In 1997 the government conducted a review of Patient-Identifiable Information (PII), chaired by Dame Fiona Caldicott, who produced the Caldicott Report. The report made a number of recommendations for regulating the use and transfer of person identifiable information between NHS organisations and between NHS and non-NHS bodies. The aim was to ensure that patient-identifiable information was shared only for justified purposes and that only the minimum necessary information was shared in each case in accordance with six key principles.
Over recent years the issue of whether professionals shared information effectively and safely was evident. There had been a growing perception that information governance was being cited as an impediment to sharing information, even when sharing would have been in the patient’s best interests. A Caldicott review in 2012 identified the need for a 7th principle. Following a further review in December 2020, an 8th principle was included to support transparency.
The Caldicott Principles
Principle 1. Justify the purpose(s) for using confidential information
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
Principle 2. Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Principle 3. Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.
Principle 4. Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
Principle 5. Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6. Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
Principle 7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Principle 8. Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.
The Welsh Information Governance Toolkit assessment replaced the Caldicott Principles into Practice assessment (C-PiP) in 2020. Following changes to data protection legislation in May 2018 and guidance from the Information Commissioner's Office (ICO), a more robust assessment was developed to ensure the health board is compliant with the latest data protection legislation, national information governance standards and good practice. The toolkit is a mandatory annual assessment that sets a series of compliance targets in the following areas:
The Assessment score for 2021/2022 will be published when available.