Unfortunately, however, the Caldicott committee chose to ignore the potential of properly de-identified data and preferred to entrench existing unethical practices. This leads progressively into deeper trouble.
For example, in the implementation document [14], there is a `test of reasonableness' to the effect that staff should not have access to data which they could identify `by any means likely to be available to them'; this surely means that data `de-identified' by postcode plus date of birth should not be available to staff not involved in a patient's care, and data which also carries the NHS number should be even more out of bounds.
Although an attempt has been made to define access levels for NHS staff and contractors, the upshot is that access to patient identities will only be restricted for a small number of purposes, such as health improvement programmes and postpayment validation of GP claims. However, the staff who perform these functions will in most cases perform related functions (epidemiological studies and prepayment claim validation) which require access to at least the linkage between NHS number and the date of birth/postcode combination, or even to the full name and address. It is not clear that there will be many staff in the NHS who do not have some access to the linkage between NHS number and identity. Full access to the mapping between NHS number and name is being made available to GPs, HAs, NHS Trusts, and staff involved in contract data validation and screening. That includes most of the people who work for the NHS.
An interesting parallel here is the availability of criminal records. In most countries, criminal records are easily available to private investigators and others who should not in theory have access, because large numbers of police officers require constant access and some of them pass on information for money or as a favour for a former colleague who now works as a private eye. It has proved extremely difficult to devise effective controls, and to prosecute policemen suspected of compromising security. For example, if record access is limited to the custody sergeant, then beat officers will constantly call him for reports on arrested suspects, and an accurate log of these reports cannot practicably be kept. Similarly, as the NHS number becomes a requirement for almost every transaction in the service, access to the name/number linkage will become so widespread that control will become impossible.
In short, the Caldicott committee's view that the NHS number would help solve the problem is so wide of the mark that it fatally undermines the report's credibility. Indeed, the addition of the NHS number to records previously identified by postcode and date of birth will have the effect of destroying the privacy of the remaining 2% of the population who share a birth date with another person living at the same postcode. Caldicott's failure to access appropriate computer security expertise was a major blunder and is evident in the unconvincing appendix on computer security technology ([8], appendix 6). Caldicott also fails to tackle the problems that arise when one patient's records contain identifiers for another patient (e.g. family therapy and child protection cases, and family histories for genetic counselling) and the issue -- central to data protection -- of how one ensures that data are not kept for longer than necessary. Had the existing literature on clinical system security been read (e.g. [1]), these mistakes should not have been made.
Caldicott recommended, and the implementation document now seeks, to have each hospital, general practice or other provider organisation appoint a senior clinical professional as a Guardian, who will be responsible for approving requests to release personal health information for purposes outside direct patient care.
Firstly, the recommendations are extremely vague about the appointment proceedures. On first reading, the post would appear to be in the gift of the Chief Executive -- a situation open to abuse or the suspicion of it.
Secondly, the implementation document admits that finding Guardians for the primary care sector will be difficult, and does not try to tackle the problem. It appears to ignore the fact that general practices are about to become part of Primary Care Groups -- bodies which will include almost everyone providing ``health care'' -- including Social Services. A critical problem here will be whether GPs will be allowed to act as their own Guardians and enforce patients' rights of informed consent (as medical ethics require), or whether someone will be appointed by authority.
However, as the committee acknowledged, the fundamental tension comes from the fact that healthcare professionals are bound to keep confidences, while the system design is in the hands of the NHS Executive ([8] 4.4). The appointment of Guardians does not solve this problem; it does leave the Guardians in an extremely difficult position -- and especially so as the implementation document acknowledges ([14], Annex E, section 3.5) that individuals do indeed have the right to restrict the sharing of their personal health information. The resulting conflict between the patient's right to privacy and the Guardian's employer's contractual duty to share data unethically with the centre is particularly extreme in hospitals, which do not get paid unless personal health information is sent to Clearing (which in turn sends it to HES). This conflict should be tackled by building systems that de-identify data properly, as the private sector has done, rather than fudged as in the Caldicott report.
Finally, the consultation on the implementation document is inadequate. It has an issue date of 15th May 1998, and consultation ends on 30th June 1998. No copy was sent to the writer, and the criteria for selecting or excluding people from the consultation list remain obscure. There is also no indication how the views expressed will be taken into account. This lack of openness in the consultation process will further undermine confidence.