The COVID-19 pandemic has shone a spotlight on the role of data and data sharing in delivering effective healthcare services. It has also helped healthcare practitioners and the public more fully appreciate the importance of accessing clear and simple information about why and how confidential information is used and protected within healthcare services.
The Caldicott Principles have helped guide decisions about the handling of confidential information for over 20 years. They are named after Dame Fiona Caldicott, whose 1997 review into how patient data should be handled led to the development of six good practice Principles, relevant first to the NHS and later extended to local authority adult social care.
An information governance review led by Dame Caldicott in 2013 led to the addition of a seventh Principle, and in November 2014 Dame Caldicott was appointed the first National Data Guardian (NDG) for health and adult social care. This role was subsequently made a statutory appointment in 2019.
The current Caldicott Principles are:
1. Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
2. Personal confidential data items should not be included unless they are essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
3. Where the use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified, so that the minimum amount of personal confidential data necessary for a given function to be carried out is transferred or accessible.
4. Access to personal confidential data should be on a strict need-to-know basis. Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
5. Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.
6. Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
7. The duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these Principles. They should be supported by the policies of their employers, regulators and professional bodies.
All organisations subject to the Principles must also appoint a guardian with responsibility for upholding the Principles. The Caldicott Guardian is seen as a senior person within a healthcare organisation whose role it is to ensure that the information of those using its services is handled legally and ethically and that confidentiality is maintained.
The Caldicott Guardian is also expected to provide impartial direction and guidance on complex considerations involving information sharing and confidentiality and to act, in the words of the UK Caldicott Guardian Council's 2017 Caldicott Guardian Manual, as the "conscience of the organisation".
Dame Caldicott announced earlier this summer that she expects to step down from her post as NDG after March 2021, and efforts are currently underway to find her replacement. Ahead of that, she and her advisory panel are considering the results of a consultation into proposals to:
The proposed changes are intended to help ensure the Principles remain relevant in future and after Dame Caldicott has relinquished her role. The proposals aim to take into account changes in the public's relationship with the healthcare services ecosystem, legal developments (including the GDPR and the UK GDPR, which will replace it in the UK from 1 January 2021) and relevant jurisprudence (particularly in relation to society's changing expectations of privacy).
The revisions proposed to the existing Principles focus on making certain wording clearer, more up to date and consistent with other requirements relevant to data sharing. In particular:
The more substantive proposed change to the Principles relates to the introduction of a new eighth Principle. The proposed text is:
"Inform the expectations of patients and service users about how their confidential information is to be used.
A range of steps should be taken to ensure 'no surprises' for patients and service users about how their confidential information is to be used. These steps will vary depending on the use. As a minimum, this should include providing relevant and appropriate information; in some cases, greater engagement will be required to promote understanding and acceptance of uses of information. Patients and service users should be given an accessible way to opt out."
The new Principle is concerned with ensuring that there will be no surprises for patients and service users about how their confidential information is to be used, and that any use of their confidential information falls within their expectations. The eighth Principle would focus on transparency and can, in part, be seen as aligning the Caldicott Principles with the enhanced transparency requirements of the GDPR and the UK Data Protection Act 2018 (DPA18), as well as reflecting the development by UK courts over the years of the concept of a 'reasonable expectation of privacy' within the law of confidence.
The NDG has the power (under the Health and Social Care (National Data Guardian) Act 2018) to publish guidance and is proposing to use those statutory powers to advise that all health and adult social care organisations which could be within the scope of the NDG guidance powers appoint a Caldicott Guardian to uphold the Caldicott Principles. The guidance may specify whether certain types of organisation need a dedicated Caldicott Guardian or (perhaps for reasons of size) may instead share a Caldicott function (such as a consortium of GPs).
In practice, given the varied nature of the organisations which should appoint a Caldicott Guardian, the currently available guidance falls short of advising in detail on matters such as how the role should be carried out. In this respect the NDG is proposing that further guidance be provided, including advice on how the role aligns with other compliance roles, in particular that of the Data Protection Officer under the GDPR and DPA18 and the role of Senior Information Risk Officers (SIROs), in the context of wider public health and social care compliance requirements.
Further details on all the above, along with detail on the revisions and additions to the Caldicott Principles, can be found in the background document published by the National Data Guardian in June 2020.