The duty of confidence and transparency should be central to data-driven innovation as efforts in that area accelerate across the public sector, according to national data guardian (NDG) Nicola Byrne.
Reflecting on the current excitement around data and technology advances, Byrne raised concerns over the risk of losing sight of key principles that ensure advancements are balanced against risks and harms to the individuals whose data is being used to propel those advancements.
“As the momentum for data-driven technology rapidly builds, and as the opportunities for linking data evolve across government and society, it is vital that those seeking to harness the power of data proceed with both optimism and caution – never losing sight of why the duty of confidence is so important within health and care,” said Byrne in a blog post.
Professionals and the public both want to be “informed, involved, and to understand what choices people have”, said Byrne, adding that failing to meet these conditions leads to issues such as the delay and reset of the General Practice Data for Planning and Research programme.
She stressed the importance of ensuring transparency and the duty of confidence, citing one of the newest Caldicott principles of information governance for patient-identifiable data introduced in December 2020 by the first NDG, Fiona Caldicott, who died in February 2021.
The eighth Caldicott principle, which states that steps should be taken to ensure patients are informed about how their confidential information is used, is “well timed”, said Byrne, and reinforces the guidance she has been giving the government and other organisations in relation to plans for data use.
Talking more specifically about her response to the government’s draft data strategy for health and care, Byrne emphasised the need for openness with people about who might be able to access data about them and why, and to use clear and unambiguous language in doing so.
One of the key priorities of the strategy is optimising data requests and data sharing. Within that goal, the idea is to collect the most important information from patients and enable it to be “shared widely and used many times”.
On the other hand, there have been concerns about how sensitive data is used in the healthcare system. The NHS has worked with suppliers Microsoft, Palantir and Google since the emergence of the pandemic to build the Covid-19 datastore, which is managing data requests. But the work caused controversy, particularly among privacy campaigners.
Given the recent advancements and future plans around how patient data is used, Byrne noted the need to acknowledge risks as well as selling the benefits of using confidential information.
“People know that, generally, there are risks associated with data use, so these need to be addressed for any specific use and context, alongside saying what is being done to mitigate them,” said Byrne.
She also commented on the need to follow these principles in other areas related to health and care. She has provided advice to the government on the police, crime, sentencing and courts bill, about which she said she has “significant concerns”.
The bill imposes a duty on clinical commissioning groups to disclose information to police and other authorities – and they can do so without breaching any obligation of confidence.
“While tackling serious violence is important, it is essential that the risks and harms that this new duty pose to patient confidentiality, and thereby public trust, are engaged with and addressed,” said Byrne.
The national data guardian added that people need to trust their private data with health and care professionals or the police, without worrying about how it will be used. Conversely, professionals need to trust that the ways in which data is used will not impact care or their ethical duties toward the public.
Failure to comply with those principles or using data in unexpected ways could “greatly undermine” trust from the public and professionals alike, said Byrne.
Negative consequences could include patients failing to seek treatment, or providing partial or false information. This, in turn, would result in incomplete and inadequate care records, which is detrimental to system-wide innovation, planning and research and also impacts the quality and safety of care of individuals, she said.
Byrne concluded: “Decisions about data use require not only expert data protection knowledge regarding what is lawful, but practical and professional wisdom and experience to consider what would be ethical and right, balancing potential benefits against the avoidance of future harms.”
