Rapid Responses to:
|
|
Rapid Responses: Rapid Responses published:
-
![[Read Rapid Response]](/icons/misc/sectionDOWN.gif)
Caldicott principles should be sufficient for decisions about patient-identifiable information
- D Graham Mackenzie, Gina Radford, Alison McCallum, Rod Muir (3 July 2007)
-
Ethics of collecting and using healthcare data
- Michael J Lockwood (4 July 2007)
-
Use of electronic storage of patient data
- Matthew W Daunt (5 July 2007)
-
Caldicott guardians are not involved
- Derick T Wade (6 July 2007)
-
Identifiable patient information was not the subject of the editorial
- Derick T Wade (6 July 2007)
-
Re: Use of electronic storage of patient data
- Derick T Wade (6 July 2007)
-
Caldicott function has developed - and is central to the debate
- D Graham Mackenzie, Gina Radford, Alison McCallum, Rod Muir (10 July 2007)
-
Re: Caldicott function has developed - and is central to the debate
- Derick T Wade (13 July 2007)
|
|
|||
|
D Graham Mackenzie, Locum Consultant in Public Health Medicine Department of Public Health, NHS Fife, Cameron House, Windygates, Leven, Fife, KY8 5RG, Gina Radford, Alison McCallum, Rod Muir
Send response to journal:
|
Wade calls on health care organisations to develop internal organisational arrangements to safeguard patient data for purposes of quality assurance, using examples from the United States and Australia.1 Wade appears to ignore the existence of Caldicott Guardians and the recommendations of the Caldicott committee which considered these points in detail a decade ago.2
The Caldicott recommendations originally referred to the sharing of patient-identifiable information between NHS organisations, but are equally relevant to internal decision-making within an individual NHS organisation. Caldicott principles are central to protecting patient confidentiality in the NHS.3 The six Caldicott principles provide designated senior professionals within NHS organisations (Caldicott Guardians) with a framework to consider requests to access patient-identifiable data: i. Justify the purpose. ii. Don’t use patient identifiable information unless it is absolutely necessary. iii. Use the minimum necessary patient identifiable information. iv. Access to patient identifiable information should be on a strict need to know basis. v. Everyone should be aware of their responsibilities. vi. Understand and comply with the law.2 A network of Caldicott Guardians (with the support and expertise of data protection officers, IT security staff, records managers and others), trained and experienced in the use of these principles, already provides the “conscience” of the NHS.4 There is no need to reinvent this system. D Graham Mackenzie, locum Consultant in Public Health Medicine, Department of Public Health, NHS Fife, Cameron House, Windygates, Leven, Fife, KY8 5RG Gina Radford, Director of Public Health, Department of Public Health, NHS Fife, Cameron House, Windygates, Leven, Fife, KY8 5RG Alison McCallum, Director of Public Health, Department of Public Health and Health Policy, NHS Lothian, Deaconess House, 148 Pleasance, Edinburgh, EH8 9RS Rod Muir, Consultant in Public Health Medicine, Information Services, NHS National Services Scotland, Edinburgh EH12 9EB References 1. Wade D. Ethics of collecting and using healthcare data. BMJ 2007;334;1330-1331 2. The Caldicott Committee Report on the Review of Patient-Identifiable Information. Department of Health 1997. www.dh.gov.uk/prod_consum_dh/idcplg?IdcService=GET_FILE&dID=22658&Rendition=Web accessed 2 July 2007 3. Confidentiality. NHS Code of Practice. Department of Health 2003. www.dh.gov.uk/prod_consum_dh/idcplg?IdcService=GET_FILE&dID=9722&Rendition=Web accessed 2 July 2007. 4. The Caldicott Guardian Manual. Department of Health 2006 (and adapted for use in Scotland, Scottish Executive Health Department 2007) Competing interests: Dr Radford, Dr McCallum and Dr Muir are Caldicott Guardians for the respective NHS organisations. |
|||
|
|
|||
|
Michael J Lockwood, Retired General Practitioner Andover. SP10 2JJ
Send response to journal:
|
The statement that "Patients using any healthcare system have an ethical responsibility to help with quality assurance activities, and with epidemiological research based on population-wide databases" comes perilously close to denying patients the right to withhold their consent to the sharing of their personal secrets. Quality assurance and epidemiological research can usually be performed with the patient data anonymised. If so, it can be argued that patients' informed consent is not required though an opt-out facility has been recommended by the General Medical Council. However, the sharing of personal information about identifiable patients without their explicit informed consent surely remains unethical, even if they may benefit from such sharing, not least in that it is a breach of trust on the part of the doctor and a deterrent to patients revealing their private secrets in the interest of diagnosis and effective treatment. Competing interests: None declared |
|||
|
|
|||
|
Matthew W Daunt, F1 Doctor Queen's Medical Centre, Nottingham
Send response to journal:
|
Abstract:
