Proposed changes to data security and consent in the healthcare system

In September 2015, the Secretary of State for Health commissioned an intensive review of how personal data is used within the healthcare system. This called for recommendations to be made on improving data security and developing a new, clear opt-out and consent model for how a patient’s data can be used. In June the results of this review were announced and are outlined here.

As we move yet further into the digital age, healthcare providers are increasingly using online databases to store patient information. This could ultimately improve healthcare as it allows information to be shared between caregivers, used in research projects or analysed to identify services that need attention. However, this also increases the risk of a data breach of confidential data. In addition, patients are often not aware that their personal data may be used for purposes beyond their direct care, and that they have the ability to opt out of this.

Summary of Recommendations:

Improving data security:

  • Every organisation within the healthcare system should take responsibility for data protection, just as it does for clinical and financial accountability.
  • There should be new, tighter data security standards for health and social care information. The current Information Governance Toolkit should be updated to incorporate these standards and support healthcare providers to adhere to them.
  • The Care Quality Commission should inspect healthcare providers to assess whether these standards are being upheld and that efforts are being made to improve cyber-security.
  • All health and social care workers should receive annual training in data security.
  • Harsher sanctions should be in place for malicious or intentional data breaches.

A new opt-out and consent model:

  • There should be a new consent/opt-out system where patients can choose whether their personal confidential data can be used for purposes beyond their direct care. This will either be a single decision or divided into research or NHS operational purposes. The patient should be able to make the decision once and for this to apply across the whole healthcare system.
  • This opt-out model should not apply to anonymised data, where patients cannot be identified. For purposes other than direct patient care, anonymised data should be used wherever possible.
  • Relevant patient information should still be shared between those involved in their direct care.
  • Patients should still have the ability to give explicit consent to take part in research studies.

What does this mean for patients?

Stricter data protection measures should help improve patient’s trust in allowing healthcare providers to handle their personal information. A simpler opt-out model would also reassure patients that their data cannot be used for purposes without their consent.

Find out more about the review.

By Caroline Wood