicott Guardian in light of the GDPR; and the requirement and responsibilities of Caldicott Guardians for approving their organisation's involvement in national registries and databases. For the latter, Council has been asked if it would be able to provide central Caldicott Guardian approval on behalf of all Caldicott Guardians. This is a complex issue, as the data requirements for such databases vary significantly in various ways, for example whether the data required is identifiable, pseudonymized or anonymized; the purpose (direct care or secondary use); the legal basis for processing; whether consent is required, or set aside via Section 251; etc. Perhaps because of this complexity, several such initiatives have been delayed because of tardy — and sometimes unfavourable responses from Caldicott Guardians.

 Council agreed that it is not constituted to make such decisions on behalf of Caldicott Guardians; these ultimately need to be made by the individual data controllers on the advice of their Caldicott Guardian. However, Council is well placed to advise organisations wishing to set up such databases on appropriate governance arrangements.

Independent members’ updates

Christopher Fincken reported that the Centre for Excellence in Information Sharing has now published its guidance on Improving Information Sharing between Police and Health Services. The Centre is considering new areas of focus for the coming year, including safeguarding and domestic abuse, with the aim of linking to national initiatives. Christopher is exploring how the UKCGC can potentially support these work streams. He also is considering further work to develop guidance on information sharing between NHS and the police to support the investigation and prevention whilst minimising interruptions to the delivery of care, for example in an accident and emergency care setting. 
 
Christopher is also progressing his domestic abuse guidance and has discussed with the General Medical Council their safeguarding guidance for children and adults.

Ben Heal reported on a workshop event he is arranging with the northern UKCGC networks, together with experts from DAC Beachcroft and StayCompliant training. The event will explore with delegates the general problems of overseeing the guarding and sharing of patient/service-user personal information in a small organisation (under 50 staff). The workshop will specifically focus on sharing service-user personal data with relatives or significant others including what should happen after their death. 

Updates from regional networks

South West: The network continues to provide a valuable service in pointing its members to appropriate guidance and membership continues to grow (currently circa 280 registered on the south west network mailing list).

London:  There was no meeting held in December due to availability of attendees over the holiday period the provisional March 2018 meeting already has encouraging planned attendance. The recently published GDPR guidance has been circulated to London network members and has raised some queries.

North West:  The network held a meeting during February 2018 where case studies were reviewed, and members discussed how they could make the guidance more setting specific? Attendance remains steady and with a turnover rate of circa 20%. 

The Council is working on appropriate geographic breakdowns of the Caldicott Guardian Register to support increased engagement with membership. 

Office of the NDG update

Jenny Westaway Head of the Office of the National Data Guardian provided an update on the current focus of the NDG:

The Health and Social Care (National Data Guardian) Bill 2017-19 has passed through its second reading in the House of Commons. No date has yet been set for its next stage, in committee.  

The National Data Opt-out: the NDG is engaging with the National Data Opt-out programme team, which is responsible for ensuring effective communications and engagement with the public to support the National Data Opt-out (and for a wider data sharing campaign).Colleagues from the programme will be attending the NDG’s panel in March 2018 to present an update on the communications plan.

Reasonable expectations: the Office of the NDG, in collaboration with Connected Health Cities and Citizens Juries CIC, hosted a citizens’ jury on reasonable expectations in Manchester in January. A group of 17 jurors representing a broad cross-section of the public worked together to respond to a series of questions regarding when it is reasonable for a patient to expect health information about them to be shared, and when it is reasonable for a patient to expect information to be kept private.

The Memorandum of Understanding (MOU) on processing information requests from the Home Office to NHS Digital for tracing immigration offenders: The NDG attended the Health and Social Care Committee evidence session on Tuesday 16 January. Following discussions at the Commons Health Select Committee, Dr. Sarah Wollaston MP has written to NHS Digital’s chief executive Sarah Wilkinson requesting that NHS Digital suspend processing information requests from the Home Office for tracing immigration offenders immediately. 

Public Health England has made a call for evidence on the public health impact of the MoU, particularly on the healthcare-seeking behaviour and health outcomes of the migrant population. Council members suggested several stakeholders may wish to input into this process including Local Authorities and the Female Genitalia Mutilation programme. 

GDPR update

Dawn Monagahan reported that the Information Governance Alliance (IGA) has been commissioned to provide GDPR guidance to information governance  professionals and the NHS workforce: new guidance documents have been published recently on the NHS Digital website (also linked in the GDPR page on this site).  Further guidance is being developed and is currently going through the legal approval process. The IGA is also developing templates providing example texts for different situations for example National Data Opt-out text for privacy notices. The IGA continues to work closely with the British Medical Association and the Royal College of General Practitioners to develop GDPR guidance specifically for GPs. Once this has been completed they are hoping to do the same for different sectors (such as social care, dentists and pharmacists).

Some care homes have received legal advice that they do not require Data Protection Officers (DPO). However, the circumstances can vary as some care homes can be part of a larger groups which would require a DPO. 

The IGA has received many enquiries regarding the status of anonymized, pseudonymized and/or de-identified data under GDPR, and has submitted a paper to the ICO detailing the current position and discussing the required controls for access. 

NHS Code of Confidentiality Practice

Sean Kirwan reported that the DHSC aims to refresh the NHS Code of Confidentiality Practice guidance which was originally published in 2003. Since then,  public awareness and concern about what happens to their data has increased significantly due to changing societal attitudes, technology such as smart phones and, in the health care arena, public campaigns such as care.data and the National Data Opt-out. DHSC has commissioned the IGA to with stakeholders through a public consultation , and has established a working group which includes representatives from the UKCGC, the BMA Royal Colleges, local government and social care. 

The Brain Tumour Charity

The Brain Tumour Charity presented  their project to establish a brain tumour patient registry which aims to link quality of life data with health data from national datasets. The Brain TumouR Information and Analysis Network (BRIAN) will link patient-reported quality of life data with data from national health and social care datasets. This will help provide a clear picture of the brain tumour patient pathway, from their first contact with a healthcare professional to end of life. The registry will enable patients and their carers to compare their progress and experiences with groups of other individuals who have the same brain tumour, helping them to make better informed decisions about their treatment to get the best possible outcome.

The Charity is engaged with NHS Digital to access Hospital Episodes Statistics (HES) data, and is planning to use anonymised data for the first phases of the project. Council was supportive and discussed some of the challenges including using subject access requests (SARs), the legal basis for the registry, the higher standard of consent required under GDPR, and privacy statement.

Data Security and Protection Toolkit

John Hodson from NHS Digital provided a demonstration of the latest version of the upcoming Data Security and Protection Toolkit which will replace the current IG Toolkit from April. Council was encouraged by improvements made to reduce the burden and improve ease of use from the legacy toolkit. The new DSPT is at the 'live beta' stage, and will be implemented in a phased roll out by sector in the coming months. Council members suggested that a glossary of terminology and the addition of links to relevant websites (such as the UKCGC) could be helpful.

John advised that it was initially hoped that by completing the DSPTK it would also provide organisations feedback on alignment with GDPR, however due to the current timelines for GDPR it has not been possible to develop this feature yet. The team is working to develop the NDG recommendations and use the appropriate wording rather than identifying by numbers to improve understanding and enhance the meaning. The development of the DSPTK will continue beyond its launch, with incident reporting for GDPR next in the development pipeline.