Changes to the Caldicott Principles – an overview and what this means for the healthcare sector
In June 2020, the National Data Guardian for Health and Social Care (the NDG), Dame Fiona Caldicott, launched a public consultation seeking views on her intention to revise the existing seven ‘Caldicott Principles’ and issue new guidance about the role of ‘Caldicott Guardians’.
The consultation response (National Data Guardian: response to consultation about Caldicott Principles and Guardians) was published on 8 December 2020 and can be accessed here. In this article, we consider what this means for the healthcare sector.
What are the Caldicott Principles?
The Caldicott Principles (the Principles) provide a framework for all health settings (in both the public and private sector) to follow in order to protect patient information. The Principles were initially developed in 1997 following a review of how the NHS handled patient information. They were expanded upon in 2013.
What are Caldicott Guardians?
A Caldicott Guardian is a senior person within a health or social care organisation appointed to ensure that patient data is used lawfully and appropriately, and that confidentiality is maintained. Following the 1997 review, all NHS organisations are required to appoint a Caldicott Guardian to ensure that the organisation complies with the Principles when using patient data. Local authorities with adult social care responsibilities have been required to do the same since 2002.
As explained in the consultation response document, the Principles and the Caldicott Guardian role are also implemented “by other organisations within the health and social care sector, such as care homes and hospices, and by some organisations in other sectors such as prisons, police and armed forces”. This is to ensure that they manage patient information data in as transparent and secure way as possible.
What is the outcome of the consultation?
Update to the Caldicott Principles
The existing principles have been revised to make the wording clearer and more accessible.
A new Principle has also been introduced to ensure patients and service users are informed about how their confidential information will be used and to ensure that the Caldicott Principles align with existing data protection legislation.
The new Caldicott Principles (which are set out below) can be found on page 25 of the consultation response document, which also provides the explanatory introduction for each:
- Principle 1: Justify the purpose(s) for using confidential information.
- Principle 2: Use confidential information only when it is necessary.
- Principle 3: Use the minimum necessary confidential information.
- Principle 4: Access to confidential information should be on a strict need-to-know basis.
- Principle 5: Everyone with access to confidential information should be aware of their responsibilities.
- Principle 6: Comply with the law.
- Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality.
- Principle 8: Inform patients and service users about how their confidential information is used.
Caldicott Guardian guidance
Guidance will be issued in relation to Caldicott Guardians. By way of a summary/extracts from Chapter 7 (pages 35-35) of the consultation response document, the Guidance will:
- “Provide flexibility for organisations for which it is not proportionate to appoint a dedicated Caldicott Guardian and will suggest options/models to ensure those organisations can still comply with the Principles.”
- “Cover the role and responsibilities of Caldicott Guardians, with particular attention given to what Caldicott Guardians provide in addition to other roles, their role in helping to uphold the Principles and their role in social care settings.”
- “Cover the competencies, qualities and knowledge required by Caldicott Guardians.”
- Address “the requirement for organisations to provide Caldicott Guardians with appropriate training and time for development.”
The guidance will also cover the relationship between the Caldicott Guardian and other key information governance roles within the Healthcare sector, and in particular the Data Protection Officer and Senior Information Risk Officer.
What does this mean for the healthcare sector?
The updated list of Principles is now in force and should be adhered to moving forward. Organisations should review their existing processes and procedures relating to the handling of patient data as updates may be needed. This may also require additional staff training, particularly for Caldicott Guardians. This will ensure data protection is maintained and that unnecessary referrals and investigations by the Information Commissioner are avoided.
The NDG has indicated that it hopes to publish the new guidance before the end of the financial year 2020-21 and that it will take effect at some point during 2021-22. Specific timings will be subject to further consultation.
Organisations should plan to ensure appropriate time is set aside for consideration of the new guidance and how this may impact on existing policies and procedures relating to patient data. This will also provide an opportunity to audit existing practices and address any particular issues or staff training needs.