A review was commissioned in 1997 headed by Dame Fiona Caldicott, to map how service user identifiable information is used within the NHS.
The Chief Medical Officer of England commissioned this review, owing to increasing concern about the ways in which service user information is used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. This concern was largely due to the development of information technology in the service and its capacity to disseminate information about service users rapidly and extensively.
A key recommendation of the report was to establish a network of Caldicott Guardians of service user information throughout the NHS and social care. They are responsible for agreeing and reviewing internal protocols governing the protection and use of service user identifiable data and for ensuring that the information is used in a fair and consistent manner.
The Report also set out the following Caldicott Principles:
-
Every proposed use or transfer of service user identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.
-
Service user identifiable information items should not be included unless it is essential for the specified purpose of that flow. The need for service users to be identified should be considered at each stage of satisfying the purpose.
-
Where use of service user identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified, so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
-
Only those individuals who need access to service user identifiable information should have access to it, and if they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.
-
Every use of service user identifiable information must be lawful. Someone in each organisation handling service user information should be responsible for ensuring that the organisation complies with legal requirements including Data Protection.
-
Every use of service user identifiable information must be lawful. Someone in each organisation handling service user information should be responsible for ensuring that the organisation complies with legal requirements.
Infectious diseases