
Why isn't data being shared?

"GDPR Says No" Syndrome

Too often the default setting of Data Protection Officers is “GDPR Says No”.


A breach of GDPR/DPA carries the risk of a large fine. A failure to meet the Caldicott Principles doesn’t. (GDPR is enforceable; Caldicott isn’t.) This appears to be a major contributor to the caution expressed by many DPOs and data processors.


However, in practice, in the last two years (the period for which information is available) the ICO has not sanctioned a single NHS body, local authority or care provider for inappropriately sharing data with other professionals.


This is often reinforced by generic GDPR training provided across an organisation, which carries a subliminal or overt message that "GDPR says No", with little or no emphasis on situations where data should or must be shared.


Examples from Prevention of Future Deaths reports:


Potential solutions:

  • Clearer leadership, support and training for DPOs and other staff about the positive provisions for data sharing included in GDPR.

  • The joint statement from the National Data Guardian, Information Commissioner and Chief Medical Officer (September 2023) is an example of this, but it's less clear how effectively this has been communicated throughout the health and care professions.

Common Law Duty of Confidentiality

In the health sector in particular, "GDPR Says No" Syndrome is coupled with a deep-seated reliance on the common law duty of confidentiality.


Whilst this has been the governing principle for many years, it doesn't take account of the positive provisions for data sharing in GDPR and elsewhere.


This is reflected in much of the health sector's professional guidance. For example, the General Medical Council's guidance makes no overt reference to GDPR Art. 9 (2)(h) and implies that consent (express or implied) is the main lawful basis for professional information sharing. 


This contrasts with ICO guidance, which states that consent should not be relied upon if another lawful basis for processing can be used, as consent can be withdrawn (see “Consent or public task?”).


Prevention of Future Deaths (PFD) reports show evidence of specialisms within a hospital setting failing to share information with each other, preventing proper care for co-morbidities. PFD reports also highlight a problem in prisons, where healthcare staff don’t always give prison staff essential info about prisoners’ health conditions and needs, citing medical confidentiality.


Statute law (including DPA and GDPR) overrides common law, but the provisions in statute law for professional information sharing do not include any mandatory requirement to share data (except in limited cases such as children’s safeguarding).


Examples from PFD reports:


Potential solutions:

  • Clearer leadership, support and training for DPOs and other staff about the balance between the duty of confidentiality and Caldicott Principle 7, along the lines of the joint statement from the National Data Guardian, Information Commissioner and Chief Medical Officer (September 2023).

  • Updated clinical/professional guidance, with clear reference to GDPR Art. 9 (2)(h) and Caldicott Principle 7. This should explicitly challenge the routine assumptions about reliance on consent (even implied consent) and on common law.

  • Ideally, a change in the law to require essential health and care information to be accessible to people with a legitimate clinical/professional need for it. (The Data (Use and Access) Bill, with its provision for mandated data standards, would provide a useful platform for this.)

  • See also Consent or Public Task?

Data and technical silos

There is a widespread lack of integration and/or interoperability between systems.


Data is held in unstructured formats.


Available Application Programming Interfaces (APIs) don’t provide for significant areas where data sharing would be of major benefit, e.g. hospital discharge or GP referrals to social care.


Examples from Prevention of Future Deaths reports:

Potential solutions:

  • Schedule 15 of the Data (Use and Access) Bill will provide for data standards to be mandated across IT systems in health and social care. Good news, but the Bill’s progress will need to be monitored carefully to ensure that this provision achieves what it’s capable of.

  • A collaborative focus on key pain points (e.g. hospital discharge, GP referral to social care, sharing of communication needs/reasonable adjustments), and the development of data standards and APIs to enable widespread adoption; coupled with positive and visible leadership to drive take-up.

Time pressure

Because of all the above, information sharing tends to happen by exception rather than by default, requiring actions to be taken to make it happen.  If staff are under pressure to complete routine tasks they may not have the time to take those actions.

Professional silos

GDPR Art. 9 (3) expects health and social care information to be shared only with people under a codified duty of “professional secrecy”.


This applies to health and care professionals; others (e.g. housing officers, firefighters, benefits advisors etc) could be expected to maintain professional secrecy, but this is not codified by any accreditation body. (Check with Regulator of Social Housing)


Health and social care – intrinsic to any reasonable definition of well-being – are excluded from the scope of the DEA gateways. This risks the creation of two parallel universes for data sharing, one operating under GDPR Art. 9 (h) and the other under DEA s.35.


Key lines of enquiry:

  • Investigate the accreditation regimes in other professions (beyond health and social care) and their expectations of "professional secrecy".

  • Is there a competent authority which could provide a "professional secrecy" accreditation across multiple sectors, allowing professionals to qualify as recipients/processors of special category data?

Other obstacles

Other obstacles include:


  1. An alarmist approach in the media towards any form of data sharing.

  2. The NDG has recently published a survey on Barriers to Information Sharing (dated 2020). The research was carried out pre-pandemic, but many of the findings still hold true. Among other factors it refers to “A reluctance to share potentially inaccurate information.”  

  3. Several stakeholders have highlighted the problem of needing to reinvent the wheel in terms of identifying the legal and technological mechanisms to share data. This might be (e.g.) agreeing data sharing agreements, implementing data structures or setting up APIs.


Examples from Prevention of Future Deaths reports


Possible approaches:

National templates for data sharing agreements, data protection impact assessments etc, signed off as GDPR compliant, could save considerable time and stress.

Other research

Several research reports have been published about the reasons people don't share their needs with providers of essential services (e.g. banks and utility companies).  They all emphasise the serious consequences in terms of people not receiving the help, support and/or reasonable adjustments they need as a result.


Examples include:


Closing the Gap (Citizens Advice, 2023)

Too much information? Key considerations for vulnerability data sharing (Money and Mental Health Policy Institute, 2023)

Barriers to disclosure (Phoenix Group, 2024)


Original content © Ben Bennetts 2025. All rights reserved. Reference material remains the copyright of its original authors.
