Data Security and Caldicott Guardianship


The 1997 report of the Review of Patient-identifiable Information, chaired by Dame Fiona Caldicott (the Caldicott Report), made a number of recommendations for regulating the use and transfer of patient-identifiable information between NHS organisations in England and to non-NHS bodies.[1][2] It set out six principles to consider whenever patient-identifiable data are accessed or passed on.

  • Justify the purpose(s) for using confidential information.
  • Only use it when absolutely necessary.
  • Use the minimum that is required.
  • Access should be on a strict need-to-know basis.
  • Everyone must understand his or her responsibilities.
  • Understand and comply with the law.

Larger NHS organisations (and non-NHS organisations using the data) need to nominate an appropriate Caldicott Guardian to act as the 'conscience' of the organisation, who then helps to enable appropriate information sharing whilst ensuring the application of the principles above, and advises on options for lawful and ethical processing of information as required.

Key Caldicott Guardian Responsibilities[2]

  • Strategy & Governance: the Caldicott Guardian should champion confidentiality issues at Board/management team level, should sit on an organisation's Information Governance Board/Group and act as both the 'conscience' of the organisation and as an enabler for appropriate information sharing.
  • Confidentiality & Data Protection expertise: the Caldicott Guardian should develop a knowledge of confidentiality and data protection matters, drawing upon support staff working within an organisation's Caldicott function but also on external sources of advice and guidance where available.
  • Internal Information Processing: the Caldicott Guardian should ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff. The key areas of work that need to be addressed by the organisation's Caldicott function are detailed in the Information Governance Toolkit.
  • Information Sharing: the Caldicott Guardian should oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within, and outside, the NHS and councils with social services responsibilities (CSSRs). This includes flows of information to and from partner agencies, sharing through the NHS Care Records Service (NHS CRS) and related IT systems, disclosure to research interests and disclosure to the police.

Individual general medical and dental practices, pharmacists and opticians do not need to appoint a Caldicott Guardian, but do need to have an Information Governance lead who should be a lead clinician or high-level manager, with the knowledge and authority to provide the same role.[3]

In GP surgeries, the responsibility for making decisions about disclosure ultimately rests with the GP.[4] Data protection officers may be available to advise on subject access requests by members of the public, and guidance on dealing with such requests is available on the Department of Health website.

The Data Protection principles

Personal data must be:
  • Processed fairly and lawfully.
  • Processed for specified purposes.
  • Adequate, relevant and not excessive.
  • Accurate and kept up-to-date.
  • Not kept for longer than necessary.
  • Processed in accordance with the rights of data subjects.
  • Protected by appropriate security (practical and organisational).
  • Not transferred outside the European Economic Area without adequate protection.

Further reading & references

  1. Patient Confidentiality and Access to Health Records; Department of Health
  2. The Caldicott Guardian Manual; Department of Health, 2006
  3. Information Governance; NHS Connecting for Health
  4. Records Management: NHS Code of Practice; Department of Health publications, policy and guidance, April 2006
Original Author: Dr Huw Thomas
Last Checked: 26/10/2010
Document ID: 6955
Version: 2
© EMIS
