The Caldicott report

The Caldicott Report was published in 1997 and made recommendations relating to patient confidentiality and recommends ways the NHS can improve the way it handles patient identifiable information.

The Committee produced six key principles which govern the use of patient information. A key recommendation was the establishment of a network of organisational Guardians to oversee access to patients-identifiable information. All NHS organisations are now required to have such a Guardian, known as the Caldicott Guardian.

The principles and recommendations highlight all areas of information handling, including the obtaining, storing and sharing of data. There is also a requirement to appoint a Caldicott Guardian by each health organisation (NHS Trusts) and a lead individual (Family Health Services) to co-ordinate a programme of work.

Caldicott Guardian Principles

Principle 1: Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian.

Principle 2: Don’t use patient-identifiable information unless it is absolutely necessary
Patient-identifiable information items should not be used unless there is no alternative.

Principle 3: Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

Principle 4: Access to patient-identifiable information should be on a strict need to know basis
Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.

Principle 5: Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information, clinical and non-clinical staff, are aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6: Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.

How this affects complaints handling

Care must be taken at all times throughout the complaints procedure to follow Caldicott principles and ensure that only information about the patient relevant to the investigation of the complaint is disclosed. Further, disclosure should only be to those who have a demonstrable need to know in order to investigate the complaint. Where a complaint is made on behalf of a patient who has not been able to give consent for someone to act for them, care must be taken not to disclose personal health information to the complainant.

Useful resources

Department of Health guidance
Caldicott web page (external link)

Implementing the recommendations of the Caldicott Report (external link)

NHS Confidentiality Code of Practice (external link)

BMJ article (external link)