The Caldicott Reviews

Caldicott Review 1997

A review was commissioned by the Chief Medical Officer of England owing to increasing concern about the ways in which patient information was being used in the NHS in England and Wales and the need to ensure that confidentiality is not undermined. Such concern was largely due to the development of information technology in the service and its capacity to disseminate information about patients rapidly and extensively.

The review was undertaken by Dame Fiona Caldicott. The Caldicott Report recommended the following six principles, which were subsequently approved by the Department of Health (DoH) and provide a framework to put the Data Protection Act into operation in respect of patient data:

  1. Justify the purpose(s)
    Every proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.
  2. Don’t use patient identifiable information unless it is absolutely necessary
    Patient identifiable information items should not be included in an information flow unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
  3. Use the minimum necessary patient-identifiable information
    Where use of patient identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
  4. Access to patient identifiable information should be on a strict need-to-know basis
    Only those individuals who need access to patient identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.
  5. Everyone with access to patient identifiable information should be aware of their responsibilities
    Action should be taken to ensure that those handling patient identifiable information – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.
  6. Understand and comply with the law
    Every use of patient identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.

These principles have been subsumed into the Confidentiality: NHS Code of Practice.

Caldicott Review 2012

A second review, Information: to share or not to share, was commissioned due to issues surrounding the imbalance between sharing and protecting information. The Caldicott Report was published in April 2013 and, in September 2013, the DoH approved the recommendations.

The Caldicott Report recommended a seventh key principle:

  • The duty to share information can be as important as the duty to protect patient confidentiality
    Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework of the existing principles.

The DoH published the following expectations in respect of the seventh principle:

  • That all staff and workers in the health and care system are aware that the duty to safeguard children or vulnerable adults may mean that information should be shared, if it is in the public interest to do so, even without consent.
  • That relevant, personal, confidential data held by all health and care organisations is shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.

The full DoH response to the latest Caldicott Review is accessible via the following link: