The 1997 report of the Review of Patient-Identifiable Information, chaired by Dame Fiona Caldicott (the Caldicott Report), made a number of recommendations for regulating the use and transfer of person identifiable information between NHS organisations in England and to non-NHS bodies. The Caldicott Committee’s remit included all patient-identifiable information passing between organisations for purposes other than direct care, medical research, or where there was a statutory requirement for information. The aim was to ensure that patient-identifiable information was shared only for justified purposes and that only the minimum necessary information was shared in each case. The Committee also advised on where action to minimise risks of confidentiality would be desirable.
The recommendations of the Caldicott Committee defined the confidentiality agenda for NHS organisations for a number of years. Central to the recommendations was the appointment in each NHS organisation of a “Guardian” of person-based clinical information to oversee the arrangements for the use and sharing of clinical information. Subsequent work extended the requirement to appoint Caldicott Guardians into Councils with Social Care Responsibilities [CSSRs].1.3 A key recommendation of the Caldicott Committee was that every use or flow of patient-identifiable information should be regularly justified and routinely tested against the principles developed in the Caldicott Report.
Principle 1 – Justify the purpose(s) for using confidential information
Principle 2 – Only use it when absolutely necessary
Principle 3 – Use the minimum that is required
Principle 4 – Access should be on a strict need-to-know basis
Principle 5 – Everyone must understand his or her responsibilities
Principle 6 – Understand and comply with the law
Since then developments in information management in the NHS and CSSRs have added further dimension to the Caldicott role. These include:
• the Data Protection Act 1998;
• the Human Rights Act 1998;
• the Freedom of Information Act 2000;
• the NHS Code of Practice on Confidentiality 2003;
• the inception of NHS Information Governance 2003;
• ICT strategic developments (such as the NHS Care Record, Electronic Social Care Records, and the Secondary Uses Service) 2005 onwards;
• the election of the UK Caldicott Guardian Council 2005;
• section 251 of the NHS Act 2006 (formerly section 60 of the Health and Social Care Act 2001);
• establishment of the National Information Governance Board (NIGB) for health and social care as a statutory body in 2008;
• the Ethics and Confidentiality Committee of the National Information Governance Board;
• the final report on data handling procedures in Government by the Cabinet Office June 2008;
• publication of the NHS Constitution in January 2009 (updated March 2010);
• NHS Care Record Guarantee for England published in 2005 (updated 2009);
• Social Care Record Guarantee for England 2009.1.5
Individual general medical and dental practices, pharmacists and opticians do not need to appoint a Caldicott Guardian, but do need to have an Information Governance lead (sometimes referred to as a Caldicott lead) who, if they are not a clinician, will need support from a clinically qualified individual. Primary Care Trusts should ensure that within every practice there is an Information Governance lead and provide support and guidance as required.
Subscribers to the members section of the FPM website can access a model Caldicott Protocol in the practice administration index of the FPM policies and procedures library. If you are not a member, have a look at the information about the benefits of membership and how to subscribe.