{{org_field_logo}}

{{org_field_name}}


N13. Caldicott Principles

This policy relates to the sharing or transfer of data within NHS or social care organisations, including hospitals, local authorities and GP services. It should be read with {{org_field_name}}’s separate policies and procedures on data protection, confidentiality and data management.

The Data Protection Act

{{org_field_name}} recognises that it has a legal duty under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) to ensure the security and proper management of personal data and that this duty applies to its management, processing and storing of records and data, including information, data and notes about service users.

Central to the Data Protection Act is compliance with principles designed to protect the rights of individuals about whom personal data is processed, whether this is through electronic or paper records.

The eight Data Protection principles state that organisations should make sure that personal information about people is:

{{org_field_name}}’s data protection policies and procedures are designed to comply fully with the Act and these principles. However, {{org_field_name}} also recognises that a further set of additional data protection principles apply to the NHS and social care, the Caldicott Principles.

The Caldicott Report

In 1997, the original Caldicott Report provided guidance to the NHS on the use and protection of personal confidential data and, due to the sensitive and personal nature of medical information in particular, emphasised the need for additional controls over the availability of such information and access to it.

The report recognised the importance in a medical and care context of sharing relevant health-related information and made a series of recommendations to ensure that such sharing took place in a way that protected the rights of patients. This led to the requirement for all NHS organisations to appoint a Caldicott Guardian who is responsible for compliance with the principles.

In 2002, the government decided that these standards should be extended to “councils with social service responsibilities” in order to provide a foundation for joint working between health and social services. HSC 2002/003: LAC(2002)2 Implementing the Caldicott Standards Into Social Care was subsequently published.

A further review of the Caldicott Principles took place during 2012 and The Information Governance Review — To Share or Not to Share was published.

The revised Caldicott Principles are as follows.

{{org_field_name}} understands that health and social care professionals should have the confidence to share information in the best interests of their patients and service users within the framework set out by these principles.

Person Identifiable Information

With reference to both the data protection laws and the Caldicott guidelines, {{org_field_name}} recognises person-identifiable confidential information as including:

Importantly, {{org_field_name}} recognises that person identifiable information does not only relate to medical information and can take many forms. It can be stored on computers, transmitted across networks, printed or stored on paper, spoken or recorded.

{{org_field_name}} understands that overall there should be a balance between the protection of patient information and the use and sharing of this information between agencies to improve care.

Policy

{{org_field_name}} recognises that:

In {{org_field_name}}:

a) every proposed use or transfer of person identifiable information within or from {{org_field_name}} should be clearly defined and justified
b) personal identifiable information should not be used unless it is absolutely necessary and there is no alternative
c) where use of person identifiable information is considered to be essential, the minimum necessary personal identifiable information should be used and each individual item of personal information should be justified with the aim of reducing identifiability
d) where the use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out
e) access to personal identifiable information should be on a strict “need-to-know” basis; only those individuals who need access to person identifiable information should have access to it and they should only have access to the personal information items that they need to see; this may mean introducing access controls or splitting data flows where one information flow is used for several purposes

This policy will be regularly reviewed and updated as required.


Reviewed on: {{last_update_date}}

Next Review Date: {{next_review_date}}

Copyright ©2024 {{org_field_name}}. All rights reserved