Method: During the first 4 months of Foundation programme training in Nottingham, a questionnaire found that 72% of F1 doctors used electronic storage of patient identifiable data, and that 40% used portable USB memory sticks to carry around data. The current trust guidelines do not allow this without improved security techniques, but none of the 50 junior doctors questioned met the current criteria for using USB storage properly. Summary: For hospital Trusts to aid their junior doctors to handover patients more effectively, they should invest in appropriate secure USB memory sticks to minimise the risk of a breach of patient confidentiality. Our Trust is currently proposing a new security policy in light of this. I am a Foundation Programme house officer working at the Nottingham University Hospitals Trust. The current working hours for junior staff mean that handovers regarding patients are more crucial than ever before. Much of this used to be hand written sheets, lists of jobs to do etc, but the widespread use of computers has led to electronic storage of patient data which can then be printed out for all members of the team. When I started, it was stressed how important patient confidentiality is, and that any documents containing patient identifiable data should be properly disposed of in confidential waste bins. However, the use of Universal Serial Bus (USB) sticks to store patient data has become increasingly popular. They have many other names; USB pens, USB keys, mini -USB drives, Flash drives, but are essentially all the same type of device. Our Trust policy states, as a general rule, that confidential data can only be stored on 128 bit-encrypted USB sticks, that they must have “if found” labels on them, and that they should only be used on Trust computers (with active, up to date and on-access scanning anti-virus software). I asked 50 Foundation Programme doctors across the Trust about their electronic storage of patient data during the first month of work. 72% of junior doctors store patient identifiable data electronically. 40% store on USB, 6% on floppy disk, and 26% on the hard drive of a hospital access computer. Of those using a USB stick, none had 128-bit encryption, and only 3% had a password on the device (which still does not meet security requirements for the Trust). 17% of people using USBs also used the same device on their home computer(s) and 5% had patient data stored on their home computer. I contacted the Caldicott & Data Protection advisor at Nottingham University Hospitals Trust who informed me that information security and confidentiality continue to be a problem. Recently we had an incident whereby clinically sensitive patient identifiable data was held on an unprotected USB that was stolen. In the not too distant past, we would have said that the data would be wiped and the equipment sold on, but now the concern is criminals recognise there is money to be gained by selling on personal data to the growing identity theft market; the patient has to be informed and we are liable for any distress or damage that might cause (as well as public condemnation). In addition, there are clinical risks as clinical information is lost for good. Then, of course, there is a financial loss somewhere as the equipment has to be replaced. USB sticks have the same security risks as other removable media such
as CDROM,
Zip disks and floppy disks, but the risk is increased with memory sticks
due to:
As the use of memory sticks becomes more popular, I feel that it is important that security is kept a priority. To label all USB devices with appropriate “If found” details is easily achievable. To encrypt data to a level of 128-bit will doubtless cost more to implement, but it appears to be an inevitable necessity. While the Trust does not think it is appropriate to use such devices to store patient data without suitable security, they would not go so far as to ban it, as it is no worse than leaving around confidential information on paper. I have asked the Information Governance Committee that the Trust look into this, and as a result, they are about to make a policy recommendation to the Trust in that the security protection of a memory stick must be sufficient to protect the type of information that it is holding - the higher level of protection needed with the higher level of sensitivity - and that is a mandatory requirement that all USBs must have password protection ability as a minimum requirement before they can be used for trust data. They are also looking into supplying 128-bit secured USB sticks for NHS staff to use for ward based firms. This article is due to be presented at the Information Governance Committee, after which the Trust intend to give the matter some exposure through a Trust-wide communications plan to raise awareness and encourage good practice. Matthew Daunt
Competing interests: None declared |
|||
|
|
|||
|
Derick T Wade, Professor of Neurological Rehabilitation Oxford Centre for Enablement, OX3 7LD, UK
Send response to journal:
|
Dear Sir, Dr Mackenzie and colleagues suggest that there is no problem concerning the collection and use of data on patients because the Caldicott guardian is responsible for ensuring proper use of NHS data. Unfortunately this is not so. To quote the first paragraph of the executive summary " ... the Chief Medical Officer established the Caldicott Committee to review all patient- identifiable information which passes from National Health Service (NHS) organisations in England to other NHS or non-NHS bodies for purposes other than direct care, medical research, or where there is a statutory requirement for information." The Caldicott guardian has no responsibility for the collection or use of data within the NHS. The Caldicott guardian is only responsible for the transfer of data that is tied directly to individual patients from one specified NHS organisation either to another specified NHS organisation (e.g. a primary care trust commissioning health activity) or to a specified non-NHS organisation. Incidentally the report also assumes that medical research is an easily identified activity, though it does not contrast it with other activities using aggregated data such as audit. Yours Derick Wade Competing interests: None declared |
|||
|
|
|||
|
Derick T Wade, Professor of Neurological Rehabilitation Oxford Centre for Enablement, OX3 7LD, UK
Send response to journal:
|
Dear Sir Dr Lockwood is suggesting that I supported the unauthorised use of identifiable patient data. I am sorry that my editorial was insufficiently clear. The whole content of the editorial concerned the use of aggregated, anonymous data which is subject to significant constraints if deemed to be for 'research' purposes but to no constraints if deemed to be for 'audit' purposes. The concern is that there is no clarity or agreement on what uses do or do not require authorisation by external review committees. I am suggesting that the need for external review should not depend upon the (apparent) goal of a project. It should be determined by the nature of the processes of data collection and analysis, which determine the potential risks and harms to the individual patients. Yours Derick Wade Competing interests: None declared |
|||
|
|
|||
|
Derick T Wade, Professor of Neurological Rehabilitation Oxford Centre for Enablement, OX3 7LD, UK
Send response to journal:
|
Dear Sir The content of Dr Daunt's letter is clearly completely unrelated to the content of the editorial, but he has highlighted a large problem that is generally ignored, primarily because to insist upon adherence to the guidance would make it impossible to run hospitals safely. Handover was (fortunately) a minor problem when I was a junior doctor, but even so almost every doctor had written lists and books with patient details to help them provide safe care. It is unrealistic to expect anyone to function safely without carrying around material concerning their patients. Rather than imposing confidentiality through prohibiting certain actions, it would be better for employing organisations to promote actively systems that encourage staff (not only doctors) to carry around as much patient information as they need but in a safe way. For example all staff could be given a personal digital assistant (PDA) which includes security to protect confidential data. Yours Derick Wade Competing interests: None declared |
|||
|
|
|||
|
D Graham Mackenzie, Locum Consultant in Public Health Medicine Department of Public Health, NHS Fife, Cameron House, Windygates, Leven, Fife KY8 5RG, Gina Radford, Alison McCallum, Rod Muir
Send response to journal:
|
Editor,
When we responded to Wade’s editorial we were highlighting the central importance of Caldicott Guardians and Caldicott principles in decisions about use of patient data. Wade’s subsequent response makes a number of important errors. We refer him to the Caldicott Manual 2006.1 Wade focuses on the executive summary of the original report of the Caldicott Committee (1997). However, as the Caldicott Manual makes clear (paragraph 1.40), subsequent developments in information management in the NHS and Councils with Social Services Responsibilities have expanded the Caldicott Guardian role in the intervening decade.1 Wade states that the “Caldicott guardian has no responsibility for the collection or use of data within the NHS [and] is only responsible for the transfer of data that is tied directly to individual patients from one specified NHS organisation either to another specified NHS organisation....”. This is incorrect on both points, as highlighted by the duties listed in the job description for Caldicott Guardians, a section of which is quoted in the box below. Point 1.3 in the box has the most direct relevance to the subject of Wade's original editorial. Wade’s response focuses on the role of the Caldicott Guardian. It is important to realise that the UK NHS has now introduced guidance, standards and training for a range of Information Governance staff of which Caldicott Guardians are one element. This is relevant to professionals working across the NHS including the Caldicott Lead working at individual GP practice level. Fortunately the Department of Health is now providing Caldicott training for individuals across the NHS.2 D Graham Mackenzie, locum Consultant in Public Health Medicine, Department of Public Health, NHS Fife, Cameron House, Windygates, Leven, Fife, KY8 5RG Gina Radford, Director of Public Health, Department of Public Health, NHS Fife, Cameron House, Windygates, Leven, Fife, KY8 5RG Alison McCallum, Director of Public Health, Department of Public Health and Health Policy, NHS Lothian, Deaconess House, 148 Pleasance, Edinburgh, EH8 9RS Rod Muir, Consultant in Public Health Medicine, Information Services, NHS National Services Scotland, Edinburgh EH12 9EB
References 1. www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_062722 2. www.connectingforhealth.nhs.uk/systemsandservices/infogov/policy/resources/training 3. www.connectingforhealth.nhs.uk/systemsandservices/infogov/policy/resources/job_descriptions/nhs.rtf Competing interests: Gina Radford, Alison McCallum and Rod Muir are Caldicott Guardians |
|||
|
