protecting and using patient information - hscic guidance...where local circumstances dictate that...
Post on 09-Jun-2018
219 Views
Preview:
TRANSCRIPT
Protecting and Using Patient InformationA Manual for Caldicott Guardians
A C T I O N
nhs caldicot binder 26/7/01 4:41 pm Page 1
Author Phil Walker
Further copies from Confidentiality Issues
NHS Executive Headquarters
Quarry House
Leeds LS2 7UE
Catalogue Number 15279
Date of issue March 1999
A C T I O N
matters requiring action
Purpose of this document
Action
Contents
Introduction
• Introduction
• The Caldicott Principles
• The Guardian Work Programme Timetable
HSC 1999/012: Issued 22 January 1999
Introducing Caldicott Guardians into the NHS
• Who should be the Guardian?
• Resources and Support
• The Guardian Role
• Specific tasks in the first year
Management Audits & Improvement Plans
• Management Audit
• Organisational Profile
• Improvement Plans
• Primary Care Groups
Information Protocols
• Protocols Governing the Receipt & Disclosure of Patient/Client
Information
• The Crime and Disorder Act 1998
Controlling Access to Patient/Client Information
• The Guardian as “Gatekeeper”
• Staff Access to Patient Information
• Safe-Haven Procedures
• Access to the NHS Strategic Tracing Service
Reviewing Information Flows
• Mapping and Prioritising Information Flows
• Reviewing Information Flows
• Dataflow Review rules
• Appendices: Key Information Flows
• Review Questionnaire
Summary of Existing Department of Health Guidance
• The Protection and Use of Patient Information
• Ensuring Security & Confidentiality in NHS Organisations
• The Management of Health, Safety and Welfare Issues for NHS Staff
• Handling confidential information in contracting: A Code of Practice
• Video Recording NHS Operations
• Access to Medical Reports Act 1988
Support and Advice for Guardians
• Introduction
• Networking
• Training
• Sources of Advice
Annex A: Core Information to be provided to Patients
Introduction
1. The requirement for NHS organisations to appoint Caldicott Guardians of
patient information is a product of the Government’s commitment to
implementing the recommendations of the Caldicott Committee’s Report on
the Review of Patient-Identifiable Information, published in December 1997.
2. The Caldicott Committee had found that compliance with the full range of
confidentiality and security requirements was patchy across the NHS. Action
to raise awareness was seen to be essential but it was acknowledged that
awareness raising alone would result in progress being slow and variable.
The Caldicott Committee suggested that progress could be facilitated, and to
a degree managed, through the development of a network of Organisational
Guardians. The Caldicott Report called for the Department of Health to take
the development of this role forward in partnership with interested parties.
3. Under the direction of a broad based implementation steering group,
consultation on the Guardian role ran from May through to July 1998.
Guidance, which reflected the comments received, was prepared and tested
out over the autumn period with a range of key professional bodies and
groups. A Health Service Circular (HSC 1999/012 – reproduced in section 2 of
this manual) advising on the requirement to appoint Guardians, and outlining
the Guardian role and responsibilities in brief, was issued on 22 January
1999.
4. An important influence on the development of the Guardian role was the
emergence of proposals for the operation of clinical governance in the NHS.
Consultation on these proposals (A First Class Service: Consultation
Document, DoH 1998), confirmed that the protection and use of information
– largely collected by health professionals from patients, in confidence, to
support the delivery of care – was a part of the overall quality of care and
was therefore an important component of clinical governance.
5. An equally important milestone was the clarification, informed by the
consultation exercise, of the Guardian’s role – strategic, advisory and
facilitative – and the consequent person specification outlined in HSC
1999/012, i.e. that the Guardian should be, in order of priority:
• An existing member of the management board of the organisation
• A senior health professional
• An individual with responsibility for promoting clinical governance
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Introduction 1
6. Where local circumstances dictate that it is not practicable to satisfy all three of
these criteria and this will inevitably be the case for some organisations, a
Guardian should still be appointed but the assignment of responsibility should
be kept under review.
7. It is particularly important for Guardians, their Chief Executives and other
colleagues, to understand the nature of the Guardian role. There needs to be
a clear understanding of where responsibility for protecting and using patient
information actually lies, i.e. with the organisation, headed by the Chief
Executive, and with each individual member of staff.
8. Efforts have been made to minimise the burden of work that will fall to
Caldicott Guardians, particularly where IM&T and other staff effectively
support them, but inevitably Guardians are likely to attract a wide range of
difficult problems and issues. This manual aims to provide straightforward
guidance on the key tasks that need to be addressed in the first year, but
beyond that, the intention is that it should serve as a resource for Guardians.
Summaries of key guidance are provided and addresses included for
Guardians to obtain source documents if required. Contact points are listed
for Guardians to obtain advice on particular subjects.
9. It is intended that the manual will be updated whenever new information
becomes available, when new guidance is written, when the law changes or
is clarified in particular areas and when Guardians flag up particular issues
which need to be addressed on a national basis.
The Caldicott Principles
10. The Caldicott Committee were conscious that, though they reviewed the key
flows of patient information that were in existence at the early mapping stage
of the review, this was nothing more than a snapshot of what is a constantly
evolving picture. In recognition of this, the Committee developed a set of
general principles that, in essence, capture the direction of travel promoted
by the Caldicott Report.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Introduction 2
Timetable of work 1999/2000
11. Although it is intended that each organisation should determine the pace at
which it addresses the work programme that was outlined in HSC 1999/012,
and described in more detail in this manual, there is an important element of
sequencing which the following suggested timetable of work illustrates.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Introduction 3
APRIL – MAY Conduct initial management audit, present first annual
stock-take report and proposed improvement plan to the
organisation’s Management Board (Trust Board, HA
Board, PCG Board etc.)
MAY – SEPT Develop and agree protocols to govern information
sharing with partner organisations
JUNE Agree and initiate work programme to implement the
improvement plan. Submit stock-take report and
improvement plan to the Regional Office (Trusts &
Health Authorities) or to the Health Authority (PCGs)
JUNE – SEPTEMBER Determine Access Registration Levels for the Strategic
Number Tracing Service
OCTOBER Update Management Board on progress against the
Improvement Plan
NOVEMBER – JANUARY Review of current organisational information flows
FEBRUARY – MARCH Conduct management audit and prepare first annual out-
turn report for the Management Board. Also prepare the
improvement plan for 2000/20001
APRIL Agree and initiate work programme to implement the
improvement plan. Submit out-turn report and
improvement plan to the Regional Office (Trusts &
Health Authorities) or to the Health Authority (PCGs)
HSC 1999/012: Caldicott GuardiansThe text of HSC 1999/012, issued on 22 January 1999 for action by Chief Executives
of all Health Authorities, Special Health Authorities, NHS Trusts and Primary Care
Groups, is reproduced here for information.
Private Summary
A key recommendation of the Caldicott Report published in December 1997 was
the establishment of a network of Caldicott Guardians of patient information
throughout the NHS. This circular advises on the appointment of Guardians,
outlines the first year work programme for improving the way each organisation
handles confidential patient information and identifies the resources, training and
other support for Guardians.
Action
Each Health Authority, Special Health Authority, NHS Trust and Primary Care Group
should appoint a Caldicott Guardian by no later than 31 March 1999. Ideally the
Guardian should be at Board level, be a senior health professional and have
responsibility for promoting clinical governance within the organisation.
The attached documentation should be made available to the Caldicott Guardian
but should also be copied to all Board members and discussed if this is felt
appropriate at a subsequent Board meeting. It outlines the action that each
organisation should take during 1999/2000, as well as the Guardian’s role and
responsibilities. This action will include:
• A management audit of current practice and procedures
• Annual plans for improvement that will be monitored through the clinical
governance framework
• The introduction of registered access authorisation to certain patient
information held outside of the organisation (i.e. through the NHS Strategic
Tracing Service)
• The development of clear protocols to govern the disclosure of patient
information to other organisations
Resources
Support for Guardians and the work to improve the protection and use of patient
information may be drawn, where necessary, from the modernisation funds that are
being made available to implement Information for Health. Action in this area, and
planned resource allocation, should be outlined in the Local Implementation Strategy
that each organisation is required to prepare (HSC 1998/999). Training seminars are
being organised by the NHS Executive for Guardians and supporting staff – details
can be found in the attached paper.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
HSC 1999/012: Caldicott Guardians 1
Caldicott Guardians in the NHS
Summary
1. NHS organisations are required, on receipt of this circular and by no later than
31 March 1999, to appoint a Caldicott Guardian. The Guardian’s name and
address for correspondence, including e-mail address, should be sent to Raj
Kaur, NHS Executive, 3E58 Quarry House, Leeds LS2 7UE (Fax: 0113 254
6114).
2. This circular provides a broad overview of the Guardian role in the NHS.
Detailed guidance on specific actions to be addressed in 1999/2000 by NHS
organisations and by Guardians will be made available prior to 31 March 1999.
Training seminars will be held in each NHS Executive Region from March
onwards for Guardians and the staff who will most closely support them (see
Annex A).
3. The appointment of Guardians and, in general terms, work to improve
confidentiality and security, should be included in local IM&T implementation
plans (HSC 1998/25 refers). Resources to support Guardians and work
generally on confidentiality and security matters can be allocated from the
IM&T modernisation funds made available to support the implementation of
Information for Health.
Background
4. In its Report, published in December 1997, the Caldicott Committee made a
number of recommendations aimed at improving the way that the NHS
handles and protects patient information. These recommendations received
widespread support and the programme of work established to implement
them underpins many aspects of the NHS information strategy: Information
for Health.
5. A key recommendation of the Caldicott Report was the establishment of a
network of organisational Guardians to oversee access to patient-identifiable
information.
6. It is intended that Caldicott Guardians will be central to the development of a
new framework for handling patient information in the NHS. Other Caldicott
recommendations identified actions which should be undertaken by NHS
organisations in support of the Guardian, namely to:
• develop local protocols governing the disclosure of patient information
to other organisations
• restrict access to patient information within each organisation by
enforcing strict need to know principles
• regularly review and justify the uses of patient information
• improve organisational performance across a range of related areas:
database design, staff induction, training, compliance with guidance etc.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
HSC 1999/012: Caldicott Guardians 2
7. Responses to consultation on the introduction of Caldicott Guardians and the
implementation of the Caldicott recommendations emphasised the need to
introduce change at a pace that would not prove disruptive, whilst ensuring
that we support and sustain momentum. This support and emphasis will be
provided by the clinical governance initiative:
• NHS organisations will be held accountable, through clinical
governance, for continuously improving confidentiality and security
procedures in accordance with the Caldicott Report. Annual
improvement plans and outcome reports will be mandatory.
Who should be the Guardian?
8. The Guardian should be, in order of priority:
• an existing member of the management board of the organisation
• a senior health professional
• an individual with responsibility for promoting clinical governance
within the organisation
Where it is not practicable to satisfy the criteria listed above, assignment of
Guardian responsibility should be kept under review.
9. It is particularly important that the Guardian have the seniority and authority
to exercise the necessary influence on policy and strategic planning and carry
the confidence of his or her colleagues. Obvious candidates include:
Health Authority: Director of Public Health
NHS Trust: Board level clinician
Primary Care Group: Board member with clinical governance
responsibilities
10. Other organisations that share NHS patient information, such as Special
Health Authorities, the National Blood Authority, PHLS, Cancer Registries,
research bodies etc should also nominate a senior officer to fulfil the
Guardian’s role.
11. It is recognised that a degree of flexibility is required to accommodate the
organisational structure and complexity of Primary Care Groups. There
should be a single Guardian appointed by each Primary Care Group, but
within each practice there should be a nominated lead person for
confidentiality and security issues.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
HSC 1999/012: Caldicott Guardians 3
Resources and Support for Guardians
12. Preserving the confidentiality of patient information, specifically through
implementation of the Caldicott recommendations, is a cornerstone of the NHS
information strategy. Action in this area, including the appointment of
Guardians, should be specified as part of each organisation’s local information
strategy implementation plan. The modernisation funds that are being made
available to support local implementation could legitimately be used to support
Caldicott Guardians and/or broader work on confidentiality and security.
13. The requirement for a senior member of an organisation to act as the
Caldicott Guardian will raise concerns about workload and priorities.
Nevertheless, this is an extremely important role and Guardian responsibilities
must only be delegated within a clear framework. Guidance for Guardians
will identify key Guardian responsibilities which should not be delegated, and
which aspects might be actioned by other staff under the Guardian’s
direction. Wherever possible, tasks will build on existing procedures and
requirements. This clarity of focus should minimise the additional workload
resulting from Guardian responsibilities.
14. It is not intended or even desirable that the Guardian should have
responsibility for all aspects of confidentiality, or IM&T security, though this
may be the pragmatic solution in small organisations. However, the Guardian
should liaise closely with IM&T Security Officers, Data Protection Officers and
others charged with similar responsibilities, to ensure that there is no
duplication / omission of duties.
15. Local networks of Guardians may find it advantageous to discuss issues, share
best practice and identify training needs. The Regional Offices of the NHS
Executive should facilitate this local networking.
16. Training seminars for Guardians and supporting staff will be run in each
Region from March 1999 onwards. Details of these seminars and an
application form can be found in Annex A to this paper (not attached – see
Support and Advice)). These will cover the actions required by each
organisation in the first year (see para 24 below), the wider responsibilities of
Guardians and the sources of advice that are available to Guardians. The NHS
Executive will shortly be consulting on the need for, and possible remit of, a
national body that might provide a focal point for advice, good practice
guidance and uniform standards in this area. Advice on specific issues should,
in the interim, be sought by e-mail to rwalkeu@doh.gov.uk or by writing to
the contact address provided at the end of this circular.
17. Detailed guidance will be available on the specific tasks that will need to be
addressed by NHS organisations and their Guardians in the first year.
Additional material will draw together, from existing sources, relevant
guidance on a wide spectrum of confidentiality and security related issues.
This additional consolidated guidance will be updated periodically and will
form a valuable reference tool both for Guardians and other staff.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
HSC 1999/012: Caldicott Guardians 4
The Guardian Role
18. The creation of a network of Caldicott Guardians in the NHS is a key
component of work to establish the highest practical standards for handling
patient information in the NHS. NHS performance in this area will be
monitored against annual improvement plans developed locally by each
organisation.
19. This emphasis on year on year improvement, at a pace that the NHS is able
to sustain, is of paramount importance. Pressure for improvement must be
balanced by a realistic appraisal of what is practicable each year. The specific
tasks for NHS organisations and Guardians outlined later in this paper take
account of this balance and should be addressed by all NHS organisations.
However, we recognise that some organisations have already made
improvements in this area and it is not intended that this limited approach
should constrain those able to achieve more.
20. Guardians will be responsible for agreeing and reviewing internal protocols
governing the protection and use of patient-identifiable information by the
staff of their organisation. Guardians will need to be satisfied that these
protocols address the requirements of national guidance / policy and law and
that their operation is monitored.
21. Guardians will also be responsible for agreeing and reviewing protocols
governing the disclosure of patient information across organisational
boundaries, e.g. with social services and other partner organisations
contributing to the local provision of care. These protocols should underpin
and facilitate the development of cross boundary working, health
improvement programmes and other changes heralded in the White Paper
‘The New NHS: Modern, Dependable’.
22. Guardians will have a strategic role, developing security and confidentiality
policy, representing confidentiality requirements and issues at Board level,
advising on annual improvement plans, and agreeing and presenting annual
outcome reports.
23. Local issues will inevitably arise and be referred to the Guardian for
resolution. It will be important in these circumstances for the Guardian to
know when and where to seek advice. This may be either on the particular
issue or on the alternative and perhaps more appropriate ways of handling
the issue e.g. referral on to the NHS Complaints Procedures, to the local
Research Ethics Committee or to the Data Protection Commissioner.
Specific Tasks in the First Year
24. The following section briefly outlines the action that each NHS organisation is
required to undertake during 1999-2000. Caldicott Guardians will have an
important role in developing policy and “signing off” many of these actions
as having been satisfactorily completed. However, safeguarding confidentiality
Protecting and Using Patient Information
A Manual for Caldicott Guardians
HSC 1999/012: Caldicott Guardians 5
should be seen as an organisational responsibility – the Guardian’s role is
essentially advisory even though in some organisational settings he/she may
be closely involved in implementation.
25. The initial task for each organisation will be to conduct a management audit
of existing procedures for protecting and using patient-identifiable
information. This management audit will inform an initial ‘stock-take’ report
for the Guardian to present to the organisation’s senior management team.
Detailed guidance on conducting the management audit and the required
content of the stock-take report will be made available shortly, but it will
cover the following core areas:
• an overall “health-check” assessment of the organisation, including
existing codes of conduct, induction procedures, training needs, IM&T
risk management, operational and environmental security, quality of
information supplied to the public etc
• a review of existing flows of patient-identifiable information
• a review of database construction and management where patient-
identifiable information is stored
• a review of procedures for handling patient-identifiable information
collected by or transferred to the organisation, and of procedures for
disclosing information to other organisations.
26. This stock-take will itself inform the development of an improvement plan that
will begin to address any identified deficiencies. Again, detailed guidance on
the content of improvement plans and the standards that all NHS organisations
are expected to achieve in 1999/2000 will be available shortly, but key
requirements will include:
• Procedures to control staff access to the NHS Strategic Tracing Service
to be put in place in advance of this service being made available
• Protocols governing the receipt, collection and disclosure of patient-
identifiable information to be locally agreed and complied with.
