Section 1: The information governance review


The government asked Dame Fiona Caldicott to lead an independent review to see how best to balance the need to keep patient and service user information secure with the need to share it among health and care professionals for legitimate reasons.

The review’s report, ‘Information: to share or not to share?’, was published on 26 April 2013.

The review made 26 recommendations which the government has welcomed and accepted in principle. The review’s report contains a wealth of helpful detail, but is not itself a legally binding document. Where applicable, the recommendations of the review have been included within this guide.

The good practice guidance in ‘Information: to share or not to share?’ is laid out in boxes below and should be adopted.

The revised Caldicott principles are also set out below. These principles should underpin information governance across health and social care services.


The Caldicott principles

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

2. Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data — both clinical and non-clinical staff — are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.


Last edited: 13 January 2022 2:27 pm