Reasonable expectations

The National Data Guardian's panel has been talking about people's expectations about how health and care data is used.

Lately on the National Data Guardian’s Panel, we have been talking in some detail about how people expect health and care information to be used.

The National Data Guardian (NDG) Dame Fiona Caldicott has often said it is important that there should be ‘no surprises’. It’s crucial to understand the boundary between what would and would not surprise people. This understanding should shape the way health and care professionals talk to people about how information is used. This is not just a matter of courtesy. It is also a question of law. It is important to remember that the boundary of what people reasonably expect is itself a restriction on the way information can lawfully be used.

I vividly remember a practical lesson I had as a GP about the care that needs to be taken to understand people’s expectations. It was about 20 years ago when we were just at the beginning of the computerisation of GP records. Known as a bit of a whizz kid in how these new-fangled computers worked, I was approached by a doctor at the local hospital who specialised in diabetes. He wanted to see if examining information about people in the area affected by the condition could help him spot patterns and work out how to provide better care. So I extracted information from our system about patients with diabetes and together we examined it with interest.

Excited about what we had been doing to harness technology to benefit patients, I enthusiastically told one of my diabetic patients about this good work. He was appalled. He worked at the local hospital and had chosen not to tell colleagues about his condition; he feared it would affect his prospects. The information I had shared could have identified him and he challenged me to justify why I had done this without his consent, which he would not have given.

I realised that while I needed to know this information as his GP providing him with care, my hospital colleague was not directly looking after him and I should not have shared the information in this way. I won my patient’s trust back by taking action to retrieve the data and to remove details which could identify him and others, so that it could then be used in an anonymised form to benefit diabetic patients.

And I learned some valuable lessons. That we must not make assumptions about what patients want and expect us to do with information about them. That the relationship of trust between a care professional and an individual is to be protected with care. That new uses of technology can often cause anxiety.

So the health and care system needs to work with patients and service users to make sure people are not receiving unpleasant surprises as my diabetic patient did those years ago. Does that mean that health and care professionals need to get consent forms signed and witnessed each time they share any piece of information about an individual which might identify them?

The answer is no. Every day doctors, nurses and care professionals rely on a legal concept called ‘implied consent’ to share information in order to make sure their patients and service users get the care they need.

When a GP refers a patient to a hospital surgeon for a knee operation, the referral will include medical details about the individual patient. She doesn’t need to spell this out to the patient; it is reasonable to believe her patient understands this and has agreed to it by agreeing to the referral. Likewise, a nurse caring for a patient in a hospital does not need to seek consent for updating the next nurse on duty about how the patient has been, what medication they have had etc when he finishes his shift. Indeed, it would seem unnecessary and frustrating to the patient if they had to keep giving consent for this kind of information sharing. Instead people expect information to be shared so that care can be as seamless as possible.

It seems to have become accepted wisdom, that the legal basis of implied consent can be used to share information about individuals as long as you are providing what is termed ‘direct care’. That is often the case, such as in the examples of the GP referral or the nurse going off shift, but it’s not quite as simple as that.

The Information Governance Review that Dame Fiona Caldicott led provided a working definition for when information that identifies individuals could be shared on the basis of implied consent in its 2013 report. It strongly emphasised the need for there to be a “legitimate relationship” between the person looking at the information and the individual. The thrust was that in this context information should be shared only with members of a care team involved in providing care directly to a person. We felt this was what patients would expect.

Since 2013 there have been developments which have led us to revisit this. We are now seeing the emergence of new ways of delivering care. These often rely on the sharing or pooling of data in ways that were not necessarily envisaged in the 2013 report. Also an erroneous belief has taken hold in some parts of the health and care system that if you believe that what you are doing is direct care, you can automatically share information on a basis of implied consent. This appears to have led to a drive to categorise activity as direct care, which might arguably be closer to development, research or planning.

Among the NDG panel, we have carefully considered whether the definition of direct care in the 2013 report needs to be broadened or adjusted to take account of these developments.

Firstly, we have concluded that where information is shared on the basis of implied consent to support direct care, it is important to maintain the emphasis on the legitimate relationship. Even if a health and care professional spends all their working hours providing direct care to many people, they only have a legitimate relationship with those individuals for whom they care directly. We do understand that this gets more challenging as the health and care service moves away from traditional and conventional ways of delivering care.

Secondly, we think it’s important to underline that the delivery of direct care is not of itself a catch-all to allow information to be shared under implied consent. The crucial thing is that information sharing must be in line with the reasonable expectations of the individual concerned.

So it comes back, as it does so often in the issues that the NDG and her panel look at, to honesty and transparency. Informing people about what is being done with their data (especially if it is something an individual may not obviously anticipate) is the right thing to do to build trust and to meet legal obligations.

Following our discussions, we’ve developed a further iteration of where we think confidential personal information can generally be shared on an implied consent basis for direct care. It is:

"To inform and improve decisions about an individual’s health and care by those who are delivering care to that individual or supporting such care and it is reasonable to believe that the people concerned understand the information sharing involved, have indicated by their actions that they are content, and have not raised any objections."

We would be interested to hear views on this. Please send yours to the NDG office mailbox at If you want more detail about our thoughts we have also been developing a paper on this that we would be happy to share with individuals or organisations who would like to see it.

I should mention that we’ve been pleased to hear about the work that the new Understanding Patient Data initiative being co-ordinated by Wellcome is doing to see whether terms such as ‘direct care’ make sense to the public or if there are clearer ways of expressing this and other important concepts related to data. We look forward to seeing their findings published.


National Data Guardian