Caldicott Report
A review was commissioned in 1997 by the Chief Medical Officer of England "owing to increasing concern about the ways in which patient information is being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. Such concern was largely due to the development of information technology in the service, and its capacity to disseminate information about patients rapidly and extensively".

A committee was established under the chairmanship of Dame Fiona Caldicott, Principal of Somerville College, Oxford, and previously President of the Royal College of Psychiatrists. Its findings were published in December 1997.

The Caldicott Report highlighted six key principles, and made 16 specific recommendations.

Caldicott principles

  1. Justify the purpose(s)
    Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.
  2. Don't use patient identifiable information unless it is absolutely necessary
    Patient identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
  3. Use the minimum necessary patient-identifiable information
    Where use of patient identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
  4. Access to patient identifiable information should be on a strict need-to-know basis
    Only those individuals who need access to patient identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.
  5. Everyone with access to patient identifiable information should be aware of their responsibilities
    Action should be taken to ensure that those handling patient identifiable information - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.
  6. Understand and comply with the law
    Every use of patient identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.


These principles have been subsumed into the NHS confidentiality code of practice.

Summary of recommendations

  1. Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly.
  2. A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS.
  3. A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.
  4. Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information.
  5. Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies.
  6. The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated.
  7. An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered.
  8. The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers.
  9. Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used.
  10. Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored.
  11. Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage.
  12. Where practicable, the internal structure and administration of databases holding patient-identifiable information should reflect the principles developed in this report.
  13. The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible.
  14. The design of new systems for the transfer of prescription data should incorporate the principles developed in this report.
  15. Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted.
  16. Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 