{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Caldicott Principles and Patient Information Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} manages, records, stores, uses and shares confidential information about individuals safely, lawfully, fairly and transparently. This includes personal data, special category data, care records, health information, safeguarding information, information about representatives and family members, and any other confidential information obtained in the course of providing care and support.
{{org_field_name}} will apply the Caldicott Principles when handling confidential information and will balance the duty to protect confidentiality with the duty to share information where this is necessary, lawful and proportionate to support safe and effective care, safeguarding, treatment, continuity of care, regulatory compliance or another legitimate purpose.
This policy supports compliance with the Regulation and Inspection of Social Care (Wales) Act 2016, the Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended, the Social Services and Well-being (Wales) Act 2014, the Data Protection Act 2018, UK GDPR, the Mental Capacity Act 2005, Deprivation of Liberty Safeguards requirements where applicable, Wales Safeguarding Procedures, CIW regulatory expectations, and relevant information governance guidance.
This policy must be read alongside the organisation’s Confidentiality and Data Protection Policy, Safeguarding Policy, Records Management Policy, Information Security Policy, Complaints Policy, Duty of Candour Policy, CCTV/Surveillance Policy where applicable, and any local data-sharing or safeguarding procedures.
2. Scope
This policy applies to all staff, managers, volunteers, agency workers, contractors, visiting professionals and any other person who may create, receive, access, use, store, disclose or dispose of confidential information on behalf of {{org_field_name}}.
This policy applies to information in all formats, including paper records, electronic care records, emails, text messages, photographs, CCTV or surveillance recordings where used, telephone notes, handover notes, incident records, safeguarding records, medication records, care plans, assessments, financial records held on behalf of individuals, correspondence with families or representatives, and information shared with external professionals or agencies.
This policy applies to information relating to individuals who use the service, prospective residents, former residents, relatives, representatives, staff, volunteers, visitors, professionals and any other identifiable person whose information is handled by {{org_field_name}}.
All staff must follow this policy when recording, accessing, sharing or discussing confidential information. Confidential information must only be used where there is a lawful basis, a legitimate care or business need, and a clear reason connected with the person’s care, support, safety, well-being, rights, legal obligations, safeguarding, regulation, complaints, audit, quality assurance or service management.
3. The Caldicott Principles
{{org_field_name}} adopts the following Caldicott Principles as a foundation for handling patient information:
- Justify the Purpose – Every proposed use or transfer of patient-identifiable information must be clearly defined and justified. This includes ensuring that data sharing is essential for care provision and not for administrative convenience.
- Use Only When Absolutely Necessary – Patient information should only be used where it is essential for care provision. Any unnecessary access or sharing of information is strictly prohibited.
- Use the Minimum Necessary – The least amount of personally identifiable data should be used to fulfil the purpose, reducing risk exposure.
- Access on a Need-to-Know Basis – Only those with a legitimate need should have access to patient information, ensuring controlled and secure access at all times.
- Everyone with Access Must Understand Their Responsibilities – All staff must be trained in information governance and confidentiality, ensuring they fully understand their responsibilities.
- Comply with the Law – Legal and regulatory requirements for data protection must be met, including compliance with GDPR and the Data Protection Act 2018.
- The Duty to Share Can Be as Important as the Duty to Protect – Information should be shared where it is necessary for safe and effective care, ensuring that privacy concerns do not result in delays in medical interventions.
- Inform Individuals About How Their Confidential Information Is Used – Individuals and, where appropriate, their representatives must be given clear, accessible and transparent information about how their confidential information is collected, used, stored, shared and protected. Information must be provided in a format and language suitable to the individual’s needs, level of understanding and communication preferences.
{{org_field_name}} recognises that the Caldicott Principles apply to confidential information used for direct care and to other appropriate purposes connected with the delivery, safety, quality, regulation and improvement of health and social care. Staff must not use confidentiality as a reason to withhold information where sharing is necessary, lawful and proportionate to protect an individual, support safe care, prevent harm, comply with safeguarding duties, respond to an emergency, or meet a legal or regulatory requirement.
3.1 Definitions
For the purpose of this policy:
“Confidential information” means information that is private, sensitive or not normally publicly available and which relates to an identifiable person. This includes information about health, care, support needs, medication, mental capacity, safeguarding, finances, family circumstances, complaints, incidents, personal history, beliefs, preferences and daily living arrangements.
“Personal data” means information relating to an identified or identifiable living person.
“Special category data” includes information about a person’s health, racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, genetic data, biometric data used for identification, political opinions or trade union membership. Health and care information will normally be special category data and must be given a higher level of protection.
