Caldicott Guardians
The Caldicott Guardian for Sherwood Forest Hospitals NHS Foundation Trust is Dr David Selwyn, Medical Director.
Caldicott Guardians derive their name and inspiration from the Government Review of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, which reported in December 1997. One of its recommendations was that “a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.”
The Caldicott Guardian has a responsibility to ensure confidential patient information is kept secure and used in accordance with the principles below:
- Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
- Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.
- Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.
- Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.
- Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patient and service users.
- Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.
- Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
- A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.
The Caldicott Guardian is an advisory role although is seen as a pivotal point for handling and protecting confidential patient information across the Trust.
The Caldicott Guardian is the ‘conscience’ of the Trust, providing a focal point for patient confidentiality, information sharing issues and advising on the options for lawful and ethical processing of information as required.
National Data Guardian Standards
The National Data Guardian advises and challenges the health and care system to help ensure that citizens' confidential information is safeguarded securely and used properly.
The Health and Social Care (National Data Guardian) Act 2018 placed the NDG role on a statutory footing and granted it the power to issue official guidance about the processing of health and adult social care data in England. Public bodies such as the Trust, GPs, care homes, planners and commissioners of services will have to take note of guidance that is relevant to them, as will organisations such as private companies or charities which are delivering services for the NHS or publicly funded adult social care. The NDG may also provide more informal advice about the processing of health and adult social care data in England.
Dame Fiona Caldicott, who had held the non-statutory NDG role since 2014, became the first statutory post holder in April 2019.
Dr Nicola Byrne is the National Data guardian for health and adult social care in England, having been appointed to the role in March 2021 by the Secretary of State for Health and Social Care.
In 2016, Dame Fiona Caldicott, published her report: 'Review of Data Security, Consent and Opt-outs' in which she proposed ten standards for health and social care. These standards are now a legal requirement and are addressed in the Data Security and Protection (DSP) Toolkit.
We must comply with these standards.
Any companies contracting services to the Trust must sign a confidentiality agreement, to confirm that they have undertaken mandatory Data Security Awareness training, read and understand our Information Governance policies and accept personal responsibility to maintain confidentiality.
Sharing Information for Safeguarding Purposes
Information sharing plays a key role in safeguarding of children and adults at risk. In July 2018 the Government released information sharing guidance for practitioners providing safeguarding services to children, young people, parents and carers.
The following 7 golden rules were highlighted as follows:
- Remember that the UK GDPR, Data Protection Act 2018 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
- Be open and honest with the individual (and/or their family where appropriate) from the outset about what, why, how and with whom information will, or could be, shared and seek their agreement unless it is unsafe or inappropriate to do so.
- Seek advice from other practitioners or your information governance lead, if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.
- Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the UK GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.
- Consider safety and wellbeing: base your information sharing decisions on considerations of the safety and wellbeing of the individual and other who may be affected by their actions.
- Necessary, proportionate, relevant, adequate, accurate, timely and secure.
- Keep a record of your decision and the reasons for it - whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.