Governing patient data is much more than data protection – it’s about trust
By Jon Shingleton, Senior Manager and Claire McInnes, Manager, Health and Care Information Governance Specialists, Deloitte
Being able to share patient data is fundamental to delivering patient care, enabling medical innovation, and improving population health outcomes. This is particularly acute within the new NHS Integrated Care Systems (ICS), whose success pivots on the effective and prompt sharing of patient data between their component organisations. Information Governance (IG) is all too often blamed for preventing patient data sharing, especially for purposes beyond providing direct care. It’s true that health and care IG is complicated – it’s a latticework of laws, frameworks and expectations spanning data protection, confidentiality, records management and information security. However, deployed effectively and robustly, IG frameworks can be an enabler, quickly demonstrating that data sharing is lawful, ethical and secure, and unlocking access to groundbreaking data insight. To be effective, IG frameworks need to be founded on one simple principle – trust.
The importance of trust
Patients trust their healthcare professionals (HCPs) to keep anything discussed between them confidential and only share with other clinicians involved in their care. The same expectations apply to patient data generated from those conversations. Trust is pivotal to securing the public’s support for data sharing in health and care, whether that be to support commissioning, research, or the adoption of new technologies such as AI. It’s crucial to maintain trust at every stage of the patient data lifecycle.[i]
While the NHS is one of the UK’s most trusted public institutions, public trust in data sharing across the health service has not followed suit, especially when such sharing could include the government or third parties. National health and care data sharing initiatives championed by successive governments have been consistently met with public distrust. This distrust led to the abandonment of care.data in 2016 and halted the General Practice Data for Planning and Research (GPDPR) scheme. More recently, NHS England’s flagship Federated Data Platform (FDP) programme has faced significant legal scrutiny over its ambition to create a unify patient data for secondary purposes, and the procurement of a third party to provide the platform[ii].
Addressing the problem of public trust is essential, requiring both clarity on the benefits and associated costs and an open conversation at a public level to determine what values public institutions should promote.[iii] Data sharing initiatives that do not garner the trust of patients - and clinicians - are almost certain to fail.
Data protection and patient confidentiality
Unlocking the power of patient data and respecting patient confidentiality are not mutually exclusive, but solutions need a robust understanding of the intersection of (and occasional tensions between) data protection laws and patient confidentiality. Patient data is, of course, regulated by the UK GDPR, but satisfying data protection laws alone doesn’t always permit data to be shared. Organisations must also respect patient confidentiality, as protected by the Common Law Duty of Confidentiality (CLDC).
There’s usually a genuine case to process patient data to undertake NHS business that satisfies GDPR (subject to the appropriate technical and organisational safeguards being in place), but this can still breach peoples’ confidentiality. This is because Common Law Duty of Confidentiality imposes a separate, and more stringent, suite of lawful bases for which an organisation can process a patient’s confidential data – that being medical data likely to identify a patient.
For example: an NHS Integrated Care Board (ICB) wants to use patient data provided by its local hospitals to evaluate health inequalities across the communities it serves. This is a perfectly legitimate and well-intended activity, underpinned by a clear lawful basis (the Health and Care Act 2022 which requires NHS commissioners to reduce health inequalities). Problems arise, however, because passing confidential patient data to a data analyst with no involvement in the patient’s care would breach the duty of confidentiality owed to them. This then loops back to data protection - if the ICB can’t demonstrate compliance with patient confidentiality, they are breaching GDPR’s first principle that any processing must comply with the law.
Managing this delicate balance requires an understanding of the fundamental difference between using patient data to ensure they receive the treatment they immediately need (direct care) and for other (secondary) uses. Patients trust HCPs to use their data to provide them with care, so it is easier share information for this purpose without breaching confidence. However, that same trust often doesn’t extend to organisations using their data for secondary purposes, such as planning, service improvement, research or population health management, and so the Common Law Duty of Confidentiality places additional obligations on organisations wanting to use patient data for non-direct care purposes. This usually requires patient data to be de-identified for such purposes – a key challenge here, however, is doing so in such a way that doesn’t break the ability to track patients across care pathways.
These challenges are being tackled across health and care organisations with the support of Caldicott Guardians. Where deployed effectively, and possessing significant authority within their organisations, Caldicott Guardians ensure that patient confidentiality is respected through the advice, leadership, guidance and assurance they provide. Often described as the ‘conscience of the organisation’ or ’the voice of the patient’, Caldicott Guardians ensure that confidential patient data is used lawfully, ethically and securely.[iv] They play a key role in garnering the trust and support of patients when sharing their data for secondary purposes.
Information governance (IG) can be a powerful enabler
It’s no secret that patient data can improve health outcomes not only for the individual, but also wider society. Getting IG right is critical to enabling these benefits.
Source: UnderstandingPatientData.org.uk
The key challenge lies in reconciling the fact that the organisations generating patient data (i.e., local providers) are often not those who can derive the best value from it to support secondary uses like population-level health management (i.e., ICBs). The requirement for a strong data governance strategy, that protects individuals, groups and communities against harm and violations while enabling the safe sharing of patient data, is critical.
Data governance should also seek to balance the protection and rights of individuals, groups and communities with the societal value of data use for health. This balance requires rigorous evaluation and risk assessment of data practices to identify and mitigate potential harm, which should be built into every stage of the data lifecycle. Similarly, it requires meaningful participation of civil society, communities and individuals – it means building trust with the patients and populations that the NHS serves.
The more data literate an organisation, the better it will use data-led insights to improve its operations and provide customers with the services and experiences they expect.[v]
Emerging challenges
While neither data protection nor patient confidentiality is new (in fact, confidentiality existed long before data protection laws came along), the pace of technological advancements like Software as a Medical Device and generative AI pose increasing challenges to IG compliance. Added to this, the surge in initiatives that blur the distinction between direct care and secondary uses (such as population health management) are exacerbating the tensions between maximising the utility of patients’ data to realise the benefits of these great new capabilities while respecting their right to confidentiality.
Conclusion
As we reflect on these important themes and emerging challenges, we must also learn from past mistakes in healthcare data management – where the lack of trust has repeatedly challenged and, in some cases, destroyed well-intended data programmes in the NHS. Change can only happen where there is public trust and confidence and to be successful in harnessing the value of patient data it’s crucial that all stakeholders in the health ecosystem take the privacy and confidentiality of patients as seriously as any provider or commissioner of healthcare services.
_______________________________________________________________________________
[i] NHS England » Information governance and data protection
[ii] NHS England faces legal action over redacted NHS data contract with Palantir | The BMJ
[iii] Data-driven research and healthcare: public trust, data governance and the NHS | BMC Medical Ethics | Full Text (biomedcentral.com)
[iv] Caldicott Guardian role — UKCGC
[v] Data governance builds trust, drives positive healthcare outcomes | Blog | OneTrust
Comments
You can follow this conversation by subscribing to the comment feed for this post.
Verify your Comment
Previewing your Comment
This is only a preview. Your comment has not yet been posted.
As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.
Having trouble reading this image? View an alternate.
Posted by: |