“Processing” means any action involving personal data, including collecting, recording, storing, viewing, using, sharing, amending, deleting, archiving or destroying information.
“Individual” means a person who receives care and support from {{org_field_name}}. The term includes residents and service users.
“Representative” means a person with legal authority or the individual’s consent to act on the individual’s behalf. This may include an attorney, deputy, advocate, litigation friend, parent with parental responsibility, or another person authorised by law or by the individual.
3.2 Lawful Basis for Processing Information
{{org_field_name}} will only process personal data where there is a lawful basis under UK GDPR and the Data Protection Act 2018. Depending on the circumstances, the lawful basis may include:
- the processing is necessary for the performance of a contract with the individual or commissioner;
- the processing is necessary to comply with a legal obligation;
- the processing is necessary to protect someone’s vital interests;
- the processing is necessary for a task carried out in the public interest;
- the processing is necessary for the legitimate interests of {{org_field_name}} or another organisation, except where the individual’s rights and freedoms override those interests;
- the individual has given valid consent, where consent is the appropriate lawful basis.
Where special category data is processed, including health and care information, {{org_field_name}} will also identify a valid Article 9 condition. This may include processing necessary for the provision of health or social care, safeguarding, public health, employment obligations, legal claims, substantial public interest, or explicit consent where appropriate.
Consent will only be relied upon where it is freely given, specific, informed and capable of being withdrawn. Where information is required to provide care safely, comply with the law, protect an individual from harm, meet safeguarding duties or satisfy regulatory requirements, consent may not be the correct lawful basis and withdrawal of consent may not prevent the information from being processed or shared.
Staff must seek advice from the Registered Manager, Data Protection Officer or Information Governance Lead where they are unsure whether information can be used or shared.
4. Recording, Storing and Managing Individual Information
{{org_field_name}} will maintain accurate, complete, factual, timely and up-to-date records for each individual who receives care and support. Records must be written in a respectful, professional and objective manner and must contain sufficient detail to support safe, consistent and person-centred care.
Staff must ensure that records are completed as soon as practicable after the event or care activity and must not be falsified, backdated, altered inappropriately or destroyed without authorisation. Any amendment to a record must be transparent, dated, attributable and auditable. The original entry must remain visible or retrievable where records are amended.
Records relating to individuals may include assessments, personal plans, care and support plans, provider assessments, medication records, daily notes, risk assessments, mental capacity assessments, best-interest decisions, Deprivation of Liberty Safeguards records, safeguarding records, incident records, complaints, health professional correspondence, communication with representatives, end-of-life wishes, financial records held on behalf of the individual, and any other information required for the safe and effective operation of the service.
Paper records must be stored securely in locked cabinets or locked rooms with access restricted to authorised staff. Electronic records must be protected by appropriate technical and organisational security measures, including individual user accounts, strong passwords, access controls, encryption where appropriate, regular backups, audit trails and secure disposal arrangements.
Staff must not leave confidential information unattended, visible to unauthorised persons, or accessible in communal areas. Confidential conversations must take place in a private setting wherever possible.
Records must be kept securely for the required retention period. Records relating to adults must be retained for at least three years from the date of the last entry. Records relating to children must be retained for at least fifteen years from the date of the last entry, unless transferred to the placing authority in accordance with legal requirements. Where another law, contract, safeguarding requirement, insurance requirement, litigation hold or professional guidance requires a longer retention period, the longer period must be followed.
If the service closes, {{org_field_name}} will ensure that records continue to be stored securely and remain available for lawful access, regulatory inspection, safeguarding, complaints, legal proceedings and continuity of care.
Records must be made available to CIW on request. Individuals must be informed that they can access their own records, subject to applicable legal exemptions and safeguards.
Confidential waste must be disposed of securely by shredding, confidential waste collection or secure electronic deletion. Disposal must be documented where appropriate and must prevent unauthorised access, reconstruction or recovery of confidential information.
5. Sharing Confidential Information
{{org_field_name}} will share confidential information only where there is a lawful basis, a clear purpose, and the information shared is necessary, relevant and proportionate. Staff must apply the Caldicott Principles and must share the minimum information required to achieve the purpose.
Internal sharing
Information may be shared internally with staff who need it to provide safe and effective care, support personal outcomes, administer medication, manage risk, respond to incidents, protect individuals from harm, maintain records, investigate complaints, audit quality, or meet management and regulatory responsibilities. Staff must only access records where they have a legitimate need to know.
