protecting and using patient information - hscic guidance...where local circumstances dictate that...

Protecting and Using Patient InformationA Manual for Caldicott Guardians

A C T I O N

nhs caldicot binder 26/7/01 4:41 pm

ifnw

http://www.dh.gov.uk/assetRoot/04/06/81/36/04068136.pdf

Author Phil Walker

Further copies from Confidentiality Issues

NHS Executive Headquarters

Quarry House

Leeds LS2 7UE

Catalogue Number 15279

Date of issue March 1999

A C T I O N

matters requiring action

Purpose of this document

Action

Protecting and Using Patient InformationA Manual for Caldicott Guardians

Contents

Introduction

• Introduction

• The Caldicott Principles

• The Guardian Work Programme Timetable

HSC 1999/012: Issued 22 January 1999

Introducing Caldicott Guardians into the NHS

• Who should be the Guardian?

• Resources and Support

• The Guardian Role

• Specific tasks in the first year

Management Audits & Improvement Plans

• Management Audit

• Organisational Profile

• Improvement Plans

• Primary Care Groups

Information Protocols

• Protocols Governing the Receipt & Disclosure of Patient/Client

Information

• The Crime and Disorder Act 1998

Controlling Access to Patient/Client Information

• The Guardian as “Gatekeeper”

• Staff Access to Patient Information

• Safe-Haven Procedures

• Access to the NHS Strategic Tracing Service

Reviewing Information Flows

• Mapping and Prioritising Information Flows

• Reviewing Information Flows

• Dataflow Review rules

• Appendices: Key Information Flows

• Review Questionnaire

Summary of Existing Department of Health Guidance

• The Protection and Use of Patient Information

• Ensuring Security & Confidentiality in NHS Organisations

• The Management of Health, Safety and Welfare Issues for NHS Staff

• Handling confidential information in contracting: A Code of Practice

• Video Recording NHS Operations

• Access to Medical Reports Act 1988

Support and Advice for Guardians

• Introduction

• Networking

• Training

• Sources of Advice

Annex A: Core Information to be provided to Patients

Introduction

1. The requirement for NHS organisations to appoint Caldicott Guardians of

patient information is a product of the Government’s commitment to

implementing the recommendations of the Caldicott Committee’s Report on

the Review of Patient-Identifiable Information, published in December 1997.

2. The Caldicott Committee had found that compliance with the full range of

confidentiality and security requirements was patchy across the NHS. Action

to raise awareness was seen to be essential but it was acknowledged that

awareness raising alone would result in progress being slow and variable.

The Caldicott Committee suggested that progress could be facilitated, and to

a degree managed, through the development of a network of Organisational

Guardians. The Caldicott Report called for the Department of Health to take

the development of this role forward in partnership with interested parties.

3. Under the direction of a broad based implementation steering group,

consultation on the Guardian role ran from May through to July 1998.

Guidance, which reflected the comments received, was prepared and tested

out over the autumn period with a range of key professional bodies and

groups. A Health Service Circular (HSC 1999/012 – reproduced in section 2 of

this manual) advising on the requirement to appoint Guardians, and outlining

the Guardian role and responsibilities in brief, was issued on 22 January

1999.

4. An important influence on the development of the Guardian role was the

emergence of proposals for the operation of clinical governance in the NHS.

Consultation on these proposals (A First Class Service: Consultation

Document, DoH 1998), confirmed that the protection and use of information

– largely collected by health professionals from patients, in confidence, to

support the delivery of care – was a part of the overall quality of care and

was therefore an important component of clinical governance.

5. An equally important milestone was the clarification, informed by the

consultation exercise, of the Guardian’s role – strategic, advisory and

facilitative – and the consequent person specification outlined in HSC

1999/012, i.e. that the Guardian should be, in order of priority:

• An existing member of the management board of the organisation

• A senior health professional

• An individual with responsibility for promoting clinical governance

Protecting and Using Patient Information

A Manual for Caldicott Guardians

Introduction 1

6. Where local circumstances dictate that it is not practicable to satisfy all three of

these criteria and this will inevitably be the case for some organisations, a

Guardian should still be appointed but the assignment of responsibility should

be kept under review.

7. It is particularly important for Guardians, their Chief Executives and other

colleagues, to understand the nature of the Guardian role. There needs to be

a clear understanding of where responsibility for protecting and using patient

information actually lies, i.e. with the organisation, headed by the Chief

Executive, and with each individual member of staff.

8. Efforts have been made to minimise the burden of work that will fall to

Caldicott Guardians, particularly where IM&T and other staff effectively

support them, but inevitably Guardians are likely to attract a wide range of

difficult problems and issues. This manual aims to provide straightforward

guidance on the key tasks that need to be addressed in the first year, but

beyond that, the intention is that it should serve as a resource for Guardians.

Summaries of key guidance are provided and addresses included for

Guardians to obtain source documents if required. Contact points are listed

for Guardians to obtain advice on particular subjects.

9. It is intended that the manual will be updated whenever new information

becomes available, when new guidance is written, when the law changes or

is clarified in particular areas and when Guardians flag up particular issues

which need to be addressed on a national basis.

The Caldicott Principles

10. The Caldicott Committee were conscious that, though they reviewed the key

flows of patient information that were in existence at the early mapping stage

of the review, this was nothing more than a snapshot of what is a constantly

evolving picture. In recognition of this, the Committee developed a set of

general principles that, in essence, capture the direction of travel promoted

by the Caldicott Report.



Introduction 2

Timetable of work 1999/2000

11. Although it is intended that each organisation should determine the pace at

which it addresses the work programme that was outlined in HSC 1999/012,

and described in more detail in this manual, there is an important element of

sequencing which the following suggested timetable of work illustrates.



Introduction 3

APRIL – MAY Conduct initial management audit, present first annual

stock-take report and proposed improvement plan to the

organisation’s Management Board (Trust Board, HA

Board, PCG Board etc.)

MAY – SEPT Develop and agree protocols to govern information

sharing with partner organisations

JUNE Agree and initiate work programme to implement the

improvement plan. Submit stock-take report and

improvement plan to the Regional Office (Trusts &

Health Authorities) or to the Health Authority (PCGs)

JUNE – SEPTEMBER Determine Access Registration Levels for the Strategic

Number Tracing Service

OCTOBER Update Management Board on progress against the

Improvement Plan

NOVEMBER – JANUARY Review of current organisational information flows

FEBRUARY – MARCH Conduct management audit and prepare first annual out-

turn report for the Management Board. Also prepare the

improvement plan for 2000/20001

APRIL Agree and initiate work programme to implement the

improvement plan. Submit out-turn report and

improvement plan to the Regional Office (Trusts &

Health Authorities) or to the Health Authority (PCGs)

HSC 1999/012: Caldicott GuardiansThe text of HSC 1999/012, issued on 22 January 1999 for action by Chief Executives

of all Health Authorities, Special Health Authorities, NHS Trusts and Primary Care

Groups, is reproduced here for information.

Private Summary

A key recommendation of the Caldicott Report published in December 1997 was

the establishment of a network of Caldicott Guardians of patient information

throughout the NHS. This circular advises on the appointment of Guardians,

outlines the first year work programme for improving the way each organisation

handles confidential patient information and identifies the resources, training and

other support for Guardians.

Action

Each Health Authority, Special Health Authority, NHS Trust and Primary Care Group

should appoint a Caldicott Guardian by no later than 31 March 1999. Ideally the

Guardian should be at Board level, be a senior health professional and have

responsibility for promoting clinical governance within the organisation.

The attached documentation should be made available to the Caldicott Guardian

but should also be copied to all Board members and discussed if this is felt

appropriate at a subsequent Board meeting. It outlines the action that each

organisation should take during 1999/2000, as well as the Guardian’s role and

responsibilities. This action will include:

• A management audit of current practice and procedures

• Annual plans for improvement that will be monitored through the clinical

governance framework

• The introduction of registered access authorisation to certain patient

information held outside of the organisation (i.e. through the NHS Strategic

Tracing Service)

• The development of clear protocols to govern the disclosure of patient

information to other organisations

Resources

Support for Guardians and the work to improve the protection and use of patient

information may be drawn, where necessary, from the modernisation funds that are

being made available to implement Information for Health. Action in this area, and

planned resource allocation, should be outlined in the Local Implementation Strategy

that each organisation is required to prepare (HSC 1998/999). Training seminars are

being organised by the NHS Executive for Guardians and supporting staff – details

can be found in the attached paper.



HSC 1999/012: Caldicott Guardians 1

Caldicott Guardians in the NHS

Summary

1. NHS organisations are required, on receipt of this circular and by no later than

31 March 1999, to appoint a Caldicott Guardian. The Guardian’s name and

address for correspondence, including e-mail address, should be sent to Raj

Kaur, NHS Executive, 3E58 Quarry House, Leeds LS2 7UE (Fax: 0113 254

6114).

2. This circular provides a broad overview of the Guardian role in the NHS.

Detailed guidance on specific actions to be addressed in 1999/2000 by NHS

organisations and by Guardians will be made available prior to 31 March 1999.

Training seminars will be held in each NHS Executive Region from March

onwards for Guardians and the staff who will most closely support them (see

Annex A).

3. The appointment of Guardians and, in general terms, work to improve

confidentiality and security, should be included in local IM&T implementation

plans (HSC 1998/25 refers). Resources to support Guardians and work

generally on confidentiality and security matters can be allocated from the

IM&T modernisation funds made available to support the implementation of

Information for Health.

Background

4. In its Report, published in December 1997, the Caldicott Committee made a

number of recommendations aimed at improving the way that the NHS

handles and protects patient information. These recommendations received

widespread support and the programme of work established to implement

them underpins many aspects of the NHS information strategy: Information

for Health.

5. A key recommendation of the Caldicott Report was the establishment of a

network of organisational Guardians to oversee access to patient-identifiable

information.

6. It is intended that Caldicott Guardians will be central to the development of a

new framework for handling patient information in the NHS. Other Caldicott

recommendations identified actions which should be undertaken by NHS

organisations in support of the Guardian, namely to:

• develop local protocols governing the disclosure of patient information

to other organisations

• restrict access to patient information within each organisation by

enforcing strict need to know principles

• regularly review and justify the uses of patient information

• improve organisational performance across a range of related areas:

database design, staff induction, training, compliance with guidance etc.




7. Responses to consultation on the introduction of Caldicott Guardians and the

implementation of the Caldicott recommendations emphasised the need to

introduce change at a pace that would not prove disruptive, whilst ensuring

that we support and sustain momentum. This support and emphasis will be

provided by the clinical governance initiative:

• NHS organisations will be held accountable, through clinical

governance, for continuously improving confidentiality and security

procedures in accordance with the Caldicott Report. Annual

improvement plans and outcome reports will be mandatory.

