Report from the national data guardian for health and care
Sophie Brannan, Ruth Campbell, Martin Davies, Veronica English, Rebecca Mussell, Julian C Sheather

Department of Medical Ethics, British Medical Association, London, UK

Correspondence to Martin Davies, Department of Medical Ethics, British Medical Association, BMA House, Tavistock Square, London WC1H 9JP, UK; mdavies{at}



In July, the National Data Guardian (NDG) for health and care in England, Dame Fiona Caldicott, published her Review of Data Security, Consent and Opt-Outs.1 The role of NDG was created in 2014 to advise and challenge the health and care system to help ensure that citizens' personal confidential information is safeguarded securely and used properly.

The review makes 20 recommendations to the Department of Health, including proposals for 10 new data security standards for the National Health Service (NHS) and social care, a method for testing compliance against the standards and a new ‘eight-point’ model for consent and opt-out for sharing personal confidential information for purposes beyond an individual's direct care.

Data security

The review heard that 41% of all breaches reported to the UK Information Commissioner's Office (ICO) were from the health sector.2 The review concluded that these breaches arise from failures of people, process and technology, and it bases its recommendations and standards around these three themes.

Dame Fiona proposes 10 data security standards that would apply in every health and care organisation which handles personal confidential information. These include measures which will protect systems against data breaches and ensure that organisations are as prepared as they can be to meet the challenges of the digital age and the growing threat from cyber-attacks.

Strong leadership was considered to be crucial to data security. The 10 data security standards are therefore clustered under three leadership obligations:

  • People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.i

  • Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.

  • Technology: ensure technology is secure and up to date.

Consent/opt-out of information sharing in health and social care

The review makes nine recommendations in relation to consent and opt-out. One of the recommendations puts forward a new ‘eight-point’ …



  • Competing interests None declared.

  • Provenance and peer review Not commissioned; internally peer reviewed.

  • i There are seven Caldicott Principles which apply to the handling of health data; see Department of Health (2013), Information: to share or not to share, p. 5.

  • ii The Information Commissioner's Office has a code of practice which sets out how data might be sufficiently anonymised that it may be used in controlled circumstances without breaching privacy.

  • iii NHS Digital (formerly the Health and Social Care Information Centre) is the focal point of health information collection and analysis in England.