External sharing
Information may be shared with external professionals and agencies where necessary and lawful. This may include GPs, community nurses, pharmacists, hospitals, social workers, local authorities, safeguarding teams, commissioners, advocates, emergency services, the police, CIW, Healthcare Inspectorate Wales where relevant, the Public Services Ombudsman for Wales, the Information Commissioner’s Office, professional regulators, and other organisations involved in the person’s care, safety, rights or well-being.
Safeguarding
Where there is a safeguarding concern, suspected abuse, neglect, improper treatment, exploitation, risk of harm, or a serious concern about an individual’s safety or welfare, information must be shared promptly with the appropriate safeguarding agencies in line with Wales Safeguarding Procedures and the organisation’s Safeguarding Policy. Consent should be sought where appropriate, but lack of consent must not prevent lawful and necessary safeguarding action.
Families, friends and representatives
Information may be shared with family members, friends or representatives where the individual has consented, where the person has legal authority to receive the information, or where sharing is necessary and lawful in the individual’s best interests. Staff must check the individual’s wishes and any legal authority before sharing confidential information.
Where an individual has capacity, their decision about who information can be shared with must normally be respected. Where an individual lacks capacity to make a specific decision about information sharing, staff must act in accordance with the Mental Capacity Act 2005, any valid Lasting Power of Attorney, deputyship order, advance decision, best-interest decision or other lawful authority.
Data-sharing agreements and processors
Where {{org_field_name}} routinely shares information with another organisation, a written data-sharing agreement or protocol must be used where appropriate. Where another organisation processes personal data on behalf of {{org_field_name}}, a written data processing agreement must be in place before processing begins.
Secure sharing
Confidential information must be shared securely. Staff must use approved email systems, secure portals, encrypted transfer methods or other authorised systems. Personal email accounts, personal messaging apps and unapproved devices must not be used for confidential information unless specifically authorised in an emergency and risk assessed afterwards.
Recording sharing decisions
Staff must record significant information-sharing decisions, including what was shared, with whom, the reason for sharing, the lawful basis where relevant, and any refusal or restriction requested by the individual.
5.1 Transparency and Privacy Information
{{org_field_name}} will provide individuals and, where appropriate, their representatives with clear and accessible information about how their personal and confidential information is collected, used, stored, shared, protected and retained.
This information will be provided through the organisation’s privacy notice, service user guide, admission information, relevant consent forms where used, and direct discussion where appropriate. Information will be provided in a language, style, format and communication method suitable for the individual’s needs, level of understanding and communication preferences.
The privacy information will explain:
- what information is collected;
- why the information is needed;
- how the information is used;
- the lawful basis for processing;
- when information may be shared and with whom;
- how long information is retained;
- how information is protected;
- the individual’s rights;
- how to make a data protection request or complaint;
- how to contact the Data Protection Officer or Information Governance Lead;
- how to contact the Information Commissioner’s Office.
Staff must support individuals to understand how their information is used and must respond openly and honestly to questions about confidentiality and information sharing.
6. Individual Rights and Data Protection Requests
Individuals have rights in relation to their personal data under UK GDPR and the Data Protection Act 2018. These rights include, where applicable:
- the right to be informed about how their information is used;
- the right of access to their personal data;
- the right to request rectification of inaccurate information;
- the right to request erasure in limited circumstances;
- the right to request restriction of processing;
- the right to object to processing in certain circumstances;
- rights relating to automated decision-making, where applicable;
- the right to complain to the Information Commissioner’s Office.
A request for access to personal data is known as a Subject Access Request. A request may be made verbally or in writing. Staff must immediately forward any request to the Registered Manager, Data Protection Officer or Information Governance Lead.
{{org_field_name}} will respond to Subject Access Requests without undue delay and normally within one month of receipt. Where a request is complex or multiple requests have been received from the same individual, the response period may be extended by up to a further two months where permitted by law. The individual will be informed of any extension and the reason for it.
Before disclosing information, {{org_field_name}} will verify the identity of the requester and confirm their authority to receive the information. Where a request is made by a representative, attorney, deputy, advocate, solicitor, family member or other third party, staff must check the individual’s consent or the third party’s legal authority before information is released.
Information may be withheld or redacted where disclosure would adversely affect the rights and freedoms of another person, breach confidentiality, prejudice safeguarding or legal proceedings, or where another legal exemption applies.
The right to erasure is not absolute. Care records will not normally be deleted where they are required for safe care, legal compliance, safeguarding, regulatory requirements, complaints, insurance, audit, professional accountability or the establishment, exercise or defence of legal claims. Where a request for erasure is refused in whole or in part, the individual will be told the reason and informed of their right to complain to the Information Commissioner’s Office.
