The 2013 Caldicott Review looked closely at data sharing within the NHS. It confirmed the benefits of sharing data in situations where it was lawful and appropriate, but found there was often anxiety amongst professionals and others working with patient information around what was and what was not permitted. This meant patient information was often not shared, even when sharing would have been lawful and in the best interest of the patient.
The Health and Social Care (Safety and Quality) Act 2015 was the government response to the 2013 Review. It introduced a statutory ‘duty to share’ in an attempt to reduce anxiety about data sharing. Unfortunately, this new statutory ‘duty to share’ didn’t really change anything as it (quite correctly) included a number of major caveats:
“…[a] person need not comply…if…[they] reasonably consider that one or more of the following apply—
“This section does not permit…anything which…would be inconsistent with—
This of course somewhat missed the point. The real difficulty wasn’t a lack of will or desire amongst professionals to share data within the NHS. It was a lack of understanding about what was and what was not permitted in law. The new ‘duty to share’ re-affirmed the need but did little to address the root cause – the lack of clarity around what was and what was not permissible. For the average professional ‘on the ground’ therefore, data sharing remained a murky area in which it was often unclear what the rules of engagement were.
What the ‘duty to share’ did achieve was a greater focus on data sharing by middle and senior managers within the NHS and a renewed desire to improve data sharing between organisations across health and social care. Much of this was expressed through a focus on ‘integrated care’ in which different services and specialities, often provided by different organisations or providers, worked closely together, underpinned by effective data sharing.
Unfortunately, the renewed focus on data sharing had a tendency to manifest itself in a rather unhelpful way. Rather than seeking to understand how data could and should be shared and then design ‘integrated services’ and ‘new models of care’ around these to meet the needs of the system, professionals and patients alike, the focus was often solely on the sharing of data for data-sharing’s sake. The fallacy played out was often that, as long as data was being shared, improved service delivery and patient care would follow. Sadly, privacy law focusses on a need to identify the ‘purposes’ for which data are to be shared in order for this to be lawful. Unless a specific purpose or aim has been identified therefore, data sharing is extremely difficult to justify. Data sharing should never be an aim in and of itself. Data sharing must always be seen as an enabler which should underpin clearly defined practical objectives.
The Five Stages of Data Sharing Grief
Many of you may be familiar with the Kübler-Ross model of grief. In 1969 Elizabeth Kübler-Ross, a Swiss-American psychiatrist, wrote in her book “On Death and Dying” that grief could be divided into five stages. Although her observations were derived following years of working with terminally ill individuals, in my experience the same stages can often be observed when trying to establish data sharing.
The five stages of grief are:
When supporting projects which have not identified a clear purpose or objective beyond a perceived need to share data, I often find myself having to support project sponsors, programme boards or project managers to try and more accurately define the purpose of the data sharing being planned. Without an identified purpose, it is not possible to justify data sharing. In situations where data sharing models or frameworks have already been considered or decided upon, I will often identify fundamental issues which may require significant revision if they are to be adopted.
When going through this process, I have observed what we shall call the ‘5 stages of data sharing grief’.
The first stage of data sharing grief tends to be denial. It may be a denial that data sharing will be occurring at all, or that the data sharing envisaged will be any different to what is already occurring. There may be a denial that the arrangements being planned are sufficiently complex to warrant the expertise of a privacy professional from the outset, or possibly even that such input is not required at all. It can also be a denial that any change to current plans is necessary, perhaps pointing to other examples of where something similar has been already achieved elsewhere as evidence that what is being proposed must be permissible.
Sadly, this is often the result of decisions having been made without a full and detailed understanding of the law, or the environment to which the plans are being applied. Many data sharing initiatives draw inspiration from examples which have been developed or implemented elsewhere in the country, yet the importance of the infrastructure, commissioning arrangements, existing technology and regional information sharing frameworks which underpin these are often underplayed.
When attempting to replicate arrangements from one implementation to another, there will inevitably be a significant number of variables at play. Any variation can have a knock-on effect which needs to be fully understood and accounted for. Unless all of the potential variables are identical, it is unlikely that what has been achieved elsewhere will be directly applicable in another area without some form of localisation. A failure to fully appreciate this has the potential to prevent lawful data sharing from taking place at all, or to introduce unnecessary risk to patients, professionals or stakeholder organisations.
