Council Meeting

21 November 2024 

Present  

Dr George Fernie (Vice-Chair), Helen Dyer, Mr Adrian Marchbank, Alison Metcalfe, Allison Newell, Dr Matt Noble, David Riley 

Guests 

Mike Fell (Director of National Cyber Operations, NHS England), Manpreet Pujara (Clinical Director for Patient Safety and Freedom to Speak up Guardian, NHS England) 

Observers 

Raz Edwards, Marjorie Gillespie, Phil Koczan, Alastair Moore, Deborah Topping, Alex Wilson 

Secretariat 

Ryan Avison, Helen Bauckham 

Apologies 

Dr Arjun Dhillon (Chair), Dr Neil Bhatia, Martin Crook, Christopher Fincken, Rhidian Hurle, Dr Erum Nomani, Surgeon Commodore Jason Smith 

Declarations of interest 

Dr George Fernie (Vice-Chair) chaired the meeting in the absence of the UKCGC Chair.   

Declarations of interest can be found on the register of interests. No other new interests were declared. 

Notes of previous meeting and matters arising 

Council reviewed the notes of the 18 September 2024 Council meeting and accepted them as an accurate record. There were no matters arising. 

Action log 

The UKCGC vice-chair and Council members reviewed the action log. An update was provided by the vice-chair on the four open actions.  

Vice Chair’s report 

  1. Vice-chair meetings: the UKCGC vice-chair provided an overview of the meetings that have taken place over the last few months. Several of the meetings discussed were regarding requests for advice received through the UKCGC website, submitted by Caldicott Guardians. 

  2. Vice-chair attended NDG Panel: the UKCGC Vice-chair attended the National Data Guardian’s (NDG) Panel meeting on 12 November 2024 virtually. Topics included:

     a. Public Engagement in Data Research Initiative (PEDRI) project

     b. Developments in the use of OpenSAFELY and associated elements (access decisions / national data opt-out / stakeholder involvement etc)

  3. Announcement of newly appointed UKCGC Chair: Dr George Fernie (UKCGC vice-chair) announced that following a selection and interview process, he has been successfully appointed as the new UKCGC Chair, with his 3-year term commencing on 01 January 2025.

Requests for advice to Council 

Council discussed recent requests for advice. The vice-chair noted that requests were mostly routine questions where the secretariat signposted inquirers to the relevant guidance. The vice-chair thanked specific Council members who helped with some of the more complex requests for advice. 

Updates from the NHS Business Services Authority (NHSBSA) 

Allison Newell (Executive Director of Strategy, Performance, Business Development and Growth and an Executive Board member, NHSBSA) and Alison Metcalfe (Head of Professional and Clinical Services, NHSBSA) attended the UKCGC meeting to provide an overview of the NHS Business Services Authority (NHSBSA), its role, and the specific responsibilities of the Caldicott Guardian within the organisation.  

NHSBSA is an arm’s length body of the Department of Health and Social Care, delivering a wide range of national services to support primary care, the NHS workforce, and UK citizens. Their platforms, systems, and services facilitate the flow of approximately £100 billion in NHS funds annually, impacting millions of lives. 

Allison and Alison explained that from January 2024 to November 2024, the Caldicott Guardian function at NHSBSA received 67 requests for advice and support. These requests covered a variety of topics, including the consideration of NHSBSA proposals to link NHSBSA data with external datasets, issues relating to consent, subject access requests, and Confidentiality Advisory Group (CAG) section 251 applications. 

Council members commended Allison and Alison for the extensive work they undertake and the broad scope of their Caldicott Guardian-related responsibilities within NHSBSA’s wide-reaching services. 

Cyber Updates from NHS England 

Mike Fell (Director of National Cyber Operations, NHS England) and Manpreet Pujara (Clinical Director for Patient Safety and Freedom to Speak up Guardian) attended the UKCGC meeting to discuss cyber in the NHS. Mike highlighted the evolving threat of cyber risks, with specific reference to key events impacting the NHS since 2017, including the 2017 WannaCry ransomware attack, the 2020 COVID-19 cyber threats, the 2021 Irish Health Service Executive (HSE) ransomware attack, the Advanced attack in 2022, and the more recent 2024 Synnovis attack. 

Mike emphasised that cyber security is not just an IT issue but a critical patient safety concern. He provided an overview of the NHS’s system-level risk management strategies and operational responsibilities regarding cyber security, as well as existing cyber services. In addition, Mike shared insights and lessons learnt from real-life near-misses within the NHS, underscoring the importance of proactive cyber risk management. 

A key aspect of the discussion was the NHS’s cyber strategy for 2030, which envisions a system resilient to cyber-attacks across both health and social care sectors. Council members expressed interest in learning more about cyber lessons learned, and offered to help identify opportunities for Caldicott Guardians to support efforts to increase cyber resilience in NHS settings. 

ACTION: the UKCGC vice-chair invited Mike Fell to speak at the 2025 Caldicott Guardian conference to share further updates and insights on cyber security in the NHS. 

Other Business 

No other business. 

Next meeting 

The next meeting will be held virtually on 28 January 2025 from 13:00 to 16:30.