New Caldicott Principle and statutory guidance on Caldicott Guardians

The National Data Guardian for Health and Social Care (NDG), Dame Fiona Caldicott, has launched a public consultation about revising and expanding the existing seven Caldicott Principles and issuing guidance to organisations about the appointment of Caldicott Guardians.

Since 1998 every NHS organisation has had to have a Caldicott Guardian. Local authorities with adult social care responsibilities followed suit in 2002. The principles themselves, which Caldicott Guardians are responsible for upholding in their organisations, arose out of the Caldicott Committee’s Report on the Review of Patient Identifiable Information in 1997 which recommended the introduction of six best practice principles. A seventh principle was added in 2013.

The NDG is now consulting on:

• Revisions to the existing seven Caldicott Principles
• The introduction of an eighth principle
• A proposal to issue guidance about organisations appointing Caldicott Guardians.

We summarise the proposed changes below.

Revisions to the principles

The proposed revisions to the existing principles are intended to refresh the wording, make the principles clearer and make them more compatible with the data protection legislation. For example, as proposed, the new principles will refer simply to ‘confidential information’ rather than ‘personal confidential data.’ Under the revised principles 2 and 3, such information should only be used if ‘necessary’ (rather than if ‘essential’ which was the wording under the old principles) – this brings the wording in to line with the GDPR and the Data Protection Act 2018.

Principle 8: No surprises

Those who have followed the NDG’s public statements over the last few years will know that she has long emphasised the importance of an open dialogue with the public about how their confidential information is used, and that there should be “no surprises” for the public in how their confidential information is used. This is consistent with the strong focus in the GDPR on transparency and openness.

The proposed eighth principle would give the “no surprises” mantra a basis in the principles. It provides for organisations to take a range of steps to inform patients and service users’ expectations about use of their confidential information. As a minimum, this would include them being provided with “relevant and appropriate information,” but in some cases “greater engagement will be required” to promote an understanding and acceptance of how such confidential information is used. Perhaps, most significantly, principle 8 would provide that individuals should be given an accessible way to ‘opt out’ from their information being used.

This eighth principle echoes the requirements for transparency in the first data protection principle, and the rights given to data subjects under the GDPR. For the NDG, such transparency is essential to maintaining public trust in health and care services and encourages a “partnership approach” between professionals and those in their care.

The NDG proposes to issue guidance under the statutory powers she was granted as a result of the Health and Social Care (National Data Guardian) Act 2018. It is intended that all public bodies exercising functions which relate to the health service, to adult social care or to support provided to carers under Part 1 of the Care Act 2014 will have to have regard to the guidance. The same applies to those persons or private organisations who have entered into arrangements with public bodies exercising such functions.

It is proposed that the new guidance will require all such organisations to appoint a Caldicott Guardian. The NDG has recognised that it may not be proportionate for some smaller organisations to appoint a dedicated guardian so the guidance may specify which types of organisations ought to have a dedicated guardian, and where it might be appropriate to have a shared guardian or for the Caldicott function to be carried out as part of a dual role (presumably, by a data protection officer or Senior Information Risk Officer).

The new guidance has not yet been drafted, so the consultation is an opportunity for those interested to help shape it. The online survey, which you can complete as part of the consultation, asks for views on what the new guidance should cover (e.g. expected competencies of Caldicott Guardians; their roles, responsibilities and accountability; training and continuous professional development). The NDG is also asking for views on what additional support might be helpful to assist the implementation of the guidance (e.g. training for Caldicott Guardians, training for senior staff within organisations, peer-to-peer support).

How you can get involved

Organisations or individuals wishing to respond to the consultation have until midday on 3 September 2020 to provide their views. Details of how to respond can be found here, where you can also read the consultation document in full.

We have seen an increasing number of queries about the use of confidential information in health care settings. Over the next few months, we will be publishing a series of articles about the law of confidentiality, information sharing and related issues. These guides will provide an overview of the legal framework that applies to confidentiality; the relationship between confidentiality and data protection; the practical implications of a breach of confidence; and confidentiality in a digital health context.

If you wish to discuss the impact of the changes proposed by the NDG on your organisation, or other information sharing queries, please get in touch with Charlotte Harpin and Steve Atkinson. We are particularly keen to hear from Caldicott Guardians, Data Protection Officers and Information Governance Professionals about issues you would like us to consider in this series.