Further Information
27. Any enquiries about the content of this circular or further information on
related subjects should be addressed to:
RC Walker
NHS Executive
Room 3E58
Quarry House
Leeds LS2 7UE
Protecting and Using Patient Information
A Manual for Caldicott Guardians
HSC 1999/012: Caldicott Guardians 6
Management Audits and Improvement Plans1. It is essential that all organisations take stock of their current performance
across a wide range of confidentiality and security measures. This should serve
to highlight areas where improvement is needed and provide a benchmark for
evaluating progress over time.
2. Upon appointment, the Guardian, working with the information security officer
or other support staff, should carry out an audit of existing systems, procedures
and organisational capabilities relating to confidentiality and security in the
organisation.
3. Using this audit as a measure of the current organisational baseline, i.e. current
performance, an improvement plan should be developed to begin the process
of year on year improvement. At the end of the year, an out-turn report should
be prepared to measure whether planned improvements have been achieved.
This out-turn report is effectively the management audit that will underpin the
following year’s improvement plan.
INITIAL MANAGEMENT AUDIT
YEAR 1 IMPROVEMENT PLAN
OUT-TURN REPORT (MANAGEMENT AUDIT)
YEAR 2 IMPROVEMENT PLAN
The Management Audit
4. A straightforward audit tool is provided in this manual. It provides a simple and
effective assessment of organisational performance and capacity by rating
current performance from 0 – 2 against eighteen broad headings to construct an
organisational profile.
5. It should be stressed that this tool has been developed to facilitate year on year
improvement at a pace that is challenging but locally sustainable. It should not
to be used for comparison purposes and calculating a score from 0-36 for each
organisation will not provide a meaningful measure of comparative
performance.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 1
6. Additional headings can be added to the audit tool at local discretion and, if
there is a logical or practical need to do so, existing headings can be sub-
divided to facilitate achievable target setting.
The Improvement Plan
7. At its simplest, an improvement plan should have the following components:
• The most recent Management Audit Organisational Profile
• Realistic targets agreed by the management board e.g. to raise
performance from level 0 to 1 in one or more specified categories
• Details of how the improvement is to be achieved, resource
requirements and likely milestones etc
8. Inevitably however, some improvements may necessitate far more detailed
planning and project management techniques are likely to be required to
deliver change for any but the smallest organisations.
The Out-Turn Report
9. As noted above, the out-turn report serves the dual purpose of assessing
progress against the improvement plan and providing the new performance
baseline for the following year’s improvement plan. It should therefore be
based around the management audit organisational profile supported by an
objective assessment of successes, failures and issues.
In-Year Monitoring
10. Although in many organisations the actual work to audit organisational
performance and implement agreed improvements will fall to the information
security officer or to other staff in support of the Guardian, the Guardian
should ensure that he/she is kept up to date on progress and problems. If
necessary, the Guardian should draw the attention of the management board
to significant problems and, if practicable, suggest options for addressing
them.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 2
Clinical Governance
11. Although all staff have a legal duty to keep information confidential, the
nature of the clinician-patient relationship, and the fact that most patient
information is provided in confidence to clinicians, means that there is an
important clinical governance element to safeguarding confidentiality. The
handling of information provided in confidence is an important aspect of the
quality of care.
12, The acceptance that organisational performance in this area must be
addressed through continuous improvement necessitates a degree of
monitoring and, where appropriate, performance management. This has to be
supported by effective reporting arrangements. Management Audit/Out-Turn
Reports and Improvement Plans should therefore be signed off by the
organisation’s Chief Executive and submitted to the NHS Executive Regional
Office or, in the case of PCGs, to the Health Authority. It must be stressed
that the objective is to secure year on year improvements at a realistic but
challenging pace, and the commitment to achieving this is the key aspect of
performance that should be pursued by monitoring bodies.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 3
The Management Audit OrganisationalProfile
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 4
LEVEL 0 LEVEL 1 LEVEL 2
Information for patients/clients No information provided, or An active information campaign An active information campaign on the proposed uses of limited to simple posters and is in place to promote patient is supported by comprehensive information about them leaflets in waiting rooms etc understanding of NHS arrangements for patients with
information requirements special/different needs
Staff code of conduct in respect No code exists, or staff not Code of conduct exists and all Code regularly reviewed and of confidentiality generally aware of it staff aware of it updated as required
Staff Induction Procedures No mention of confidentiality Basic requirements outlined as Comprehensive awareness and security requirements in part of induction process raising exercise undertaken and induction for most staff comprehension checked
Confidentiality & Security Training needs not assessed Training needs only considered Systematic assessment of staff Training needs assessment systematically for most staff as a consequence of training needs and evaluation
organisational or systems of training that has occurredchanges
Training Provision No training available to the Training opportunities broadcast In house training provided for (confidentiality & security) majority of staff with take-up left to line staff e.g. comparable to health
management discretion and safety training provision
Staff Contracts No reference to confidentiality Confidentiality requirements Contractual requirements (see explanatory note 22) requirements in staff contracts included in contracts for included in all staff contracts
some staff
Contracts placed with other No confidentiality Basic agreements of Formal contractual organisations requirements included undertaking are signed by arrangements exist with all
contractors contractors and support Organisations
Reviewing information flows Information flows have not Information flows have been Procedures are in place to containing patient-identifiable been comprehensively mapped and senior regularly review information information mapped management has been flows and justify purposes
informed
Internal information/data Information/data “ownership” “Ownership” established for All “owners” justifying “ownership” established has not been established for all information/data sets and purposes and agreeing staff
all information/data sets register established access restrictions with the Guardian
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 5
LEVEL 0 LEVEL 1 LEVEL 2
Safe Haven procedures in No Safe Haven procedures Safe Haven procedures used Safe Haven procedures in place to safeguard information used for some information flows Place for all patient-flowing to and from the identifiable informationorganisation
Protocols governing the No locally agreed protocols Partner organisations clearly Agreed protocols in place to sharing of patient-identifiable in place identified and information govern the sharing and use of information with other requirements understood confidential informationorganisations locally agreed
Security Policy Document No Security Policy available Security Policy exists but not Security Policy reviewed reviewed within last 12 months annually and reissued if
appropriate
Security Responsibilities No information security officer An appropriately trained Responsibility for information appointed, or existing officer is information security officer is security identified in various not appropriately trained in post staff roles, co-ordinated by
the security officer
Risk Assessment and No programme of information A risk management A formal programme exists Management risk management exists programme is underway and with regular reviews,
reports are available outcome reports and recommendations provided for senior management
Security Incidents No incident control or The security officer handles Procedures are documented investigation procedures exist incidents as they arise and accessible to staff to
ensure incidents reported and investigated promptly
Security Monitoring No monitoring or reporting of Basic reporting of major There are regular reports security effectiveness or incidents or problem areas made to senior management incidents takes place only on the effectiveness of
information security
User Responsibilities No guidance issued to staff for Users encouraged to change Password changes are password management passwords regularly but this is enforced on a regular basis
at their discretion
Controlling access to Staff vigilance, and/or an Access for many staff All staff have defined and confidential patient “honour” system control access. controlled by ‘all or nothing’ documented access rights information Some physical controls, systems. Staff groups requiring agreed by the Guardian.
lockable rooms etc may exist access identified and agreed Access is controlled, with the Guardian monitored and audited
Explanatory Notes
Information for Patients/Clients
13. All NHS bodies must have an active policy for informing patients of the kind
of purposes for which information about them is collected and the categories
of people or organisations to which information may need to be passed.
Patients also need to be made aware of their rights, particularly their rights of
access to their records.
14. Subject to some important common elements (see Annex A) the precise
arrangements for informing patients are for local decision, taking account of
views expressed by community health councils, local patient groups, staff,
and partner organisations. As a general rule, patients should be informed
about prospective uses of information in advance of the information actually
being used. Local arrangements should also provide, wherever practicable,
for people whose first language is not English or who have restricted vision
or reading skills.
15. Methods of providing information to patients include:
• Leaflets which may be provided on registration with a GP, during A&E
triage, enclosed with appointments letters or provided when
prescriptions are dispensed.
• Posters on waiting room walls supported by leaflets distributed by
means of dispensers in waiting rooms are unlikely to be sufficient on
their own.
• Routinely providing patients with appropriate information as a part of
care planning.
• Identifying someone able to provide detailed information if patients want
it.
Code of Conduct
16. All staff in the NHS need to be aware of their responsibilities for safeguarding
confidentiality and preserving information security. NHS organisations may
address this by developing staff codes of conduct, based on legal
requirements and best practice, which are tailored to the needs of different
staff groups. Although this need not be in the form of a stand alone code,
such a code facilitates review and updating procedures and can be
distributed as part of induction or with pay slips etc.
17. The core content of a confidentiality code of conduct should be drawn from
the Department of Health guidance booklet on the Protection and Use of
Patient Information, supplemented as necessary by material drawn from
other sources (See Support and Advice).
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 6
Staff Induction Procedures
18. It is particularly important that new members of staff are provided with clear
guidelines on their responsibilities in respect of confidentiality and security,
and more importantly, that the understand how these responsibilities impact
on their behaviour and working procedures.
Confidentiality and Security Training Needs
19. It is inevitable that the staff of even small organisations have different levels
of awareness of their responsibilities for safeguarding confidentiality and
preserving information security. It is also difficult for many staff, particularly if
they are busy and have well-established routines and habits, to convert
theory and guidance into practical work procedures.
20. This needs to be addressed by regular and systematic assessment of training
needs, consideration of these might best be met, and evaluation of any
training that has been undertaken.
Training Provision
21. This is closely linked to the previous heading but looks more to the support
that an organisation provides for its staff. The way in which an organisation
addresses the provision of training is largely dependent upon numbers of
staff, their access to confidential information and their assessed training
needs. The Resource Pack: Ensuring Security and Confidentiality in NHS
Organisations (see Support and Advice) provides guidance and supporting
materials for running an awareness campaign on IM&T security. The level 0 –
2 classifications need to be interpreted intelligently here, and organisations
may wish to amend the profile descriptions, e.g. to indicate that staff have (0)
considerable unmet training needs, (1) key staff are receiving appropriate
training and (2) All staff are appropriately trained.
Staff Contracts
22. NHS staff have a legal duty of confidence to patients and it should be made
clear to them that breaching patient confidence can be a serious disciplinary
offence. This can best be supported by the inclusion of a duty of confidence
requirement in employment contracts or other documents setting out terms
and conditions. These requirements should also include a clear statement
emphasising that staff have a rights and a duty to raise concerns about health
service issues with their managers. Under no circumstances should staff who
express their concerns in accordance with current guidance be penalised.
The duty of confidence staff have to patients, including contractual
requirements, may be overridden where there is a strong case for disclosure
in the public interest.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 7
Contracts Placed with Other Organisations
23. Where a non-NHS agency or individual is contracted to carry out or support
NHS functions, the contract must specify appropriate confidentiality and
security requirements. The standards specified in the contract should be
consistent with the best practice expected of NHS organisations and, in
particular, should require that patient information is treated and stored
according to specified security standards and used only for purposes
consistent with the terms of the contract. Action in the event of confidence
being breached should also be specified (e.g. termination of contract). NB
The Data Protection Act 1998 makes it a legal requirement that effective
contractual arrangements exist where data is processed by a third party.
Reviewing Information Flows
24. The Caldicott Committee recommended that every flow of patient-identifiable
information should be regularly justified and routinely tested against the
principles developed in the Caldicott Report.
• Principle 1 - Justify the purpose(s) for using confidential
information
• Principle 2 - Only use it when absolutely necessary
• Principle 3 - Use the minimum that is required
• Principle 4 - Access should be on a strict need-to-know basis
• Principle 5 - Everyone must understand his or her
responsibilities
• Principle 6 - Understand and comply with the law
25. It is recognised that this can be a major task for large organisations with
complex and often only partially mapped flows of information that have
been put in place on an ad hoc basis to satisfy business needs. Guidance on
the Review Process, and particularly on setting priorities for action, will be
sent to Caldicott Guardians for incorporation in this manual when piloting
work has been completed (expected to be April/May 1999).
Information/Data “Ownership”
26. See the section in this manual on Controlling Access.
Safe Haven Procedures
27. See the section in this manual on Protocols.
Protocols to Govern Information Sharing
28. See the section in this manual on Protocols.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 8
Security Policy
29. Work in this area is largely the responsibility of information security staff, and
detailed guidance can be found in the Resource Pack: Ensuring Security and
Confidentiality in NHS Organisations (see Support and Advice).
Security Responsibilities
Risk Assessment and Management
Security Incidents
Security Monitoring
User Responsibilities
Detailed guidance on headings 25 – 29 can be found in the NHS IM&T Security
Manual included in the Resource Pack: Ensuring Security and Confidentiality
in NHS Organisations (see Support and Advice).
Access Controls
30. See the section in this manual on Controlling Access.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvement Plans 9
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 1
PCG Guardians
1. Each PCG is required to appoint a Caldicott Guardian who should be, in
order of priority:
• a member of the PCG Board
• a senior health professional
• an individual with responsibility for promoting clinical governance
within the PCG
2. For the purposes of the Caldicott work programme, the PCG should be
regarded as a distinct organisation, composed of the HQ element plus the
constituent GP practices etc. However, the extent to which the PCG Guardian
and Board will need the assistance of the Health Authority, particularly IM&T
specialist staff, to address the Caldicott work programme will depend upon
local circumstances. NHS Executive guidance on the Information
Management and Technology Requirements to support Primary Care Groups
makes it clear that Health Authorities and PCGs should collaborate on
Caldicott related work, that support for PCG Guardians should be provided
where necessary and that PCG requirements in this area should be taken into
consideration when developing arrangements for shared Health Informatics
Services.
3. It is not essential for each part of the PCG to possess its own Guardian – this
would likely prove wasteful of time and resources, but a lead individual
should be identified in each part of the PCG, e.g. each GP practice, for
confidentiality and Caldicott issues. This individual may or may not be a GP,
nurse or other clinician – depending upon role and responsibilities, a practice
manager might prove a suitable lead individual. The development of this
supporting network is an important early task for the PCG. Where dentists,
pharmacists and opticians are being included within the work programme
similar principles should apply.
Timetable of Work
4. It is recognised that many PCGs are, through no fault of their own, beginning
to address the required Caldicott work programme somewhat later in the day
than the majority of Health Authorities and NHS Trusts. The work programme
for the current year (to 31 March 2000) must therefore be approached
sensibly with the aim of ensuring, at the very least, that the PCG is prepared
to address the full cycle of work next year. This preparation should include:
• the appointment of a Guardian
• establishing a supporting network of confidentiality leads in each practice
• developing an understanding of how all components of the PCG are
performing in key areas (the management audit)
• a plan for improving performance in at least some of the key areas (the
improvement plan).
5. Where practicable, the improvement plan should be for the current year. This
would then support an out-turn report at the end of the year – basically a
revised management audit accompanied by a description/explanation of the
progress made – which in turn can form the baseline for the next year’s
improvement plan. However, it is preferable for the PCG to conduct a
thorough management audit and to develop a challenging but realistic and
locally supported improvement plan for next year, than to hit this year’s
deadlines through rushed and possibly superficial activity.
Management Audit
6. PCGs need to undertake a management audit of current standards and
practice and to construct an easily understood organisational profile. An
improvement plan that targets one or more of the audited aspects of
organisational performance then needs to be agreed by the PCG Board. As
suggested earlier, it is unhelpful and largely meaningless for these purposes to
view the PCG HQ function as part of the Health Authority – the different
component parts of the PCG should be considered together.
7. The PCG audit is simplified by the relatively small size of the organisation in
comparison with NHS Trusts, but is complicated by the evolving nature of
PCGs and the independent contractor status of the constituent practitioners.
The 18 areas to be audited also map more neatly on to larger organisations
and need to be adapted to meet the profile and needs of PCGs. The
management audit was purposely designed to provide organisations with a
flexible tool that can easily be adapted for these purposes.
The Audit Process
8. Two alternative models may be adopted. The first of these is to audit the PCG
as a single entity with the resulting organisational profile being determined by
the part of the PCG that scores the lowest in each area. Alternatively, each
part of the PCG, e.g. each GP practice, can be audited separately and be
given its own organisational profile (the HQ function should also be audited
separately in this case). Whichever model is adopted, the work required is
essentially the same, as the performance of each component must be
determined to construct the organisational profile and subsequently the PCG
improvement plan. The audit process will be greatly facilitated where an
internal network of confidentiality leads has been put in place as suggested
earlier in this guidance.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 2
9. The first model has the advantage that the PCG is perceived as a single
organisation. The text that accompanies the audit report can identify, if
appropriate, those parts of the PCG that are operating at a higher level than the
profile suggests.
10. The second model permits each part of the PCG to retain a separate identity. This
model may need to be adopted out of necessity in extreme cases where, for
example, it proves impossible to audit a particular GP practice. Such cases should
be rare, as improving the protection and use of patient information should be the
goal of all parts of the health service. However, in these exceptional cases the
audit report should clearly identify the parts of the PCG for which no information
is available and provide a brief explanation of the reasons why.
Adapting the Audit Tool
11. The audit tool was developed to provide a straightforward and useful measure
of performance in respect of confidentiality and security. Although some of the
areas to be audited are more applicable to larger organisations than small, the
audit tool can be adapted in a relatively simple manner, with the approval of
the PCG Board, to the needs of the PCG. Perhaps the most straightforward way
of addressing this is to take a view on the applicability of each of the 18
identified performance areas. The Board may, for example, take the view that
the optimum level of performance in a particular area should be less than level
2. It is also possible that the Board may wish to introduce additional areas for
assessment.
12. It is recognised that the language used in the audit tool, necessarily a form of
short hand and in parts technical, may not be easily accessible to those
unfamiliar with IM&T security and data protection. This may not be a problem
where, for example, a single individual or team carries out the whole of the
audit. If, however, it is intended that each component part of the PCG, e.g.
each GP practice, conducts its own audit and supplies the results to the PCG
Guardian/Board, then it may prove helpful to use a questionnaire which sets
out the information required in a more accessible way. An example is included
in this section of the Guardian manual.
The Improvement Plan
13. The improvement plan should be based around the final form of the
management audit as agreed by the PCG Board. The improvement plan should
cover the following points:
• the performance areas targeted for improvement should be clearly
identified
• the work required to deliver the improvements should be clearly
described
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 3
• those responsible for undertaking the work should be clearly identified
• milestones and deadlines should be set where applicable
• the resources required and where they are to be obtained from should
be clearly stated
Out-turn Reports
14. At the year-end, the Management Audit should be repeated with a particular
emphasis on establishing what progress was made against the improvement
plan and the reason for any particular success or failure. The revised
Organisational Profile that results from this audit process should be used as
the basis for developing the following year’s improvement plan.
Health Authority Monitoring
15. The Health Authority is required to monitor the performance of PCGs to
ensure that thorough audits are carried out and realistic but challenging
improvement plans are drawn up and implemented. Given the degree of
support that most Health Authorities will be providing PCGs in the area of
Health Informatics, it is likely that a collaborative and facilitative relationship
will prove most productive. It is important however that improvements are
made year on year, and that these improvements are documented as
components of local action to implement both clinical governance and the
NHS IM&T strategy. Management Audits, Improvement Plans and Out-turn
Reports are mandatory. PCG documentation should be submitted to the
Health Authority which will, in turn, be asked for a simple report on current
standards and progress by the appropriate Regional Office.
Information Sharing Protocols
16. Whilst each PCG should be a signatory to any local protocols governing the
disclosure or exchange of patient information with other organisations, the
NHS Executive guidance on the Information Management and Technology
Requirements to support Primary Care Groups makes it clear that Health
Authorities should lead on their development in collaboration with the local
PCGs and partner agencies. It would not be a good use of resources for each
PCG to independently draw up its own protocols, though it is important that
all the component parts of the PCG agree, understand and adhere to the
protocols that are put in place. The basic framework that is provided in the
Guardian manual should provide a useful starting point. Once the Health
Authority, PCGs and other organisations agree the key components of a local
protocol, it may be found desirable to adapt the protocol to the particular
circumstances of individual PCGs. However, it is strongly recommended that
all of the components of each PCG adhere to the same protocols and that
variation at the practice level should not occur.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 4
Caldicott AuditQuestionnaireORGANISATION: ..............................................................................................................
1. Information for patients/clients on the proposed uses of information
about them.
Telling patients about the ways in which information collected about them,
e.g. in their medical records, will be used may be required under law
(although the law isn’t entirely clear on this point it is safest to assume that
this requirement exists) and is considered to be an essential part of best
practice in handling patient information by the Department of Health and the
Professional Regulatory Bodies.
Audit
Level
Does your organisation inform patients
about how their information will be used? Yes □. No □If ‘No’, go to 2 below. 0
If ‘Yes’, is the information provided limited to
posters and leaflets which patients may
ask for or look at e.g. in waiting rooms
if they are interested? Yes □. No □If ‘Yes’, go to 2 below. 0
If ‘No’, please outline how the information is provided.
The PCG will need to agree a standard for proactively informing
patients. If your organisation’s approach meets this standard the
audit level will be 1
Is the information provided tailored for
patients with special/different needs
(e.g. those who cannot read English)? Yes □. No □
If ‘No’, go to 2 below. If ‘Yes’, please outline the steps taken to ensure such
needs are identified and met.
The PCG will need to agree a standard for assessing needs. If your
organisation’s approach meets this standard and the standard for
informing patients, the audit level will be 2
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 5
2. Staff Code of Conduct in respect of Patient Confidentiality
All staff in the NHS need to be aware of their responsibilities for safeguarding
confidentiality and preserving information security. Organisations may best
address this by developing staff codes of conduct, based on legal
requirements and best practice, tailored to their own working practices and
circumstances.
Audit
Level
Does your organisation have in place
a code of conduct in respect of
Confidentiality? Yes □. No □If ‘No’, go to 3 below. 0
If ‘Yes’, are all staff aware of and familiar
with the code of conduct? Yes □. No □If ‘No’, go to 3 below. 0
Please attach a copy of the code for review by the PCG. The PCG will
need to agree a standard for organisational codes of conduct and
if your code meets this standard it will be audited as level 1
If ‘Yes’, is the code regularly reviewed
(at least annually), and updated as necessary? Yes □. No □
If ‘Yes’ and the code meets the agreed PCG standard, the audit
level will be 2
3. Staff Induction Procedures
It is particularly important that new members of staff are provided with clear
guidelines on their responsibilities in respect of confidentiality and security,
and more importantly, that the understand how these responsibilities impact
on their behaviour and working procedures.
Are all new members of staff provided
with a clear understanding of their
responsibilities in respect of confidentiality
and security? Yes □. No □If ‘No’, go to 4 below. : 0
If ‘Yes’, are new staff provided with
written guidelines, e.g. a code of conduct? Yes □. No □If ‘No’, go to 4 below. 1
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 6
Audit
Level
If ‘Yes’, are the common confidentiality
and security issues that staff will face
explained, discussed and their
understanding checked? Yes □. No □If ‘No’, go to 4 below.
If ‘Yes’, the audit level will be 2
4. Confidentiality and Security Training Needs
It is inevitable that the staff of even small organisations have different levels
of awareness of their responsibilities for safeguarding confidentiality and
preserving information security. It is also difficult for many staff, particularly if
they are busy and have well-established routines and habits, to convert
theory and guidance into practical work procedures. This needs to be
addressed by regular and systematic assessment of training needs,
consideration of how these might best be met, and evaluation of any training
that has been undertaken.
Does your organisation take any action to
establish training needs in respect of
confidentiality and security? Yes □. No □If ‘No’, go to 5 below. 0
If ‘Yes’, are needs only reviewed when
an individual’s job changes or new
IT is introduced? Yes □. No □If ‘Yes’, go to 5 below. 1
If ‘No’, are the training needs of all staff in
egularly assessed e.g. as part of an annual
appraisal cycle? Yes □. No □If ‘Yes’, the audit level is 2
5. Training Provision
This is closely linked to the previous heading but looks more to the support
that an organisation provides for its staff and the way that identified training
needs are met. The way in which an organisation addresses the provision of
training is largely dependent upon numbers of staff, their access to
confidential information and their assessed training needs.
Is there any training available to the staff
in your organisation on confidentiality and
security requirements? Yes □. No □If ‘No’, go to 6 below. 0
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 7
Audit
Level
If ‘Yes’, is the training provided routinely
for all staff ? Yes □. No □If ‘No’, go to 6 below. 1
If ‘Yes’, the Audit Level is 2
6. Staff Contracts
NHS staff have a legal duty of confidence to patients and it should be made
clear to them that breaching patient confidence can be a serious disciplinary
offence. This can best be supported by the inclusion of a duty of confidence
requirement in employment contracts or other documents setting out terms
and conditions.
Do any of the staff in your organisation have
contracts which contain confidentiality
requirements? Yes □. No □If ‘No’, go to 7 below. 0
If ‘Yes’, do all staff members have contracts
which contain appropriate confidentiality
requirements? Yes □. No □If ‘No’, go to 7 below. 1
If ‘Yes’, the Audit Level is 2
7. Contracts Placed with Other Organisations
Where a non-NHS agency or individual is contracted to carry out or support
NHS functions, the contract must specify appropriate confidentiality and
security requirements. This may include cleaners, IM&T support etc – anyone
who might gain access to confidential material.
Are confidentiality requirements
routinely included in contracts? Yes □. No □If ‘No’, go to 8 below. 0
If ‘Yes’, do the contracts meet an agreed
PCG standard? Yes □. No □If ‘No’, go to 8 below. 1
If ‘Yes’, audit level is 2
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 8
Audit
Level
8. Reviewing Information Flows
The Caldicott Committee recommended that every flow of patient-identifiable
information should be regularly justified and routinely tested against the
principles developed in the Caldicott Report.
Has your organisation fully mapped
all flows of patient information, in to
and out of the organisation, and all data
bases holding such information? Yes □. No □If ‘No’, go to 9 below. 0
If ‘Yes’, has the senior management
team been provided with full details? Yes □. No □If ‘No’, go to 9 below. 1
If ‘Yes’, have the flows been tested
against the Caldicott principles and
a rolling program of review
established? Yes □. No □If ‘No’ go to 8 below. 1
If ‘Yes’, the audit level is 2
9. Information/Data “Ownership”
Data ownership may not be necessary within a single GP practice. However,
if the PCG is being audited as a whole, each practice might be a ‘data owner’
and large practices might find it helpful to assign ownership to, for example,
their paper based filing system. This is largely a means of delegating
responsibility for the data held and of controlling access to it.
Has ‘data ownership’ been assigned
for at least some of the patient data
held? Yes □. No □If ‘No’, go to 10 below. 0
If ‘Yes’, has ownership been assigned
for all such data and a register of
those with authorised access created? Yes □. No □If ‘No’, go to 10 below. 1
If ‘Yes’, do all data owners work with
their Caldicott Guardian to justify the
purposes for holding data and agreeing
staff access levels? Yes □. No □If ‘No’, go to 10 below.
If ‘Yes’, the audit level is: 2
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 9
Audit
Level
10. Safe Haven Procedures
Safe Haven procedures aim to ensure that all confidential information which
enters or leaves an organisation is handled and accessed in a controlled and
transparent manner.
Are safe haven procedures used to
safeguard at least some of the information
flowing in and out of the organisation? Yes □. No □If ‘No’, go to 11 below. 0
If ‘Yes’, do the procedures cover all
routine flows of confidential material? Yes □. No □If ‘No’, go to 11 below. 1
If ‘Yes’, the audit level is: 2
11. Protocols to Govern Information Sharing
Information sharing protocols aim to ensure that confidential information is
shared in a controlled manner subject to agreed best practice standards. The
development of protocols will be best handled at the PCG level, though each
practice will need to understand and agree to the standards and procedures
that are adopted.
Have all routine partner organisations
been identified? Yes □. No □If ‘No’, go to 12 below. 0
If ‘Yes’, are the purposes for which
each partner organisation needs
patient information understood and
documented? Yes □. No □If ‘No’, go to 12 below. 1
If ‘Yes’, have protocols governing
information sharing been agreed and
put in place?
If ‘No’, go to 12 below. 1
If ‘Yes’, the audit level is: 2
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 10
Audit
Level
12. Security Policy
Security policy should be documented and reviewed regularly. This is needed
if an organisation is to understand and satisfy security needs, detect and
resolve security breaches and ensure that staff and management
responsibilities are made clear.
Does your organisation have a
documented security policy? Yes □. No □If ‘No’, go to 13 below. 0
If ‘Yes’, has the policy been reviewed
in the last 12 months? Yes □. No □If ‘No’, go to 13 below.
If ‘Yes’, does the policy meet the
standard agreed by the PCG? Yes □. No □If ‘No’, go to 13 below. 1
If ‘Yes’, the audit level is: 2
13. Security Responsibilities
It is important that lead responsibility for information security is assigned in a
transparent manner, and that the lead individual – IM&T Security Officer – is
effectively trained and able to co-ordinate other staff to meet their
responsibilities for information security. Whilst this might be addressed at
PCG level, there should be a lead individual to support the Security Officer in
each practice.
Has your organisation got an
IM&T Security Officer? Yes □. No □If ‘No’ go to 14 below. 0
If ‘Yes’, is he/she trained to a
PCG agreed standard? Yes □. No □If ‘No’, go to 14 below.
If ‘Yes’, is the Security Officer
supported by other staff whose
roles include an element of
responsibility for IM&T security? Yes □. No □If ‘No’, go to 14 below. 1
If ‘Yes’, audit level is: 2
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 11
Audit
Level
14. Risk Assessment and Management
Risk assessment and management is a formal methodology for identifying
and countering possible threats to information security.
Does your organisation undertake and
record risk assessments and risk
management strategies? Yes □. No □If ‘No’, go to 15 below. 0
If ‘Yes’, is the process of assessment
and management comprehensive and
well documented? Yes □. No □If ‘No’, go to 15 below. 1
If ‘Yes’, are outcomes and
recommendations routinely flagged for
senior management attention? Yes □. No □If ‘No’ go to 15 below.
If ‘Yes’, audit level is: 2
15. Security Incidents
It is important that an organisation has clear and well understood procedures
for identifying and investigating security incidents, with the aim of ensuring
that, wherever practicable, they do not reoccur.
Does your organisation have security
incident control and investigation
procedures? Yes □. No □If ‘No’, go to 16 below. 0
If ‘Yes’, are procedures documented
and understood by all staff? Yes □. No □If ‘No’, go to 16 below. 1
If ‘Yes’, audit level is: 2
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 12
Audit
Level
16. Security Monitoring
Senior management need to be made aware of incidents, the effectiveness of
security measures and areas of particular concern.
Is the effectiveness of IM&T security
routinely monitored and are all staff
familiar with incident reporting
procedures? Yes □. No □If ‘No’, go to 17 below. 0
If ‘Yes’, are regular reports on
security effectiveness and serious
incidents considered by senior
management? Yes □. No □If ‘No’, go to 17 below. 1
If ‘Yes’ the audit level is: 2
17. User Responsibilities
Computer password management is a key user responsibility and the
effective use of passwords can considerably enhance computer security.
Is guidance issued to all staff on
computer password management? Yes □. No □If ‘No’, go to 18 below. 0
If ‘Yes’, are staff encouraged to
change their passwords regularly? Yes □. No □If ‘No’ go to 18 below. 0
If ‘Yes’, are password change
enforced on a regular basis? Yes □. No □If ‘No’, go to 18 below. 1
If ‘Yes’ audit level is: 2
18. Access Controls
Access control is essential to ensure that only authorised persons have
physical or electronic access to computer hardware and equipment, manual
files or computer files and databases. There are many ways that this can be
achieved and gauging current organisational performance in this area is not
readily addressed by a straightforward questionnaire approach. Could you
please therefore describe current procedures and capacity to control access to
IT equipment and confidential patient information.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Management Audits and Improvements Plans 13
Protocols Governingthe Receipt and Disclosure of Patient/Client Information1. Ideally, the transfer of all confidential person-identifiable information should
be governed by clear and transparent protocols that satisfy the requirements
of law and guidance and regulate working practices in both the disclosing
and receiving organisations. It is particularly important that those asked to
transfer patient information can be confident that the highest standards,
agreed in advance, will apply and that the information will only be used for
agreed and legitimate purposes.
2. The Guardian has an important role in agreeing the protocols that should
govern the disclosure of patient/client information to other organisations, and
the receipt of information from them. The extent to which the Guardian will
need to become involved in the development of protocols, and any
necessary discussions with other organisations, will depend upon local
circumstances. The Guardian should satisfy him/herself that all routine flows
of information to and from other organisations have been identified.
3. Protocols need to be agreed both by the Guardian, on behalf of his/her
organisation, and by an appropriately senior individual in the organisation to
which information is to be disclosed. Where possible, best practice would be
to develop a protocol to cover all partner organisations. Information is
generally received as well as disclosed and the protocol should apply equally
to each signatory organisation.
4. The main priority is to identify all partner organisations that are involved in
the development of the local Health Improvement Programme and to ensure
that protocols are agreed and adhered to in support of seamless care. The
local family is likely to include:
• The Health Authority
• NHS Trusts
• Primary Care Groups
• Social Services
• Education Services
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protocols Governing the Receipt and Disclosure of Patient/Client Information 1
• Voluntary Sector Providers
• Private Sector Providers
What Should a Protocol Cover?
5. There are five core sections that should be included within a protocol. Other
sections should be added locally as needed. The core sections are:
• Objectives of the protocol
• General Principles
• Agreed Parameters
• Defined Purposes
• Access and Security
Objectives
6. The objectives of the protocol should be clearly identified, understood and
agreed by all of the organisations to which it is to apply. These should
include:
• To set parameters for the sharing of information between agencies
which contribute to the health or social care of an individual.
• To define the purposes for holding personal information within each
agency.
• To define how personal information should be held within each
agency and who should have access to this information.
General Principles
7. Whilst it is vital for the proper care of individuals that those concerned with
that care have ready access to the information that they need, it is also
important that service users and their carers can trust that personal
information will be kept confidential and that their privacy is respected.
8. All staff have an obligation to safeguard the confidentiality of personal
information. This is governed by law, often by contracts of employment, and
in many cases by professional codes of conduct. All staff should be made
aware that breach of confidentiality could be a matter for disciplinary action
and provides grounds for complaint against them.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protocols Governing the Receipt and Disclosure of Patient/Client Information 2
9. Although it is neither practicable nor necessary to seek an individual’s
specific consent each time that information needs to be passed on for a
particular purpose that has been defined within the protocol, this is
contingent on individuals having been fully informed of the uses to which
information about them may be put. All agencies concerned with the care of
individuals should satisfy themselves that this requirement is met.
10. Clarity about the purposes to which personal information is to be put is
essential, and only the minimum identifiable information necessary to satisfy
that purpose should be made available. Access to personal information
should be on a strict need to know basis.
11. If an individual wants information about them to be withheld from someone,
or some agency, which might otherwise have received it, the individual’s
wishes should be respected unless there are exceptional circumstances. Every
effort should be made to explain to the individual the consequences for care
and planning, but the final decision should rest with the individual.
12. The exceptional circumstances which override an individual’s wishes arise
when the information is required by statute or court order, where there is a
serious public health risk or risk of harm to other individuals, or for the
prevention, detection or prosecution of serious crime. The decision to release
information in these circumstances, where judgement is required should be
made by a nominated senior professional within the agency, and it may be
necessary to take legal or other specialist advice.
13. Where information on individuals has been aggregated or anonymised, it
should still only be used for justified purposes. Care should be taken to
ensure that individuals cannot be identified from this type of information, as
it is frequently possible to identify individuals from limited data e.g. age and
post code may be sufficient.
Setting Parameters
14. There should be a nominated senior professional within each agency covered
by the protocol (Caldicott Guardians in NHS organisations), responsible for
agreeing amendments to the protocol, and mechanisms should be put in
place to monitor its operation, and ensure compliance.
15. Personal information should be transferred freely between the agencies that
have agreed and are complying with the protocol, for the purposes it defines.
Where practicable, a regularly updated register of individuals who need
access to personal information, and the defined purpose(s) for which they
need this access, should be made available to each agency concerned.
16. If appropriate, service level agreements can be used to establish standards for
sharing information, e.g. speed of response.
17. Specific consent is required prior to personal information being transferred
for purposes other than those defined in the protocol, unless there are
exceptional circumstances as outlined above.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protocols Governing the Receipt and Disclosure of Patient/Client Information 3
18. Where individuals are unable to give consent, the decision should be made
on the individual’s behalf by those responsible for providing care, taking into
account the views of patients and carers, with the individual’s best interests
being paramount. Where practicable, advice should be sought from the
nominated senior professional and the reasons for the final decision should
be clearly recorded.
Defining Purposes
19. There will be a range of justifiable purposes to be locally agreed. The
following list is not exhaustive and covers internal NHS purposes only:
• delivering personal care and treatment
• assuring and improving the quality of care and treatment
• monitoring and protecting public health
• managing and planning services
• contracting for NHS services
• auditing NHS accounts and accounting for NHS performance
• risk management
• investigating complaints and notified or potential legal claims
• teaching
• statistical analysis
• medical or health services research
20. Some purposes may require additional safeguards to be specified, e.g.
teaching or research that directly involves an individual should only proceed
with the individual’s informed and explicit consent. The requirement for NHS
organisations to obtain clearance from Local Research Ethics Committees
prior to releasing information for research purposes should also be made
explicit.
Holding information, access and security
21. The Protocol should specify how each organisation is to meet agreed
standards, e.g.:
• Staff should only have access to personal information on a need-to-
know basis, in order to perform their duties in connection with one or
more of the purposes defined above. Clinical and professional details
should be available to all those, but only those, involved in the care of
the individual.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protocols Governing the Receipt and Disclosure of Patient/Client Information 4
• Each agency will ensure that they have mechanisms in place to enable
them to address the issues of physical security, security awareness and
training, security management, systems development, site-specific
information systems security policies, and systems-specific security
policies.
• Each agency will take all reasonable care and safeguards to protect
both the physical security of information technology and the data
contained within it.
• All information systems will be effectively password protected and
users will not divulge their password nor leave systems active whilst
absent.
• All personal files and confidential information must be kept in secure,
environmentally controlled locations when unattended, e.g. in locked
storage cabinets, security protected computer systems etc.
• Keys to lockable storage cabinets should be held only be staff who
require regular access to the information they contain. Keys must be
held in a secure place.
Conclusion
22. The purpose(s) for which information is required by different organisations
will clearly differ and each needs to be sensitive to the particular
requirements of others in respect of confidentiality. E.g. whilst the emphasis
placed upon the clinician/patient relationship within the healthcare
environment is sometimes poorly understood by other organisations, the
importance of protecting records from access by staff who may be friends,
relatives or neighbours of a patient, is extremely important from a social
services perspective and unlikely to be fully appreciated by health
professionals.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protocols Governing the Receipt and Disclosure of Patient/Client Information 5
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protcols Governing the Receipt and Disclosure of Patient/Client Information 6
Crime and DisorderAct 1998: ProtocolsIntroduction
1. The Crime and Disorder Act 1998 introduces a number of measures to reduce
crime and disorder, including the introduction of local crime partnerships
based around local authority boundaries to formulate and implement
strategies for reducing crime and disorder in the local area. The new
measures include Youth Offending Teams, anti-social behaviour orders, sex
offender orders and local child curfew schemes. All of these measures
depend upon close co-operation, including the proper exchange of
information, and the NHS clearly has an important role to play.
2. The Crime and Disorder Act supports and facilitates this exchange of
information but does not in itself constitute a statutory requirement for NHS
organisations to disclose patient information to other agencies. In the absence
of such a requirement, it is essential that NHS organisations, whilst
contributing as fully as they are able to their local crime partnership, continue
to operate within the constraints provided by common and statute law.
Lawful & Proper Information Exchange
3. Section 115 of the Crime and Disorder Act 1998 provides that any person has
the power to lawfully disclose information, for the purposes of the Act, to
the police, local authorities, probation service or health authorities (or
persons acting on their behalf), where they do not otherwise have this
power. However, whilst section 115 ensures that all agencies have a power to
disclose, it does not impose a requirement on them to exchange information
and responsibility for disclosure remains with the agency that holds the data.
4. Any disclosure of patient based information, almost always provided to NHS
staff in confidence by patients, must therefore have regard to both the
common law duty of confidence, and statutory restrictions on disclosure. NB.
The Courts have recently ruled that the common law duty of confidence does
not apply to information that has been effectively anonymised so that
individuals cannot be identified. There is thus no barrier to the sharing of
effectively anonymised data.
5. In the absence of a statutory requirement to disclose patient identifiable
information (or a court order requiring disclosure), a decision to disclose must
therefore be justified. This necessitates that the disclosing agency be confident:
• that there are no statutory restrictions on disclosure (e.g. those
provided by the Human Fertilisation and Embryology Act 1990);
• that the subject of the information has been informed of the proposed
disclosure and has consented to it; or
• that on balance, there is an overriding public interest in the disclosure.
6. The latter requires a balancing judgement to be made on a case by case
basis. Specific measures to prevent crime, reduce the fear of crime, detect
crime, protect vulnerable persons, maintain public safety, or divert young
offenders from re-offending are clearly in the public interest. It is the
responsibility of the holder of the confidential information to determine
whether the duty of confidence to the individual, the harm that could result
from disclosure and the public interest in maintaining the confidential nature
of the clinician/patient relationship is outweighed by the public interest
arguments for disclosure. If in doubt, NHS organisations should seek legal
advice.
Protocols
7. The best way of ensuring that disclosure is properly handled is to operate
within a carefully worked out information sharing protocol. Protocols should
be supported by all the agencies involved and should be made available to
the public. The Home Office, in guidance aimed largely at the police, has
promoted this approach. There remains a need however, for NHS
organisations to ensure that the particular sensitivities that apply to health
information are appropriately reflected. It is recommended therefore that the
following principles and associated good practice should be incorporated in
all Crime and Disorder Protocols and that all signatories are made aware of
the context within which NHS organisations must work.
Designated officers
8. It is usually suggested by the police that signatories to a C&D Protocol
should nominate designated officers to regulate, monitor and act as the
channel through which requests for information are made and handled. The
Department of Health supports this approach and it is recommended that the
Caldicott Guardian should be the designated individual for NHS
organisations.
Scope of C&D Protocols
9. Protocols should provide operational guidelines for signatory agencies on the
exchange of personal information (as defined and regulated by the Data
Protection Act 1998) and also effectively anonymised information to:
• help local partnerships to implement the provisions of the Crime and
Disorder Act,
• facilitate the work of youth offending teams.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protcols Governing the Receipt and Disclosure of Patient/Client Information 7
10. Protocols should govern the exchange of information to obtain the following
Orders
• Anti-Social Behaviour Orders,
• Sex Offender Orders,
• Child Safety Orders,
• Child Curfew Orders
11. Protocols should also apply to the exchange of information following a
conviction by a Court. It will therefore be relevant to:
• Drug Treatment and Testing Orders,
• Reparation Orders,
• Action Plan Orders,
• Supervision Orders,
• Detention and Training Orders,
• Parenting Orders.
12. Finally, protocols should apply to any other exchange of information that is
intended to support action under any other provision of the Crime and
Disorder Act.
General Principles
13. Section 115 of the Crime and Disorder Act provides a power to exchange
information where disclosure is necessary to support the local strategy to
reduce crime and disorder, the youth justice plan, or another provision of the
Act. However, although the Act creates a situation where the exchange of
information may be lawful, the duty of confidentiality will still apply to
personal health data. The Act does not provide a statutory authority to
disclose such information, though the duty of partnership requires that
signatories do all they can within the restrictions imposed by law. Data
Protection legislation, in the form of the 1998 Act is also relevant to the
sharing of “personal data” (as defined in the Act), and signatories should
obtain a copy of the guidance provided by the Data Protection Registrar’s
Office Crime and Disorder Act 1998: data protection implications for
information sharing.
14. It is clearly necessary for protocols to distinguish between effectively
anonymised information and information which remains capable of
identifying individuals. It is also necessary to distinguish between personal
information that is held in confidence and that which is not. A further
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protcols Governing the Receipt and Disclosure of Patient/Client Information 8
distinction, generally of less importance, is between personal information
relating to the living and that relating to the deceased. The following matrix
illustrates the applicability of key legislation (and the common law) to the
various categories of information. A version of this matrix, expanded to cover
other legislation governing the use of information by each of the signatory
agencies, might usefully be included within the protocol.
1. It is not clear under law whether the Common law duty of confidence extends to
information provided in confidence by those who have subsequently died. However, the
Department of Health and the professional regulatory bodies advise that best practice is to act
as if the duty does continue after death.
Points to be included in C&D Protocols
General
• Protocols should commit signatories to ensuring, as best they are able,
that they are informed about and comply with all legal requirements –
e.g. Data Protection legislation and the common law duty of confidence
– and key responsibilities in this area should be flagged.
• It should be explicitly stated and agreed that all information received
under the protocol should only be used for the purposes defined and
listed in the protocol. Signatories must agree that they will not disclose
information received under the protocol to another agency without
seeking the consent of the agency that provided the information in the
first instance.
• The protocol should record agreed procedures for retention and
destruction of information. Information should be retained no longer
than is necessary and should be protected by adequate security
measures that should be outlined at least in brief within the protocol.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protcols Governing the Receipt and Disclosure of Patient/Client Information 9
Common Law Data Computer Human NHS Other?Duty of Protection Act Misuse Act Fertilisation & (Venereal Confidence 1998 1990 Embryology Diseases)
Act 1990 Regulation & Directions1974 & 1991
Anonymised/ No No Yes No NoInformation
Personal health Yes Yes Yes Yes Yesinformation (living individuals)
Personal health Yes1 No Yes Yes Yesinformation (deceased)
• The protocol should make it clear that only the minimum information
necessary to satisfy the purposes defined in the protocol should be
provided.
• The protocol should clearly outline the procedures that will apply
when individuals exercise their legal rights to have access to and
copies of any personal data held about them.
• The Protocol should make it clear that personal data relating to third
parties, e.g. a relative, victim, informant or witness should only be
disclosed to partner agencies in circumstances permitted by the Data
Protection Act 1998.
Confidential Personal Information
• The protocol should make it clear that where information is held in
confidence e.g. as is the case with personal information provided to
the NHS by patients, the consent of the individual concerned should
normally be sought prior to information being disclosed.
• Where consent is withheld or is unobtainable, the protocol should
require an agency to assess, on a case by case basis, whether a
disclosure is necessary to support action under the Crime and Disorder
Act and whether the public interest arguments for disclosure are of
sufficient weight to over-ride the duty of confidentiality.
• The protocol should require a formal record to be kept of the basis for
disclosure of confidential personal information – consent or the public
interest – and where the public interest is relied upon the grounds
should be documented.
• The protocol should make it clear that an agency receiving confidential
personal information from another agency under a Crime and Disorder
Protocol is itself bound by the common law duty of confidence and
also may need to comply with Data Protection legislation.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Protcols Governing the Receipt and Disclosure of Patient/Client Information 10
Controlling Access
The Guardian as Gatekeeper
1. Once an organisation has procedures and systems in place to control access
to patient information, the Guardian should have responsibility for agreeing
who should have access to what. Although it is necessary to be realistic
about the pace at which existing systems and procedures can be changed if
there are significant resource implications, the introduction of new
procedures e.g. to control access to the new NHS Strategic Tracing Service
(NSTS), can provide an opportunity to set high standards from the outset.
This section provides an outline of key access control concepts and
recommended good practice. It also provides an overview of the proposals
for NSTS operation and associated Guardian responsibilities.
Access Control
2. Access control is essential for ensuring that only authorised persons have:
• physical access to computer hardware and equipment;
• access to computer system utilities capable of over-riding system and
application controls;
• access to manual files containing confidential information about
individuals;
• access to computer files and databases containing confidential
information about individuals
3. Whilst the introduction of appropriate procedures and systems is likely to fall
to information security officers, facilities management and building security
etc, it is important that the Guardian be aware of current organisational
capacity and intentions, through the management audit (see relevant section
of this guidance).
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 1
Detailed guidance on access controls can be found in the
Resource Pack Ensuring Security and Confidentiality in the
NHS Organisations (see Support & Advice)
Physical Access Controls
4. Physical security protection should be based on defined physical perimeters
and achieved through a series of strategically located barriers throughout the
organisation. Critical installations should be protected, at the minimum, by
lock and key with only authorised staff permitted access.
Access to Systems Utilities
5. This is primarily a concern for the information security officer and is covered
in detail in Ensuring Security and Confidentiality in NHS Organisations.
Access to Confidential Information aboutIndividuals
6. Access to person identifiable information should be restricted to those staff
who have a justifiable need to know in order to effectively carry out their
jobs. The Caldicott Principles underpin the approach that NHS organisations
should develop and introduce at a pace that is sustainable locally.
• Principle 1 - Justify the purpose(s) for using confidential
information
• Principle 2 - Only use it when absolutely necessary
• Principle 3 - Use the minimum that is required
• Principle 4 - Access should be on a strict need-to-know basis
• Principle 5 - Everyone must understand their responsibilities
• Principle 6 - Understand and comply with the law
7. Registered access levels can be used to further limit the access of authorised
persons to the minimum information that they need to carry out a task or
function. This is particularly relevant to information held electronically, but
the principles apply to all records, e.g. staff who need access to manual files
for filing purposes should not need to access the information already
contained within the files.
8. There are also legal restrictions on who may see certain patient-identifiable
information, notably sexually transmitted diseases including HIV/AIDS. Only
staff whose responsibilities include the treatment of individual patients with
such diseases or who are involved more widely with the treatment or
prevention of disease, such as those employed by public health departments,
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 2
should be permitted access to such information. Organisations should
therefore develop procedures for filtering out and/or anonymising relevant
records (see the section on safe-havens below).
Information/Data “Ownership”
9. It is best practice for each physical set of information, e.g. manual files, or
logically discrete set of electronically held information e.g. a database, to be
assigned an “owner”. The information security officer should keep an up to
date register of data “owners” and the Guardian should be provided with a
copy. A number of responsibilities should be associated with ownership,
including:
• identifying all the information/data in the set
• identifying, and justifying to the satisfaction of the Guardian, how the
information/data can be used
• agreeing with the Guardian who can access the information/data, and
what type of access each user is permitted
10. Details of the other responsibilities of “data owners” - e.g. data classification,
security measures and compliance with Data Protection legislation - can be
found within Ensuring Security and Confidentiality in NHS Organisations.
Access Levels and Registration
11. There should be formal and documented user registration and de-registration
procedures, for access to all person-identifiable information held in
confidence, where multiple users need access. Again, although this is mainly
applicable to electronically held information, the principles extend to manual
files.
12. It is particularly important that it is clear, at any point in time, just who
should have access to what information. It should be possible to immediately
change or remove the access rights of individuals who have changed jobs or
left the organisation and a formal process to regularly review users’ access
rights should be established. For information held in electronic form, each
user should have a unique identifier (user-ID) for their personal and sole use.
A unique user-ID ensures that all activities on the system can be traced to the
individual responsible and audits of activity undertaken. Each user should
also have a password. As long as they are kept secret, passwords are an
effective and easily introduced security measure. Detailed guidance on the
use and management of passwords, aimed primarily at information security
officers, is included within Ensuring Security and Confidentiality in NHS
Organisations.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 3
13. Ideally, systems should permit users to be given different levels of access,
and this requirement should be carefully born in mind when introducing new
systems or upgrading old ones. The example given above of the access
required by a filing clerk demonstrates that the principle can be applied to
manual records as easily as to that held on a computer. Procedures for
checking that the level of access granted to an individual is appropriate and
justifiable, in the context of the business purpose, should be put in place and
the Guardian’s approval sought (see Information “Ownership” above).
Incidents and Security Breaches
14. Detailed guidance on the management of security incidents is included within
Ensuring Security and Confidentiality in NHS Organisations, and is largely
the responsibility of the Information Security Officer. Guardians should
ensure, however, that all security incidents involving the unauthorised
disclosure of confidential personal information are reported both to
themselves and to the Chief Executive of the organisation. Where
appropriate, advice on the handling of such breaches of confidence should
be sought from the NHS Executive HQ or the Regional Office (see the
section on Support & Advice).
Safe-Havens
. To support the introduction of access controls within an organisation and
adherence to legal restrictions on the disclosure of certain information
(HIV/AIDS etc), a useful model to adopt for routine flows of information is
the use of designated safe-havens. This model requires confidential
information to be disclosed or accepted through designated safe-haven
contact points.
16. When information is received, access controls and registered access levels
agreed by the Guardian, should then determine which staff within the
organisation should have access to what information (see Controlling Access).
When information is disclosed by a designated safe-haven point to an
equivalent point in another organisation, staff can be confident that agreed
protocols will govern the use of the information from that point on.
17. Where it is not practicable for patient information to be routed in this way,
the staff involved must be made aware of any relevant protocols and take
responsibility both for adhering to them and for drawing the attention of
others to the standards that should apply. This is particularly relevant when
information is shared to directly support patient/client care as a perception
that another organisation does not adhere to the same rules of confidentiality
can put barriers in the way of information sharing and undermine the
effective provision of seamless care.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 4
18. Safe-haven arrangements originated to support contracting procedures, and
detailed guidance was provided in EL(92)60 (See Summary of Existing
Guidance). The safe-haven model should, over time, be extended to cover all
procedures for transferring confidential patient/client information between
organisations when the purpose is not directly related to the provision of
care. Guardians should work with the information security officer and staff
familiar with safe-haven procedures to consider how the wider use of these
procedures might be promoted across the organisation.
19. The key principles, updated to incorporate the Guardian role, are that:
• Each organisation should establish safe-haven administrative
arrangements to safeguard confidential person-identifiable information.
This includes having one designated contact point per physical site.
Ideally, all information exchanged between NHS organisations should
pass between safe-haven contact points.
• All members of staff (including, for example, switchboard operators
and post room staff) should be made aware, at least in general terms,
of the policies and procedures surrounding safe-haven access.
• Safe-haven procedures should be fully documented, approved by the
Guardian and agreed by senior management.
• Safe-haven procedures should be comprehensive and cover:
• Management arrangements
• Staff roles and responsibilities
• Physical location and security
• Procedures for handling information
• Controls on disclosure of information
• Storage, archiving and destruction of information
Access to the NHS Strategic Tracing Service(NSTS)
20. The introduction of the Strategic Tracing Service - a new service for the NHS
- provides a clear opportunity to implement the high standards called for in
the Caldicott Report. Guardians will have an important gatekeeper role when
their organisations are signed up to access this new service, authorising
different levels of access as described below.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 5
21. The NSTS will provide the NHS with a core set of administrative information
about people, places and organisations. The NSTS will provide administrative
information that:
• is accessible to a wide range of NHS organisations;
• is accurate and up to date;
• is sufficient to support NHS business
22. The NSTS will provide a range of functions to support NHS organisations,
including aggregate population analysis, updating local patient registers and
the ability to call up the full range of patient administrative details for an
individual.
23. Access to the NSTS is governed by strict security protocols, including the
ability to restrict access according to security clearance. The Guardian is the
only individual entitled to register, amend registration or de-register
members of staff.
24. The NSTS will recognise six different levels of access, with level 6 providing
access to all the information held. Each of the 5 restricted levels of access is
further sub-divided into three further categories, A, B or C each of which
provides a slightly greater degree of access than the previous. Whilst there is
a general trend from minimum to maximum information, on the 1 to 6 scale,
there are irregularities that have been introduced to support specific NHS
functions so care should be taken when assigning levels to staff groups.
Access may also be restricted according to other criteria e.g. to records
belonging to individuals residing in a particular geographical area.
25. Each organisation permitted access to the NSTS must assign an access profile
to each member of staff permitted access. This access profile will be
registered with the NSTS provider and will define both the permitted level of
access and any geographical or other restrictions.
26. Access levels should be set initially by business function unless there is a
need to vary this in special cases, and should be agreed following Caldicott
Principles of justification of purpose, need to know parameters and
consideration of precise information requirements.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 6
NSTS Access Levels and what they permit access to:
ACCESS LEVEL (Y = ACCESS PERMITTED)
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 7
LEVEL LEVEL LEVEL LEVEL LEVEL LEVEL
NTS FIELD 1 2 3 4 5 6
A B C A B C A B C A B C A B C
DATE OF BIRTH Y Y Y Y Y Y Y Y Y Y Y Y Y Y
DATE OF DEATH Y Y Y Y Y Y Y Y Y
NHS NO. (OLD) Y Y Y Y Y Y Y
NHS NO. (NEW) Y Y Y Y Y Y Y Y Y Y Y Y Y
SURNAME Y Y Y Y Y Y Y Y Y
FORENAME 1 Y Y Y Y Y Y Y Y Y
FORENAME 2 Y Y Y Y Y Y
TITLE Y Y Y Y
SEX Y Y Y Y Y Y Y Y Y Y Y Y
ADDRESS Y Y Y Y Y Y
POSTCODE Y Y Y Y Y Y Y Y Y Y Y
ADDRESS IS MAIN / Y Y Y Y
TEMPORARY ETC
TELEPHONE NO. Y Y Y
GEOGRAPHIC AREA Y Y Y Y Y Y Y Y
REGISTERED GP Y Y Y Y Y Y Y Y
GP PRACTICE Y Y Y Y Y Y Y Y
ALIASES Y Y Y Y
LOCAL/OTHER Y Y Y Y
IDENTIFIER
ORGANISATION LINKS Y Y Y Y Y Y
27. The access control points outlined at the beginning of this section are clearly
relevant and it will be important for Guardians to be confident that any
supporting staff are familiar with the more detailed guidance that is available.
28. Local organisations will quite rightly have considerable flexibility as to the
access level assigned to different members of staff. The access levels
suggested in the following list cover a range of common functions and it is
recommended that they are adopted. However, no attempt has been made to
classify functions down to the A, B and C sub-classifications. This is a matter
for local discretion.
Recommended
Level
Patient Registration (NHS Trust) 5
Patient Registration (GP) 5
Set-up of New Patient Registers 5
NHS Number Tracing 3
Data Cleaning of Patient Registers 5
Waiting List Cleaning/Review 5
Set-up and Maintenance of Disease Related Registers 5
Health Improvement Programmes 1
Epidemiological Studies 2
Screening Programmes 5
Resource Allocation 1
Validation of Payment Claims by GPs 4
Post-payment validation 2
Person Tracing 5
29. More detailed guidance on the operation of the NSTS will be issued by the
NHS Executive later this year. This will include guidelines for auditing the use
of the NSTS by staff – each time that the NSTS is accessed the details are
logged – and Guardians will have an important role to play in monitoring
and signing off the audit procedures.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 8
Review of Current Information Flows
30. It is important that NHS Organisations and their Guardians develop a
thorough understanding of how information is being used within the
organisation and ensure that each use is justified to the Guardian’s
satisfaction. Additional guidance on this review process will be made
available shortly.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Controlling Access 9
Reviewing InformationFlows within NHSOrganisations1. The Caldicott Report recommended that every flow of patient-identifiable
information within, and from, an organisation should be tested against the
Caldicott principles. The continuation of a flow and, where a flow serves a
necessary purpose, the inclusion of each item of information capable of
identifying an individual should be justified. Continuing or routine flows of
information should be re-tested regularly and routinely. This is potentially a
significant task for a large and busy organisation the first time it is
undertaken, and it is essential that the work is tackled sensibly and at a pace
that is locally sustainable. This work should fall into three key stages:
Stage 1: Mapping information flows
Stage 2: Prioritising mapped flows for review purposes
Stage 3: Rolling program of review (2, 3, 4 or 5 year program)
2. The term patient-identifiable information or, alternatively, patient-identifiable
data means any data item or combination of data items by which a patient’s
identity may be established. The main patient-identifiable data items that you
should review are:
• forename;
• surname;
• date of birth;
• sex;
• address;
• postcode.
3. In this context, an information flow is a set of data that is sent by one party
to one or more other parties. Examples of this include:
• routinely sent free-text correspondence, eg hand written, word
processed;
• manually completed forms;
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 1
• print outs from systems;
• electronically exchanged data (both structured and unstructured
messages).
4. The aim of removing patient-identifiable data items is to enhance patient
privacy, e.g. by lessening the chances of people inadvertently recognizing
someone they know when reviewing patient data. If sufficient items can be
removed, individual patients may no longer be identifiable and the
information will no longer be classed as personal data and be regulated by
Data Protection legislation. However, it will rarely be possible to do more
than enhance privacy and thus support wider work on improving the security
and confidentiality of data flows.
5. It is important to note that the requirements of data protection legislation are
only satisfied when the amount of patient-identifiable information used for
any particular purpose is adequate, relevant and not excessive in relation to
that purpose, so each item of patient-identifiable data retained should be
justified.
Mapping and prioritising information flows
6. Pilot work has confirmed that within any sizeable NHS organisation there are
a large number of data flows that contain patient-identifiable data items.
Small organisations may find that they are able to map all existing
information flows in the initial mapping exercise. However, where this
appears to be too demanding a task, activity should be mapped in terms of
functional areas with the mapping exercise itself becoming part of the longer-
term process of the rolling program of review. If this approach is adopted,
the review task in the management audit/improvement plan section of this
manual should be sub-divided accordingly to demonstrate the continuous
improvements that are being made (e.g. to demonstrate that level 1 or 2 has
been achieved for functional areas X & Y).
7. Functional areas should themselves be assigned a priority rating for review –
high, medium or low and this should be reflected in the rolling review
program. Information staff who have a good understanding of the full
spectrum of data flowing around an organisation may be able to identify
functional areas with significant numbers of patient related flows that are not
related to the direct provision of patient care. Care delivery areas should
generally be assigned a lower priority for review and are likely to genuinely
need patient information, e.g. name and address, due to contact with the
patient.
8. To assist in this task the following table identifies the functional areas that
were identified during piloting and assigns priority levels to them. This list is
not exhaustive, but should guide you. More detailed explanation as to why
these areas are proposed and what flows to review are provided as
appendices to this section of the Guardian manual as noted in the table.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 2
Proposed review areas
9. The appendices indicated in the table above suggest flows to look at and
flows to avoid for each functional area. Local circumstances may change the
way that information is used so these should be seen as examples rather than
fully inclusive models. A comprehensive map of information use should be
built up locally for each functional area.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 3
Functional Areas Health Authority Trusts See Appendices
and Primary Care
Groups
High priority areas
Commissioning 3 3 1
Clinical audit 3 3 2
Information department 3 3 3
Clinical coding 3 4
Medium priority areas
Medical records 3 5
Patient care services (e.g. surgery, 3 6
mental health care teams)
Pathology 3 7
Low priority areas
Health Authority /General 3 8
Practitioner communications
Other areas 3 3
Reviewing Information Flows
10. It is important that the review of information flows should be addressed in
‘bite sized chunks’. For example, if reviewing a very large area such as
medical records, select part of the function to review, perhaps by selecting all
flows from one specialty. You may subsequently be able to apply findings
more widely if you identify flows that are common across specialties.
11. Information that is flowing into the functional area may prove the most
straightforward to review, simply because the recipient of the information will
know why they receive it, what they do with it and the decisions they make
with it. Those conducting the review might best determine this by
interviewing key staff to establish what patient related information they
routinely receive, hold and send, both electronically and on paper. Those
flows containing patient-identifiable information should be noted and
examples of the forms or printouts used should be copied. Outputs from
computerised systems should be reviewed by contacting the system manager
to find out what outputs/reports are regularly run. Note that outputs that
provide listings of multiple patients are less likely to need name and address
than outputs that relate to an individual patient’s care.
12. Included with this section of the Guardian manual, at Appendix 9, is a blank
questionnaire. Section 1 of the blank questionnaire can be copied. Make sure
you have enough copies to complete one for every data flow to be reviewed.
Read the guidance notes within the questionnaire carefully and make sure that
you understand what the questions mean.
13. For data flows which routinely go to other organisations you will need to set
up meetings with the relevant staff within those organisations. This might
usefully be done alongside meetings to discuss protocols for sharing
information or as part of the work of confidentiality groups put in place to
support local work on Information for Health. It is not sufficient to simply
interview the sender of the data flow about its purpose, because it may be
that more patient-identifiable data is sent than necessary because the sender
has a different understanding of why the data is exchanged than the receiver.
It is the receiver’s use of the data that should govern its content.
14. A separate section 1 of the questionnaire should be completed for each role
receiving a data flow, even if you identify that two roles are receiving the
same data flow. This is important because it is the individual role’s use of the
data flow that will govern what data items are required and these may not be
the same for multiple users of the data flow. A sample form/print out of the
data flow should be attached to the questionnaire for reference.
15. The piloting identified that thorough completion of a questionnaire is
imperative if others are to approve findings. If the detail of the flow is not
presented clearly, approvers are likely to respond with lots of questions about
the flow. So remember that whilst some information you gather may seem
very obvious to you if you are familiar with the functional area, it may not be
to others and hence needs recording.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 4
16. Section 2 of the questionnaire should be photocopied and completed for any
flows that are seen to hold more patient-identifiable data than needed. This
is likely to be a relatively small proportion of the total number of flows you
review. The purpose of section 2 of the questionnaire is to help establish
whether a flow should be changed. Further interviews are likely to be
needed with the sender of the data flow and any other recipients to establish
what other users of the data flow require and to identify possible means of
changing the flow. As many options for change as possible should be
identified. These may include:
• redesigning system print outs, reports and screens to hide
unnecessary data;
• changing message definitions in electronically exchanged flows.
This will require both the sending and receiving system to be changed
and will need to be co-ordinated and may also be costly. Suppliers
and user groups should be consulted and if costs cannot be justified
then changes should be logged for inclusion in future upgrades;
• redesigning printed forms to remove name and address or other
unused patient identifiers, replacing them with less revealing
identifiers, such as NHS Number. The fact that an NHS number may
not be known for a small minority of patients should not prevent such
changes from being made. Guidance on forms can state ‘provide
name if NHS Number is not known’. The cost of changing forms can
be minimised by making the change when a reprint is required, rather
than discarding existing forms;
• leaving the flow unchanged, but improve the security of the flow
(eg. not using faxes);
• stopping the flow from going to recipients that do not need it;
• splitting flows that go to multiple recipients so that each one only
gets the data they need. Carbonated forms can be used and
unnecessary data items blocked on copies for some recipients;
• possible options for longer term strategic action to change the
flow include:
• implementation of electronic links for the data flow area. This
may negate the need to remove unjustified data items from the flow by
hiding the data items from the recipient or enable data to be more
easily selected locally from within the receiving system, without
impacting the user;
• revisiting the procedures and systems supporting the whole
business area. This may provide an opportunity to remove or totally
change the nature of the data flows supporting the business area, but
could only be done as part of a larger review, perhaps in preparation
for procuring new systems or merging business functions together.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 5
17. Individual judgement should be used to ascertain if the improvement in
privacy that would be gained be removing data items outweighs the cost, risk
and impact of making the change. Bear in mind that it is a Data Protection
Act requirement that data should only be exchanged if it serves a purpose and
that the aim of the Caldicott review is to improve patient privacy. If it is not
justifiable to change a flow in current circumstances, perhaps because the
impact on staff is too great or the cost is prohibitive, consideration should be
given to what actions can be taken so that the flow can be reviewed for
change at a later point.
18. For each data flow recommended for change a more detailed proposal should
be drawn up. Develop the preferred option identified in the questionnaire
and gather more information to substantiate your view, such as better
estimates of costs. Agreement to the proposal should be sought from the:
• Sender;
• recipient(s);
• Caldicott Guardian;
• senior management (if appropriate).
19. If the sender or recipient of the data flow is from another organisation
negotiations will need to take place. It is recommended that the Caldicott
Guardian should lead negotiations by consulting with their counterpart in the
sending organisation. For data flows agreed for change, an implementation
plan detailing who needs to take what action and when, should be prepared.
In some instances the plan may need to be drawn up by another organisation,
typically where they are the sender. If so, there is still a need to negotiate to
make sure that it happens.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 6
Dataflow Review Rules
Introduction
20. The aim of the process of reviewing patient-identifiable data, as set out in
this document, is to ensure that NHS organisations are applying the Caldicott
principles to all patient based data flows. To assist in applying these general
principles to the data flows that you review, a set of rules for reviewing
patient-identifiable data flows has been established. These aim to identify the
types of data flows where name and address are justified, unjustified or
acceptable given certain circumstances. These rules have been applied to the
design of the questionnaire and should be read before interviews commence
to complete questionnaires for individual data flows.
21. The personal data included within a data flow should be adequate, relevant
and not excessive for the recipient’s purpose(s). In particular, access to name
and address should be on a strict “need to know” basis. But all patient-
identifiable data should be reviewed to ensure that it is justified. Where a
flow has multiple purposes, the recipient’s “need to know” for each purpose
should be confirmed. It is not acceptable to hold more data than is adequate
for the current purpose of a flow in anticipation that additional data may be
needed later for secondary purposes.
22. There are four reasons to need to know name and/or address :
• to have direct contact (meet, telephone or correspond) with the
person or their representative / relative (e.g. GP, carer, social
worker, parent);
Patients want to be known by their name, not a number when
receiving care.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 7
Rule 1: Personal data sent should not be excessive for purpose
Rule 2: Where there is a “need to know” name and address it should
be retrieved locally wherever possible
Rule 3: Where identifiable data is needed to trace a patient, name and
address may be justified in the short term
Rule 4: Flows should be prioritised for change by examining the
extent that the confidentiality gain exceeds the risk and cost
Rule 5: If the cost of changing a flow exceeds the benefits or is
prohibitive, consider the case for removing name and address
once the data has reached the recipient
Rule 1: Personal data sent should not be excessive for purpose
• because of a responsibility to maintain health records;
Most healthcare providers maintain their own register of patients they
treat. Hence when a patient first presents to a service, full patient
details will be required so that a patient can be registered (e.g. first
referrals). Subsequent correspondence should not require the full data
set. See rule 2;
Some flows will also be justified because their purpose is to update the
patient-identifiable data held within a patient register, hence name may
be needed to update a patient record. The NHS Central Register is a
good example where patient-identifiable data is not needed for direct
patient contact, but is needed to maintain accurate patient records.
• because of a statutory or nationally mandated requirement;
Patient data must be sent where there is a mandatory requirement to
do so, even if there does not appear to be a genuine need to know.
• when the person’s residence has to be pinpointed to a greater
degree of accuracy than can be obtained from postcode alone
(applies to address only).
For example to determine proximity to a power station for research
purposes.
23. Where a flow recipient has a genuine “need to know” name/address, but the
recipient already holds name and address for the patient, only NHS number
and confirmation data should be sent to identify the patient. Confirmation
data are items like date of birth and postcode that confirm the identity of the
patient. Sending name and address is likely to be justified if:
• the name and address sent may be more current than the recipient’s
source of data;
• retrieving name and address adds an unacceptable administrative
burden for the recipient, particularly if the recipient is a health care
professional; eg nurse, doctor rather than an administrator;
• the recipient’s requirement to make use of personal details is urgent;
• the recipient or sender has not got access to name/address through
another identifier such as the NHS number.
24. In the longer term, the aim should be that the NHS number and confirmation
data are sent electronically and name and address or other patient-identifiable
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 8
Rule 2: Where there is a “need to know” name and address it should
be retrieved locally wherever possible
data required by the recipient are found on the receiving system and
displayed to the recipient if needed. If a match cannot be found on the
receiving system either a message should be sent back to the sender or the
NHS Strategic Tracing Service used to find the missing data. The functionality
for this search and retrieve should be within the system and invisible to the
user. In the shorter term the NHS should strive to achieve high presence of
the NHS number and improved data quality on all patient registers, so that
when data is exchanged electronically the matching can be done effectively.
25. When tracing records, maximum patient data may be required, for example if
there is a lack of confidence in data quality. When there is a high level of
confidence that a match will be found fewer patient-identifiable data items
are needed. Many instances exist where name and address are currently used
within data flows to verify a patient’s identity, but not needed for other
purposes. In these situations every effort should be made to use other
patient identifiers which are less revealing and remove name and address.
The viability of doing this will depend on many factors: the need for an exact
patient match, data quality, manual or electronic exchange of information etc.
See the publication General Principles in the use of the NHS number
(reference C3228) for further guidance.
26. In some instances this may mean that new data items, such as date of birth,
need to be added to a flow to replace name or that specific measures to
improve the data quality of the NHS number and other confirmation data
items are needed before name can be removed.
27. For each flow proposed for change you should assess the benefit, risk and
cost. When looking at risk, you should take the following indicators into
account:
• the risk of information being inappropriately disclosed;
• the impact of information being disclosed;
• sensitivity of the data;
• the expected life of the information system and the proposed change
(whether manual or computerised);
• the accessibility of the personal data to casual browsing by authorised
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 9
Rule 3: Where identifiable data is needed to trace a patient, name and
address may be justified in the short term
Rule 4: Flows should be prioritised for change by examining the
extent that the confidentiality gain exceeds the risk and cost
users, and to confidentiality breaches by unauthorised users;
• the volume and frequency of the flow locally;
• the level of user support for the change, and the risk that benefits might
be reduced because of non-compliant users.
28. You should take the following factors into account when estimating cost:
• the one-off costs of changes to the affected system, any dependant
systems and in guidance / training users;
• the potential side-effects of proposed changes, such as risks to patient
care, probity, data quality etc;
• recurring costs resulting from change, if any exist.
29. This rule applies primarily to electronic flows. Where name and/or address
are not needed, but the cost of changing the data flow content is prohibitive
or not worthwhile, particularly in legacy systems, consider removing name
and address from display in the receiving system. Future design of systems
should not include name and address in electronic flows unnecessarily.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 10
Rule 5: If the cost of changing a flow exceeds the benefits or is
prohibitive, consider the case for removing name and address
once the data has reached the recipient
Appendix 1: Commissioning Flows
What do we mean by commissioning data flows?
All data flows exchanged to enable monitoring of services for commissioning, both
between providers of services and their commissioners and also data flows exchanged
between departments within provider organisations to assign activities to service
agreements and monitor activity levels against them.
Why look at commissioning data flows?
The Caldicott Report recommended that name and address should not be used in
commissioning data sets because there is rarely a need to identify the individual. It
recommended that where there is a need to link records as part of service agreement
monitoring or when using commissioning data sets for planning and research that NHS
number should be used and that name and address should not be used.
DO look at…
• the compilation of commissioning data sets. Make sure that name and
address are not sent unnecessarily by patient care service departments to
the information or contracting department within trusts to enable
commissioning data sets to be compiled. Points to note include;
• checking if activity could be reported using NHS number and date of
birth only;
• could the data flow be more automated to preserve patient privacy by
providing it on disk or via a direct electronic link?
• data flows to enable verification of service agreement activity levels.
Patient activity data is sometimes sent by the information or contracting
department within a trust to service directorates to check that the activity
levels for specific service agreements are correct. Points to note include:
• checking if monitoring is really required for every activity or if sampling
could be done;
• seeing if contract assignment checking can be automated, so that
operators only see potential errors;
• seeing if the procedure for collecting the commissioning information can
be improved so that checking is not needed;
• commissioning minimum data sets (CMDS) as defined by CRIR. The
DSCN 08/98/P08 stated that name and address should be removed when
the NHS number is present from commissioning data sets exchanged
between service providers and their commissioners from April 1999;
• summary patient activity data sent to primary care groups or general
practices. It is likely that some primary care groups or GPs will still
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 11
require activity data. Make sure that they actually check every activity
against their records if a full activity list is required. If this is not done
see if aggregate data would suffice.
Examples from piloting
Listing of all pathology tests provided monthly to GPs by Birmingham
Heartlands NHS Trust.
This listing is sent to GPs that have requested it, detailing all pathology requests
within a month. In some instances this is a large quantity of data. A national NHS
number Caldicott primary care workshop found that a number of general practice
managers stated that they received similar data flows, but did not have time to
check each patient and as a result did not use the data at all. In response to this
Birminghams Heartlands have written to all of their GPs asking what their
information requirements will be from April 1999 for primary care groups and
suggesting that they should only seek full activity data listing by patient if they plan
to check each record.
HISS print out of renal dialysis contract assignment sent from Birmingham
Heartlands Business Development Unit to the Renal Directorate.
This listing is needed because there are two renal contracts and confusion does
arise in assigning patient activity to the correct contract. Currently name and
hospital number are included. Steps are being taken to populate the renal register
with the NHS number so that this can be used in conjunction with hospital number
in the future. The unit is also considering exchanging the data on disk and
automating the checking to lessen the operator intervention.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 12
Appendix 2: Clinical audit
What do we mean by clinical audit?
Clinical audit departments carry out clinical audit projects where, put simply, they
investigate whether the right things are being done in the right way. It is also
worth looking at other things that clinical audit departments take responsibility for,
such as research, that may be outside of the strict definition of audit, but are still
likely to include patient-identifiable data like name, address, and date of birth.
Why look at clinical audit?
It is an area where a lot of patient-identifiable data are exchanged that is not part of
the direct clinical care process. This presents opportunities for improving patient
confidentiality by omitting unnecessary patient information.
When are patient-identifiable data needed?
The National Centre for Clinical Audit (NCCA) and a group of clinical audit
representatives from different NHS organisations concluded that patient-identifiable
data are only required in limited circumstances. The table overleaf shows what
data are justified for various clinical audit purposes.
DO look at...
• standard forms used in the health care process that are copied and
sent to clinical audit
• printed patient labels: these often contain more patient data than
needed
• use of faxes: this is not a confidential way to communicate and can
easily be mis-directed
• whether you use date of birth where you could use year of birth and
address where you could use postcode
• whether you unnecessarily put the title of the audit on patient listings
(e.g. review of patients with a history of mental illness) thereby
revealing confidential patient information
DON’T look at...
• national audit flows to bodies like the National Confidential Enquiry
into Peri-Operative Deaths (NCEPOD). Such flows are under review
and the relevant bodies will inform you of any changes.
The following table can be used when reviewing clinical audit flows to identify
whether the amount of patient data used is excessive for purpose.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 13
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 14
Clinical audit purpose Example Patient data typically required
Linking clinical audit patient data A nurse records data about One of the following: NHS
back to another data set where a selected cancer patients using the number, hospital number, or an
certain match can be made. casenotes and sends it to clinical identifier created specifically for
audit. An identifier, like hospital the study.
number, is sent to provide a link
back to the set of cancer patient
records.
Tracing and matching across An audit of patient outcomes for NHS number plus a confirmation
patient data sets where making a emergency patients in one data item such as hospital
match is not certain. Trust involves using a patient number, date of birth, or
identifier to match patient data postcode.
collected by ambulance drivers
against patient data collected by
the accident and emergency
department.
Auditing, where data are relevant Ethnic group and sex are used in Year of birth, postcode,
to the audit itself (e.g. date of a study investigating equality of occupation, sex, ethnic group.
birth is relevant when reviewing access to health care services.
perinatal deaths).
Enabling direct contact to be Name and address are needed to Name, address,
made with the patient or their send a questionnaire to patients telephone number,
representative. that have left hospital in order to postcode, sex, year of birth.
assess clinical outcomes.
Following standards / legal Patient name is required by law Various.
requirements (e.g. completing an on abortion notifications
abortion notification). (note, this is now under review).
Appendix 3: Information Department
What do we mean by the Information department?
A functional area of an NHS organisation that collects, analyses and disseminates
information on behalf of the organisation.
Why look at the Information Department
This is a good area to review because it is the focus for many dataflows about
patients, but not directly related to delivering patient care.
DO look at…
• flows to information from sections/departments providing direct patient
services.
• all flows from information departments that contain patient-identifiable
data.
• ad-hoc requests for information. Information departments are frequently
asked for one off information to support research, audit or planning
purposes. Often lists of patient details are requested, when in fact all
that is needed is aggregated data, anonymised data or possibly
individual patient data given a meaningless identifier. Many staff
requesting data prefer to be given the raw data so that they can
manipulate it as they like, rather than allowing the information
department to do the analysis for them. Procedures should exist to
govern when information department staff should provide patient-
identifiable data. This should include the requirement for a justification
for any requests for named data. This procedure should be applied,
even if the request has been approved by the local ethics committee,
as it is possible that such committees focus their attention on whether
the data flow is justified without examining the detail of individual data
items requested.
• other areas managed within the information department that are listed
in this appendix. It is likely that a number of other functional areas
highlighted for review, such as clinical coding and medical records will
be managed within the remit of the information department. Hence
this is a very good starting point that enables review of a number of
functional areas.
DON’T look at…
• any analysis of aggregated data that does not contain patient
identifiable data.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 15
Appendix 4: Clinical coding
What do we mean by clinical coding?
Clinical coding encompasses the function of assigning coding classifications to
clinical diagnosis and procedures for each episode of care undertaken. The staffing
structure to support this varies between trusts. Some have dedicated clinical coding
departments and others having designated coders within individual patient service
areas. The data flows to support this function should be reviewed, regardless of
how the function is structured.
Why look at clinical coding?
A significant amount of patient-identifiable data flows from clinicians to clinical
coders to support clinical coding. The National Centre for Clinical Coding
recommends that coding is done directly from patient case notes. However only
about 50% of the NHS do this. The other 50% use various proformas for coding,
such as the KMR1 forms, discharge letters and discharge summaries. It is the use of
proformas for coding which you should review.
When are patient identifiable data needed?
Clinical coders need enough data on coding proformas to ensure that they locate
the correct episode on the master patient index. Research undertaken by
Birmingham Heartlands NHS Trusts suggests that patient tracing can be achieved
using a combination of hospital number, NHS number, episode number, episode
date, and date of birth. The trust found that even if two or three data items were
missing for each patient, that an accurate match could be made, especially as the
details of the diagnosis and procedures within each episode also help to verify that
the correct patient is selected on the master patient index. This suggests that name
and address could be removed from coding proformas. However it is likely that
this will not be possible because the proforma serves multiple purposes some of
which require name and address:
Birmingham Heartlands found that the proformas were used by medical secretaries
who referred to them in the casenotes to find the patients address when writing out
to them. The secretaries viewed the KMRI forms as being the most reliable source
of up to date data.
Other trusts use their discharge letters as coding proformas and produced up to
four part forms for the GP, the patient, the case notes and clinical coding. Hence
whilst clinical coding do not need name and address other uses justified their
presence. See section 3.8 regarding how to handle multi-part stationary.
DO look at…
• whether clinical coding proformas are used and if they serve multiple
purposes.
• the opportunities to separate data collected for clinical coding from
other data flows so that name and address need not be collected. For
example by automating the clinical coding process. As you develop
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 16
the electronic patient record and move towards more direct inputting
by clinicians of diagnosis and procedure information you should be
able to automate the coding process so that coding is done directly
from data within the system. Build in access controls that provide the
clinical data to the coders, or data entry clerks if coding done by the
clinicians, without displaying name and address on the screens that
they routinely review.
DON’T look at…
• clinical coding if coding is done directly from the case notes or by
clinicians, as access to name, address etc is then unavoidable.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 17
Appendix 5: Medical Records
What do we mean by medical records?
Most trusts have one or more departments that are the custodian of medical records.
They take overall responsibility for the records and store and retrieve them for use by
other trust staff. This function typically covers other activities such as supporting
clinics, collecting bed state information and admitting patients.
Why look at medical records?
The medical records function typically gets large quantities of requests from all areas
of the trust to pull individual patient records. In most cases maximum patient-
identifiable data are likely to be provided to assist in tracing the correct set of records.
However as the Caldicott principles are more widely applied over time there should
be scope to improve patient privacy by using hospital number or NHS number, date
of birth and postcode to trace patient records and exclude name. The benefit in
doing this is not in preserving patient privacy within the medical records department,
whose staff will see patient name on the records as soon as they are pulled anyway,
but to preserve patient privacy on other dataflows which may require medical records
to be pulled as a secondary purpose.
For example NCEPOD, the National Confidential Enquiry into Peri-Opertive Deaths
has asked that notifications to them include the NHS number instead of name. For
each peri-operative death reported the notifying consultant is subsequently asked to
provide more details about the death. From now on, NCEPOD will only correspond
back to the relevant consultant using the patient’s NHS number. Therefore to
preserve patient privacy throughout the chain of information exchange it would be
preferable if the request for the records from medical records could be made using
NHS number.
Medical records departments will have to look hospital number up on the master
patient index if records are requested using the NHS number before they can search
for the case notes. This requires the ability to search the master patient index using
NHS number. Any systems which cannot do this should be changed urgently as this
requirement has now been in place for three years.
DO look at…
• requests for records where the patient’s identity is known.
• patient lists/statistics produced by medical records and sent to other
departments.
• the implications for medical records when reviewing data flows within
other functional areas and whether a privacy gain made on another data
flow can be extended to include requests for records that may be
required as a secondary data flow.
• the different types of requests for records routinely made. If these could
be categorised by their purpose, rather than the source of the request it
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 18
may be that some categories lend themselves to being selected using
less patient-identifiable data. Once grouped together findings can be
applied across a number of specialties making similar types of
requests.
• improving confidentiality if records are filed alphabetically by patient
name. This does not aid patient privacy and should be changed.
DON’T look at…
• flows supporting direct patient contact, for example clinic lists.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 19
Appendix 6: Patient Care Services
What do we mean by patient care services?
Service areas, such as directorates, departments and teams, that are responsible for
providing direct services to patients. This includes health care teams providing
mental health, community and acute services through doctors, nurses and
paramedical professionals. It applies to all service areas where care is provided
directly to patients, so it excludes specimen pathology but includes radiology.
Why look at patient care services?
Patient care services are at the centre of health care activity, these service areas
generate many flows within and outside the NHS that contain patient-identifiable
data. Reviews carried out within Birmingham Heartlands and Solihull NHS Trust,
Enfield Community Care NHS Trust and Bradford Community NHS Trust suggested
that most of these flows are justified. However, some flows do not relate directly to
the care being provided to individual patients, and it is these flows that should be
reviewed.
When are patient-identifiable data needed?
Most of the data flows in these areas directly support individual patient care, and
need full patient-identifiable data (including name and address), particularly at
initial referral. These data are needed to enable patient contact (face-to-face, letters,
telephone etc.) and to enable proper patient records to be maintained. Such flows
need not be reviewed. Full patient data may not be necessary in other flows
around the “edges” of patient care, and these should be reviewed against the
review rules to ensure that the recipient has a genuine need for the patient data
received.
DO look at...
• flows to support research and audit;
• flows to regional bodies;
• flows to voluntary bodies (e.g. patient support organisations - consent
may be necessary);
• flows to information and contracting functions;
• clinical coding flows;
• flows to multiple recipients (e.g. discharge notifications);
• clinic lists;
• flows to public health;
• flows to update patient records - could they be made electronic?;
• flows to and from other organisations (although whether a flow is
internal or external does not affect justification);
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 20
• flows supporting payment of domiciliary consultations;
• preparation and issuing of statistics;
• flows supporting service planning and monitoring;
• waiting list flows;
• flows relating to patient monies and property;
• patient complaints processing
It is not necessary to look at
• flows to clinicians and patients relating to direct patient care;
• referrals and patient service requests (e.g. patient transport requests);
• patient admission / registration forms;
• assessments, reviews and care plans;
• central returns and statutory flows;
• flows to medical records requesting patients to be traced;
• death notifications;
• notifications of infection.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 21
Appendix 7: Pathology
What do we mean by pathology?
Any organisation, or part of an organisation, that accepts human specimen test
requests, analyses specimens and returns reports and test results. This excludes
tests carried out on people (e.g. radiology), rather than specimens.
Why look at pathology?
Pathology is part of the direct clinical care process, but it does not involve direct
contact with patients, which is the prime reason for needing patient-identifiable data
like name and address. A lot of patient-identifiable data are sent, but are not all of
these are required throughout the pathology process. This makes pathology a good
area to investigate.
When are patient-identifiable data needed?
Most items of patient-identifiable data are needed at some stage, but not
throughout, the pathology process. Pathologists provide clinical opinions about
patients and may need patient name for their records or when discussing a case
with another clinician. When processing test requests from community clinics, it is
sometimes necessary to submit patient address so that it may be forwarded to the
health authority, so that they may update their records with what may be a more
up-to-date address. Date of birth and sex are used to inform a pathologist’s clinical
judgment.
DO look at...
• whether address can be removed from internal Trust flows (e.g. ward
to laboratory).
• whether name and other patient-identifiable details are removed /
concealed from specimen labels during the analysis process (it is
common practice for laboratories to assign a unique number to the test
request when received, and these provides a link back to the patient).
• reports printed from laboratory systems to see if they unnecessarily
contain name and other patient-identifiable details.
• increasing the presence and accuracy of the NHS number in laboratory
systems (both standalone and those linked to patient administration
systems) since, in the medium to long term, the NHS number could
enable patient-identifiable data to be retrieved locally rather than from
the request.
DON’T look at...
• removing name from test requests and removing name from results
returned to the test requestor until you are sure that the data quality
supports accurate matching without them.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 22
Appendix 8: HA/GP Communications
What do we mean by HA/GP communications?
This area covers all dataflows that support the delivery of primary care, including
the management of GP patient registration and items of service claims.
When are patient-identifiable data needed?
In theory many exchanges of data between GPs and Health Authorities which relate
to patient management and GP funding could take place using the NHS number
and confirmation data items and excluding name and address. The NHS number is
used as the primary key on the Health Authority patient register and on all GP
registers and considerable effort is undertaken routinely to ensure that the GP and
Health Authority patient registers are kept in harmony.
However in practice very few flows can be changed. This is because a small
minority of GP practices are still not computerised or only hold very minimal details
on their computer. Such practices do not have easy access to the NHS number and
still rely on patient name as their main matching tool. Unfortunately this minority
has prevented a number of flows from being changed, because the Health
Authorities do not have the capability to split a data flow and send named data to
manual practices and unnamed to computerised practices. This is why this business
area is low priority for your data flow review.
There are a number of steps that can be taken in the primary care area to help
prepare this area for change in the future. You should work with the Health
Authority Patient Registration Manager to:
• increase the use of registration and IOS links;
• increase automatic claims processing for IOS linked practices;
• improve data quality within automatic IOS claims;
• increase the presence of the NHS number on manual IOS claims;
• review GPs information requirements for primary care groups and
ensuring that activity data is not sent unnecessarily.
DON’T look at
• individual patient data flows to primary care.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 23
Appendix 9
QuestionnaireHow to complete this questionnaire
Who should complete it?
The person responsible for reviewing dataflows in each NHS organisation, reporting
to the Caldicott Guardian, should use the questionnaire to record the information
provided by key recipients of data.
What is the purpose of the questionnaire?
To assist NHS organisations to identify where they can remove unnecessary patient-
identifiable information in data flows.
Why do we need this information?
The Caldicott committee made many recommendations about protecting the privacy
of patients. They found that some data flows within the NHS contain unnecessary
data about patients. They suggested that the NHS should review these dataflows
and remove any unnecessary information that was not strictly required. (Later in this
questionnaire we provide a summary of situations which justify including patient-
identifiable information).
How do you complete this questionnaire?
We suggest that you proceed as follows:
• Read the section on Reviewing Information Flows in the Caldicott
Guardians manual: Protecting and using information
• Follow the recommended work-plan to identify data flows for review
• Use the questionnaire for each recipient of each data flow you select
for review
• Meet with each recipient to complete section 1 of the questionnaire
• Complete section 2 of the questionnaire for each flow where there is a
question mark about some or all of the identifiable data items
contained
• Refer back to the Caldicott manual when you have completed the
questionnaires, for next steps
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 24
Questionnaire completed by: ............……………………………………………………..
Date completed: ................................................................................................................
.............................................................……………………………………………………..
Data flow name: ................................................................................................................
............................................................……………………………………………………...
Data flow originated by (Name /department):
(i.e. who creates the dataflow?) .......……………………………………………………...
Purpose(s) of the data flow:
(Describe in your own words what the flow is for)
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
Recipients name and department: Please list all known recipients and tick box to
indicate which recipients the completed questionnaire relates to.
……………………………………………………..□
……………………………………………………..□
……………………………………………………..□
……………………………………………………..□
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 25
Section 1
Q1. What is the purpose of the patient identifiable data items in the data
flow you receive? Please tick as many boxes as apply
Q2. Which of the following patient-identifiable data are contained in the
data flow you receive?
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 26
Reason for requiring patient identifiable information tick box
A To contact a patient □
B To visit or write to the patient □
C To use in epidemiological research □
D To aid decision making about the patient’s care □
E To confirm the area of residency of the patient □
F To set up or update a patient record/registration □
G To comply with statutory requirements □
H To use as a matching tool to link with existing patient data sets □
I Other, please specify □
□
□
Please tick as many boxes as apply
Forename □
Surname □
Address □
Postcode □
NHS number □
Date of birth □
Others (please specify if you think it may be relevant to your review) □
□
The table below lists the items that are suggested should be used for the purposes
outlined in Q1.
Q3. Is the inclusion of all of the patient-identifiable information in the
flow that you are reviewing justified? Compare the data items used with
those recommended in the above table and, more generally, apply the review
rules outlined in the guidance on Reviewing Information Flows.
Please tick box
Q4. If your response to Q3 is Yes, can name or address be retrieved locally
to avoid having to send them in the data flows? If you obtain patient-
identifiable data locally rather than from data flows there is less
likelihood of the patient-identifiable information being seen.
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
(If your response to Q3 is No, section 2 of the questionnaire will need
to be completed.)
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 27
Reason for requiring patient- Patient-identifiable informationidentifiable information that should support this use
A To contact a patient Names
B To visit or write to the patient Names, address, NHS number, post code
C To use in epidemiological research Names, address, dob, post code
D To aid decision making about the Dobpatient’s care
E To confirm the area of residency Post codeof the patient
F To set up or update a patient Names, address, post code, dobrecord/registration
G To comply with statutory Names, address, dob, NHS number,requirements
H To use as a matching tool to link NHS number, dob, post codewith existing patient data sets
Yes □ No □ Unsure □
SECTION 2
Q5. If your response to Question 3 was No or Unsure, What data items are
possibly not justified?
Q6. What steps could you take to remove the items identified in Question
5? Apply the review rules in the guidance.
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Q7. How desirable is it that you make change in the data flows to remove
the information you have identified as unjustified. (Apply review rule 4).
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 28
Item not (or possibly not) justified See notes below. Please tick
Forename □
Surname □
Address □
Postcode □
NHS number □
Date of birth □
Others (please specify) □
Q8. What is the cost justification? (Apply rule 4).
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Q9. What are your conclusions on changes which could be made to
remove patient-identifiable information from the data flow. Summarise
here your specific recommendations about what are the specific items of
patient-identifiable information data which you believe could be removed
from the data flows you receive?
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Q10. What are the next steps? Describe here what actions need to be taken to
make the changes you have identified.
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Thank you for assisting with the review and helping to remove unnecessary
patient-identifiable information from data flows.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Reviewing Information Flows 29
Summary of Existing GuidanceIntroduction
1. Although there is considerable guidance available on different aspects of how
the NHS should go about protecting and using confidential patient
information, it is not always easy to locate the relevant guidance on a
particular issue. This section of the manual provides an overview of
Department of Health guidance and is intended as a navigation aid for
Guardians. There is no escaping the fact, however, that this is a complex and
often controversial area. Guardians are advised to err on the side of caution
and to seek advice on issues if they are uncertain (see Support and Advice).
Conflicting Guidance
2. Reflecting a lack of legal clarity, complex ethical dimensions and the different
viewpoints of different sections of society, the guidance on some issues may
reflect the perspective of the issuing body and conflict, at least in part, with
guidance issued by other bodies. The Department of Health consults widely
prior to issuing guidance and its official publications aim to reflect a balanced
and legally defensible viewpoint. At the end of the day however, guidance is
simply guidance and responsibility for decisions made inevitably rests with
individual organisations.
Key issue: The Common Law Duty ofConfidence
3. In general, any personal information given or received in confidence for one
purpose may not be used for a different purpose or passed to anyone else
without the consent of the provider of the information. This duty of
confidence is long established at common law, but there are conflicting legal
views on how the common law might apply in particular circumstances. The
Department of Health is working with the General Medical Council, the
Medical Research Council, the Data Protection Commissioner and other key
interests to clarify how the law should be interpreted in the health sector.
4. The Department of Health’s guidance to the NHS is that, with proper
safeguards, the duty of confidence need not be construed so rigidly that,
when applied to the NHS or related services, there is a risk of it operating to
the disadvantage of a patient or to the public generally. The underlying
principle is that it is in everyone’s interests that the NHS functions efficiently
and effectively and makes best use of the resources available to it.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 1
Existing Guidance
Department of Health Publications
5. The Protection and Use of Patient Information, issued under cover of
HSG(96)18 in March 1996, provides guidance on how the common law duty of
confidence impacts upon those working in the NHS. Copies of this guidance
can be obtained from:
Confidentiality Issues
Room 3E58
NHS Executive HQ
Quarry House
Leeds LS2 7UE
6. Ensuring Security and Confidentiality in NHS Organisations, issued by
the NHS Executive’s Security and Data Protection Section in February 1999.
This replaces the IM&T Security Manual issued in 1996, but additionally
contains guidance on implementing an awareness programme for staff and
specific guidance on IM&T Security for the Nursing Profession. Copies of this
guidance can be obtained from:
Security and Data Protection Programme
NHS Executive HQ
15 Frederick Road
Edgbaston
Birmingham
B15 1JD
7. The Management of Health, Safety and Welfare Issues for NHS Staff,
issued under cover of HSC 1998/64 on 30 April 1998, provides guidance on the
specific issues facing Occupational Health staff. Copies of this guidance can be
obtained from:
Employment Issues Branch
NHS Executive HQ
Quarry House
Leeds LS2 7UE
8. Handling confidential patient information in contracting: A Code of
Practice, issued under cover of EL(92)60 in 1992, provides guidance on the
operation of safe-havens but includes sections on the use of fax machines
and telephones.
9. Guidance on Video Recording NHS Operations: issued by the NHS
Executive in December 1996 under cover of a letter from the Chief Executive.
This guidance outlines best practice in respect of filming NHS procedures.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 2
10. Access to Medical Reports Act 1988: the NHS Executive has not previously
provided guidance on this Act, which is a relatively straightforward piece of
legislation, but a summary of its provisions are included here.
11. Guidance on Public Access to Medical Records is in preparation as this is
now covered by the Data Protection Act 1998. Guidance on the wider
provisions of this Act is also in preparation and will be issued shortly by the
Department of Health.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 3
The Protection and Use of PatientInformation
12. This guidance relates primarily to the impact of the common law but includes
many useful references. The headings used in this summary reflect the
chapter headings in the document.
Basic Principles
13. The guidance outlines basic principles underlying the need to safeguard
confidentiality, including the common law, Data Protection legislation and
professional ethical duties of confidence. Patients need to be fully informed
of the planned uses of information but it is neither practicable nor necessary
to seek specific consent each time information needs to be passed on for a
particular purpose.
14. Information may be passed to someone else:
• With the patient’s consent for a particular purpose
• For NHS purposes, including the provision of care and the effective
and efficient management of healthcare services
• It is a statutory requirement or is in response to a court order
• The public interest in passing the information on outweighs the duty
of confidence to the patient and the public interest in the NHS
preserving confidentiality.
Keeping Patients Informed
15. All NHS bodies must have an active policy for informing patients of the kind
of purposes for which information about them is collected and the categories
of people or organisations to which information may need to be passed. The
process by which this may be achieved is described (see also the relevant
part of the section on Organisational Performance in this manual). Consent to
sharing information for NHS purposes can be implied if a patient has been
informed and does not object. Keeping patients informed is good practice
even where the public interest in information being shared outweighs other
considerations.
16. Patients’ right of access to their own health records is also briefly described,
though the references are mainly to the Data Protection Act 1984, the
Access to Health Records Act 1990 and the Access to Personal Files Act
1987 (relevant to local authority social services). These three Acts will be
replaced by the Data Protection Act 1998 during the second quarter of
1999 (Guidance on this new Act is in preparation and will be sent to
Guardians when available). Reference is also made to the Access to
Medical Reports Act 1988 which will remain in force when the new Data
Protection Act comes into force (guidance on this Act is included within this
manual).
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 4
Safeguarding Information
17. Every NHS organisation, all staff and all those carrying out work on behalf of
the NHS have a legal duty of confidence to patients. Health professionals also
have professional codes and ethical duties of confidence. Data Protection
legislation criminalises some activities and there are statutory restrictions
relating to fertility treatment and sexually transmitted diseases.
18. Individual organisations remain responsible for decisions to disclose
information and they should take particular care to respect patient’s wishes
unless there are overriding considerations (disclosure required by law, the
court, or where the public interest is sufficiently weighty).
19. Unauthorised disclosure of information by members of staff or by people
working under contract to the NHS is a serious matter. Disciplinary action
should be considered, legal action may result and health professionals may
be subject to action by their regulatory bodies. In their own interests and
those of patients, all staff must be made aware of the possibly severe
consequences of breaching patient confidence.
20. Aggregated and anonymised information should be used wherever
practicable in preference to identifiable information, but disclosure should
still only be for justifiable purposes.
21. The guidance provides specific advice on patients unable to give consent,
children and young people, co-ordinating care with social services and other
agencies, patients who are offenders, patients receiving social security
benefits, protecting public health, teaching and research.
Passing on Information for Other Purposes
22. Information should only be passed to relatives, friends and carers with the
permission of the patient. NHS staff should ensure that patients understand
the implications of not sharing information with those who provide care.
23. Statutory requirements and the powers of the High Court to require
disclosure are outlined. Disclosure in the public interest is considered (NB in
the public interest, not of interest to the public), including conditions that
should be satisfied before disclosing information to the police.
Supplementary material
24. The annexes to the guidance provide the core information that should be
passed on to patients (reproduced in the annexes to this manual), references
to certain statutory restrictions on passing on information and the definition
of “serious” crime taken from the Police and Criminal Evidence Act 1984.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 5
Ensuring Security and Confidentiality in NHSOrganisations
25. Although a variety of useful material is included in this resource pack for
those required to run IM&T security awareness raising programmes, the key
guidance is set out in the section titled the NHS IM&T Security Manual.
26. The guidance sets out, in some detail, the roles and responsibilities of
different staff groups in relation to information security. It examines the role
of senior management in setting objectives and developing an information
strategy and looks at the elements of a supporting information security policy.
An example of an information security policy is included.
27. The information security policy should provide a clear operating framework
for the organisation. Its key elements include security management
responsibilities, an assessment of threats and vulnerabilities, counter-measures
adopted and security incident management procedures.
28. Implementation of the information security policy should be the responsibility
of an information security officer and the core responsibilities of this post are
clearly defined.
29. The guidance provides detailed advice on a wide range of, mainly technical,
topics including:
• Assets Inventory
• Risk Assessment
• Counter-Measures
• Equipment Security
• Access Control – including physical access, logical access, data
ownership, user registration, and password control
• Security Incidents
• Virus Controls
• Business Continuity
• Housekeeping
• Monitoring & Review
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 6
The Management of Health, Safety andWelfare Issues for NHS Staff
30. Occupational Health staff should develop an Occupational Health policy
with their colleagues in personnel/human resources to be made widely
available throughout the organisation. Local policies should be consistent
with guidance published by the Department of Health and should include
explicit references to the guidance relating to confidentiality provided by the
GMC and UKCC. Occupational Health Service’s (OHS’s) will find it useful to
include the confidentiality principles published by the GMC in their policy
statement so that staff and colleagues are aware of the constraints placed on
the service.
31. In certain circumstances it may be necessary to disclose information in the
interests of others. Disclosure may be necessary in the public interest where
a failure to disclose information may expose a patient, or others, to risk of
death or serious harm. In such circumstances you should disclose information
promptly to an appropriate person or authority. Such circumstances may
arise, for example, where:
• a colleague who is also a patient is placing patients at risk as a result
of illness or other medical condition.
• Disclosure is necessary for the prevention or detection of a serious
crime.
32. Every effort should be made to try to persuade the individual to be honest
about their medical condition or whatever matter is causing the concern, or
at least to give the occupational health professional permission to speak of it.
If the individual cannot be persuaded to give permission, where there is a
foreseeable risk of serious harm or death, it will be necessary to breach
confidentiality. In all such cases the reasons for reaching the decision should
be fully documented and, if practicable, a Consultant Occupational Physician
should be involved in the decision making process. Employers should have
in place agreed processes for dealing with such circumstances.
Seeking more detailed information prior to recruitment
33. In the small number of cases where the amount or nature of sickness
absence, or other factors, suggests that the applicant may be unsuitable for
the post offered, and further information is required concerning past medical
history this may be obtained from the applicant’s GP. This process will
require the applicant’s signed consent and they must be told precisely what
information is being requested and why before their fully informed consent
can be obtained. A copy of the person’s consent together with a copy of
their Occupational Health questionnaire should be sent to the GP with the
request for specific information.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 7
34. The OHS should make clear what information they are seeking from the
applicant’s GP, taking account of the Access to Medical Reports Act 1988
and the Data Protection Act 1998 (which will repeal the relevant sections of
the Access to Health Records Act 1990), advising the applicant of their
rights and respecting confidentiality of any clinical information obtained.
Because this service falls outside the provision of general medical services,
GPs can be expected to charge employers for this service. Direct
arrangements for meeting these fees must be clear.
Retention of Records
35. Information given by a patient or obtained from previous employers or
education providers (with the applicant’s consent) about medical history
including sickness absence, relevant hospital admissions and medications
should be recorded. This information should, if the person is recruited, form
part of the OH record.
36. OH records should be markedly different from other hospital records and
should be stored in a secure place preferably within the OH department.
Each employee must have an individual record that includes immunisation
history, responses to vaccination, health monitoring activities and referrals. It
is recommended that records be kept for a minimum of 10 years after the
date of the last entry or longer if required by particular legislation (for
example, Asbestos Regulations stipulate 40 years for exposure over a certain
level; Ionising Radiation Regulations 50 years).
37. It is recommended that copies of clinical OH records held by a previous
employer or institution are, where necessary, obtained by the OH
Department with the written consent of a new employee. Continuity of
records is very important in the context of Occupational Health and requests
for OH records, where the individual employee has provided written consent,
should be satisfied as quickly as is practicable.
38. For further information and guidance on the provision of Occupational
Health services please contact the Employment Issues Branch of the NHS
Executive, Quarry House, Leeds LS2 7UE.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 8
Handling confidential information incontracting: A Code of Practice
39. Although this guidance was issued specifically to safeguard the transfer of
confidential information in the contracting environment, the Code of Practice
relates to the operation of safe-havens – designated contact points through
which confidential information should pass when being transferred from
organisation to organisation (see Controlling Access for more detail).
40. Additionally, the Code includes guidance on the use of paper mail, fax
machines and telephones.
Fax Machines
41. The guidance recommends that:
• Fax machines should be placed in a secure location, preferably within
the boundaries of a safe-haven, and the room housing the machine
must be locked when unattended.
• Outside of normal working hours, fax machines should be switched off
or locked in cupboards whilst still switched on. Alternatively, a
password protected computer could be used to receive and store faxed
data.
• Measures should be taken to minimise the risk of mis-dialling e.g.
programming frequently used numbers into fax machines and always
checking that numbers are up to data and entered correctly.
• Clinical information should, wherever possible be faxed without
accompanying patient administrative details, with a linking identifier,
either the NHS Number or a local identifier, being used to make the
link. If all the information needs to be faxed, confirmation should be
sought that the first part of the information is in the right hands prior
to faxing the remainder.
• It is good practice to always seek confirmation that a fax has been
received.
Telephones
42. The guidance recommends that:
• It is important to establish the type of information that may be
disclosed or received over the telephone and how it should be
recorded.
• The risk of disclosing information to the wrong person must be
minimised. The use of call back procedures using published telephone
numbers should be considered.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 9
Guidance on Video Recording NHSOperations
43. There are a number of legitimate reasons for videoing NHS operations,
including:
• when the video is an essential part of a patient’s record;
• when the video is to be used as a training aid for health professionals
and medical students;
• when the video is intended to provide public information in support of a
clearly understood NHS purpose.
44. It is not intended that these legitimate recordings be curtailed in any way -
context and the judgement of clinicians must remain paramount - but every
care must be taken to ensure that guidelines on confidentiality are followed
and that the informed consent of patients and medical staff is obtained where
appropriate. Wherever possible, consent should be obtained in writing.
Operational Procedures
45. All staff, whether medical or administrative, should be aware of the policies
and procedures of the organisation which aim to protect patient information
and the uses to which it may legitimately be put. (Guidance on “The Protection
and Use of Patient Information” refers).
46. A contract should be drawn up and signed by the filmmaker and an
appropriate representative of the Trust - e.g. the Head of the Department
involved. This should provide a clear statement of the Trust’s arrangements to
protect patient confidentiality, should clarify which individuals will be filmed
and put in place the necessary safeguards to ensure that informed consent is
obtained. The contract should detail the legitimate purpose of the video and
provide the following controls:
i. control over the process of making the film, e.g. what access the film
maker has to wards or operating theatres;
ii. control over the final version of the film. This is especially important if
the film is being made for public information;
iii. clear restrictions, or if appropriate prohibitions, on the “selling on” or
secondary usage of video footage.
47. Authority to grant permission for a film crew to enter Trust premises should
rest with an appropriately senior member of the Trust, and permission should
only be given after a contract has been signed.
48. In some instances, regular preparation of video recordings can be anticipated, for
example as part of training in interview skills for health care professionals. Trusts
may wish to develop a model contract for use in specified circumstances.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 10
Access to Medical Reports Act 1988
49. This Act was introduced “to establish a right of access by individuals to reports
relating to themselves provided by medical practitioners for employment or
insurance purposes and to make provision for related matters”.
50. An individual has the right, subject to certain exemptions specified in the Act,
to access any medical report relating to him or herself which is to be, or has
been, prepared by a medical practitioner for employment or insurance
purposes. The individual if he wishes to exercise this right must, before the
report is supplied to a third party, tell the practitioner of his intent.
51. The patient always has the right to stop the practitioner from supplying the
report to a third party. If the patient does not ask to see the report before it
is sent he or she is considered to have given implicit consent for the supply
of the report to a third party. Similarly, if the patient asks in advance to see
the report (ie before it is supplied) but then 21 days elapse without the
individual contacting the practitioner, then implicit consent is considered to
have been given. However, if the individual does view the report within the
21 day time limit he may stop the supply of that report to a third party.
52. The individual is entitled, before giving consent to the supply of the report,
to request the medical practitioner to amend any part of the report which the
individual considers to be incorrect or misleading. In this eventuality, two
courses of action are open to the practitioner:
• to accede to the request, and amend the report accordingly, or
• to refuse to amend the report, in which case a statement of the
individual’s views in respect of the report shall be attached to the
report.
53. The Act specifies exemptions to the patient’s right of access which, rarely,
might require that access to part or all of a report may be denied. Most
importantly, if any information contained in the report would, in the opinion
of the medical practitioner, be likely to cause serious harm to the physical or
mental state of the individual, or to others, the practitioner is within his rights
not to give the individual access to parts or all of the report in question. In
addition, any part of the report that would be likely to reveal information
about another person who has supplied information to the practitioner about
the individual, cannot be disclosed to the individual unless:
• he person supplying the information has consented, or
• the person supplying the information is a health professional and the
information was supplied in that capacity.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 11
54. Practitioners should, in the context of reports to third parties, provide medical
facts only and should not speculate about a patient’s lifestyle. Doctors should
respond to such questions by referring the third party back to the patient. It
is particularly important that this is applied to all requests for information
from employers and insurance companies to ensure that groups of patients
are not categorised by default.
55. Some medical facts are protected by specific legislation and should not be
relayed to third parties on the basis of implicit consent as described in
paragraph 3. Information relating to treatments governed by the Human
Fertilisation and Embryology Act 1990, the NHS (Venereal Diseases)
Regulations 1974 and the NHS Trusts (Venereal Diseases) Directions 1991,
should not be included in reports without the explicit written consent of the
individual concerned. Where a practitioner considers such information to be
relevant to the third party’s request, he should seek the consent of the
individual to its inclusion and should abide by the individual’s wishes unless
there are strong public interest reasons for breaching confidentiality.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Summary of Existing Guidance 12
Support & Advice for GuardiansIntroduction
1. This manual aims to provide straightforward guidance on the key tasks that
need to be addressed by NHS organisations, but beyond that, the intention is
that it should serve as a resource for Guardians, identifying and summarising
key guidance, flagging up sources of advice and highlighting training
opportunities. It is also intended that the manual should be updated regularly
when new material becomes available.
2. A dedicated Caldicott web site is also being developed to act as a repository
of important material and a notice board for new developments. Guardians
will be informed of the web site address when it is available. The possibility
of a discussion/news group service is also being considered.
Networking
3. Guardians may wish to establish local networks either within Health Authority
areas or more widely. These may productively be Health Authority based with
all PCGs and local NHS Trusts being included. Social Services and other
partner organisation should also be included once they have equivalent
Guardian structures in place.
4. Wider networking may also prove desirable, e.g. between Health Authorities
and across Health Authority boundaries for NHS Trusts. The NHS Executive
Regional Offices will facilitate and support Guardian networking if required.
5. Networking will enable Guardians to share best practice, obtain the advice of
their peers on pressing problems and identify whether issues are likely to be
national significance.
Training for Guardians
6. Training seminars have been arranged by the NHS Executive to provide
Guardians with an opportunity to familiarise themselves with their new role and
the tasks that need to be completed in the first year. A schedule of planned
events is on the next page.
7. Anyone interested in attending a seminar should contact Helen Williams,
Security and Data Protection Programme, NHS Information Management Centre,
15 Frederick Road, Edgbaston, Birmingham B15 1JD. Tel. 0121 625 1997.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Support and Advice for Guardians 1
8. The training seminars aim to provide delegates with an opportunity to ask
questions and explore issues with fellow Guardians.
• By the end of the session the delegates will:
• Understand the strategic nature of the Guardian role
• Appreciate the scope and extent of Guardian responsibilities
• Know when and where to seek support and advice
• Understand what is required of Guardians and their organisations in
the first year in terms of:
• The first management audit of current practice and procedures
• Preparing the first annual improvement plan
• Introducing registered access to the NHS Strategic Tracing
Service
• Developing clear protocols to govern the disclosure of patient
information to other organisations
Schedule of Seminars: Caldicott Guardians
9. Places will be allocated on each seminar on a first come first served basis, but
additional seminars will be arranged if the demand is sufficient. The possibility
of running additional seminars for Scotland and Wales is currently being
discussed with the Scottish Office and the Welsh Office respectively.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Support and Advice for Guardians 2
VENUE 1 2 3 4
Taunton 16 March 26 April 29 April 20 May
Chesterfield 25 March 13 April 4 May 25 May
Milton Keynes 17 March 7 April 15 April 22 April
Birmingham 18 March 8 April 14 April 26 May
Darlington 23 March 20 April 6 May 19 May
Wigan 21 April 5 May 12 May 18 May
South Thames 15 March 30 March 1 April 27 April
North Thames 31 March 28 April 11 May 27 May
10. A second round of seminars is provisionally planned for early in the year 2000
– at the present time it is thought that these might focus on specific issues that
have arisen during the year.
Sources of Advice for Guardians
Subjects
Confidentiality Issues Section i. General Confidentiality Issues
NHS Executive HQ ii. Implementing the Caldicott
Quarry House Recommendations
Leeds LS2 7UE iii The Role of Guardians
iv. Access to Health Records
National Confidentiality Forum 1 i. Issues, concerns and problems
C/O Confidentiality Issues Section that need to be resolved at a
NHS Executive HQ national level
Quarry House
Leeds LS2 7UE
Security and Data Protection Programme i. General IM&T Security Issues
Information Management Centre ii. NHS IM&T Security Manual
NHS Executive HQ iii. Running IM&T Security
15 Frederick Road Awareness Programmes
Edgbaston
Birmingham B15 1JD
Departmental Records Officer i. Retention of Health Records
Department of Health
Skipton House
80 London Road
London SE1 6LH
Data Protection Commissioner i. Data Protection Act Issues
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
1 The Confidentiality Forum is an interim body that is currently taking stock of the issues and concerns
that need to be resolved at a national level. It was set-up at the request of the Clinical Systems Group,
a committee chaired jointly by the CMO and the CNO that represents many key bodies and groups,
pending the result of consultation on the need for a new National Advisory Body for confidentiality
and security issues. The Forum includes the chairs of three existing groups, the Caldicott
Implementation Steering Group, the Security and Encryption Programme Board and the Security and
Confidentiality Advisory Group.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Support and Advice for Guardians 3
Professional Standards
11. The bodies that regulate the activities of health professionals produce codes
of Practice and guidance on standards.
For Doctors:
The General Medical Council
178 Great Portland Street
London W1N 6JE
For Nurses, Midwives and Health Visitors:
The United Kingdom Central Council for
Nursing, Midwifery and Health Visiting
23 Portland Place
London W1N 4JT
For the Professions Supplementary to Medicine:
Council for Professions Supplementary to Medicine
Park House
184 Kennington Park Road
London SE11 4BU
For Dentists:
General Dental Council
37 Wimpole Street
London W1M 8DQ
For Opticians:
General Optical Council
41 Harley Street
London W1N 2DJ
For Pharmacists
Royal Pharmaceutical Society of Great Britain
1 Lambeth High Street
London SE1 7JN
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Support and Advice for Guardians 4
Annex A
Core Information for Patients
We ask you for information so that you can receive proper care and treatment.
We keep this information, together with details of your care, because it may be
needed if we see you again.
We may use some of this information for other reasons: for example, to help us
protect the health of the public generally and to see that the NHS runs efficiently,
plans for the future, trains its staff, pays its bills and can account for its actions.
Information may also be needed to help educate tomorrow’s clinical staff and to
carry out medical and other health research for the benefit of everyone.
Sometimes the law requires us to pass on information: for example, to notify a birth.
The NHS Central Register for England & Wales contains basic personal details of all
patients registered with a general practitioner. The Register does not contain clinical
information.
You have a right of access to your health records
EVERYONE WORKING FOR THE NHS HAS A LEGAL DUTY TO KEEP
INFORMATION ABOUT YOU CONFIDENTIAL.
You may be receiving care from other people as well as the NHS. So that we
can all work together for your benefit we may need to share some
information about you. We only ever use or pass on information about you
if people have a genuine need for it in your and everyone’s interests.
Whenever we can we shall remove details which identify you.
Anyone who receives information from us is also under a legal duty to keep
it confidential.
If you agree, your relatives, friends and carers will be kept up to date with
the progress of your treatment.
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Annex A 1
THE MAIN REASONS FOR WHICH YOUR INFORMATION MAY BE NEEDED
ARE:
• giving you health care and treatment
• looking after the health of the general public
• managing and planning the NHS. For example:
• making sure that our services can meet patient needs in the
future
• paying your doctor, nurse, dentist, or other staff, and the
hospital which treats you for
• the care they provide
• auditing accounts
• preparing statistics on NHS performance and activity (where
steps will be taken to ensure you cannot be identified)
• investigating complaints or legal claims
• helping staff to review the care they provide to make sure it is of
the highest standard
• training and educating staff (but you can choose whether or not to
be involved personally)
• research approved by the Local Research Ethics Committee. (If
anything to do with the research would involve you personally, you
will be contacted to see if you are willing )
[ If at anytime you would like to know more about how we use your
information you can speak to the person in charge of your care or to ......]
[The list of reasons for which information is needed should incorporate all
the information uses included within protocols agreed with partner
organisations (see Protocols)]
Protecting and Using Patient Information
A Manual for Caldicott Guardians
Annex A 2
© Crown CopyrightProduced by Department of Health15279 5088 1P 2k Mar 99 (MPS)
CHLORINE FREE PAPER
top related