It is essential that privacy professionals are engaged at the inception of any new initiative. Adopting a ‘data protection by design and by default’ approach and seeking advice and guidance at the earliest possible stage (ideally before any decisions have been made with regards to suppliers, products, contractual arrangements, etc.) can prove to be invaluable,supporting strategic and operational objectives whilst also resulting in significant time and cost-savings by ensuring workable models are implemented from the outset.
Anger will normally follow should it transpire that the plans for data sharing may not be possible, or that the intended approach may result in previously unforeseen risks or issues. It is common at this stage for Information Governance to be seen as a ‘blocker’ to the project’s progress and sadly, blame may even be directed towards the subject matter expert that is attempting to provide much-needed support.
Legal requirements need to be fully considered and understood at the design and planning stage of a new initiative. It is unsurprising that where planning has taken place without this, the results may not be legally compliant and retrofitting the necessary arrangements at a later date can be time-consuming or costly. Seeking the advice and input of a suitable privacy professional at the planning stages of a project can help to avoid this and ensure that expenditure is not wasted pursuing the wrong model. The type of advice that may be given might include the suitability of data sharing partners or suppliers and the need to select those that are able to demonstrate the necessary security controls to appropriately safeguard data. It may be around the best way to achieve the data sharing needed based on other successful examples (crucially, those which can be effectively replicated in the local environment). It could even be the identification of dependencies which may need to be addressed before plans can be effectively implemented, so that these can be addressed at the required stage.
As project go-live moves ever-closer, bargaining will inevitably commence:
“Is that really necessary?”
“Surely there is an easier way?”
“Can’t we just do this instead?”
“Perhaps we can look at that later after go-live?”
I always advocate a risk-based approach when it comes to data protection compliance. I recommend that every project agrees upon a ‘risk appetite’ which sets the level of risk that allstakeholders are prepared to accept before action is considered necessary to reduce the risk. It provides a balance between the potential benefits which may be realised through innovation and the threats that change inevitably presents. By preventing unwarranted effort being expended on matters which objectively present a tolerable risk, the focus can remain on the ‘big ticket items’ which cannot be ignored and need to be addressed. With GDPR giving the regulator (the ICO) the power to issue fines of up to €20m (£18m), or 4% of annual global turnover, whichever is greater, data protection compliance is arguably an area which presents a significant financial and reputational risk which many organisations will be unwilling to tolerate. Bargaining therefore should take place with the project stakeholders to understand whether the risks posed are below the risk appetite which has been set as this will determine whether or not remedial action is required to address risks to data protection compliance.
In a worst-case scenario, it may be considered necessary for chosen suppliers, technical solutions or even whole service designs to be reconsidered so that the identified risks can be brought within the risk appetite of the stakeholders. This can potential introduce delays andadditional expense to the project. Fortunately, significant disruption can often be avoided, however even when only minor changes are required, this can be a depressing realisation. “Surely it can’t be this difficult?” “How have other people managed to achieve this?” Was it this challenging for them?”
At this stage, it can seem as if data sharing is an impossible dream. The seemingly complex and numerous legal and regulatory requirements may appear to be stifling progress and innovation.
Finally, there will either be an acceptance of the need to make the necessary revisions to ensure high-quality, sustainable services can be delivered, or there will simply be an acceptance of the risks introduced. Under a risk-based approach, it may be acceptable to continue with sub-optimal arrangements where the risks are considered to be tolerable (either objectively, or when balanced against competing risks). Projects and services built upon a foundation and framework of good information governance however will normally be more effective and sustainable in the long-run.
Combatting Data Sharing Grief
Seeking expert advice from a privacy professional at the inception of a new initiative is an essential step in ensuring plans take full account of legal and regulatory constraints. The selection of suppliers, technical solutions, contracting models, operating models or any other key decisions should only be made once the requirements of privacy and confidentiality law have been fully understood to avoid unnecessary complications. By considering data protection and privacy issues upfront in everything you do, you can ensure that you comply with the GDPR’s fundamental principles and requirements, in particular the focus on accountability. This approach is referred to as ‘data protection by design and by default’. This concept is not new and has always formed a foundational principle of data protection law. Under the GDPR however, this is now a legal requirement.
8foldGovernance can assist organisations with their ‘data protection by design and by default’ approach. Our team of privacy professionals can provide invaluable advice and guidance around the legal and regulatory constraints which may have an impact and provide practical support in navigating the potentially complex areas information governance to support success.