The 1997 report of the Review of Patient-identifiable Information, chaired by Dame Fiona Caldicott (the Caldicott Report), made a number of recommendations for regulating the use and transfer of patient-identifiable information between NHS organisations in England and to non-NHS bodies. It set out 6 principles to consider when any patient-identifiable data are accessed or passed on.
- Justify the purpose(s) for using confidential information.
- Only use it when absolutely necessary.
- Use the minimum that is required.
- Access should be on a strict need-to-know basis.
- Everyone must understand his or her responsibilities.
- Understand and comply with the law.
Larger NHS organisations (and non-NHS organisations using the data) need to nominate an appropriate Caldicott Guardian to act as the 'conscience' of the organisation. The Guardian helps to enable appropriate information sharing whilst ensuring that the principles above are applied, and advises on options for lawful and ethical processing of information as required.
Key Caldicott Guardian Responsibilities
Individual general medical and dental practices, pharmacists and opticians do not need to appoint a Caldicott Guardian, but do need to have an Information Governance lead who should be a lead clinician or high-level manager, with the knowledge and authority to fulfil the same role.
In GP surgeries, the responsibility for making decisions about disclosure ultimately rests with the GP. Data Protection officers may be available to advise on subject access requests by members of the public, and guidance on dealing with such requests is available on the Department of Health website.
The Data Protection principles
Personal data must be:
- Processed fairly and lawfully.
- Processed for specified purposes.
- Adequate, relevant and not excessive.
- Accurate and kept up-to-date.
- Not kept for longer than necessary.
- Processed in accordance with the rights of data subjects.
- Protected by appropriate security (practical and organisational).
- Not transferred outside the European Economic Area without adequate protection.
Original Author: Dr Huw Thomas | Current Version: Dr Gurvinder Rull
Last Checked: 26/10/2010 | Document ID: 6955 Version: 2 | © EMIS