On the 8th December 2020, the National Data Guardian for Health and Social Care Dame (‘NDG’) published its response to the NDG’s consultation on the Caldicott Principles and the role of Caldicott Guardians.
The Caldicott Principles (‘the Principles’) were first introduced in 1997 as good practice principles to safeguard the use of confidential information within the NHS. Every NHS organisation and local authority with adult care responsibilities is required to appoint a Caldicott Guardian with the responsibility of upholding the Principles. However, the Principles and the role of Caldicott Guardians are now commonly implemented within the wider health and social care sector by organisations such as care homes and hospices and other sectors including prisons, the police and armed forces.
We summarise below the key outcomes of the consultation, and briefly consider the implications going forward.
What is changing?
1) Wording of the existing Caldicott Principles has been amended
The feedback widely acknowledged that although the Principles are of general importance, few actually understood what each principle meant and how these were implemented in practice.
As a result, the wording of the existing principles has been amended with a view to increasing clarity and effectiveness in practice. An introduction has been added which provides context as to how the Principles should be used, placing emphasis on patients and service users as active partners in the use of their personal data. Much of the wording throughout has also been simplified; for example, use of the term ‘personal confidential data’ has been replaced with ‘confidential information’ which is more commonly used in professional and regulatory guidance and widely understood by frontline professionals.
Furthermore the wording of Principle 7, the most recently added principle following the Information Governance Review 2013, has been tightened. This particular Principle previously opined that the duty to share information can be as important as the duty of confidentiality, but the balance between the competing duties has been recalibrated such that the duty to share information now ‘is as important’ . The Principle has also been further contextualised by adding the words ‘for individual care’. This is to address anxiety among health and care professionals that information governance rules were preventing the sharing of information to support individuals’ care (noting that the introduction addresses that the Principles also apply to purposes beyond individual care).
The revised wording and full list of Caldicott Principles can be accessed here.
2) A new, eighth Caldicott Principle
A new Principle has been added, which reads as follows:
'Principle 8: Inform patients and service users about how their confidential information is used.’
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.’
This has been added to the existing seven principles to further emphasise the need for the active involvement of the patient or service user in how their confidential information is being used. This is to underline the need for transparency, leaving ‘no surprises’ for the patient or service user.
3) Commitment to issue guidance in 2021 about the appointment of Caldicott Guardians for health and adult social care organisations
The NDG has committed to using her statutory power under the Health and Social Care (National Data Guardian) Act 2018 for the first time to issue guidance specifying that all public bodies within the health and adult social care sector, and all organisations which contract with such public bodies to deliver health or adult social care services in England, should have a Caldicott Guardian. It is obligatory, in accordance with the Act, for such bodies to have regard to guidance issued by the NDG.
The guidance will cover issues such as the role and responsibilities of Caldicott Guardians, competencies and knowledge required, training and continuous development, relationships to other key roles (for example, Data Protection Officers), accountability, types of organisations that should be appointing dedicated Caldicott Guardians, and how smaller organisations can arrange a Caldicott function where it may not be proportionate to have a Caldicott Guardian.
The guidance is to be drafted in the new year and will published before the end of the 2020-21 financial year, with an expected implementation period before coming into force in 2021-22.
What does this mean?
The changes to the Principles emphasise a move in recent years towards a partnership between health and care professionals and those in their care. The amendments also align the Principles more closely with the General Data Protection Regulation (GDPR) emphasis on transparency and data subject rights. We do not anticipate that the refresh of the Principles will require fundamental changes by health and care organisations. However, the addition of a further Principle relating to the need to inform patients about how their data will be used makes it even more critical that the various ways in which patient data is used organisation is fully mapped out and then reflected in Privacy Notices.
We also anticipate that most health and care organisations will already have appointed a Caldicott Guardian, although clearly for those who have not then the forthcoming guidance in this regard will be crucial. For those organisations who already have a Caldicott Guardian in place then the crucial steps to take will be to ensure that their role and responsibilities are consistent with the guidance.
We will provide a further update in due course, once further details of the guidance are available.
