What is Caldicott?

In 1997 the Chief Medical Officer commissioned a review to investigate the ways in which patient information was used in the NHS.  The findings were published in The Caldicott Report and made a number of recommendations aimed at improving the way the NHS handles information. 

Originally 6 Caldicott Principles were identified which provide a framework of good practice which should be adopted by all staff who have access to patient information.  The paper has now been reviewed and a seventh principle has been added.  

In line with the recommendations the Trust has appointed Dr Timothy Jobson, Deputy Medical Director and Consultant, as Caldicott Guardian with executive responsibility for ensuring that patient confidentiality is maintained at all times.

The Caldicott principles (Caldicott 2)

There was widespread support for the original Caldicott principles, which are as relevant and appropriate for the health and social care system today as they were for the NHS in 1997. However, evidence received during the review has persuaded the Panel of the need for some updating, and inclusion of an additional principle.

Patients and clients give staff in health and social care personal and confidential information about themselves all the time and they trust that we will protect the information they give.  As we move to a more electronic age, where information can be shared more easily, and across many more types of organisations, the Government accepted the Future Forum’s recommendation for a review of the balance between protecting patient information and its sharing, to improve patient care.  The term used to describe how we manage this is ‘Information Governance’.

Dame Fiona Caldicott has been leading this review with an independent panel of experts, on behalf of the secretary of state.  The panel was asked to make recommendations on the balance between sharing personal information and protecting individuals’ confidentiality taking into account; how to ensure that we improve the sharing of personal information to support the care of individuals; enable the further use of information more widely to improve health and social care services; protect individuals’ confidentiality and respect their wishes in relation to how their information is used.

Caldicott 2 Report

Professional standards and good practice

The revised list of Caldicott principles therefore reads as follows:

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

2. Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data — both clinical and non-clinical staff — are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements. 

7. The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies