Independent review

Caldicott Report 1997

Report on the Review of Patient-Identifiable Information
Completed
Dame Fiona Caldicott · Published 1 December 1997 · Commissioned by DHSC Health & Social Care

First Caldicott review establishing principles for the handling of patient-identifiable information in the NHS. Introduced the concept of the Caldicott Guardian and six foundational principles for data flows.

Government Response

The Government implemented the review through NHS Executive Health Service Circular HSC 1999/012 ('Caldicott Guardians', 1999), which required every NHS organisation to appoint a senior 'Caldicott Guardian' to oversee the use of patient-identifiable information and to apply the report's good-practice principles. The report set out six good-practice principles and recommended the Guardian role; the requirement was extended to local authorities with social services responsibilities in 2002. The Caldicott principles and Guardian role became embedded in NHS data governance.

1 January 1999

Recommendations

Recommendation Principle 1
NHS
Justify the purpose(s)
Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.
Recommendation Principle 2
NHS
Don't use patient identifiable information unless it is absolutely necessary
Patient identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Recommendation Principle 3
NHS
Use the minimum necessary patient-identifiable information
Where use of patient identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
Recommendation Principle 4
NHS
Access to patient identifiable information should be on a strict need-to-know basis
Only those individuals who need access to patient identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.
Recommendation Principle 5
NHS
Everyone with access to patient identifiable information should be aware of their responsibilities
Action should be taken to ensure that those handling patient identifiable information – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Recommendation Principle 6
NHS
Understand and comply with the law
Every use of patient identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.
No recommendations with this response.