Sometimes a consultant in public health (usually a Director of Public Health) is asked to be the Caldicott Guardian of their organisation. All NHS organisations and local authorities must have a Caldicott Guardian. This summary is not meant to be a comprehensive view of the role, but rather some notes that may be of interest to you.
Role of Caldicott Guardian
The role of the Caldicott Guardian is to protect the confidentiality of patient information and enable appropriate information sharing. All data relating to patients in the NHS are confidential to protect a patient from being identified and to ensure patient safety. There are 3 conditions under which this can be overruled: where there is a legal basis, where there is patient permission, and where there is overwhelming public interest. The Caldicott Guardian is responsible for checking whether or not it is correct for an organisation or members of an organisation to share patient information.
A Caldicott Guardian needs to be a senior manager, have a clear grasp of the issues affecting patient confidentiality and consent, be aware of the legislation and guidance that supports confidentiality and consent issues and be able to make practical decisions that help the organisation to respond effectively to confidential issues.
All Caldicott Guardians are members of the UK Caldicott Guardian Council which is a subgroup of the National Data Guardian's Panel.
Patient identifiable information should not be disclosed unless the patient has consented. Consent must be freely given. Organisations should have clear confidentiality and consent policies that are available to patients. Staff should make sure that patients are informed of the consequences of giving or withholding consent. Patients have the right to withdraw consent at any time. There are two types of consent: implied consent, where, for example, the patient is told that they are being referred to another clinician, and explicit consent, where the patient is directly asked for consent. This can be written or verbal. When asked to share information on a patient, it is often useful to ask yourself the following questions:
- Do you have patient consent?
- Is there a suitable basis for disclosure?
- Is there sufficient public interest to warrant disclosure?
If no to all questions, then don't share the information.
The 6 Caldicott Principles
- Justify the purpose for use of confidential information
- Only use it when absolutely necessary
- Use the minimum required
- Access should be on a strict need-to-know basis
- Everyone must understand their responsibility
- Everyone understands and complies with the law
Useful Guidance to be Familiar with:
1. Caldicott Manual (2017)
2. Caldicott Principles (outlined above)
3. Common law duty of confidence
4. Data Protection Act (1998)
5. NHS Confidentiality Code of Practice
Tasks of Caldicott Guardian
1. Look at internal audits in relation to confidentiality and data protection assurance (and link to Information Governance Assurance Framework)
2. Oversee confidentiality and data protection assurance issues and ensure that they are properly discussed at board level
3. Advise the Board of the organisation (or other governing body) on the inclusion of confidentiality issues into statements of internal control
4. Ensure that results of internal audits are discussed at board level
5. Ensure that the board is aware of any results affecting confidentiality and data protection assurance revealed by external audits
Responsibility of Caldicott Guardian
This falls into 3 roles: (1) strategic (2) advisory and (3) operational.
The operational component can include the following:
- Being aware of how procedures for processing confidential information might impact on the organisation's business and goals
- Promoting a confidentiality culture by making sure the organisation upholds the highest standards and best practice on confidentiality
- Providing reports to the board/governing body/senior management team and maintaining a log of resolved Caldicott issues
- Providing advice to staff on Caldicott/confidentiality issues
- Helping to resolve local issues impacting on the Caldicott and confidentiality agenda
- Ensuring that there is appropriate confidentiality training available to staff
- Ensuring that the rules on confidentiality and information sharing are appropriately reflected in internal procedures
- Overseeing arrangements, protocols and procedures before confidential patient/service user information is shared with external organisations