InfoLaw Update - June 2013

In this month's information law update, solicitor Natalie Ruane takes a look at the Caldicott review on information sharing in the healthcare sector.

Caldicott review on information sharing in healthcare sector published

On 26 April 2013, the Department of Health published an independent report (“the Report”) by Dame Fiona Caldicott, reviewing how information about patients is shared between public sector healthcare bodies. The Information Commissioner's Office (ICO) has welcomed the publication of the Report, which follows a government-commissioned review and provides important recommendations around the use of patients’ information.


Data protection law and information governance principles seek to establish a balance between the rights of a data subject and a third party using his or her personal data. The Report’s aim was to ensure that information sharing procedures achieve an appropriate balance between the protection of patient information and the provision of appropriate patient care.

Dame Fiona Caldicott chaired a Review in 1996-97 on the use of patient-identifiable data, which recommended six principles for the protection of people’s confidentiality. These became known as the ‘Caldicott principles’ and included a recommendation that organisations should appoint someone to take responsibility for ensuring the appropriate security of confidential information. The people undertaking these responsibilities became known as ‘Caldicott Guardians’. In her Introduction to the Report, Fiona Caldicott says that she has been gratified to learn that the Caldicott principles continue to be valuable and the Report revisits and restates these principles in the context of health and social care today.

What is the context of the Report?

Health and social care services have become much less paternalistic and much more patient centred. Now patients are generally more aware of, and more concerned about, what happens to their personal information, who has access to it, for what purposes it is used and why it is shared with third parties. We are all increasingly aware of accidental and serious data breaches and organisations are beginning to take their data protection responsibilities much more seriously, especially in light of the Information Commissioner’s ability to impose financial penalties in cases where significant damage or distress is caused.

This has, however, resulted in a reluctance to share information. It is clear that healthcare and social services cannot work effectively without trust, and that trust depends to some extent on confidentiality, but it is also true that data sharing is often vital for patient safety and integrated, high quality care.

The Report notes that many of the clinicians who were interviewed have lost confidence in judging when it is safe to share information and which safeguards are required for sharing. Whilst people using health and social care services are entitled to expect that their personal information will remain confidential and must feel able to discuss sensitive matters with a doctor, nurse or social worker without fear that the information may be improperly disclosed, people also expect professionals to share information with other members of the care team, who need to co-operate to provide a seamless, integrated service.

Since Victoria Climbie, we are all too aware of the tragedies which can ensue when different agencies fail to share information appropriately. So good sharing of information, when sharing is appropriate, is as important as maintaining confidentiality. All organisations providing health or social care services must succeed in both respects if they are not to fail the people that they exist to serve.

When it comes to sharing information, the Report concludes that a culture of anxiety permeates the health and social care sector. It feels that managers, who are fearful that their organisations may be fined for breaching data protection laws, are inclined to set unduly restrictive rules for information governance and that front-line professionals, who are fearful of breaking those rules, do not co-operate with each other as much as they would like by sharing information in the interests of patients and service users.

There is also a lack of trust between the NHS and local authorities and between public and private providers due to perceived and actual differences in information governance practice. The Report concludes that this state of affairs is profoundly unsatisfactory and needs to change.

The Report’s recommendations

The Report made several recommendations, including that:

• a patient’s right to access his/her own care records should cover hospital records, community records and personal confidential data held by all organisations within the health and social care system;
• access should become available within the next decade, through a clear implementation plan;
• patient records should include an audit trail of everyone who has accessed a patient's personal confidential data, and this audit trail should be made available to patients;
• safe and appropriate data sharing between healthcare teams that have a legitimate relationship with the patient (in the interests of the individual's direct care) should be the rule, not the exception; and that
• protocols should be introduced to assist staff to distinguish between an individual such as a relative legitimately seeking information about a patient and someone making improper inquiries, as should procedures for informing and helping people if mistakes are made.

The Report has also revised the Caldicott principles, which should underpin information governance across the health and social care services, and which are now restated as follows:

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

2. Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should have access only to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data — both clinical and non-clinical staff — are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

How has the Report been received?

A member of the panel that helped Dame Fiona Caldicott carry out the review, Dawn Monaghan, ICO Strategic Liaison Group Manager for Public Services, has spent the last year working with the other panel members gathering evidence and considering the emerging issues across health and social care.

Welcoming the final report Dawn Monaghan expressed her belief that, if the Report’s recommendations are adopted, these will help improve how sensitive patient information is used, shared and secured, inspiring improved patient trust and confidence. She is of the view that adoption of the Report’s recommendations will also bolster compliance with the requirements of the Data Protection Act. She confirmed that the ICO has a particular interest in ensuring that appropriate sharing is encouraged and agrees that everyone in the health and social care system should see information governance as part of their responsibility and should be educated and trained to a level that will enable them to use data in a safe, secure and sensible manner.

Taking a slightly different approach, the Health Secretary emphasised that the Caldicott review has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments and respecting the privacy and wishes of the patient.

Jeremy Hunt expressed his view that information and technology will only have a transformational effect on healthcare if the relationship of trust between a medical professional and a patient is respected and, speaking at the Electronic Patient Records Conference, he said that while effective sharing of patient information has enormous potential to improve patient care, services and treatments, this can only be done effectively if patients are given a say over how their personal information is used.

He said that, if patients are to see the benefits of these changes, the wishes of the small number of people who would prefer not to share their information must be respected. He expressed his firm belief that technology can transform the quality of healthcare in this country but emphasised the importance of respecting the fact that medical and other sensitive data is very personal information about an individual.

He announced that any patient that does not want personal data held in their GP record to be shared with the Health and Social Care Information Centre will have their objection respected and promised that, where personal data has already been shared by a GP practice, a patient will still be able to have the identifiable information removed should he or she so decide. He stressed that various organisations, including the NHS and GPs, will be tasked with raising public awareness both so that people are informed of the changes and know how they can lodge an objection and so that GPs understand the role they need to play in implementing this.


The Report is a clear and helpful restatement of the principles set out in the Data Protection Act in a health and social care context. What it clearly identifies is a need for focussed and practical education and training at all levels in organisations working in the sector, whether large NHS hospitals or small charitable hospices.

Across the health and social care system, most staff are already required to undertake annual training in information governance but, as will not be a surprise to many, the mandatory training is often a ‘tick-box exercise’ which may have little or no practical value.

The Report notes the view of one nurse interviewed that the experience was equivalent to an annual “sheep dip”, which staff could go through without thinking. A lack of general awareness about data protection issues is common - in my recent experience at a local dentists’ practice, for example, patients’ data forms were simply left lying on the reception desk.

There needs to be a fundamental cultural shift in the approach to learning about information governance. Health and social care professionals should be educated and not simply trained in effective policies and processes for sharing of information. They should have formal information governance education, with a link to and a focus on their specific role and responsibilities. In the context of patient information, education should also consider when a duty to share information in the interests of the patient arises.

Where children are concerned, there will need to be a focus on how health and social care professionals interface with schools and other education providers as well as consideration of the complicating factor of the competence of the child him or herself to consent or object to the sharing of his or her data.

Data protection is essentially a set of simple, easily understandable principles. Once they are understood, information governance, including data sharing, becomes a much less grey area. And that will benefit us all.

The full text of the Report is available here.

About the author

Natalie Ruane

Natalie is a Partner and leads the Employment Law & HR team and specialises in education.

Published: Monday 17th June 2013
Categorised: Information Law, Public Sector