In a new report issued on Wednesday, the Department of Health confirmed (84-page / 1.02MB PDF) its plans to accept recommendations made last year following two separate reviews it had commissioned.
National data guardian in England, Dame Fiona Caldicott, carried out a review of data security, consent and opt outs in the health and care sectors, while the Care Quality Commission (CQC) looked at how data is safely and securely managed in the NHS. The reports were published in July 2016.
In her report, Dame Fiona recommended 10 new data security standards should be applied in the health and social care system in England. The Department of Health has now said it endorsed those standards.
The 10 standards encourage secure handling of personal data, the operation of secure and up-to-date technology, controls and audit trails on access to "personal confidential data", prompt response to data breaches or "near misses" and that IT suppliers are held accountable for protecting personal data they are tasked with processing, among other things.
The Department of Health said a recent cyber attack that impacted the NHS, the so-called 'WannaCry' attack, "reaffirmed the potential for cyber incidents to impact directly on frontline care". It said it would work towards helping health and care bodies to migrate away from using unsupported IT systems and said the organisations will each need to "have a named executive Board member responsible for data and cyber security". It further confirmed that they will be obliged to report "significant cyber-attacks ...as soon as possible following detection".
Dame Fiona's report also contained a recommendation for the implementation of a new consent and opt-out model for data sharing in the NHS in England. According to her proposals, NHS bodies should generally be free to share patients' medical data for the purposes of delivering care directly to those people, but that patients should be given control over any other proposed uses of their health records.
The new opt out and consent model could consist of either asking patients a single question about whether they will allow their data to be used for purposes beyond direct care or a "two-part" mechanism that would allow patients to be more specific about the way their data can be used, Dame Fiona said. Digital health expert Matthew Godfrey-Faussett of Pinsent Masons, the law firm behind Out-Law.com, set out his view on the proposals last summer.
In its new response, the Department of Health said a new "national opt-out" will be implemented from March 2018 through a transitional period which will apply until 2020 when the new system will become fully effective.
"The new opt-out will clarify how people can opt out, recognising that information will flow where there is a mandatory legal requirement, an overriding public interest or other exceptional cases," the department said. "Individuals will be able to make their choice known online as well as in person. People will be able to express their own preference on sharing their data and be able to change their preference. Where someone has opted out, this will be respected by all health and care organisations."
"During 2017, we are working collaboratively with stakeholders and the public to test how the opt-out can be presented in a meaningful way," it said.
The department endorsed Dame Fiona's recommendation that patients should not be able to opt out from the use of their information in anonymised form.
It further confirmed new guidelines are in the process of being developed "which will set out clear expectations" for organisations in the health and social care sector on how they can anonymise patient data in a way that conforms to a code of practice on anonymisation already developed by the UK's Information Commissioner's Office (ICO). The guidance is expected to be consulted on next year.
To deter attempts to re-identify patients whose data have been the subject of anonymisation measures, the government confirmed it would "provide a revised framework for protecting personal data and impose more severe penalties for data breaches and to deter reckless or deliberate misuse of information".
The new laws will have effect from May 2018, which fits with the timing of the application of the EU's new General Data Protection Regulation (GDPR) and new UK data protection laws designed to fit with the GDPR which have already been consulted on by the government.