The Caldicott Principles: the proposed updates explained

Medico-legal adviser Dr Kathryn Leask discusses the proposed changes to the Caldicott principals.

Proposals to expand the Caldicott Principals have recently been published by the National Data Guardian following a recent consultation into the role of the Caldicott Guardian and the existing principals.

NHS organisations have been required to have a Caldicott Guardian since 1998 following publication of the Caldicott Report and the introduction of the principles in 1997. This was part of a review into the use of patient identifiable information and concerns about patient confidentiality.

The principles are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and where they would expect this to be kept private.

However, following the 2020 consultation, it was decided that an additional principle should be created to emphasise the importance of informing patients of how their confidential information is used. There was also continued support for the use of the pre-existing seven Caldicott Principles.

As such, the revised Caldicott Principles focus on:

  • Principle 1: Justify the purpose(s) for using confidential information
  • Principle 2: Use confidential information only when it is necessary
  • Principle 3: Use the minimum necessary confidential information
  • Principle 4: Access to confidential information should be on a strict need-to-know basis
  • Principle 5: Everyone with access to confidential information should be aware of their responsibilities
  • Principle 6: Comply with the law
  • Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
  • Principle 8: Inform patients and services users about how their confidential information is used.

With respect to Caldicott Guardians, further guidance will be produced which will cover their role and responsibilities, paying particular attention to their role in helping to uphold the Caldicott Principles and the role in social care settings. This will cover the competencies, knowledge and qualities required and will acknowledge that a ‘one size fits all’ approach is not appropriate in the health and social care setting, given the diversity of organisations within it.

The UK Caldicott Guardian Council also intends to support the training and development of Caldicott Guardians through e-learning and other resources which will be available in due course.

Case example

A practice manager was contacted by a police officer who was requesting medical information about a patient. The police were aware that the patient was registered with the practice. The patient had been arrested following an allegation that she had assaulted a member of the public. She was currently in police custody and was clearly mentally unwell and possibly experiencing a psychotic episode. The patient currently lacked capacity to give consent for the disclosure to take place. The police officer asked for a copy of her entire record so that they could pass information on to the forensic medical examiner who would be assessing the patient at the police station. The practice manager was aware that this patient suffered from schizophrenia but did have capacity to make her own decisions when she was well.

The practice manager contacted the MDU for advice.

As this related to the disclosure of clinical information, the practice manager was advised to speak to one of the GPs, preferably one who had personal knowledge of the patient. The patient was not currently a risk to the public as she was in custody, however, it did appear that a limited disclosure was in the best interests of the patient as this would allow her clinical needs to be assessed and allow appropriate treatment. The practice manager was advised that under the circumstances and given the patient could not provide consent, a limited disclosure may be appropriate. Rather than disclose the entire record, however, only information that was relevant to the patient’s mental health should be disclosed and only to the appropriate person.

As the disclosure was to allow assessment and treatment of the patient, it was advised that the relevant information be provided directly to the doctor who would be involved in the patient’s care, rather than to the police officer. If the police needed her records at a later date in relation to the crime, they could wait until she had been treated and was able to provide consent.

This page was correct at publication on 28/02/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Dr Kathryn Leask

by Dr Kathryn Leask BSc (Hons) MBChB (Hons) LLB MA MRCPCH FFFLM MRCPathME DMedEth Medico-legal adviser

Kathryn has been a medico-legal adviser with the MDU since 2007 and is a team leader, trainer and mentor in the medical advisory department. Before joining the MDU, she worked in paediatrics gaining her MRCPCH in 2002 and did her specialty training in clinical genetics. She has an MA in Healthcare Ethics and Law, a Bachelor of Law and a Professional Doctorate in Medical Ethics. She is also a fellow of the Faculty of Forensic and Legal Medicine and has previously been an examiner and deputy chief examiner for the faculty. Kathryn is currently a member of the faculty’s training and education subcommittee and a member of the Royal College of Pathologists (medical examiner).