
In full: Caldicott report’s 26 recommendations

Caldicott Report recommendations:

1. People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge.

An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records. The Department of Health and NHS Commissioning Board should drive a clear plan for implementation to ensure this happens as soon as possible.

2. For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.

Health and social care providers should audit their services against NICE Clinical Guideline 138, specifically against those quality statements concerned with sharing information for direct care.

3. The health and social care professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care. Where appropriate, this should be done in consultation with the relevant Royal College. This process should be commissioned from the Professional Standards Authority.

4. Direct care is provided by health and social care staff working in multi-disciplinary ‘care teams’. The Review Panel recommends that registered and regulated social workers be considered a part of the care team. Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance.

Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and social care provider organisations must ensure that robust combinations of safeguards are put in place for these staff with regard to the processing of personal confidential data.

5. In cases where there is a breach of personal confidential data, the data controller, the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with the remedial action being undertaken and an apology to the person whose confidentiality has been breached.

6. The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach.

There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations.

7. All organisations in the health and social care system should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to actively dissent (ie withhold their consent).

8. Consent is one way in which personal confidential data can be legally shared. In such situations people are entitled to have their consent decisions reliably recorded and available to be shared whenever appropriate, so their wishes can be respected. In this context, the Informatics Services Commissioning Group must develop or commission:

Guidance for the reliable recording in the care record of any consent decision an individual makes in relation to sharing their personal confidential data; and

A strategy to ensure these consent decisions can be shared and provide assurance that the individual’s wishes are respected.

9. The rights, pledges and duties relating to patient information set out in the NHS Constitution should be extended to cover the whole health and social care system.

10. The linkage of personal confidential data, which requires a legal basis, or data that has been de-identified, but still carries a high risk that it could be re-identified with reasonable effort, from more than one organisation for any purpose other than direct care should only be done in specialist, well-governed, independently scrutinised and accredited environments called ‘accredited safe havens’.

The Health and Social Care Information Centre must detail the attributes of an accredited safe haven in their code for processing confidential information, to which all public bodies must have regard.

The Informatics Services Commissioning Group should advise the Secretary of State on granting accredited status, based on the data stewardship requirements in the Information Centre code, and subject to the publication of an independent external audit.

11. The Information Centre’s code of practice should establish that an individual’s existing right to object to their personal confidential data being shared, and to have that objection considered, applies to both current and future disclosures irrespective of whether they are mandated or permitted by statute.

Both the criteria used to assess reasonable objections and the consistent application of those criteria should be reviewed on an ongoing basis.

12. The boards or equivalent bodies in the NHS Commissioning Board, clinical commissioning groups, Public Health England and local authorities must ensure that their organisation has due regard for information governance and adherence to its legal and statutory framework.

An executive director at board level should be formally responsible for the organisation’s standards of practice in information governance, and its performance should be described in the annual report or equivalent document.

Boards should ensure that the organisation is competent in information governance practice, and assured of that through its risk management. This mirrors the arrangements required of provider trusts for some years.

13. The Secretary of State for Health should commission a task and finish group including but not limited to the Department of Health, Public Health England, Healthwatch England, providers and the Information Centre to determine whether the information governance issues in registries and public health functions outside health protection and cancer should be covered by specific health service regulations.

14. Regulatory, professional and educational bodies should ensure that:

-information governance, and especially best practice on appropriate sharing, is a core competency of undergraduate training; and

-information governance, appropriate sharing, sound record keeping and the importance of data quality are part of continuous professional development and are assessed as part of any professional revalidation process.

15. The Department of Health should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development.

16. Given the number of social welfare initiatives involving the creation or use of family records, the Review Panel recommends that such initiatives should be examined in detail from the perspective of Article 8 of the Human Rights Act. The Law Commission should consider including this in its forthcoming review of the data sharing between public bodies.

17. The NHS Commissioning Board, clinical commissioning groups and local authorities must ensure that health and social care services that offer virtual consultations and/or are dependent on medical devices for biometric monitoring are conforming to best practice with regard to information governance and will do so in future.

18. The Department of Health and the Department for Education should jointly commission a task and finish group to develop and implement a single approach to recording information about ‘the unborn’ to enable integrated, safe and effective care through the optimum appropriate data sharing between health and social care professionals.

19. All health and social care organisations must publish in a prominent and accessible form:

-a description of the personal confidential data they disclose;

-a description of the de-identified data they disclose on a limited basis;

-who the disclosure is to; and

-the purpose of the disclosure.

20. The Department of Health should lead the development and implementation of a standard template that all health and social care organisations can use when creating data controller to data controller data sharing agreements. The template should ensure that agreements meet legal requirements and require minimum resources to implement.

21. The Health and Social Care Information Centre’s Code of Practice for processing personal confidential data should adopt the standards and good practice guidance contained within this report.

22. The information governance advisory board to the Informatics Services Commissioning Group should ensure that the health and social care system adopts a single set of terms and definitions that both staff and the public can understand. These terms and definitions should begin with those set out in this document. All education, guidance and documents should use this terminology.

23. The health and social care system requires effective regulation to ensure the safe, effective, appropriate and legal sharing of personal confidential data. This process should be balanced and proportionate and utilise the existing and proposed duties within the health and social care system in England. The three minimum components of such a system would include:

-a Memorandum of Understanding between the CQC and the ICO;

-an annual data sharing report by the CQC and the ICO; and

-an action plan agreed through the Informatics Services Commissioning Group on any remedial actions necessary to improve any situation shown to be deteriorating in the CQC-led annual ‘data sharing’ report.

24. The Review Panel recommends that the Secretary of State publicly supports the redress activities proposed by this review and promulgates actions to ensure they are delivered.

25. The Review Panel recommends that the revised Caldicott principles should be adopted and promulgated throughout the health and social care system.

26. The Secretary of State for Health should maintain oversight of the recommendations from the Information Governance Review and should publish an assessment of the implementation of those recommendations within 12 months of the publication of the review’s final report.