All data protection requests and responses must be recorded.
7. Personal Data Breaches and Incident Reporting
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This may include lost records, records sent to the wrong person, unauthorised access to care records, cyber incidents, ransomware, stolen devices, verbal disclosure to the wrong person, insecure disposal of confidential waste, or failure to keep records secure.
All actual or suspected personal data breaches must be reported immediately to the Registered Manager, Data Protection Officer or Information Governance Lead. Staff must not delay reporting while trying to investigate the matter themselves.
The Registered Manager, Data Protection Officer or Information Governance Lead will ensure that immediate action is taken to contain the breach, recover information where possible, reduce risk, protect affected individuals, preserve evidence, and begin a documented investigation.
Each breach will be assessed to decide:
- what happened;
- what information was involved;
- whose information was affected;
- whether special category data was involved;
- the likely impact on individuals;
- whether the breach is likely to result in a risk to individuals’ rights and freedoms;
- whether the breach is likely to result in a high risk to individuals’ rights and freedoms;
- whether the breach must be reported to the Information Commissioner’s Office;
- whether affected individuals must be informed;
- whether CIW, safeguarding, commissioners, police, insurers or other bodies must also be notified.
Where a breach is reportable to the Information Commissioner’s Office, {{org_field_name}} will report it without undue delay and, where feasible, within 72 hours of becoming aware of it. If the report is made after 72 hours, the reason for the delay will be documented.
Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, those individuals will be informed without undue delay, unless a legal exemption applies. The information provided will explain, in clear language, what happened, what information was involved, the likely consequences, what {{org_field_name}} is doing in response, and what the individual can do to protect themselves.
Where a breach involves safeguarding concerns, risk of harm, criminal activity, serious service failure, loss of essential care records, or another event that is notifiable under the Regulated Services Regulations or CIW requirements, the Registered Manager will ensure that the appropriate notification is made to CIW, the local authority safeguarding team, commissioners, police or other relevant bodies without delay.
All breaches, near misses and confidentiality incidents must be recorded, investigated and reviewed. Lessons learned must be shared with staff and used to improve practice, systems, training, supervision and risk management.
Staff may be subject to additional training, supervision, capability action, disciplinary action or referral to a professional body where a breach results from negligence, misconduct, deliberate misuse of information or failure to follow this policy.
8. Staff Training and Responsibilities
All staff, volunteers, agency workers and relevant contractors must understand their responsibilities for confidentiality, data protection, accurate record keeping, secure information handling and appropriate information sharing.
Staff will receive information governance, confidentiality and data protection training during induction and at regular intervals thereafter. Training will be refreshed when legislation, guidance, systems, roles or organisational procedures change.
Training will include:
- the Caldicott Principles;
- confidentiality and professional boundaries;
- UK GDPR and Data Protection Act responsibilities;
- recognising and reporting personal data breaches;
- secure record keeping;
- secure use of electronic care records;
- safe use of email, phones, printers, scanners and digital systems;
- subject access requests and individual rights;
- safeguarding information sharing;
- Mental Capacity Act and best-interest considerations where relevant;
- use of photographs, CCTV or surveillance where applicable;
- staff responsibilities under relevant Social Care Wales codes and organisational policies.
Staff must only access information required for their role. Accessing records out of curiosity, accessing information about relatives or colleagues without authorisation, sharing passwords, discussing residents in public areas, taking unauthorised photographs, or sharing confidential information through personal devices or social media is strictly prohibited.
Staff must sign a confidentiality agreement as part of their employment, volunteer or contractor arrangements. The duty of confidentiality continues after employment or engagement with {{org_field_name}} ends.
Managers are responsible for ensuring that staff understand this policy, follow correct procedures, receive supervision where needed, and are supported to raise concerns about unsafe or unlawful information handling.
8.1 Staff Confidentiality Rules
Staff must:
- keep usernames, passwords, PINs and access cards secure and must not share them;
- log out of systems when not in use;
- only access records needed for their role;
- check the identity and authority of callers before sharing information;
- avoid discussing confidential information where they may be overheard;
- keep paper records secure and return them to secure storage after use;
- use approved systems for emails, messages and electronic records;
- report lost records, misdirected emails, unauthorised access, cyber incidents and any other confidentiality incident immediately;
- challenge poor practice and report concerns through line management, safeguarding, whistleblowing or data breach procedures as appropriate.
