The Caldicott Review recommends how personal data should be used for research

Posted on April 26, 2013 by


The Caldicott Review on information governance in health and social care has published its report today, making recommendations on how people’s personal information should be handled by the NHS and social care services, including for the purposes of research. It’s really important that researchers can access people’s health records to answer health questions, but people’s personal confidentiality must be protected; this review aimed to find a balance that works for everyone.

The report recommends the use of “safe havens” where data that could potentially identify patients should be handled, and that more should be done to make patients aware of how and why their data might be used for research.


As part of the new Information Strategy for the NHS, the government asked Dame Fiona Caldicott to review how we balance protecting personal health information with its sharing, including allowing researchers to access it to improve patient care. Dame Fiona recruited a panel to help her conduct this review, including Sir Mark Walport, former Director of the Wellcome Trust and Government Chief Scientist, and Jeremy Taylor, CEO of National Voices.

This previous blog gives more detail on why the review was set up and this lovely booklet gives lots of examples of why patient data is valuable to researchers.

What’s in the report?

You can read the full report here. Chapter 6 focuses on research and makes two central recommendations:

  • How to deal with data that has been stripped of personal identifiers but could potentially identify someone if linked to other key bits of information (data geeks know this as pseudonymised or key-coded). The review recommends that this type of data should be processed in well-governed, independently scrutinised and accredited environments called “accredited safe havens” and discusses the practicalities of how these would function.
  • Consent for consent – where consent must be sought for a researcher to contact someone to ask for their consent to take part in research, creating a catch-22 situation. The Review Panel concludes that, wherever possible, privacy enhancing technologies should be used to minimise the need for access to identifiable information. For example, these would contact a GP if their patient was identified as being suitable to take part in a trial and ask the GP to approach the patient, meaning the researcher need not know the patient’s details. GPs already have their patients’ consent to look at their health record. The CPRD takes this approach.

Chapter 5 (Information governance and the law) also makes a recommendation urging all organisations in the health and social care system to explain to patients and the public how the personal information they collect could be used in de-identified form for research and other purposes. The government has already made changes to the NHS Constitution to make this clearer for clinicians and the public – we are concerned that this is not enough by itself and our proposed new statement on patient data calls for the NHS to do more to talk to patients and the public about how they handle personal data.

The government has responded to the report

The Health Secretary, Jeremy Hunt, responded to the report today, saying that while effective sharing of patient information has enormous potential to improve patient care, services and treatments, this can only be done effectively if patients are given a say over how their personal information is used. He promised a full government response in the summer. In the meantime, he announced that:

  • Any patient that does not want personal data held in their GP record to be shared with the Health and Social Care Information Centre will have their objection respected
  • Where personal data has already been shared from a GP practice to the Information Centre, a patient will still be able to have the identifiable information removed

What next?

We are currently consulting on our new statement on the use of patient data for research; you can read our draft and have your say here.

The BMA, NHS England and the Royal College of GPs will be raising public awareness of how and why their data is used and how they can lodge an objection. GPs will also be contacted so that they understand the role they need to play.

Dame Fiona will now chair an independent panel to oversee and scrutinise implementation of the review’s recommendations and to provide advice on information governance issues.