Who should be the Guardian?

8. The Guardian should be, in order of priority:

• an existing member of the management board of the organisation

• a senior health professional

• an individual with responsibility for promoting clinical governance

within the organisation

Where it is not practicable to satisfy the criteria listed above, assignment of

Guardian responsibility should be kept under review.

9. It is particularly important that the Guardian have the seniority and authority

to exercise the necessary influence on policy and strategic planning and carry

the confidence of his or her colleagues. Obvious candidates include:

Health Authority: Director of Public Health

NHS Trust: Board level clinician

Primary Care Group: Board member with clinical governance

responsibilities

10. Other organisations that share NHS patient information, such as Special

Health Authorities, the National Blood Authority, PHLS, Cancer Registries,

research bodies etc should also nominate a senior officer to fulfil the

Guardian’s role.

11. It is recognised that a degree of flexibility is required to accommodate the

organisational structure and complexity of Primary Care Groups. There

should be a single Guardian appointed by each Primary Care Group, but

within each practice there should be a nominated lead person for

confidentiality and security issues.




Resources and Support for Guardians

12. Preserving the confidentiality of patient information, specifically through

implementation of the Caldicott recommendations, is a cornerstone of the NHS

information strategy. Action in this area, including the appointment of

Guardians, should be specified as part of each organisation’s local information

strategy implementation plan. The modernisation funds that are being made

available to support local implementation could legitimately be used to support

Caldicott Guardians and/or broader work on confidentiality and security.

13. The requirement for a senior member of an organisation to act as the

Caldicott Guardian will raise concerns about workload and priorities.

Nevertheless, this is an extremely important role and Guardian responsibilities

must only be delegated within a clear framework. Guidance for Guardians

will identify key Guardian responsibilities which should not be delegated, and

which aspects might be actioned by other staff under the Guardian’s

direction. Wherever possible, tasks will build on existing procedures and

requirements. This clarity of focus should minimise the additional workload

resulting from Guardian responsibilities.

14. It is not intended or even desirable that the Guardian should have

responsibility for all aspects of confidentiality, or IM&T security, though this

may be the pragmatic solution in small organisations. However, the Guardian

should liaise closely with IM&T Security Officers, Data Protection Officers and

others charged with similar responsibilities, to ensure that there is no

duplication / omission of duties.

15. Local networks of Guardians may find it advantageous to discuss issues, share

best practice and identify training needs. The Regional Offices of the NHS

Executive should facilitate this local networking.

16. Training seminars for Guardians and supporting staff will be run in each

Region from March 1999 onwards. Details of these seminars and an

application form can be found in Annex A to this paper (not attached – see

Support and Advice)). These will cover the actions required by each

organisation in the first year (see para 24 below), the wider responsibilities of

Guardians and the sources of advice that are available to Guardians. The NHS

Executive will shortly be consulting on the need for, and possible remit of, a

national body that might provide a focal point for advice, good practice

guidance and uniform standards in this area. Advice on specific issues should,

in the interim, be sought by e-mail to [email protected] or by writing to

the contact address provided at the end of this circular.

17. Detailed guidance will be available on the specific tasks that will need to be

addressed by NHS organisations and their Guardians in the first year.

Additional material will draw together, from existing sources, relevant

guidance on a wide spectrum of confidentiality and security related issues.

This additional consolidated guidance will be updated periodically and will

form a valuable reference tool both for Guardians and other staff.




The Guardian Role

18. The creation of a network of Caldicott Guardians in the NHS is a key

component of work to establish the highest practical standards for handling

patient information in the NHS. NHS performance in this area will be

monitored against annual improvement plans developed locally by each

organisation.

19. This emphasis on year on year improvement, at a pace that the NHS is able

to sustain, is of paramount importance. Pressure for improvement must be

balanced by a realistic appraisal of what is practicable each year. The specific

tasks for NHS organisations and Guardians outlined later in this paper take

account of this balance and should be addressed by all NHS organisations.

However, we recognise that some organisations have already made

improvements in this area and it is not intended that this limited approach

should constrain those able to achieve more.

20. Guardians will be responsible for agreeing and reviewing internal protocols

governing the protection and use of patient-identifiable information by the

staff of their organisation. Guardians will need to be satisfied that these

protocols address the requirements of national guidance / policy and law and

that their operation is monitored.

21. Guardians will also be responsible for agreeing and reviewing protocols

governing the disclosure of patient information across organisational

boundaries, e.g. with social services and other partner organisations

contributing to the local provision of care. These protocols should underpin

and facilitate the development of cross boundary working, health

improvement programmes and other changes heralded in the White Paper

‘The New NHS: Modern, Dependable’.

22. Guardians will have a strategic role, developing security and confidentiality

policy, representing confidentiality requirements and issues at Board level,

advising on annual improvement plans, and agreeing and presenting annual

outcome reports.

23. Local issues will inevitably arise and be referred to the Guardian for

resolution. It will be important in these circumstances for the Guardian to

know when and where to seek advice. This may be either on the particular

issue or on the alternative and perhaps more appropriate ways of handling

the issue e.g. referral on to the NHS Complaints Procedures, to the local

Research Ethics Committee or to the Data Protection Commissioner.

Specific Tasks in the First Year

24. The following section briefly outlines the action that each NHS organisation is

required to undertake during 1999-2000. Caldicott Guardians will have an

important role in developing policy and “signing off” many of these actions

as having been satisfactorily completed. However, safeguarding confidentiality




should be seen as an organisational responsibility – the Guardian’s role is

essentially advisory even though in some organisational settings he/she may

be closely involved in implementation.

25. The initial task for each organisation will be to conduct a management audit

of existing procedures for protecting and using patient-identifiable

information. This management audit will inform an initial ‘stock-take’ report

for the Guardian to present to the organisation’s senior management team.

Detailed guidance on conducting the management audit and the required

content of the stock-take report will be made available shortly, but it will

cover the following core areas:

• an overall “health-check” assessment of the organisation, including

existing codes of conduct, induction procedures, training needs, IM&T

risk management, operational and environmental security, quality of

information supplied to the public etc

• a review of existing flows of patient-identifiable information

• a review of database construction and management where patient-

identifiable information is stored

• a review of procedures for handling patient-identifiable information

collected by or transferred to the organisation, and of procedures for

disclosing information to other organisations.

26. This stock-take will itself inform the development of an improvement plan that

will begin to address any identified deficiencies. Again, detailed guidance on

the content of improvement plans and the standards that all NHS organisations

are expected to achieve in 1999/2000 will be available shortly, but key

requirements will include:

• Procedures to control staff access to the NHS Strategic Tracing Service

to be put in place in advance of this service being made available

• Protocols governing the receipt, collection and disclosure of patient-

identifiable information to be locally agreed and complied with.

Further Information

27. Any enquiries about the content of this circular or further information on

related subjects should be addressed to:

RC Walker

NHS Executive

Room 3E58

Quarry House

Leeds LS2 7UE




Management Audits and Improvement Plans1. It is essential that all organisations take stock of their current performance

across a wide range of confidentiality and security measures. This should serve

to highlight areas where improvement is needed and provide a benchmark for

evaluating progress over time.

2. Upon appointment, the Guardian, working with the information security officer

or other support staff, should carry out an audit of existing systems, procedures

and organisational capabilities relating to confidentiality and security in the

organisation.

3. Using this audit as a measure of the current organisational baseline, i.e. current

performance, an improvement plan should be developed to begin the process

of year on year improvement. At the end of the year, an out-turn report should

be prepared to measure whether planned improvements have been achieved.

This out-turn report is effectively the management audit that will underpin the

following year’s improvement plan.

INITIAL MANAGEMENT AUDIT

YEAR 1 IMPROVEMENT PLAN

OUT-TURN REPORT (MANAGEMENT AUDIT)

YEAR 2 IMPROVEMENT PLAN

The Management Audit

4. A straightforward audit tool is provided in this manual. It provides a simple and

effective assessment of organisational performance and capacity by rating

current performance from 0 – 2 against eighteen broad headings to construct an

organisational profile.

5. It should be stressed that this tool has been developed to facilitate year on year

improvement at a pace that is challenging but locally sustainable. It should not

to be used for comparison purposes and calculating a score from 0-36 for each

organisation will not provide a meaningful measure of comparative

performance.



Management Audits and Improvement Plans 1

6. Additional headings can be added to the audit tool at local discretion and, if

there is a logical or practical need to do so, existing headings can be sub-

divided to facilitate achievable target setting.

The Improvement Plan

7. At its simplest, an improvement plan should have the following components:

• The most recent Management Audit Organisational Profile

• Realistic targets agreed by the management board e.g. to raise

performance from level 0 to 1 in one or more specified categories

• Details of how the improvement is to be achieved, resource

requirements and likely milestones etc

8. Inevitably however, some improvements may necessitate far more detailed

planning and project management techniques are likely to be required to

deliver change for any but the smallest organisations.

The Out-Turn Report

9. As noted above, the out-turn report serves the dual purpose of assessing

progress against the improvement plan and providing the new performance

baseline for the following year’s improvement plan. It should therefore be

based around the management audit organisational profile supported by an

objective assessment of successes, failures and issues.

In-Year Monitoring

10. Although in many organisations the actual work to audit organisational

performance and implement agreed improvements will fall to the information

security officer or to other staff in support of the Guardian, the Guardian

should ensure that he/she is kept up to date on progress and problems. If

necessary, the Guardian should draw the attention of the management board

to significant problems and, if practicable, suggest options for addressing

them.




Clinical Governance

11. Although all staff have a legal duty to keep information confidential, the

nature of the clinician-patient relationship, and the fact that most patient

information is provided in confidence to clinicians, means that there is an

important clinical governance element to safeguarding confidentiality. The

handling of information provided in confidence is an important aspect of the

quality of care.

12, The acceptance that organisational performance in this area must be

addressed through continuous improvement necessitates a degree of

monitoring and, where appropriate, performance management. This has to be

supported by effective reporting arrangements. Management Audit/Out-Turn

Reports and Improvement Plans should therefore be signed off by the

organisation’s Chief Executive and submitted to the NHS Executive Regional

Office or, in the case of PCGs, to the Health Authority. It must be stressed

that the objective is to secure year on year improvements at a realistic but

challenging pace, and the commitment to achieving this is the key aspect of

performance that should be pursued by monitoring bodies.




