Security, Confidentiality and Legal Issues (SCLIM)

Background notes for session 5 - Security and confidentiality issues in healthcare

Security in the NHS

NHS Information Authority Security and Data Protection website at http://www.standards.nhsia.nhs.uk/sdp/index.htm

Cryptography Strategy (2001)

Strategy for cryptographic support services in the NHS at http://www.doh.gov.uk/nhsexipu/strategy/crypto/index.htm

Caldicott report (December 1997)

Department of Health: Patient Confidentiality and Caldicott Guardians http://www.doh.gov.uk/ipu/confiden/index.htm

The Caldicott report is available online at http://www.doh.gov.uk/confiden/crep.htm.

Executive Summary

i) In the light of the requirements in The Protection and Use of Patient Information and taking into account work undertaken by a joint Department of Health (DH) and British Medical Association (BMA) Working Group which has been considering NHS Information Management and Technology (IM&T) security and confidentiality, the Chief Medical Officer established the Caldicott Committee to review all patient-identifiable information which passes from National Health Service (NHS) organisations in England to other NHS or non-NHS bodies for purposes other than direct care, medical research, or where there is a statutory requirement for information.

ii) The purpose was to ensure that patient-identifiable information is only transferred for justified purposes and that only the minimum necessary information is transferred in each case. Where appropriate, the Committee was asked to advise whether action to minimise risks of breach of confidentiality would be desirable.

iii) The work of the Committee was carried out in an open and consultative manner. Written submissions were sought from many organisations to identify existing concerns, and members of the Committee have met with representatives of a number of key bodies. Working groups containing a wide range of health professionals and managers were established to consider related groups of information flows and to take soundings on emerging findings.

iv) Some 86 flows of patient-identifiable information were mapped relating to a wide range of planning, operational or monitoring purposes. Some of these flows were exemplars, representing locally diverse information flows with broadly similar characteristics and purposes.

v) The Committee was greatly encouraged to discover that, within the context of current policy, all of the flows identified were for justifiable purposes. However, a number of the flows currently use more patient-identifiable information than is required to satisfy their purposes. Also, many of the patient identifiers currently used (e.g. name and address) could be omitted if a reliable, but suitably controlled, coded identifier could be used to support identification.

vi) It was recognised that some flows of information were likely to be missed and that flows commence, evolve or are discontinued with such frequency that specific recommendations could soon date. Although specific recommendations have been included where appropriate, in general the recommendations reflect this evolving picture by developing a direction of travel, outlining good practice principles and calling for regular reviews of activity within a clear framework of responsibility.

Summary of Recommendations

Recommendation 1: Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly.

Recommendation 2: A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS.

Recommendation 3: A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.

Recommendation 4: Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information.

Recommendation 5: Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies.

Recommendation 6: The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated.

Recommendation 7: An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered.

Recommendation 8: The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers.

Recommendation 9: Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used.

Recommendation 10: Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored.

Recommendation 11: Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage.

Recommendation 12: Where practicable, the internal structure and administration of databases holding patient-identifiable information should reflect the principles developed in this report.

Recommendation 13: The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible.

Recommendation 14: The design of new systems for the transfer of prescription data should incorporate the principles developed in this report.

Recommendation 15: Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted.

Recommendation 16: Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

Comments

Ross Anderson (Cambridge University) has some remarks (http://www.cl.cam.ac.uk/~rja14/caldicott/caldicott.html) critical of its proposals. He felt it raised "a number of issues about the then policy, and particularly the wisdom of introducing the NHS number tracing service - the first accurate and up-to-date database of the whereabouts of every adult and child in Britain. This database will be open to large numbers of people in the health service, and the potential for abuse - for example, by private detectives, stalkers, organised criminals and foreign intelligence agencies - is frightening."

Implementation: "Caldicott Guardians"

See http://www.doh.gov.uk/confiden/index.htm and http://www.nhsia.nhs.uk/caldicott/pages/links.asp

BMA policy (January 1996)

Before Caldicott, the BMA looked at security and confidentiality of patient records.

"Security in Clinical Information Systems (http://www.cl.cam.ac.uk/users/rja14/policy11/policy11.html) was published by the British Medical Association on 12th January 1996. It sets out a number of rules that are designed to uphold the principle of patient consent and to be independent of the details of specific equipment. It is the medical profession's response to creeping infringement of patient privacy by NHS computer systems, and the foundation for much of the other work we have done." [Ross Anderson]

A set of interim guidelines (http://www.cl.cam.ac.uk/ftp/users/rja14/guidelines.txt) was prepared to advise the healthcare community on steps they should take.

Other Ross Anderson stuff

Other comments he has on the safety and privacy of medical information can be found at http://www.cl.cam.ac.uk/users/rja14/#Med.

In fact, if you want to know a lot about security and confidentiality, read everything that Ross Anderson has written! (http://www.cl.cam.ac.uk/users/rja14/)

US policy

"For the Record: Protecting Electronic Health Information", Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, Computer Science and Telecommunications Board, National Research Council, Washington D.C., 1997 (http://www.nap.edu/readingroom/books/ftr/)

Some questions

  1. Does the Caldicott Report address all the concerns of interested parties?
  2. Does it provide for a fair balance between security and access?
  3. What are the duties of a Caldicott Guardian?
  4. What are Ross Anderson's views on the matter?
  5. Is US policy stronger or weaker than UK policy?
  6. Is the Icelandic government right in what it is proposing, both from a technical and ethical point of view?