|
|||
|
Derick T Wade, Professor of Neurological Rehabilitation Oxford Centre for Enablement, OX3 7LD, UK
Send response to journal:
|
Dear Sir, While I can agree that the Caldicott Guardian within the UK NHS might have a role to play in the process of maintaining an appropriate ethical standard in quality assurance and research activities, I cannot agree that the system protects patients fully or even to a reasonable extent. Moreover the editorial was not simply considering the UK perspective. The editorial was primarily concerned with the systematic collection and analysis of aggregated (not identifiable) patient data within health care organisations. It was not concerned with the use of patient- identifiable information. The Caldicott guardian’s responsibility is poorly defined in The Caldicott Guardian Manual 2006 [1]. However the key first paragraph states: “The Caldicott Guardian should play a key role in ensuring that NHS, CSSRs and partner organisations satisfy the highest practical standards for handling patient identifiable information. Acting as the ‘conscience’ of an organisation, the Guardian should actively support work to facilitate and enable information sharing and advise on options for lawful and ethical processing of information as required. Local issues will inevitably arise for Caldicott Guardians to resolve. Many of these will relate to the legal and ethical decisions required to ensure appropriate information sharing. It is essential in these circumstances for Guardians to know when, and where, to seek advice.” It is clear to me that the main goal of the guardian is to protect the confidentiality of patient-identifiable information – as Mackenzie and colleagues stated in their first letter. Furthermore the two main references they give concern ‘Connecting for Health’, the UK computerised patient record and these references concern the use of data relating to identified, specific patients. Any other matters flow from this, or are incidental. There is no mention in The Caldicott Guardian Manual 2006 of: - vetting or authorising prospective collection of data not directly connected to the clinical encounter - vetting or authorising the use of aggregated, anonymous patient data. My editorial is concerned with projects that set out to establish facts from aggregated patient data, where usually (but not inevitably) the data are collected prospectively using specifically designed data collection tools. I would hope that a Caldicott guardian as a senior member of a Health Organisation would in practice be concerned about and would review both audit and research projects but it is not expected of them nor is it part of normal practice for guardians. I also have one other concern. Mackenzie and colleagues talk repeatedly about Information Governance and confidentiality. My concern is not with confidentiality, but with the risks and benefits associated with the collection and analysis of data (which includes treating it confidentially, but only as a small part). To illustrate the point, I will recount a true story. I work in a service that monitors and supports severely disabled, often cognitively impaired, extremely vulnerable people living in the community. As part of this service many patients have a programme of planned assessment or treatment admissions. In about 2000 the service (at that time named “Ritchie Russell House”) was under threat of closure and at that time the Department of Health undertook a survey of people discharged from hospital to establish their satisfaction with care. The names of all patients discharged from hospital were transferred from our Trust to an organisation that sent them a letter saying “Following your discharge from Ritchie Russell House ...”. A large number of people were extremely distressed, believing that the service had been terminated and that they would no longer be seen by the service. The guardian, if involved, clearly had not considered anything other than the legal aspect of transferring data concerning individual patients. This survey should not have been allowed to occur using patient- identifiable information (names and addresses) because: - the data served no useful purpose (the Trust mixes a few neurological rehabilitation admissions with a large number of elective orthopaedic admissions, and the data could not be interpreted) - there was no benefit to the patients surveyed - there was harm to patients surveyed - there was no benefit to the system as the data could not be interpreted The Caldicott guardian doubtless fulfilled their role, but the transfer and use of patient identifiable information caused harm because the guardian's responsibility did not extend to the evaluation of the way the data might be used, the potential risks associated with its use, or whether there was any useful purpose beyond the political one of demonstrating apparent patient satisfaction. To summarise, the Caldicott Guardian is responsible for protecting individual patient information from disclosure with that identity attached. She or he is not responsible for considering systematic, prospective collection of data or the analysis of data or the use made of data or the risks and benefits associated with the use of aggregated, not identifiable data. Yours Derick Wade 1 http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/policy/resources/new_guidance/caldicott_2006.pdf (accessed 11th July 2007) Competing interests: None declared |
|||