
The Caldicott Report was published in December 1997 and was the result of an inquiry chaired by Dame Fiona Caldicott. The purpose of this article is to inform those who have not been directly involved about the main implications for those working in primary care. The Caldicott Report is about the use of patient-identifiable information. The report found that the confidentiality and security of patient data were variable throughout the NHS. It set out a list of principles which should be worked towards throughout the health service and proposed that each PCO and Trust appoint an individual, referred to as a 'Caldicott Guardian', to be responsible for ensuring that the principles are implemented and monitored throughout their organisation.

A Caldicott Guardian is a person who is responsible for the implementation of the Caldicott principles and is responsible for guarding patients’ data. This person will probably be a member of the Board but could be another senior health professional or an individual with responsibility for promoting clinical governance.

Individual Practices do not need to appoint their own Caldicott Guardian, but they should have appointed a lead individual (a GP, nurse or other responsible person) for dealing with Caldicott issues.

The Caldicott Principles for dealing with patient-identifiable information are:

1) Justify the purpose - all uses of patient-identifiable information should be clearly defined. The Caldicott Guardian should keep these uses under review.

2) Don’t use patient-identifiable information unless it is absolutely necessary - this includes within Practices and PCOs as well as where information is transferred between NHS organisations.

3) Use the minimum necessary patient-identifiable information - where it is necessary to identify the patient, the minimum information should be used, for example the NHS number or surname and date of birth.

4) Access to patient-identifiable information should be on a strict need-to-know basis - access to patient data should be restricted to those who need to know it, and then they should only have access to the data they need. Security measures should be introduced in Practices and all NHS organisations to restrict access to patient data.

5) Everyone should be aware of their responsibilities - everyone who handles any patient information (from which individuals can be identified) should be appropriately trained in respect of patient confidentiality.

6) Understand and comply with the law - each organisation should have an individual who is responsible for ensuring that legal requirements are met. This includes the Data Protection Act and other relevant legislation.

Many Practices have completed the Caldicott Audit Questionnaire which aims to identify areas which could be improved. Areas which have been identified include:
* Providing posters and leaflets for patients explaining how information held about them is used
* Reviewing the practice code of conduct regularly to ensure it meets current requirements of confidentiality and security
* Ensuring that the code of conduct is part of all staff induction procedures
* Ensuring that confidentiality is kept in focus at all times
* Ensuring that all staff receive appropriately detailed confidentiality training
* Checking that all staff have current employment contracts which include confidentiality statements
* Providing a complete map of information flows – showing who uses patient identifiable information and where it goes (both within and outside the Practice)
* Agreeing protocols for sharing information with other organisations
* Undertaking risk assessments relating to security issues
* Maintaining a security policy detailing how breaches of security are detected, recorded and investigated
* Restricting access to IT equipment and regularly changing passwords
This is not an exhaustive list but is intended to give indications of the implications of Caldicott within Medical Practices.