Caldicott Principles

A Caldicott Guardian’s function according to the UK Caldicott Guardian Council is:


“There are thousands of Caldicott Guardians in health and social care organisations across the UK. They share a common function, which is to make wise decisions about the use of people’s information. They balance the need to protect people’s confidentiality with the need to protect their welfare by ensuring that information is safely communicated among the various professional teams caring for an individual, sometimes across organisational boundaries. They bring to bear ethical as well as legal considerations, making judgements about real life human situations that could not be done by a machine.”


The Council also highlights the four core responsibilities of a Caldicott Guardian:


“Strategy & governance: the Caldicott Guardian should champion confidentiality issues at Board/senior management team level, should sit on an organisation’s Information Governance Board/Group and act as both the ‘conscience’ of the organisation and as an enabler for appropriate information sharing.


Confidentiality & data protection expertise: the Caldicott Guardian should develop a strong knowledge of confidentiality and data protection matters, drawing upon support staff working within an organisation’s Caldicott and information governance functions, but also on external sources of advice and guidance where available. 


Internal information processing: the Caldicott Guardian should ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff. The key areas of work that need to be addressed by the organisation’s Caldicott function are detailed in the Information Governance Toolkit. 


Information sharing: the Caldicott Guardian should oversee all arrangements, protocols and procedures where confidential personal information may be shared with external bodies and others with responsibilities for social care and safeguarding. This includes flows of information to and from partner agencies, sharing through IT systems, disclosure for research, and disclosure to the police. 


Many or all of these responsibilities may be shared with the Senior Information Risk Officer (SIRO), with whom the Caldicott Guardian should work closely.”



The Caldicott Guardian has 7 core principles to adhere to when considering sharing information - these are known as the Caldicott Principles after Dame Fiona Caldicott who chaired the panel that first proposed them. (source: https://www.igt.hscic.gov.uk/Caldicott2Principles.aspx)


“Principle 1 - Justify the purpose(s) for using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.


Principle 2 - Don't use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).


Principle 3 - Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.


Principle 4 - Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.


Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.


Principle 6 - Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.


In April 2013, Dame Fiona Caldicott reported on her second review of information governance. Her report, "Information: To Share Or Not To Share? The Information Governance Review", informally known as the Caldicott2 Review, introduced a new 7th Caldicott Principle.


Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.”
