The Caldicott Principles – what are they & why do they exist?

If you work in the healthcare sector, then you may well have heard of the Caldicott Principles, but you may not understand what they specifically cover or why there was and is a need for them. The Caldicott Principles should be comprehensively understood by those in senior healthcare roles, and the relevant elements transmitted to those in less senior healthcare roles.

What are the Caldicott Principles?

The Caldicott Principles were created as a means to provide individuals an acceptable level of confidentiality where their personal medical history and data are concerned. The principles were created, and subsequently added to, as a means to tackle the problems within the National Health Service (NHS) involving the treatment of patient data, particularly in light of technological advances which were leading to the digitisation of this data.

Why do the Caldicott Principles exist?

Only a generation ago, it may surprise you to discover that personal information of individuals in relation to their health, medical conditions and any treatment received was not confidential. It was information that any member of the public could access, and many did. This personal information was used by those in positions of authority as leverage for personal or financial gain. Patients' personal information was so easily accessible that they became victims of social discrimination and abuse.

Additionally, because of the very personal nature of healthcare and the treatment of any illness, confidentiality surrounding health issues played a major part in the psyche of patients and their ability to recover.

Consequently, it became apparent that there needed to be a set of rules established that would help to wipe out what had become indiscriminate access to private, sensitive and personal information. The situation had basically come to a head as information on the medical history of political opponents was being accessed and used against them.

One of the biggest problems that perhaps delayed the problem being addressed was the general need for the sharing of patients' information as a means to identify problems and improve patient treatment. Without the sharing of vital medical information, there was a risk that the price of protecting the confidentiality of patient information would be too high.

When were the Caldicott Principles introduced?

It was in 1997 that Dame Fiona Caldicott chaired a committee which produced ‘The Caldicott Committee’s Report on the Review of Patient-Identifiable Information’ and which also provided a review on the transfer of identifiable patient information within the health services. The result of this report was the creation of what became known as the Caldicott Principles. Initially, there were six principles. However, in 2013 there was a second report prepared by the Caldicott Committee, known as Caldicott2, which expanded substantially on the original 1997 report. 26 additional recommendations were made, while a seventh Caldicott Principle was added to the list. In December 2020, after a public consultation which covered Dame Fiona Caldicott's intention to revise the existing seven Principles, add a further eighth Principle, and issue guidance about Caldicott Guardians. This resulted in the addition of the eighth Caldicott Principle in 2021.

How many Caldicott Principles are there?

‘The Caldicott Committee’s Report on the Review of Patient-Identifiable Information’ resulted in the creation of the first six Caldicott Principles. In 2013 a seventh Caldicott Principle was introduced, and in 2021 the newest principle, the eighth Caldicott Principle, was added to the list. The eight Principles are as follows:

Let's have a more detailed look at each of these Principles.

Justify the purpose for using confidential information

The guiding factor here is that no information relating to a patient should be shared with anyone unless it is genuinely in the patient's best interest. In other words, the use of any patient data, or its transfer within or to another organisation, must be clearly defined and documented. An appropriate guardian should be responsible for ensuring there are continuous checks on its ongoing use. It is important that the reasons for giving out any personal information about a patient are clearly stipulated, and that a guardian be present for proper documentation and to act as a witness in the event there is further use of the information.

Don’t use personal, confidential data unless absolutely necessary

Any data used must be necessary for a specific purpose. It is critical that this criterion be applied every time that data is used. It must always be borne in mind that requesting or handing out of patient information puts their safety at risk, so such actions must be carefully considered. If the use of the information will be of no (potential) benefit to the patient, then their data should not be used.

Use the minimum necessary personal confidential data

If personally identifiable data has to be used, each and every element of that data should be assessed in terms of its justification. The smaller the volume of data used, the smaller the chance of the person whose data is being used being identified. Once again it is critical that the minimum of personal data be shared, and that the data shared is important to the recipient.

Access to personal confidential data should be on a strictly need-to-know basis

One of the most important stipulations of the Caldicott Principles is that the person with whom any personal data is to be shared is allowed access to that information. A request for data cannot be made just by anyone, and once obtained by an approved/authorised third party, they cannot then automatically share it with anyone they choose. In other words, whoever is given access to the data must have full authorisation to do so. For each individual or organisation who has access to personal data of a patient, it is their responsibility to ensure that any additional third party who wants access to the data has the appropriate permission(s).

Everyone with access to personal confidential data should be aware of their responsibilities

Here it is important to understand that while access can be given to personal patient data, it cannot be classed as a 'free for all' and that access must be limited to the fewest number of people possible. It is also important that anyone who is given access to a patient's private data is made fully aware of their ethical and moral obligations in terms of keeping that information confidential. Should anyone who has access to a patient's data feel the need to share that information with anyone else, they must ensure that that person has the right to see the information and that the sharing of it is in the patient's best interests.

Understand and comply with the law

This is the last of the original Caldicott Principles and it stipulates that the use of any patient data must be for legal purposes only. Consequently, any organisation that requires access to patient data must have an individual who can oversee how that data is used and who can ensure that all legal requirements are met. Beyond that, the individual must also ensure that all data is kept securely and all efforts to protect the confidentiality of all information are made. It should be noted that such data comes under the jurisdiction of the Data Protection Act. In addition, in the UK there is a duty of confidentiality which is not a property or proprietary right. It's a legal right to prevent the transmission of confidential information to another person which would be in breach of a confidential relationship.

The duty to share information correctly and appropriately can be as important as the duty to protect patient confidentiality

Instigated in 2013, this principle is based on the fact that as much as it is permitted to share information only in the best interest of a patient, an organisation must ensure it protects the confidentiality of that patient. There may be circumstances where health or social care professionals may be required to share certain information about a patient, or information about a patient may be required by a government agency or an R&D organisation. While health and social workers may share certain information, they must still ensure that the patient remains anonymous.

A patient’s personal identification information can be given where:

Inform patients and service users about how their confidential information is used

Specific steps should be taken to guarantee that there are no surprises for patients. They should have clear expectations about how and why their confidential information is used, and they should be fully informed as to what choices they have concerning the sharing of their data. As a minimum, these steps should include providing accessible, relevant and appropriate information – while in certain cases a greater level of engagement will be necessary.

Here at Commodious we specialise in providing online courses that cover many aspects of Health & Safety at work.