Will the Care Record be secure?
MI5 has already asked for access. So has the Metropolitan Police. Insurance companies would die to see what's in it. Government departments want to get in too.
The planned National Care Record, which will contain the entire nation's health records, will be one of the most valuable databases of information around.
And wherever something valuable is housed, there will always be those who will try to break in, whether through fair means or foul.
Many of those who want to gain access to the Care Record may have entirely valid requests for looking at patient data. Scientific research and clinical audit, for instance.
Others will have more questionable motives. The Department for Education and Skills, for instance, would like more data on those who are off on long-term sick leave.
And at the extreme end, there could well be illegal attempts by NHS workers and others to access confidential medical information.
A workforce of more than a million is bound to include a few jealous spouses who want to peek inside their ex's notes, or a potential blackmailer looking for intimate medical details about a colleague.
These dangers have sparked a row between doctors and Connecting for Health over whether patients' summary records should be automatically uploaded to the national system, unless they opt out, or whether each person should give their individual consent.
Connecting for Health is insisting on the former option, but doctors want the latter.
It is into this arena that Harry Cayton, director of patient and public involvement at the Department of Health – or patient choice tsar as he's known – has stepped.
He has just completed a review, commissioned by Connecting for Health, of information governance – the rules, policies and practice around the handling of confidential patient data.
His conclusion is that attitudes towards confidentiality among NHS staff need to improve dramatically.
Cayton says rules and practice around information sharing and protection have been well intentioned.
But the system overall is not up to scratch for an electronic environment and one where commercial companies are playing an ever-increasing role in health provision.
In GP practices, for example, there have already been examples of people writing their password on the smart-cards they used to gain access to systems, or letting others use their card while they leave the room.
Cayton says Caldicott Guardians, on whose shoulders responsibility for protecting confidentiality rests, have felt isolated and are not entirely sure what is expected of them.
'Overall levels of confidentiality in the NHS are very good and there are lots of people trying to do a good job, but they are not linked to each other and there is no systematic training or support,' he says.
'My overall aim was to bring clarity into the system so people know what it is they need to do and where to go for help.'
He is recommending introducing a common job specification for the role, professional training and a defined number of hours per week for guardians.
Their title will also change to Information Guardians.
GPs as Information Guardians will have an increasingly important role to play, Cayton says. First, they ensure that they, their colleagues and their staff abide by rules.
Then as practice-based commissioners forge closer links with social care, they have a responsibility to spread NHS best practice outside the service.
'It's important we promote the same standards the NHS has,' Cayton says. 'It's right to co-operate with them. The public have a high level of trust in confidentiality in the NHS but slightly less in social care.'
Health care organisations – including practice-based commissioning consortia but not individual practices – will have to produce annual reports of their information governance under Cayton's plans.
Private providers must be subject to the same stringent rules as the rest of the NHS, he adds.
'The private sector has been very positive,' he says. 'They said "we want to be part of this". But they must demonstrate they are following good practice and it should be written into contracts.'
As for the efforts of security services and others to access data held on care records, Cayton has held firm.
'We are absolutely clear. There's no question of the sharing of NHS records outside the NHS. We won't even share them with the Department for Education and Skills for child protection.'
For those that do breach confidentiality, Mr Cayton is backing the Information Commissioner's calls for Draconian penalties of up to two years' imprisonment and unlimited fines.
Overall, he maintains that a system where records are held electronically, and can be shared across the NHS, will reduce the risks of confidentiality breaches, not increase them.
Paper records, he says, can get lost.
Recently he was sat waiting in his own GP surgery beside a pile of patient notes he could easily rifle through. He, naturally, resisted. But others might not.
However, Cayton agrees that the added element of remote access to the whole nation's records that the Care Record brings increases the temptations.
But it is up to GPs and other NHS staff, he says, to ensure they minimise the risks.
'If we can get implementation of the system right, the new systems will be more secure rather than less so.
'But it will only be so with human beings following good professional standards and good practice.'
Harry Cayton's recommendations
• Caldicott Guardians to become 'Information Guardians', with specified job descriptions and competencies
• Chief Medical Officer should become Caldicott Guardian for the Department of Health to ensure independence from policy
• A national, independently-appointed Information Governance Board to advise department and ministers and to arbitrate on interpretation of policy
• All organisations – including private firms – supplying services to the NHS to have information governance responsibilities enforced through contract or service agreement
• Health bodies to submit annual reports to their directors and the national board
'The GP's role is central'
Dr Laurie Slater says the extent to which GPs and practice staff follow clear rules will be by far the most important factor in determining that the National Care Record is secure.
Dr Slater, a GP in west London, information governance lead for his PCT and adviser to Connecting for Health, says that however sound security measures are in theory, they are only as strong as the people who have to follow them.
GPs must understand their responsibilities and they and their staff should realise they could face the sack if they breach the rules, Dr Slater says.
Every time someone accesses clinical data on the care record, it will leave an audit trail, and even accessing simple demographic data will be monitored and followed up if inappropriate.
'If staff share their cards or passwords they need to understand they are breaching patient confidentiality and will be subject to disciplinary action,' Dr Slater says.
'Staff should become familiar with the idea that such monitoring will be a routine part of their work and that on occasions they may be asked to explain why they have accessed a given record.'
By Ian Cameron