Staff must not:
- access records without a work-related reason;
- use personal email, personal cloud storage or personal messaging apps for confidential information unless specifically authorised;
- take photographs, videos or recordings of individuals without appropriate authority and either consent or a recorded best-interest decision;
- post information about individuals, the service or confidential incidents on social media;
- remove records from the premises unless authorised and risk assessed;
- disclose information to relatives, friends or visitors without consent, legal authority or another lawful basis;
- leave confidential information visible on desks, printers, screens or in vehicles;
- dispose of confidential information in general waste.
8.2 Digital Systems, Devices and Cyber Security
Electronic systems used to record, store or share confidential information must be approved by {{org_field_name}} and protected by appropriate security measures.
Where electronic care records or digital systems are used, {{org_field_name}} will ensure that:
- each authorised user has an individual account;
- access levels are appropriate to the person’s role;
- passwords are strong and changed where compromise is suspected;
- multi-factor authentication is used where available and appropriate;
- audit logs are available where the system allows;
- staff access is removed promptly when staff leave or change role;
- electronic records are backed up securely;
- supplier arrangements include appropriate data protection and confidentiality provisions;
- cyber incidents are reported and managed as personal data breaches where applicable.
Staff must report phishing emails, suspected hacking, lost devices, unauthorised access, malware, ransomware, unusual system behaviour or accidental disclosure immediately.
8.3 Photographs, Video, CCTV and Surveillance
Photographs, video recordings, CCTV, monitoring equipment or other surveillance must only be used where there is a clear, lawful and proportionate reason. Their use must respect privacy, dignity, confidentiality and human rights.
Where CCTV or surveillance is used, {{org_field_name}} will ensure that:
- there is a written CCTV or surveillance policy;
- the purpose of the surveillance is clearly documented;
- privacy impact and data protection risks are assessed;
- individuals and visitors are informed through clear signage and privacy information;
- surveillance is not used in private areas such as bedrooms, bathrooms or toilets unless there is an exceptional lawful basis, clear risk assessment and appropriate authorisation;
- access to recordings is restricted;
- recordings are retained only for the approved retention period unless needed for investigation, safeguarding, complaint, legal or regulatory purposes;
- recordings are shared only where lawful and necessary.
Staff must not take photographs or recordings of individuals on personal devices. Any photograph or recording for care, identification, activity, family contact, evidence, publicity or other purpose must be authorised and recorded in line with consent, best-interest and data protection requirements.
9. Compliance, Monitoring and Audit
{{org_field_name}} will monitor compliance with this policy through regular governance, audit, supervision, training and quality assurance arrangements.
Monitoring may include:
- audits of care records for accuracy, completeness, dignity and timeliness;
- checks that records are stored securely;
- checks that electronic access permissions are appropriate;
- review of data breaches, near misses and confidentiality incidents;
- review of Subject Access Requests and other data protection requests;
- review of information-sharing decisions;
- review of staff training completion;
- review of agency and contractor confidentiality arrangements;
- review of data-sharing and data processing agreements;
- review of privacy notices and resident information;
- spot checks of offices, nurses’ stations, printers and record storage areas;
- review of CCTV/surveillance practice where applicable.
The Registered Manager will ensure that any identified shortfalls are addressed through an action plan. The Responsible Individual will maintain oversight of governance, quality and compliance and will ensure that learning from audits, complaints, incidents, safeguarding concerns, data breaches and regulatory feedback is used to improve the service.
Where poor practice is identified, {{org_field_name}} will take proportionate action, which may include staff guidance, additional training, supervision, policy review, disciplinary action, referral to a professional body, notification to CIW, notification to the ICO, safeguarding referral, or other corrective action.
This policy will be reviewed at least annually, or sooner where there are changes in legislation, CIW guidance, ICO guidance, Caldicott guidance, organisational systems, service provision, incidents, audit findings or identified risks.
10. Related Policies
This policy should be read in conjunction with:
- CHW34 – Confidentiality and Data Protection (GDPR) Policy
- CHW13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CHW42 – Communication and Engagement with Service Users and Families Policy
- CHW31 – Disciplinary and Grievance Policy (in case of breaches by staff)
11. Policy Review
This policy will be reviewed at least annually or sooner where required due to changes in legislation, Welsh Government statutory guidance, CIW expectations, ICO guidance, Caldicott guidance, safeguarding procedures, organisational systems, service delivery, incidents, complaints, audit findings or identified risks.
The Registered Manager is responsible for ensuring that the policy is implemented in day-to-day practice. The Responsible Individual will maintain oversight of compliance and ensure that any required improvements are completed.
Any changes to this policy will be communicated to staff. Where changes affect individuals or their representatives, information will be provided in an accessible format and staff will support individuals to understand the changes where required.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.