Updating the Caldicott Principles

The COVID-19 Pandemic has shone a spotlight on the role of data and data sharing in delivering effective healthcare services. It has also helped healthcare practitioners and the public more fully appreciate the importance of accessing clear and simple information about why and how confidential information is used and protected within healthcare services.

The Caldicott Principles have helped guide decisions about the handling of confidential information for over 20 years. They are named after Dame Fiona Caldicott, whose 1997 review into how patient data should be handled, led to the development of 6 good practice Principles relevant first to the NHS and then later extended to local authority adult social care.

An information governance review led by Dame Caldicott in 2013, led to the addition of a 7th principle and then in November 2014, Dame Caldicott was appointed the first National Data Guardian (NDG) for health and adult social care. This role was subsequently made a statutory appointment in 2019.

The current Framework

The current Calidicott Principles are:

Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Use the minimum necessary personal confidential data

Where the use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Access to personal confidential data should be on a strict need-to-know basis.

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data – both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these Principles. They should be supported by the policies of their employers, regulators and professional bodies.

All organisations subject to the Principles must also appoint a guardian with responsibility for upholding the Principles. The Caldicott Guardian is seen as a senior person within a healthcare organisation whose role it is to ensure that the information of those using its services is handled legally and ethically and that confidentiality is maintained.

The Caldicott Guardian is also expected to provide impartial direction and guidance on complex considerations involving information sharing and confidentiality and act, in the words of the UK Caldicott Guardian Council's 2017 overview Caldicott Guardian Manual, as the "conscience of the organisation".

The proposed revisions

Dame Caldicott announced earlier this summer that that she expects to step down from her post as NDG after March 2021 and efforts are currently underway to find her replacement. Ahead of that, she and her advisory panel are considering the results of a consultation into proposals to:

• revise and expand the Caldicott Principles
• use her statutory powers to issue updated guidance, extending the scope of organisations who should appoint a Caldicott Guardian, and
• provide more detailed guidance on the role of a Caldicott Guardian.

The proposed changes are intended to help ensure the Principles remain relevant in future and after Dame Caldicott has relinquished her role. The proposals aim to take into account changes in the public's relationship with the healthcare services ecosystem, legal developments (including the GDPR and the UK GDPR which will replace it in the UK from 1 January 2021) and relevant jurisprudence, (particularly in relation to society's changing expectations of privacy).

Revision and expansion of the existing Principles

The revisions proposed to the existing Principles focus on making certain wording clearer, more up to date and consistent with other requirements relevant to data sharing. In particular:

• There is more of a focus on the application of the rules to confidential information (rather than personal confidential data) and a definition of what constitutes 'confidential information' is included in a new preface to the Principles.
• The scope of application of the Principles and the need to involve the Caldicott guardian in difficult judgements or novel judgements is set out in the new preface enabling those viewing them in isolation to more readily understand how the Principles apply.
• Recipients of healthcare are more broadly referred to as 'patients and service users' as opposed to just patients.

The more substantive proposed change to the Principles relates to the introduction of a new 8th principle. The proposed text is:

Inform the expectations of patients and service users about how their confidential information is to be used

A range of steps should be taken to ensure 'no surprises' for patients and service users about how their confidential information is to be used - these steps will vary depending on the use. As a minimum, this should include providing relevant and appropriate information – in some cases, greater engagement will be required to promote understanding and acceptance of uses of information. Patients and service users should be given an accessible way to opt-out.

The new principle is concerned with ensuring that there will be no surprises for patients and service users about how their confidential information is to be used and that any use of their confidential information falls within their expectations. The 8th principle would focus on transparency and can, in part, be seen as aligning the Caldicott Principles with enhanced transparency requirements within the GDPR and the UK Data Protection Act 2018 (DPA18) as well as in reflecting the development by UK courts over the years of concepts of a 'reasonable expectation of privacy' within the law of confidence.

Guidance extending the scope for appointment of a Caldicott Guardian

The NDG has the power (under the Health and Social Care (National Data Guardian) Act 2018 to publish guidance and is proposing to use those statutory powers to advise that all health and adult social care organisations which could be within the scope of the NDG guidance powers appoint a Caldicott Guardian to uphold the Caldicott Principles. The guidance may specify whether certain types of organisation need a dedicated Caldicott Guardian or (perhaps for reasons of size) may instead share a Caldicott function (such as a consortium of GP's).

More detailed guidance – the Caldicott Guardian's role

In practice, given the varied nature of the organisations which should appoint a Caldicott Guardian, the current available guidance falls short of advising in detail on matters such as how the role should be carried out. In this respect the NDG is proposing that further guidance be provided including advice on how the role aligns with other compliance roles in particular that of the Data Protection Officer under the GDPR and DPA18 and the role of Senior Information Risk Officers (SIROs) in the context of wider public health and social care compliance requirements.

Further details on all the above, along with detail on the revisions and additions to the Caldicott Principles can be found in the background document published by the National Data Guardian in June 2020.