What are the Caldicott Principles?
The Caldicott Principles, developed in 1997, provide a framework of guidelines that help health organisations ensure proper treatment of patient-identifying information. Following the principles helps organisations make correct decisions when handling this information, and works to protect patient confidentiality in a variety of situations.
Organisations and those working within them must be able to determine when sharing confidential patient information could breach data protection laws.
When potential conflicts or difficult decisions arise, the Caldicott Principles can aid with decision making. The Principles additionally provide for secure methods of transfer for sensitive patient information to other agencies such as police, Social Services, the education system and the judicial system.
Where Did the Principles Come From?
The Caldicott Principles were developed after a review of NHS patient data handling practices. At the time, the rise of technology and data collection made cause for concern that patient-identifying data could be too easily shared, and privacy could be too easily breached.
Chaired by Dame Fiona Caldicott, the review led to identification of best practices concerning data security. The original six principles set out in 1997 have been expanded twice (in 2013 and 2020), and now the list includes eight caldicott principles.
The principles rest on the idea that patients should have as much control as possible over their personal information. And that patients should be assured that the information held by health and social care organisations is safe from unnecessary disclosure. Patients should also have full confidence in the systems that hold this information.
What is Patient-identifiable Information?
Patient-identifiable information includes:
- Patient’s full name (name and surname)
- Patient’s home address and full postal code
- Date of birth
- Patient’s NHS number
- Any photos, video or audio recordings or images of the patient
- Other identifying information
Health conditions or results that may be used to directly or indirectly to identify the patient are also considered identifiable information. For example, this could include rare diseases, specific drug treatments or results of statistical analyses using micro sample sizes that may lead to individuals being identified.
The Eight Caldicott Principles for Patient Information
There are eight principles to properly handle patient information for healthcare professionals.
Principle 1: Justify the purpose(s) for using confidential information
Each time confidential information is used or transferred, the purpose of doing so must be clearly defined, examined and documented. An appointed Caldicott Guardian should review each action, use or transfer to ensure that patient privacy is protected as much as possible. Even and especially if the same patient information is being shared multiple times, the guardian should examine each instance for propriety.
Principle 2: Use confidential information only when it is necessary
The inclusion of confidential information should be limited to purposes that require it. In other words, confidential information should be left out whenever possible. If a specified purpose requires the use or sharing of confidential information, the information shared should be carefully limited to the scope of the purpose. The need to identify individuals should be weighed at each step of the process, and alternatives should be used whenever possible.
Principle 3: Use the minimum necessary personal confidential data
When the use of confidential information is necessary and unavoidable, the amount of information used should be kept to an absolute minimum. Only the information pertaining to a task should be made available. Tasks and purposes requiring confidential information should be be completed with minimal privacy breach.
Principle 4: Access to confidential information should be on a strict need-to-know basis
The only people given access to confidential information should be those who truly need access. These people should only be given the items they need to see. To this end, access controls or split information flows may be beneficial.
Principle 5: Everyone with access to personal confidential data should be aware of their responsibilities
Action must be taken to ensure that personnel who work with, handle, organise, receive or transmit confidential data fully understand their responsibility and obligation to protect patient and service user confidentiality. Action could include special training, instructions built into a system, signage, memos, or other methods of training and reminding.
Principle 6: Comply with the law
Each and every use of confidential information must be lawful. Each person handling such information is personally responsible for ensuring that the legal integrity of data sharing and storage remains secure. All laws set out in statute and common law should be paid mind.
Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality
If a health or social care worker finds that sharing information is in the best interest of the patient, they should be able to do so with confidence, provided that they follow the other Principles. The policies of their employer, regulator, and professional bodies or associations should support professionals in these decisions.
Some circumstances in which sharing may meet such criteria are when:
- The patient is being transferred from one hospital to another for further treatment
- The patient, or others to whom they are connected, may be at risk of harm
- The patient poses a risk to themselves or others
- A crime may be prevented by sharing the information
- The patient has died and their relatives need to be identified
- The information has been requested by legal authority or court order
Principle 8: Inform patients and service users about how their confidential information is used
Patients and service users should have clear expectations about how and why their confidential information is shared, and what choices are available to them regarding such. Organisations should follow proper procedures closely when handling confidential information. This procedure should, at minimum, include providing patients with accessible, relevant, and appropriate information about the process. Patients may need to participate more in the process depending on the case.
What is a Caldicott Guardian?
The review recommended that each NHS organisation should appoint a Caldicott Guardian. This is an individual who is responsible for safeguarding patient information. They must also make sure that good practices are followed and are implemented.
A Caldicott Guardian must also manage confidential information in accordance with:
- The Data Protection Act
- The Human Rights Act
- The NHS Act
- The Freedom of Information Act
- The Computer Misuse Act
- NHS Information Governance
- The NHS Constitution
An appointed Caldicott Guardian should be:
- On the management board or a member of the senior management team of the organisation
- A senior health or social care professional
- An employee who has responsibility over promoting clinical governance within the organisation
How can you apply the Caldicott Principles?
The Caldicott Principles act as rules and regulations that must be followed by health and social care organisations. They provide guidance on how best to ensure that patient data is kept confidential.They can also prevent data breaches which could lead to fines.
In applying the Principles to your situation, the first thing to do is to ensure that all involved understand that the goal of the Principles is to protect patients. While the Principles heavily emphasize caution and restraint when handling patient data, it is equally important to remember the seventh principle—sometimes sharing data will be more beneficial to the patient than withholding it.
Organisations and staff should regularly review their policies and procedures, keeping in mind the Caldicott Principles. Correct use of the principles should maximize patient privacy, while also maximising patient care.
The Caldicott Principles are beneficial to the health and social care industries. They give confidence to patients that their personal information is used and maintained correctly. If followed closely, they prevent data breaches that can be harmful to patients and organisations.