What is Caldicott?
The term Caldicott refers to a review commissioned by the Chief Medical Officer. A review committee, under the chairmanship of Dame Fiona Caldicott, investigated ways in which patient information is used in the NHS.
The review committee also made a number of recommendations aimed at improving the way the NHS handles and protects patient information.
These are summarised by six information management principles:
The Six Caldicott Principles
- Justify the purpose(s) of using confidential information
- Only use it when absolutely necessary
- Use the minimum that is required
- Access should be on a strict need-to-know basis
- Everyone must understand his or her responsibilities
- Understand and comply with the law
What is the Data Protection Act 1998?
The Data Protection Act 1998 became law in March 2000. It sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data. These are summarised by 8 Data Protection Principles.
As well as information held on computers, the Data Protection Act 1998 also covers most manual records e.g.
- Health
- Finance
- Personnel
- Suppliers
- Occupational Health
- Contractors
- Volunteers
- Card Indices
Data Protection Principles
Personal data must be:
- Processed fairly and lawfully
- Processed for specified purposes
- Adequate, relevant and not excessive
- Accurate and kept up-to-date
- Not kept for longer than necessary
- Processed in accordance with the rights of data subjects
- Protected by appropriate security (practical and organisational)
- Not transferred outside the EEA without adequate protection
Principle 1
Processed fairly and lawfully
There should be no surprises, so ... inform data subjects why you are collecting their information, what you are going to do with it and who you may share it with... for example:
When formulating a research project remember to be open and transparent about what you will be doing with the information.
When working in a team, ensure that the patient/client is aware of who the members of the team are, and that all those involved with their care may need to see their notes.
- Be open, honest and clear
Principle 2
Processed only for specified purposes
Only use personal information for the purpose(s) for which it was obtained.
e.g. personal information on a Patient Administration System must only be used for healthcare purposes - not for looking up friends’ addresses or birthdays.
Only share information outside your practice, team, home, ward, department or service if you are certain it is appropriate and necessary to do so.
- If in doubt, check first!
Principle 3
Adequate, relevant and not excessive
Only collect and keep the information you require.
It is not acceptable to hold information unless you have a view as to how it will be used. Do not collect information “just in case it might be useful one day!” e.g. taking both daytime and evening telephone numbers if you know you will only call in the day.
- Explain all abbreviations
- Use clear legible writing
- Stick to the facts - avoid personal opinions and comments
Principle 4
Accurate and kept up-to-date
Take care inputting information to ensure accuracy.
How do you know the information is up-to-date?
What mechanisms do you have for checking information is accurate and up-to-date?
For example: each time a patient attends a clinic, they should be asked to confirm that their details are correct - address, telephone number etc.
- Check existing records thoroughly before creating new records
- Avoid creating duplicate records
Principle 5
Not kept for longer than necessary
- Follow retention guidelines in the Records Management: NHS Code of Practice
- Check your organisation’s retention policy
- Ensure regular housekeeping/spring cleaning of your information
- Do not keep “just in case it might be useful one day!”
- Check your organisation’s disposal policy and dispose of your information correctly
Principle 6
Processed in accordance with the rights of data subjects
- Subject access
- Prevention of processing
- Prevent processing for direct marketing (an end to junk mail and faxes!)
- Automated decision taking
- Compensation
- Rectification/blocking/erasure
- Request an assessment
Principle 7 (Practical)
Protected by appropriate security
- Ensure security of confidential faxes by using safe haven/secure faxes
- Always keep confidential papers locked away
- Do you have a clear desk policy?
- Ensure confidential conversations cannot be overheard
- Keep your password secret
- Ensure information is transported securely
Principle 7 (Organisational)
Protected by appropriate security
Your organisation should have...
- Good information management practices
- Guidelines on IT security
- Staff training
- Confidentiality clause in employment contracts
- Procedure for access to personal data
- Disposal policy/procedure for confidential information
- Confidentiality contracts with third parties e.g. archiving companies, cleaners, temporary staff, outside contractors
Principle 8
Not transferred outside the European Economic Area (EEA) without adequate protection
- If sending personal information outside the EEA ensure consent is obtained and it is adequately protected
- Be careful about putting personal information on websites: gain consent first
- Check where your information is going e.g. where are your suppliers based?
The EEA comprises: EU Member States plus Iceland, Liechtenstein and Norway
To sum up, remember that information must be:
Held securely and confidentially
Obtained fairly and efficiently
Recorded accurately and reliably
Used effectively and ethically
Shared appropriately and lawfully
For further information contact:
Your Data Protection Officer
Your Caldicott Guardian
The Information Commissioner’s website:
ico.org.uk
The Caldicott website:
www.connectingforhealth.nhs.uk/systemsandservices/infogov/caldicott
Reproduced with the kind permission of Surrey Health Community