{{org_field_logo}}
{{org_field_name}}
N13. Caldicott Principles
This policy relates to the sharing or transfer of data within NHS or social care organisations, including hospitals, local authorities and GP services. It should be read with {{org_field_name}}’s separate policies and procedures on data protection, confidentiality and data management.
The Data Protection Act
{{org_field_name}} recognises that it has a legal duty under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) to ensure the security and proper management of personal data and that this duty applies to its management, processing and storing of records and data, including information, data and notes about service users.
Central to the Data Protection Act is compliance with principles designed to protect the rights of individuals about whom personal data is processed, whether this is through electronic or paper records.
The eight Data Protection principles state that organisations should make sure that personal information about people is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection.
{{org_field_name}}’s data protection policies and procedures are designed to comply fully with the Act and these principles. However, {{org_field_name}} also recognises that a further set of data protection principles, the Caldicott Principles, applies specifically to the NHS and social care.
The Caldicott Report
In 1997, the original Caldicott Report provided guidance to the NHS on the use and protection of personal confidential data and, due to the sensitive and personal nature of medical information in particular, emphasised the need for additional controls over the availability of such information and access to it.
The report recognised the importance in a medical and care context of sharing relevant health-related information and made a series of recommendations to ensure that such sharing took place in a way that protected the rights of patients. This led to the requirement for all NHS organisations to appoint a Caldicott Guardian who is responsible for compliance with the principles.
In 2002, the government decided that these standards should be extended to “councils with social service responsibilities” in order to provide a foundation for joint working between health and social services. HSC 2002/003: LAC(2002)2 Implementing the Caldicott Standards Into Social Care was subsequently published.
A further review of the Caldicott Principles took place during 2012 and The Information Governance Review — To Share or Not to Share was published.
The revised Caldicott Principles are as follows.
- Principle 1 — justify the purpose(s) for using confidential information.
- Principle 2 — only use confidential information when absolutely necessary.
- Principle 3 — use the minimum information that is required.
- Principle 4 — access to confidential information should be on a strict need-to-know basis.
- Principle 5 — everyone must understand their responsibilities.
- Principle 6 — understand and comply with the law.
- Principle 7 — the duty to share personal information can be as important as the duty to have regard for patient confidentiality.
{{org_field_name}} understands that health and social care professionals should have the confidence to share information in the best interests of their patients and service users within the framework set out by these principles.
Person Identifiable Information
With reference to both the data protection laws and the Caldicott guidelines, {{org_field_name}} recognises person-identifiable confidential information as including:
- a service user’s name, address, full postcode and date of birth
- a service user’s NHS number and any notes, records or information about their care or treatment
- any pictures, photographs, videos, audio recordings or other images of service users
- anything that may be used to identify a service user directly or indirectly, such as rare diseases, drug treatments or statistical analyses using small sample sizes that may allow individuals to be identified.
Importantly, {{org_field_name}} recognises that person identifiable information does not only relate to medical information and can take many forms. It can be stored on computers, transmitted across networks, printed or stored on paper, spoken or recorded.
{{org_field_name}} understands that overall there should be a balance between the protection of patient information and the use and sharing of this information between agencies to improve care.
Policy
{{org_field_name}} recognises that:
- each health and social care organisation will have a data controller or manager who has overall responsibility for managing and effectively implementing all activities necessary to achieve compliance with the Data Protection Act 2018 and GDPR
- NHS organisations and local authorities will have an allocated Caldicott Guardian who is responsible for agreeing and reviewing protocols for governing the transfer and disclosure of personal confidential data about patients and service users
- a Caldicott Guardian is a senior health or social care person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing
- the Guardian plays a key role in ensuring that NHS, Councils with Social Services Responsibilities and partner organisations satisfy the highest practical standards for handling patient identifiable information
- NHS and Social Care Caldicott Guardians are required to be registered and there is a UK Council of Caldicott Guardians made up of guardians from health and social care.
In {{org_field_name}}:
- managers and staff will comply fully not only with the principles of the Data Protection Act 2018, but also with the seven Caldicott Principles and with the common law duty of confidentiality
- this means that any personal information given or received in confidence for one purpose may not be used for a different purpose or passed on to anyone else without the consent of the individual concerned; this duty can only be overridden if there is a statutory requirement, a court order, or if there is a robust public interest justification
- service users will be told exactly what their personal information will be used for and how it will be stored and shared; this means fully describing how the data will be used and taking into consideration any language requirements or barriers to understanding, such as requirements under the Mental Capacity Act 2005
- {{org_field_name}} and its staff have a legal and ethical duty to safeguard the integrity, confidentiality and availability of sensitive person identifiable information; every use of person identifiable information must be lawful
- individual service users have a right to believe and expect that private and personal information given in confidence will be kept securely and used only for the purposes for which it was originally given and consented to
- staff and managers must be aware of the Caldicott Principles that will apply to any data exchange — they should be aware that NHS organisations and local authorities will have a Caldicott Guardian who will be required to agree to the exchange of person identifiable information
- staff and managers must ensure that, to comply with the Caldicott guidelines:
a) every proposed use or transfer of person identifiable information within or from {{org_field_name}} should be clearly defined and justified
b) personal identifiable information should not be used unless it is absolutely necessary and there is no alternative
c) where use of person identifiable information is considered to be essential, the minimum necessary personal identifiable information should be used and each individual item of personal information should be justified, with the aim of reducing the extent to which the individual can be identified
d) where the use of personal confidential data is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out
e) access to personal identifiable information should be on a strict “need-to-know” basis; only those individuals who need access to person identifiable information should have access to it and they should only have access to the personal information items that they need to see; this may mean introducing access controls or splitting data flows where one information flow is used for several purposes
- managers should ensure that everyone is aware of their responsibilities and that a culture of care and due diligence for data security is in place; actions should be taken to ensure that all staff who handle person identifiable information are aware of their responsibilities and obligations to respect confidentiality
- managers and staff should attend data protection and information governance training as required and to a level relative to the requirements of their role; all new staff should read this policy and {{org_field_name}}’s data protection policy and comply fully with them and with all related procedures
- any data breaches, including breaches of confidentiality, should be reported immediately on being discovered and should be fully investigated; a report should be submitted at board level
- data sharing arrangements should be regularly audited, with support and guidance obtained from the relevant local authority Caldicott Guardian wherever necessary.
This policy will be regularly reviewed and updated as required.
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright ©2024 {{org_field_name}}. All rights reserved