The Management Audit OrganisationalProfile




LEVEL 0 LEVEL 1 LEVEL 2

Information for patients/clients No information provided, or An active information campaign An active information campaign on the proposed uses of limited to simple posters and is in place to promote patient is supported by comprehensive information about them leaflets in waiting rooms etc understanding of NHS arrangements for patients with

information requirements special/different needs

Staff code of conduct in respect No code exists, or staff not Code of conduct exists and all Code regularly reviewed and of confidentiality generally aware of it staff aware of it updated as required

Staff Induction Procedures No mention of confidentiality Basic requirements outlined as Comprehensive awareness and security requirements in part of induction process raising exercise undertaken and induction for most staff comprehension checked

Confidentiality & Security Training needs not assessed Training needs only considered Systematic assessment of staff Training needs assessment systematically for most staff as a consequence of training needs and evaluation

organisational or systems of training that has occurredchanges

Training Provision No training available to the Training opportunities broadcast In house training provided for (confidentiality & security) majority of staff with take-up left to line staff e.g. comparable to health

management discretion and safety training provision

Staff Contracts No reference to confidentiality Confidentiality requirements Contractual requirements (see explanatory note 22) requirements in staff contracts included in contracts for included in all staff contracts

some staff

Contracts placed with other No confidentiality Basic agreements of Formal contractual organisations requirements included undertaking are signed by arrangements exist with all

contractors contractors and support Organisations

Reviewing information flows Information flows have not Information flows have been Procedures are in place to containing patient-identifiable been comprehensively mapped and senior regularly review information information mapped management has been flows and justify purposes

informed

Internal information/data Information/data “ownership” “Ownership” established for All “owners” justifying “ownership” established has not been established for all information/data sets and purposes and agreeing staff

all information/data sets register established access restrictions with the Guardian




LEVEL 0 LEVEL 1 LEVEL 2

Safe Haven procedures in No Safe Haven procedures Safe Haven procedures used Safe Haven procedures in place to safeguard information used for some information flows Place for all patient-flowing to and from the identifiable informationorganisation

Protocols governing the No locally agreed protocols Partner organisations clearly Agreed protocols in place to sharing of patient-identifiable in place identified and information govern the sharing and use of information with other requirements understood confidential informationorganisations locally agreed

Security Policy Document No Security Policy available Security Policy exists but not Security Policy reviewed reviewed within last 12 months annually and reissued if

appropriate

Security Responsibilities No information security officer An appropriately trained Responsibility for information appointed, or existing officer is information security officer is security identified in various not appropriately trained in post staff roles, co-ordinated by

the security officer

Risk Assessment and No programme of information A risk management A formal programme exists Management risk management exists programme is underway and with regular reviews,

reports are available outcome reports and recommendations provided for senior management

Security Incidents No incident control or The security officer handles Procedures are documented investigation procedures exist incidents as they arise and accessible to staff to

ensure incidents reported and investigated promptly

Security Monitoring No monitoring or reporting of Basic reporting of major There are regular reports security effectiveness or incidents or problem areas made to senior management incidents takes place only on the effectiveness of

information security

User Responsibilities No guidance issued to staff for Users encouraged to change Password changes are password management passwords regularly but this is enforced on a regular basis

at their discretion

Controlling access to Staff vigilance, and/or an Access for many staff All staff have defined and confidential patient “honour” system control access. controlled by ‘all or nothing’ documented access rights information Some physical controls, systems. Staff groups requiring agreed by the Guardian.

lockable rooms etc may exist access identified and agreed Access is controlled, with the Guardian monitored and audited

Explanatory Notes

Information for Patients/Clients

13. All NHS bodies must have an active policy for informing patients of the kind

of purposes for which information about them is collected and the categories

of people or organisations to which information may need to be passed.

Patients also need to be made aware of their rights, particularly their rights of

access to their records.

14. Subject to some important common elements (see Annex A) the precise

arrangements for informing patients are for local decision, taking account of

views expressed by community health councils, local patient groups, staff,

and partner organisations. As a general rule, patients should be informed

about prospective uses of information in advance of the information actually

being used. Local arrangements should also provide, wherever practicable,

for people whose first language is not English or who have restricted vision

or reading skills.

15. Methods of providing information to patients include:

• Leaflets which may be provided on registration with a GP, during A&E

triage, enclosed with appointments letters or provided when

prescriptions are dispensed.

• Posters on waiting room walls supported by leaflets distributed by

means of dispensers in waiting rooms are unlikely to be sufficient on

their own.

• Routinely providing patients with appropriate information as a part of

care planning.

• Identifying someone able to provide detailed information if patients want

it.

Code of Conduct

16. All staff in the NHS need to be aware of their responsibilities for safeguarding

confidentiality and preserving information security. NHS organisations may

address this by developing staff codes of conduct, based on legal

requirements and best practice, which are tailored to the needs of different

staff groups. Although this need not be in the form of a stand alone code,

such a code facilitates review and updating procedures and can be

distributed as part of induction or with pay slips etc.

17. The core content of a confidentiality code of conduct should be drawn from

the Department of Health guidance booklet on the Protection and Use of

Patient Information, supplemented as necessary by material drawn from

other sources (See Support and Advice).




Staff Induction Procedures

18. It is particularly important that new members of staff are provided with clear

guidelines on their responsibilities in respect of confidentiality and security,

and more importantly, that the understand how these responsibilities impact

on their behaviour and working procedures.

Confidentiality and Security Training Needs

19. It is inevitable that the staff of even small organisations have different levels

of awareness of their responsibilities for safeguarding confidentiality and

preserving information security. It is also difficult for many staff, particularly if

they are busy and have well-established routines and habits, to convert

theory and guidance into practical work procedures.

20. This needs to be addressed by regular and systematic assessment of training

needs, consideration of these might best be met, and evaluation of any

training that has been undertaken.

Training Provision

21. This is closely linked to the previous heading but looks more to the support

that an organisation provides for its staff. The way in which an organisation

addresses the provision of training is largely dependent upon numbers of

staff, their access to confidential information and their assessed training

needs. The Resource Pack: Ensuring Security and Confidentiality in NHS

Organisations (see Support and Advice) provides guidance and supporting

materials for running an awareness campaign on IM&T security. The level 0 –

2 classifications need to be interpreted intelligently here, and organisations

may wish to amend the profile descriptions, e.g. to indicate that staff have (0)

considerable unmet training needs, (1) key staff are receiving appropriate

training and (2) All staff are appropriately trained.

Staff Contracts

22. NHS staff have a legal duty of confidence to patients and it should be made

clear to them that breaching patient confidence can be a serious disciplinary

offence. This can best be supported by the inclusion of a duty of confidence

requirement in employment contracts or other documents setting out terms

and conditions. These requirements should also include a clear statement

emphasising that staff have a rights and a duty to raise concerns about health

service issues with their managers. Under no circumstances should staff who

express their concerns in accordance with current guidance be penalised.

The duty of confidence staff have to patients, including contractual

requirements, may be overridden where there is a strong case for disclosure

in the public interest.




Contracts Placed with Other Organisations

23. Where a non-NHS agency or individual is contracted to carry out or support

NHS functions, the contract must specify appropriate confidentiality and

security requirements. The standards specified in the contract should be

consistent with the best practice expected of NHS organisations and, in

particular, should require that patient information is treated and stored

according to specified security standards and used only for purposes

consistent with the terms of the contract. Action in the event of confidence

being breached should also be specified (e.g. termination of contract). NB

The Data Protection Act 1998 makes it a legal requirement that effective

contractual arrangements exist where data is processed by a third party.


24. The Caldicott Committee recommended that every flow of patient-identifiable

information should be regularly justified and routinely tested against the

principles developed in the Caldicott Report.

• Principle 1 - Justify the purpose(s) for using confidential

information

• Principle 2 - Only use it when absolutely necessary

• Principle 3 - Use the minimum that is required

• Principle 4 - Access should be on a strict need-to-know basis

• Principle 5 - Everyone must understand his or her

responsibilities

• Principle 6 - Understand and comply with the law

25. It is recognised that this can be a major task for large organisations with

complex and often only partially mapped flows of information that have

been put in place on an ad hoc basis to satisfy business needs. Guidance on

the Review Process, and particularly on setting priorities for action, will be

sent to Caldicott Guardians for incorporation in this manual when piloting

work has been completed (expected to be April/May 1999).

Information/Data “Ownership”

26. See the section in this manual on Controlling Access.

Safe Haven Procedures

27. See the section in this manual on Protocols.

Protocols to Govern Information Sharing

28. See the section in this manual on Protocols.




Security Policy

29. Work in this area is largely the responsibility of information security staff, and

detailed guidance can be found in the Resource Pack: Ensuring Security and

Confidentiality in NHS Organisations (see Support and Advice).

Security Responsibilities

Risk Assessment and Management

Security Incidents

Security Monitoring

User Responsibilities

Detailed guidance on headings 25 – 29 can be found in the NHS IM&T Security

Manual included in the Resource Pack: Ensuring Security and Confidentiality

in NHS Organisations (see Support and Advice).

Access Controls

30. See the section in this manual on Controlling Access.






Management Audits and Improvements Plans 1

PCG Guardians

1. Each PCG is required to appoint a Caldicott Guardian who should be, in

order of priority:

• a member of the PCG Board

• a senior health professional

• an individual with responsibility for promoting clinical governance

within the PCG

2. For the purposes of the Caldicott work programme, the PCG should be

regarded as a distinct organisation, composed of the HQ element plus the

constituent GP practices etc. However, the extent to which the PCG Guardian

and Board will need the assistance of the Health Authority, particularly IM&T

specialist staff, to address the Caldicott work programme will depend upon

local circumstances. NHS Executive guidance on the Information

Management and Technology Requirements to support Primary Care Groups

makes it clear that Health Authorities and PCGs should collaborate on

Caldicott related work, that support for PCG Guardians should be provided

where necessary and that PCG requirements in this area should be taken into

consideration when developing arrangements for shared Health Informatics

Services.

3. It is not essential for each part of the PCG to possess its own Guardian – this

would likely prove wasteful of time and resources, but a lead individual

should be identified in each part of the PCG, e.g. each GP practice, for

confidentiality and Caldicott issues. This individual may or may not be a GP,

nurse or other clinician – depending upon role and responsibilities, a practice

manager might prove a suitable lead individual. The development of this

supporting network is an important early task for the PCG. Where dentists,

pharmacists and opticians are being included within the work programme

similar principles should apply.

Timetable of Work

4. It is recognised that many PCGs are, through no fault of their own, beginning

to address the required Caldicott work programme somewhat later in the day

than the majority of Health Authorities and NHS Trusts. The work programme

for the current year (to 31 March 2000) must therefore be approached

sensibly with the aim of ensuring, at the very least, that the PCG is prepared

to address the full cycle of work next year. This preparation should include:

• the appointment of a Guardian

• establishing a supporting network of confidentiality leads in each practice

• developing an understanding of how all components of the PCG are

performing in key areas (the management audit)

• a plan for improving performance in at least some of the key areas (the

improvement plan).

5. Where practicable, the improvement plan should be for the current year. This

would then support an out-turn report at the end of the year – basically a

revised management audit accompanied by a description/explanation of the

progress made – which in turn can form the baseline for the next year’s

improvement plan. However, it is preferable for the PCG to conduct a

thorough management audit and to develop a challenging but realistic and

locally supported improvement plan for next year, than to hit this year’s

deadlines through rushed and possibly superficial activity.

Management Audit

6. PCGs need to undertake a management audit of current standards and

practice and to construct an easily understood organisational profile. An

improvement plan that targets one or more of the audited aspects of

organisational performance then needs to be agreed by the PCG Board. As

suggested earlier, it is unhelpful and largely meaningless for these purposes to

view the PCG HQ function as part of the Health Authority – the different

component parts of the PCG should be considered together.

7. The PCG audit is simplified by the relatively small size of the organisation in

comparison with NHS Trusts, but is complicated by the evolving nature of

PCGs and the independent contractor status of the constituent practitioners.

The 18 areas to be audited also map more neatly on to larger organisations

and need to be adapted to meet the profile and needs of PCGs. The

management audit was purposely designed to provide organisations with a

flexible tool that can easily be adapted for these purposes.

The Audit Process

8. Two alternative models may be adopted. The first of these is to audit the PCG

as a single entity with the resulting organisational profile being determined by

the part of the PCG that scores the lowest in each area. Alternatively, each

part of the PCG, e.g. each GP practice, can be audited separately and be

given its own organisational profile (the HQ function should also be audited

separately in this case). Whichever model is adopted, the work required is

essentially the same, as the performance of each component must be

determined to construct the organisational profile and subsequently the PCG

improvement plan. The audit process will be greatly facilitated where an

internal network of confidentiality leads has been put in place as suggested

earlier in this guidance.




9. The first model has the advantage that the PCG is perceived as a single

organisation. The text that accompanies the audit report can identify, if

appropriate, those parts of the PCG that are operating at a higher level than the

profile suggests.

10. The second model permits each part of the PCG to retain a separate identity. This

model may need to be adopted out of necessity in extreme cases where, for

example, it proves impossible to audit a particular GP practice. Such cases should

be rare, as improving the protection and use of patient information should be the

goal of all parts of the health service. However, in these exceptional cases the

audit report should clearly identify the parts of the PCG for which no information

is available and provide a brief explanation of the reasons why.

Adapting the Audit Tool

11. The audit tool was developed to provide a straightforward and useful measure

of performance in respect of confidentiality and security. Although some of the

areas to be audited are more applicable to larger organisations than small, the

audit tool can be adapted in a relatively simple manner, with the approval of

the PCG Board, to the needs of the PCG. Perhaps the most straightforward way

of addressing this is to take a view on the applicability of each of the 18

identified performance areas. The Board may, for example, take the view that

the optimum level of performance in a particular area should be less than level

2. It is also possible that the Board may wish to introduce additional areas for

assessment.

12. It is recognised that the language used in the audit tool, necessarily a form of

short hand and in parts technical, may not be easily accessible to those

unfamiliar with IM&T security and data protection. This may not be a problem

where, for example, a single individual or team carries out the whole of the

audit. If, however, it is intended that each component part of the PCG, e.g.

each GP practice, conducts its own audit and supplies the results to the PCG

Guardian/Board, then it may prove helpful to use a questionnaire which sets

out the information required in a more accessible way. An example is included

in this section of the Guardian manual.

The Improvement Plan

13. The improvement plan should be based around the final form of the

management audit as agreed by the PCG Board. The improvement plan should

cover the following points:

• the performance areas targeted for improvement should be clearly

identified

• the work required to deliver the improvements should be clearly

described




• those responsible for undertaking the work should be clearly identified

• milestones and deadlines should be set where applicable

• the resources required and where they are to be obtained from should

be clearly stated

Out-turn Reports

14. At the year-end, the Management Audit should be repeated with a particular

emphasis on establishing what progress was made against the improvement

plan and the reason for any particular success or failure. The revised

Organisational Profile that results from this audit process should be used as

the basis for developing the following year’s improvement plan.

Health Authority Monitoring

15. The Health Authority is required to monitor the performance of PCGs to

ensure that thorough audits are carried out and realistic but challenging

improvement plans are drawn up and implemented. Given the degree of

support that most Health Authorities will be providing PCGs in the area of

Health Informatics, it is likely that a collaborative and facilitative relationship

will prove most productive. It is important however that improvements are

made year on year, and that these improvements are documented as

components of local action to implement both clinical governance and the

NHS IM&T strategy. Management Audits, Improvement Plans and Out-turn

Reports are mandatory. PCG documentation should be submitted to the

Health Authority which will, in turn, be asked for a simple report on current

standards and progress by the appropriate Regional Office.

Information Sharing Protocols

16. Whilst each PCG should be a signatory to any local protocols governing the

disclosure or exchange of patient information with other organisations, the

NHS Executive guidance on the Information Management and Technology

Requirements to support Primary Care Groups makes it clear that Health

Authorities should lead on their development in collaboration with the local

PCGs and partner agencies. It would not be a good use of resources for each

PCG to independently draw up its own protocols, though it is important that

all the component parts of the PCG agree, understand and adhere to the

protocols that are put in place. The basic framework that is provided in the

Guardian manual should provide a useful starting point. Once the Health

Authority, PCGs and other organisations agree the key components of a local

protocol, it may be found desirable to adapt the protocol to the particular

circumstances of individual PCGs. However, it is strongly recommended that

all of the components of each PCG adhere to the same protocols and that

variation at the practice level should not occur.




Caldicott AuditQuestionnaireORGANISATION: ..............................................................................................................

1. Information for patients/clients on the proposed uses of information

about them.

Telling patients about the ways in which information collected about them,

e.g. in their medical records, will be used may be required under law

(although the law isn’t entirely clear on this point it is safest to assume that

this requirement exists) and is considered to be an essential part of best

practice in handling patient information by the Department of Health and the

Professional Regulatory Bodies.

Audit

Level

Does your organisation inform patients

about how their information will be used? Yes □. No □If ‘No’, go to 2 below. 0

If ‘Yes’, is the information provided limited to

posters and leaflets which patients may

ask for or look at e.g. in waiting rooms

if they are interested? Yes □. No □If ‘Yes’, go to 2 below. 0

If ‘No’, please outline how the information is provided.

The PCG will need to agree a standard for proactively informing

patients. If your organisation’s approach meets this standard the

audit level will be 1

Is the information provided tailored for

patients with special/different needs

(e.g. those who cannot read English)? Yes □. No □

If ‘No’, go to 2 below. If ‘Yes’, please outline the steps taken to ensure such

needs are identified and met.

The PCG will need to agree a standard for assessing needs. If your

organisation’s approach meets this standard and the standard for

informing patients, the audit level will be 2




2. Staff Code of Conduct in respect of Patient Confidentiality

All staff in the NHS need to be aware of their responsibilities for safeguarding

confidentiality and preserving information security. Organisations may best

address this by developing staff codes of conduct, based on legal

requirements and best practice, tailored to their own working practices and

circumstances.

Audit

Level

Does your organisation have in place

a code of conduct in respect of

Confidentiality? Yes □. No □If ‘No’, go to 3 below. 0

If ‘Yes’, are all staff aware of and familiar

with the code of conduct? Yes □. No □If ‘No’, go to 3 below. 0

Please attach a copy of the code for review by the PCG. The PCG will

need to agree a standard for organisational codes of conduct and

if your code meets this standard it will be audited as level 1

If ‘Yes’, is the code regularly reviewed

(at least annually), and updated as necessary? Yes □. No □

If ‘Yes’ and the code meets the agreed PCG standard, the audit

level will be 2

3. Staff Induction Procedures

It is particularly important that new members of staff are provided with clear

guidelines on their responsibilities in respect of confidentiality and security,

and more importantly, that the understand how these responsibilities impact

on their behaviour and working procedures.

Are all new members of staff provided

with a clear understanding of their

responsibilities in respect of confidentiality

and security? Yes □. No □If ‘No’, go to 4 below. : 0

If ‘Yes’, are new staff provided with

written guidelines, e.g. a code of conduct? Yes □. No □If ‘No’, go to 4 below. 1




Audit

Level

If ‘Yes’, are the common confidentiality

and security issues that staff will face

explained, discussed and their

understanding checked? Yes □. No □If ‘No’, go to 4 below.

If ‘Yes’, the audit level will be 2

4. Confidentiality and Security Training Needs

It is inevitable that the staff of even small organisations have different levels

of awareness of their responsibilities for safeguarding confidentiality and

preserving information security. It is also difficult for many staff, particularly if

they are busy and have well-established routines and habits, to convert

theory and guidance into practical work procedures. This needs to be

addressed by regular and systematic assessment of training needs,

consideration of how these might best be met, and evaluation of any training

that has been undertaken.

Does your organisation take any action to

establish training needs in respect of

confidentiality and security? Yes □. No □If ‘No’, go to 5 below. 0

If ‘Yes’, are needs only reviewed when

an individual’s job changes or new

IT is introduced? Yes □. No □If ‘Yes’, go to 5 below. 1

If ‘No’, are the training needs of all staff in

egularly assessed e.g. as part of an annual

appraisal cycle? Yes □. No □If ‘Yes’, the audit level is 2

5. Training Provision

This is closely linked to the previous heading but looks more to the support

that an organisation provides for its staff and the way that identified training

needs are met. The way in which an organisation addresses the provision of

training is largely dependent upon numbers of staff, their access to

confidential information and their assessed training needs.

Is there any training available to the staff

in your organisation on confidentiality and

security requirements? Yes □. No □If ‘No’, go to 6 below. 0




Audit

Level

If ‘Yes’, is the training provided routinely

for all staff ? Yes □. No □If ‘No’, go to 6 below. 1

If ‘Yes’, the Audit Level is 2

6. Staff Contracts

NHS staff have a legal duty of confidence to patients and it should be made

clear to them that breaching patient confidence can be a serious disciplinary

offence. This can best be supported by the inclusion of a duty of confidence

requirement in employment contracts or other documents setting out terms

and conditions.

Do any of the staff in your organisation have

contracts which contain confidentiality

requirements? Yes □. No □If ‘No’, go to 7 below. 0

If ‘Yes’, do all staff members have contracts

which contain appropriate confidentiality

requirements? Yes □. No □If ‘No’, go to 7 below. 1

If ‘Yes’, the Audit Level is 2

7. Contracts Placed with Other Organisations

Where a non-NHS agency or individual is contracted to carry out or support

NHS functions, the contract must specify appropriate confidentiality and

security requirements. This may include cleaners, IM&T support etc – anyone

who might gain access to confidential material.

Are confidentiality requirements

routinely included in contracts? Yes □. No □If ‘No’, go to 8 below. 0

If ‘Yes’, do the contracts meet an agreed

PCG standard? Yes □. No □If ‘No’, go to 8 below. 1

If ‘Yes’, audit level is 2




Audit

Level

8. Reviewing Information Flows

The Caldicott Committee recommended that every flow of patient-identifiable

information should be regularly justified and routinely tested against the

principles developed in the Caldicott Report.

Has your organisation fully mapped

all flows of patient information, in to

and out of the organisation, and all data

bases holding such information? Yes □. No □If ‘No’, go to 9 below. 0

If ‘Yes’, has the senior management

team been provided with full details? Yes □. No □If ‘No’, go to 9 below. 1

If ‘Yes’, have the flows been tested

against the Caldicott principles and

a rolling program of review

established? Yes □. No □If ‘No’ go to 8 below. 1

If ‘Yes’, the audit level is 2

9. Information/Data “Ownership”

Data ownership may not be necessary within a single GP practice. However,

if the PCG is being audited as a whole, each practice might be a ‘data owner’

and large practices might find it helpful to assign ownership to, for example,

their paper based filing system. This is largely a means of delegating

responsibility for the data held and of controlling access to it.

Has ‘data ownership’ been assigned

for at least some of the patient data

held? Yes □. No □If ‘No’, go to 10 below. 0

If ‘Yes’, has ownership been assigned

for all such data and a register of

those with authorised access created? Yes □. No □If ‘No’, go to 10 below. 1

If ‘Yes’, do all data owners work with

their Caldicott Guardian to justify the

purposes for holding data and agreeing

staff access levels? Yes □. No □If ‘No’, go to 10 below.

If ‘Yes’, the audit level is: 2




Audit

Level

10. Safe Haven Procedures

Safe Haven procedures aim to ensure that all confidential information which

enters or leaves an organisation is handled and accessed in a controlled and

transparent manner.

Are safe haven procedures used to

safeguard at least some of the information

flowing in and out of the organisation? Yes □. No □If ‘No’, go to 11 below. 0

If ‘Yes’, do the procedures cover all

routine flows of confidential material? Yes □. No □If ‘No’, go to 11 below. 1


11. Protocols to Govern Information Sharing

Information sharing protocols aim to ensure that confidential information is

shared in a controlled manner subject to agreed best practice standards. The

development of protocols will be best handled at the PCG level, though each

practice will need to understand and agree to the standards and procedures

that are adopted.

Have all routine partner organisations

been identified? Yes □. No □If ‘No’, go to 12 below. 0

If ‘Yes’, are the purposes for which

each partner organisation needs

patient information understood and

documented? Yes □. No □If ‘No’, go to 12 below. 1

If ‘Yes’, have protocols governing

information sharing been agreed and

put in place?

If ‘No’, go to 12 below. 1





Audit

Level

12. Security Policy

Security policy should be documented and reviewed regularly. This is needed

if an organisation is to understand and satisfy security needs, detect and

resolve security breaches and ensure that staff and management

responsibilities are made clear.

Does your organisation have a

documented security policy? Yes □. No □If ‘No’, go to 13 below. 0

If ‘Yes’, has the policy been reviewed

in the last 12 months? Yes □. No □If ‘No’, go to 13 below.

If ‘Yes’, does the policy meet the

standard agreed by the PCG? Yes □. No □If ‘No’, go to 13 below. 1


13. Security Responsibilities

It is important that lead responsibility for information security is assigned in a

transparent manner, and that the lead individual – IM&T Security Officer – is

effectively trained and able to co-ordinate other staff to meet their

responsibilities for information security. Whilst this might be addressed at

PCG level, there should be a lead individual to support the Security Officer in

each practice.

Has your organisation got an

IM&T Security Officer? Yes □. No □If ‘No’ go to 14 below. 0

If ‘Yes’, is he/she trained to a

PCG agreed standard? Yes □. No □If ‘No’, go to 14 below.

If ‘Yes’, is the Security Officer

supported by other staff whose

roles include an element of

responsibility for IM&T security? Yes □. No □If ‘No’, go to 14 below. 1

If ‘Yes’, audit level is: 2




Audit

Level

14. Risk Assessment and Management

Risk assessment and management is a formal methodology for identifying

and countering possible threats to information security.

Does your organisation undertake and

record risk assessments and risk

management strategies? Yes □. No □If ‘No’, go to 15 below. 0

If ‘Yes’, is the process of assessment

and management comprehensive and

well documented? Yes □. No □If ‘No’, go to 15 below. 1

If ‘Yes’, are outcomes and

recommendations routinely flagged for

senior management attention? Yes □. No □If ‘No’ go to 15 below.


15. Security Incidents

It is important that an organisation has clear and well understood procedures

for identifying and investigating security incidents, with the aim of ensuring

that, wherever practicable, they do not reoccur.

Does your organisation have security

incident control and investigation

procedures? Yes □. No □If ‘No’, go to 16 below. 0

If ‘Yes’, are procedures documented

and understood by all staff? Yes □. No □If ‘No’, go to 16 below. 1





Audit

Level

16. Security Monitoring

Senior management need to be made aware of incidents, the effectiveness of

security measures and areas of particular concern.

Is the effectiveness of IM&T security

routinely monitored and are all staff

familiar with incident reporting

procedures? Yes □. No □If ‘No’, go to 17 below. 0

If ‘Yes’, are regular reports on

security effectiveness and serious

incidents considered by senior

management? Yes □. No □If ‘No’, go to 17 below. 1

If ‘Yes’ the audit level is: 2

17. User Responsibilities

Computer password management is a key user responsibility and the

effective use of passwords can considerably enhance computer security.

Is guidance issued to all staff on

computer password management? Yes □. No □If ‘No’, go to 18 below. 0

If ‘Yes’, are staff encouraged to

change their passwords regularly? Yes □. No □If ‘No’ go to 18 below. 0

If ‘Yes’, are password change

enforced on a regular basis? Yes □. No □If ‘No’, go to 18 below. 1

If ‘Yes’ audit level is: 2

18. Access Controls

Access control is essential to ensure that only authorised persons have

physical or electronic access to computer hardware and equipment, manual

files or computer files and databases. There are many ways that this can be

achieved and gauging current organisational performance in this area is not

readily addressed by a straightforward questionnaire approach. Could you

please therefore describe current procedures and capacity to control access to

IT equipment and confidential patient information.




Protocols Governingthe Receipt and Disclosure of Patient/Client Information1. Ideally, the transfer of all confidential person-identifiable information should

be governed by clear and transparent protocols that satisfy the requirements

of law and guidance and regulate working practices in both the disclosing

and receiving organisations. It is particularly important that those asked to

transfer patient information can be confident that the highest standards,

agreed in advance, will apply and that the information will only be used for

agreed and legitimate purposes.

2. The Guardian has an important role in agreeing the protocols that should

govern the disclosure of patient/client information to other organisations, and

the receipt of information from them. The extent to which the Guardian will

need to become involved in the development of protocols, and any

necessary discussions with other organisations, will depend upon local

circumstances. The Guardian should satisfy him/herself that all routine flows

of information to and from other organisations have been identified.

3. Protocols need to be agreed both by the Guardian, on behalf of his/her

organisation, and by an appropriately senior individual in the organisation to

which information is to be disclosed. Where possible, best practice would be

to develop a protocol to cover all partner organisations. Information is

generally received as well as disclosed and the protocol should apply equally

to each signatory organisation.

4. The main priority is to identify all partner organisations that are involved in

the development of the local Health Improvement Programme and to ensure

that protocols are agreed and adhered to in support of seamless care. The

local family is likely to include:

• The Health Authority

• NHS Trusts

• Primary Care Groups

• Social Services

• Education Services



Protocols Governing the Receipt and Disclosure of Patient/Client Information 1

• Voluntary Sector Providers

• Private Sector Providers

What Should a Protocol Cover?

5. There are five core sections that should be included within a protocol. Other

sections should be added locally as needed. The core sections are:

• Objectives of the protocol

• General Principles

• Agreed Parameters

• Defined Purposes

• Access and Security

Objectives

6. The objectives of the protocol should be clearly identified, understood and

agreed by all of the organisations to which it is to apply. These should

include:

• To set parameters for the sharing of information between agencies

which contribute to the health or social care of an individual.

• To define the purposes for holding personal information within each

agency.

• To define how personal information should be held within each

agency and who should have access to this information.

General Principles

7. Whilst it is vital for the proper care of individuals that those concerned with

that care have ready access to the information that they need, it is also

important that service users and their carers can trust that personal

information will be kept confidential and that their privacy is respected.

8. All staff have an obligation to safeguard the confidentiality of personal

information. This is governed by law, often by contracts of employment, and

in many cases by professional codes of conduct. All staff should be made

aware that breach of confidentiality could be a matter for disciplinary action

and provides grounds for complaint against them.




9. Although it is neither practicable nor necessary to seek an individual’s

specific consent each time that information needs to be passed on for a

particular purpose that has been defined within the protocol, this is

contingent on individuals having been fully informed of the uses to which

information about them may be put. All agencies concerned with the care of

individuals should satisfy themselves that this requirement is met.

10. Clarity about the purposes to which personal information is to be put is

essential, and only the minimum identifiable information necessary to satisfy

that purpose should be made available. Access to personal information

should be on a strict need to know basis.

11. If an individual wants information about them to be withheld from someone,

or some agency, which might otherwise have received it, the individual’s

wishes should be respected unless there are exceptional circumstances. Every

effort should be made to explain to the individual the consequences for care

and planning, but the final decision should rest with the individual.

12. The exceptional circumstances which override an individual’s wishes arise

when the information is required by statute or court order, where there is a

serious public health risk or risk of harm to other individuals, or for the

prevention, detection or prosecution of serious crime. The decision to release

information in these circumstances, where judgement is required should be

made by a nominated senior professional within the agency, and it may be

necessary to take legal or other specialist advice.

13. Where information on individuals has been aggregated or anonymised, it

should still only be used for justified purposes. Care should be taken to

ensure that individuals cannot be identified from this type of information, as

it is frequently possible to identify individuals from limited data e.g. age and

post code may be sufficient.

Setting Parameters

14. There should be a nominated senior professional within each agency covered

by the protocol (Caldicott Guardians in NHS organisations), responsible for

agreeing amendments to the protocol, and mechanisms should be put in

place to monitor its operation, and ensure compliance.

15. Personal information should be transferred freely between the agencies that

have agreed and are complying with the protocol, for the purposes it defines.

Where practicable, a regularly updated register of individuals who need

access to personal information, and the defined purpose(s) for which they

need this access, should be made available to each agency concerned.

16. If appropriate, service level agreements can be used to establish standards for

sharing information, e.g. speed of response.

17. Specific consent is required prior to personal information being transferred

for purposes other than those defined in the protocol, unless there are

exceptional circumstances as outlined above.




18. Where individuals are unable to give consent, the decision should be made

on the individual’s behalf by those responsible for providing care, taking into

account the views of patients and carers, with the individual’s best interests

being paramount. Where practicable, advice should be sought from the

nominated senior professional and the reasons for the final decision should

be clearly recorded.

Defining Purposes

19. There will be a range of justifiable purposes to be locally agreed. The

following list is not exhaustive and covers internal NHS purposes only:

• delivering personal care and treatment

• assuring and improving the quality of care and treatment

• monitoring and protecting public health

• managing and planning services

• contracting for NHS services

• auditing NHS accounts and accounting for NHS performance

• risk management

• investigating complaints and notified or potential legal claims

• teaching

• statistical analysis

• medical or health services research

20. Some purposes may require additional safeguards to be specified, e.g.

teaching or research that directly involves an individual should only proceed

with the individual’s informed and explicit consent. The requirement for NHS

organisations to obtain clearance from Local Research Ethics Committees

prior to releasing information for research purposes should also be made

explicit.

Holding information, access and security

21. The Protocol should specify how each organisation is to meet agreed

standards, e.g.:

• Staff should only have access to personal information on a need-to-

know basis, in order to perform their duties in connection with one or

more of the purposes defined above. Clinical and professional details

should be available to all those, but only those, involved in the care of

the individual.




• Each agency will ensure that they have mechanisms in place to enable

them to address the issues of physical security, security awareness and

training, security management, systems development, site-specific

information systems security policies, and systems-specific security

policies.

• Each agency will take all reasonable care and safeguards to protect

both the physical security of information technology and the data

contained within it.

• All information systems will be effectively password protected and

users will not divulge their password nor leave systems active whilst

absent.

• All personal files and confidential information must be kept in secure,

environmentally controlled locations when unattended, e.g. in locked

storage cabinets, security protected computer systems etc.

• Keys to lockable storage cabinets should be held only be staff who

require regular access to the information they contain. Keys must be

held in a secure place.

Conclusion

22. The purpose(s) for which information is required by different organisations

will clearly differ and each needs to be sensitive to the particular

requirements of others in respect of confidentiality. E.g. whilst the emphasis

placed upon the clinician/patient relationship within the healthcare

environment is sometimes poorly understood by other organisations, the

importance of protecting records from access by staff who may be friends,

relatives or neighbours of a patient, is extremely important from a social

services perspective and unlikely to be fully appreciated by health

professionals.






Protcols Governing the Receipt and Disclosure of Patient/Client Information 6

Crime and DisorderAct 1998: ProtocolsIntroduction

1. The Crime and Disorder Act 1998 introduces a number of measures to reduce

crime and disorder, including the introduction of local crime partnerships

based around local authority boundaries to formulate and implement

strategies for reducing crime and disorder in the local area. The new

measures include Youth Offending Teams, anti-social behaviour orders, sex

offender orders and local child curfew schemes. All of these measures

depend upon close co-operation, including the proper exchange of

information, and the NHS clearly has an important role to play.

2. The Crime and Disorder Act supports and facilitates this exchange of

information but does not in itself constitute a statutory requirement for NHS

organisations to disclose patient information to other agencies. In the absence

of such a requirement, it is essential that NHS organisations, whilst

contributing as fully as they are able to their local crime partnership, continue

to operate within the constraints provided by common and statute law.

Lawful & Proper Information Exchange

3. Section 115 of the Crime and Disorder Act 1998 provides that any person has

the power to lawfully disclose information, for the purposes of the Act, to

the police, local authorities, probation service or health authorities (or

persons acting on their behalf), where they do not otherwise have this

power. However, whilst section 115 ensures that all agencies have a power to

disclose, it does not impose a requirement on them to exchange information

and responsibility for disclosure remains with the agency that holds the data.

4. Any disclosure of patient based information, almost always provided to NHS

staff in confidence by patients, must therefore have regard to both the

common law duty of confidence, and statutory restrictions on disclosure. NB.

The Courts have recently ruled that the common law duty of confidence does

not apply to information that has been effectively anonymised so that

individuals cannot be identified. There is thus no barrier to the sharing of

effectively anonymised data.

5. In the absence of a statutory requirement to disclose patient identifiable

information (or a court order requiring disclosure), a decision to disclose must

therefore be justified. This necessitates that the disclosing agency be confident:

• that there are no statutory restrictions on disclosure (e.g. those

provided by the Human Fertilisation and Embryology Act 1990);

• that the subject of the information has been informed of the proposed

disclosure and has consented to it; or

• that on balance, there is an overriding public interest in the disclosure.

6. The latter requires a balancing judgement to be made on a case by case

basis. Specific measures to prevent crime, reduce the fear of crime, detect

crime, protect vulnerable persons, maintain public safety, or divert young

offenders from re-offending are clearly in the public interest. It is the

responsibility of the holder of the confidential information to determine

whether the duty of confidence to the individual, the harm that could result

from disclosure and the public interest in maintaining the confidential nature

of the clinician/patient relationship is outweighed by the public interest

arguments for disclosure. If in doubt, NHS organisations should seek legal

advice.

Protocols

7. The best way of ensuring that disclosure is properly handled is to operate

within a carefully worked out information sharing protocol. Protocols should

be supported by all the agencies involved and should be made available to

the public. The Home Office, in guidance aimed largely at the police, has

promoted this approach. There remains a need however, for NHS

organisations to ensure that the particular sensitivities that apply to health

information are appropriately reflected. It is recommended therefore that the

following principles and associated good practice should be incorporated in

all Crime and Disorder Protocols and that all signatories are made aware of

the context within which NHS organisations must work.

Designated officers

8. It is usually suggested by the police that signatories to a C&D Protocol

should nominate designated officers to regulate, monitor and act as the

channel through which requests for information are made and handled. The

Department of Health supports this approach and it is recommended that the

Caldicott Guardian should be the designated individual for NHS

organisations.

Scope of C&D Protocols

9. Protocols should provide operational guidelines for signatory agencies on the

exchange of personal information (as defined and regulated by the Data

Protection Act 1998) and also effectively anonymised information to:

• help local partnerships to implement the provisions of the Crime and

Disorder Act,

• facilitate the work of youth offending teams.




10. Protocols should govern the exchange of information to obtain the following

Orders

• Anti-Social Behaviour Orders,

• Sex Offender Orders,

• Child Safety Orders,

• Child Curfew Orders

11. Protocols should also apply to the exchange of information following a

conviction by a Court. It will therefore be relevant to:

• Drug Treatment and Testing Orders,

• Reparation Orders,

• Action Plan Orders,

• Supervision Orders,

• Detention and Training Orders,

• Parenting Orders.

12. Finally, protocols should apply to any other exchange of information that is

intended to support action under any other provision of the Crime and

Disorder Act.

General Principles

13. Section 115 of the Crime and Disorder Act provides a power to exchange

information where disclosure is necessary to support the local strategy to

reduce crime and disorder, the youth justice plan, or another provision of the

Act. However, although the Act creates a situation where the exchange of

information may be lawful, the duty of confidentiality will still apply to

personal health data. The Act does not provide a statutory authority to

disclose such information, though the duty of partnership requires that

signatories do all they can within the restrictions imposed by law. Data

Protection legislation, in the form of the 1998 Act is also relevant to the

sharing of “personal data” (as defined in the Act), and signatories should

obtain a copy of the guidance provided by the Data Protection Registrar’s

Office Crime and Disorder Act 1998: data protection implications for

information sharing.

14. It is clearly necessary for protocols to distinguish between effectively

anonymised information and information which remains capable of

identifying individuals. It is also necessary to distinguish between personal

information that is held in confidence and that which is not. A further




distinction, generally of less importance, is between personal information

relating to the living and that relating to the deceased. The following matrix

illustrates the applicability of key legislation (and the common law) to the

various categories of information. A version of this matrix, expanded to cover

other legislation governing the use of information by each of the signatory

agencies, might usefully be included within the protocol.

1. It is not clear under law whether the Common law duty of confidence extends to

information provided in confidence by those who have subsequently died. However, the

Department of Health and the professional regulatory bodies advise that best practice is to act

as if the duty does continue after death.

Points to be included in C&D Protocols

General

• Protocols should commit signatories to ensuring, as best they are able,

that they are informed about and comply with all legal requirements –

e.g. Data Protection legislation and the common law duty of confidence

– and key responsibilities in this area should be flagged.

• It should be explicitly stated and agreed that all information received

under the protocol should only be used for the purposes defined and

listed in the protocol. Signatories must agree that they will not disclose

information received under the protocol to another agency without

seeking the consent of the agency that provided the information in the

first instance.

• The protocol should record agreed procedures for retention and

destruction of information. Information should be retained no longer

than is necessary and should be protected by adequate security

measures that should be outlined at least in brief within the protocol.




Common Law Data Computer Human NHS Other?Duty of Protection Act Misuse Act Fertilisation & (Venereal Confidence 1998 1990 Embryology Diseases)

Act 1990 Regulation & Directions1974 & 1991

Anonymised/ No No Yes No NoInformation

Personal health Yes Yes Yes Yes Yesinformation (living individuals)

Personal health Yes1 No Yes Yes Yesinformation (deceased)

• The protocol should make it clear that only the minimum information

necessary to satisfy the purposes defined in the protocol should be

provided.

• The protocol should clearly outline the procedures that will apply

when individuals exercise their legal rights to have access to and

copies of any personal data held about them.

• The Protocol should make it clear that personal data relating to third

parties, e.g. a relative, victim, informant or witness should only be

disclosed to partner agencies in circumstances permitted by the Data

Protection Act 1998.

Confidential Personal Information

• The protocol should make it clear that where information is held in

confidence e.g. as is the case with personal information provided to

the NHS by patients, the consent of the individual concerned should

normally be sought prior to information being disclosed.

• Where consent is withheld or is unobtainable, the protocol should

require an agency to assess, on a case by case basis, whether a

disclosure is necessary to support action under the Crime and Disorder

Act and whether the public interest arguments for disclosure are of

sufficient weight to over-ride the duty of confidentiality.

• The protocol should require a formal record to be kept of the basis for

disclosure of confidential personal information – consent or the public

interest – and where the public interest is relied upon the grounds

should be documented.

• The protocol should make it clear that an agency receiving confidential

personal information from another agency under a Crime and Disorder

Protocol is itself bound by the common law duty of confidence and

also may need to comply with Data Protection legislation.




Controlling Access

The Guardian as Gatekeeper

1. Once an organisation has procedures and systems in place to control access

to patient information, the Guardian should have responsibility for agreeing

who should have access to what. Although it is necessary to be realistic

about the pace at which existing systems and procedures can be changed if

there are significant resource implications, the introduction of new

procedures e.g. to control access to the new NHS Strategic Tracing Service

(NSTS), can provide an opportunity to set high standards from the outset.

This section provides an outline of key access control concepts and

recommended good practice. It also provides an overview of the proposals

for NSTS operation and associated Guardian responsibilities.

Access Control

2. Access control is essential for ensuring that only authorised persons have:

• physical access to computer hardware and equipment;

• access to computer system utilities capable of over-riding system and

application controls;

• access to manual files containing confidential information about

individuals;

• access to computer files and databases containing confidential

information about individuals

3. Whilst the introduction of appropriate procedures and systems is likely to fall

to information security officers, facilities management and building security

etc, it is important that the Guardian be aware of current organisational

capacity and intentions, through the management audit (see relevant section

of this guidance).



Controlling Access 1

Detailed guidance on access controls can be found in the

Resource Pack Ensuring Security and Confidentiality in the

NHS Organisations (see Support & Advice)

Physical Access Controls

4. Physical security protection should be based on defined physical perimeters

and achieved through a series of strategically located barriers throughout the

organisation. Critical installations should be protected, at the minimum, by

lock and key with only authorised staff permitted access.

Access to Systems Utilities

5. This is primarily a concern for the information security officer and is covered

in detail in Ensuring Security and Confidentiality in NHS Organisations.

Access to Confidential Information aboutIndividuals

6. Access to person identifiable information should be restricted to those staff

who have a justifiable need to know in order to effectively carry out their

jobs. The Caldicott Principles underpin the approach that NHS organisations

should develop and introduce at a pace that is sustainable locally.

• Principle 1 - Justify the purpose(s) for using confidential

information

• Principle 2 - Only use it when absolutely necessary

• Principle 3 - Use the minimum that is required

• Principle 4 - Access should be on a strict need-to-know basis

• Principle 5 - Everyone must understand their responsibilities

• Principle 6 - Understand and comply with the law

7. Registered access levels can be used to further limit the access of authorised

persons to the minimum information that they need to carry out a task or

function. This is particularly relevant to information held electronically, but

the principles apply to all records, e.g. staff who need access to manual files

for filing purposes should not need to access the information already

contained within the files.

8. There are also legal restrictions on who may see certain patient-identifiable

information, notably sexually transmitted diseases including HIV/AIDS. Only

staff whose responsibilities include the treatment of individual patients with

such diseases or who are involved more widely with the treatment or

prevention of disease, such as those employed by public health departments,




should be permitted access to such information. Organisations should

therefore develop procedures for filtering out and/or anonymising relevant

records (see the section on safe-havens below).

Information/Data “Ownership”

9. It is best practice for each physical set of information, e.g. manual files, or

logically discrete set of electronically held information e.g. a database, to be

assigned an “owner”. The information security officer should keep an up to

date register of data “owners” and the Guardian should be provided with a

copy. A number of responsibilities should be associated with ownership,

including:

• identifying all the information/data in the set

• identifying, and justifying to the satisfaction of the Guardian, how the

information/data can be used

• agreeing with the Guardian who can access the information/data, and

what type of access each user is permitted

10. Details of the other responsibilities of “data owners” - e.g. data classification,

security measures and compliance with Data Protection legislation - can be

found within Ensuring Security and Confidentiality in NHS Organisations.

Access Levels and Registration

11. There should be formal and documented user registration and de-registration

procedures, for access to all person-identifiable information held in

confidence, where multiple users need access. Again, although this is mainly

applicable to electronically held information, the principles extend to manual

files.

12. It is particularly important that it is clear, at any point in time, just who

should have access to what information. It should be possible to immediately

change or remove the access rights of individuals who have changed jobs or

left the organisation and a formal process to regularly review users’ access

rights should be established. For information held in electronic form, each

user should have a unique identifier (user-ID) for their personal and sole use.

A unique user-ID ensures that all activities on the system can be traced to the

individual responsible and audits of activity undertaken. Each user should

also have a password. As long as they are kept secret, passwords are an

effective and easily introduced security measure. Detailed guidance on the

use and management of passwords, aimed primarily at information security

officers, is included within Ensuring Security and Confidentiality in NHS

Organisations.




13. Ideally, systems should permit users to be given different levels of access,

and this requirement should be carefully born in mind when introducing new

systems or upgrading old ones. The example given above of the access

required by a filing clerk demonstrates that the principle can be applied to

manual records as easily as to that held on a computer. Procedures for

checking that the level of access granted to an individual is appropriate and

justifiable, in the context of the business purpose, should be put in place and

the Guardian’s approval sought (see Information “Ownership” above).

Incidents and Security Breaches

14. Detailed guidance on the management of security incidents is included within

Ensuring Security and Confidentiality in NHS Organisations, and is largely

the responsibility of the Information Security Officer. Guardians should

ensure, however, that all security incidents involving the unauthorised

disclosure of confidential personal information are reported both to

themselves and to the Chief Executive of the organisation. Where

appropriate, advice on the handling of such breaches of confidence should

be sought from the NHS Executive HQ or the Regional Office (see the

section on Support & Advice).

Safe-Havens

. To support the introduction of access controls within an organisation and

adherence to legal restrictions on the disclosure of certain information

(HIV/AIDS etc), a useful model to adopt for routine flows of information is

the use of designated safe-havens. This model requires confidential

information to be disclosed or accepted through designated safe-haven

contact points.

16. When information is received, access controls and registered access levels

agreed by the Guardian, should then determine which staff within the

organisation should have access to what information (see Controlling Access).

When information is disclosed by a designated safe-haven point to an

equivalent point in another organisation, staff can be confident that agreed

protocols will govern the use of the information from that point on.

17. Where it is not practicable for patient information to be routed in this way,

the staff involved must be made aware of any relevant protocols and take

responsibility both for adhering to them and for drawing the attention of

others to the standards that should apply. This is particularly relevant when

information is shared to directly support patient/client care as a perception

that another organisation does not adhere to the same rules of confidentiality

can put barriers in the way of information sharing and undermine the

effective provision of seamless care.




18. Safe-haven arrangements originated to support contracting procedures, and

detailed guidance was provided in EL(92)60 (See Summary of Existing

Guidance). The safe-haven model should, over time, be extended to cover all

procedures for transferring confidential patient/client information between

organisations when the purpose is not directly related to the provision of

care. Guardians should work with the information security officer and staff

familiar with safe-haven procedures to consider how the wider use of these

procedures might be promoted across the organisation.

19. The key principles, updated to incorporate the Guardian role, are that:

• Each organisation should establish safe-haven administrative

arrangements to safeguard confidential person-identifiable information.

This includes having one designated contact point per physical site.

Ideally, all information exchanged between NHS organisations should

pass between safe-haven contact points.

• All members of staff (including, for example, switchboard operators

and post room staff) should be made aware, at least in general terms,

of the policies and procedures surrounding safe-haven access.

• Safe-haven procedures should be fully documented, approved by the

Guardian and agreed by senior management.

• Safe-haven procedures should be comprehensive and cover:

• Management arrangements

• Staff roles and responsibilities

• Physical location and security

• Procedures for handling information

• Controls on disclosure of information

• Storage, archiving and destruction of information

Access to the NHS Strategic Tracing Service(NSTS)

20. The introduction of the Strategic Tracing Service - a new service for the NHS

- provides a clear opportunity to implement the high standards called for in

the Caldicott Report. Guardians will have an important gatekeeper role when

their organisations are signed up to access this new service, authorising

different levels of access as described below.




21. The NSTS will provide the NHS with a core set of administrative information

about people, places and organisations. The NSTS will provide administrative

information that:

• is accessible to a wide range of NHS organisations;

• is accurate and up to date;

• is sufficient to support NHS business

22. The NSTS will provide a range of functions to support NHS organisations,

including aggregate population analysis, updating local patient registers and

the ability to call up the full range of patient administrative details for an

individual.

23. Access to the NSTS is governed by strict security protocols, including the

ability to restrict access according to security clearance. The Guardian is the

only individual entitled to register, amend registration or de-register

members of staff.

24. The NSTS will recognise six different levels of access, with level 6 providing

access to all the information held. Each of the 5 restricted levels of access is

further sub-divided into three further categories, A, B or C each of which

provides a slightly greater degree of access than the previous. Whilst there is

a general trend from minimum to maximum information, on the 1 to 6 scale,

there are irregularities that have been introduced to support specific NHS

functions so care should be taken when assigning levels to staff groups.

Access may also be restricted according to other criteria e.g. to records

belonging to individuals residing in a particular geographical area.

25. Each organisation permitted access to the NSTS must assign an access profile

to each member of staff permitted access. This access profile will be

registered with the NSTS provider and will define both the permitted level of

access and any geographical or other restrictions.

26. Access levels should be set initially by business function unless there is a

need to vary this in special cases, and should be agreed following Caldicott

Principles of justification of purpose, need to know parameters and

consideration of precise information requirements.




NSTS Access Levels and what they permit access to:

ACCESS LEVEL (Y = ACCESS PERMITTED)




LEVEL LEVEL LEVEL LEVEL LEVEL LEVEL

NTS FIELD 1 2 3 4 5 6

A B C A B C A B C A B C A B C

DATE OF BIRTH Y Y Y Y Y Y Y Y Y Y Y Y Y Y

DATE OF DEATH Y Y Y Y Y Y Y Y Y

NHS NO. (OLD) Y Y Y Y Y Y Y

NHS NO. (NEW) Y Y Y Y Y Y Y Y Y Y Y Y Y

SURNAME Y Y Y Y Y Y Y Y Y

FORENAME 1 Y Y Y Y Y Y Y Y Y

FORENAME 2 Y Y Y Y Y Y

TITLE Y Y Y Y

SEX Y Y Y Y Y Y Y Y Y Y Y Y

ADDRESS Y Y Y Y Y Y

POSTCODE Y Y Y Y Y Y Y Y Y Y Y

ADDRESS IS MAIN / Y Y Y Y

TEMPORARY ETC

TELEPHONE NO. Y Y Y

GEOGRAPHIC AREA Y Y Y Y Y Y Y Y

REGISTERED GP Y Y Y Y Y Y Y Y

GP PRACTICE Y Y Y Y Y Y Y Y

ALIASES Y Y Y Y

LOCAL/OTHER Y Y Y Y

IDENTIFIER

ORGANISATION LINKS Y Y Y Y Y Y

27. The access control points outlined at the beginning of this section are clearly

relevant and it will be important for Guardians to be confident that any

supporting staff are familiar with the more detailed guidance that is available.

28. Local organisations will quite rightly have considerable flexibility as to the

access level assigned to different members of staff. The access levels

suggested in the following list cover a range of common functions and it is

recommended that they are adopted. However, no attempt has been made to

classify functions down to the A, B and C sub-classifications. This is a matter

for local discretion.

Recommended

Level

Patient Registration (NHS Trust) 5

Patient Registration (GP) 5

Set-up of New Patient Registers 5

NHS Number Tracing 3

Data Cleaning of Patient Registers 5

Waiting List Cleaning/Review 5

Set-up and Maintenance of Disease Related Registers 5

Health Improvement Programmes 1

Epidemiological Studies 2

Screening Programmes 5

Resource Allocation 1

Validation of Payment Claims by GPs 4

Post-payment validation 2

Person Tracing 5

29. More detailed guidance on the operation of the NSTS will be issued by the

NHS Executive later this year. This will include guidelines for auditing the use

of the NSTS by staff – each time that the NSTS is accessed the details are

logged – and Guardians will have an important role to play in monitoring

and signing off the audit procedures.




Review of Current Information Flows

30. It is important that NHS Organisations and their Guardians develop a

thorough understanding of how information is being used within the

organisation and ensure that each use is justified to the Guardian’s

satisfaction. Additional guidance on this review process will be made

available shortly.




Reviewing InformationFlows within NHSOrganisations1. The Caldicott Report recommended that every flow of patient-identifiable

information within, and from, an organisation should be tested against the

Caldicott principles. The continuation of a flow and, where a flow serves a

necessary purpose, the inclusion of each item of information capable of

identifying an individual should be justified. Continuing or routine flows of

information should be re-tested regularly and routinely. This is potentially a

significant task for a large and busy organisation the first time it is

undertaken, and it is essential that the work is tackled sensibly and at a pace

that is locally sustainable. This work should fall into three key stages:

Stage 1: Mapping information flows

Stage 2: Prioritising mapped flows for review purposes

Stage 3: Rolling program of review (2, 3, 4 or 5 year program)

2. The term patient-identifiable information or, alternatively, patient-identifiable

data means any data item or combination of data items by which a patient’s

identity may be established. The main patient-identifiable data items that you

should review are:

• forename;

• surname;

• date of birth;

• sex;

• address;

• postcode.

3. In this context, an information flow is a set of data that is sent by one party

to one or more other parties. Examples of this include:

• routinely sent free-text correspondence, eg hand written, word

processed;

• manually completed forms;



Reviewing Information Flows 1

• print outs from systems;

• electronically exchanged data (both structured and unstructured

messages).

4. The aim of removing patient-identifiable data items is to enhance patient

privacy, e.g. by lessening the chances of people inadvertently recognizing

someone they know when reviewing patient data. If sufficient items can be

removed, individual patients may no longer be identifiable and the

information will no longer be classed as personal data and be regulated by

Data Protection legislation. However, it will rarely be possible to do more

than enhance privacy and thus support wider work on improving the security

and confidentiality of data flows.

5. It is important to note that the requirements of data protection legislation are

only satisfied when the amount of patient-identifiable information used for

any particular purpose is adequate, relevant and not excessive in relation to

that purpose, so each item of patient-identifiable data retained should be

justified.

Mapping and prioritising information flows

6. Pilot work has confirmed that within any sizeable NHS organisation there are

a large number of data flows that contain patient-identifiable data items.

Small organisations may find that they are able to map all existing

information flows in the initial mapping exercise. However, where this

appears to be too demanding a task, activity should be mapped in terms of

functional areas with the mapping exercise itself becoming part of the longer-

term process of the rolling program of review. If this approach is adopted,

the review task in the management audit/improvement plan section of this

manual should be sub-divided accordingly to demonstrate the continuous

improvements that are being made (e.g. to demonstrate that level 1 or 2 has

been achieved for functional areas X & Y).

7. Functional areas should themselves be assigned a priority rating for review –

high, medium or low and this should be reflected in the rolling review

program. Information staff who have a good understanding of the full

spectrum of data flowing around an organisation may be able to identify

functional areas with significant numbers of patient related flows that are not

related to the direct provision of patient care. Care delivery areas should

generally be assigned a lower priority for review and are likely to genuinely

need patient information, e.g. name and address, due to contact with the

patient.

8. To assist in this task the following table identifies the functional areas that

were identified during piloting and assigns priority levels to them. This list is

not exhaustive, but should guide you. More detailed explanation as to why

these areas are proposed and what flows to review are provided as

appendices to this section of the Guardian manual as noted in the table.




Proposed review areas

9. The appendices indicated in the table above suggest flows to look at and

flows to avoid for each functional area. Local circumstances may change the

way that information is used so these should be seen as examples rather than

fully inclusive models. A comprehensive map of information use should be

built up locally for each functional area.




Functional Areas Health Authority Trusts See Appendices

and Primary Care

Groups

High priority areas

Commissioning 3 3 1

Clinical audit 3 3 2

Information department 3 3 3

Clinical coding 3 4

Medium priority areas

Medical records 3 5

Patient care services (e.g. surgery, 3 6

mental health care teams)

Pathology 3 7

Low priority areas

Health Authority /General 3 8

Practitioner communications

Other areas 3 3


10. It is important that the review of information flows should be addressed in

‘bite sized chunks’. For example, if reviewing a very large area such as

medical records, select part of the function to review, perhaps by selecting all

flows from one specialty. You may subsequently be able to apply findings

more widely if you identify flows that are common across specialties.

11. Information that is flowing into the functional area may prove the most

straightforward to review, simply because the recipient of the information will

know why they receive it, what they do with it and the decisions they make

with it. Those conducting the review might best determine this by

interviewing key staff to establish what patient related information they

routinely receive, hold and send, both electronically and on paper. Those

flows containing patient-identifiable information should be noted and

examples of the forms or printouts used should be copied. Outputs from

computerised systems should be reviewed by contacting the system manager

to find out what outputs/reports are regularly run. Note that outputs that

provide listings of multiple patients are less likely to need name and address

than outputs that relate to an individual patient’s care.

12. Included with this section of the Guardian manual, at Appendix 9, is a blank

questionnaire. Section 1 of the blank questionnaire can be copied. Make sure

you have enough copies to complete one for every data flow to be reviewed.

Read the guidance notes within the questionnaire carefully and make sure that

you understand what the questions mean.

13. For data flows which routinely go to other organisations you will need to set

up meetings with the relevant staff within those organisations. This might

usefully be done alongside meetings to discuss protocols for sharing

information or as part of the work of confidentiality groups put in place to

support local work on Information for Health. It is not sufficient to simply

interview the sender of the data flow about its purpose, because it may be

that more patient-identifiable data is sent than necessary because the sender

has a different understanding of why the data is exchanged than the receiver.

It is the receiver’s use of the data that should govern its content.

14. A separate section 1 of the questionnaire should be completed for each role

receiving a data flow, even if you identify that two roles are receiving the

same data flow. This is important because it is the individual role’s use of the

data flow that will govern what data items are required and these may not be

the same for multiple users of the data flow. A sample form/print out of the

data flow should be attached to the questionnaire for reference.

15. The piloting identified that thorough completion of a questionnaire is

imperative if others are to approve findings. If the detail of the flow is not

presented clearly, approvers are likely to respond with lots of questions about

the flow. So remember that whilst some information you gather may seem

very obvious to you if you are familiar with the functional area, it may not be

to others and hence needs recording.




16. Section 2 of the questionnaire should be photocopied and completed for any

flows that are seen to hold more patient-identifiable data than needed. This

is likely to be a relatively small proportion of the total number of flows you

review. The purpose of section 2 of the questionnaire is to help establish

whether a flow should be changed. Further interviews are likely to be

needed with the sender of the data flow and any other recipients to establish

what other users of the data flow require and to identify possible means of

changing the flow. As many options for change as possible should be

identified. These may include:

• redesigning system print outs, reports and screens to hide

unnecessary data;

• changing message definitions in electronically exchanged flows.

This will require both the sending and receiving system to be changed

and will need to be co-ordinated and may also be costly. Suppliers

and user groups should be consulted and if costs cannot be justified

then changes should be logged for inclusion in future upgrades;

• redesigning printed forms to remove name and address or other

unused patient identifiers, replacing them with less revealing

identifiers, such as NHS Number. The fact that an NHS number may

not be known for a small minority of patients should not prevent such

changes from being made. Guidance on forms can state ‘provide

name if NHS Number is not known’. The cost of changing forms can

be minimised by making the change when a reprint is required, rather

than discarding existing forms;

• leaving the flow unchanged, but improve the security of the flow

(eg. not using faxes);

• stopping the flow from going to recipients that do not need it;

• splitting flows that go to multiple recipients so that each one only

gets the data they need. Carbonated forms can be used and

unnecessary data items blocked on copies for some recipients;

• possible options for longer term strategic action to change the

flow include:

• implementation of electronic links for the data flow area. This

may negate the need to remove unjustified data items from the flow by

hiding the data items from the recipient or enable data to be more

easily selected locally from within the receiving system, without

impacting the user;

• revisiting the procedures and systems supporting the whole

business area. This may provide an opportunity to remove or totally

change the nature of the data flows supporting the business area, but

could only be done as part of a larger review, perhaps in preparation

for procuring new systems or merging business functions together.




17. Individual judgement should be used to ascertain if the improvement in

privacy that would be gained be removing data items outweighs the cost, risk

and impact of making the change. Bear in mind that it is a Data Protection

Act requirement that data should only be exchanged if it serves a purpose and

that the aim of the Caldicott review is to improve patient privacy. If it is not

justifiable to change a flow in current circumstances, perhaps because the

impact on staff is too great or the cost is prohibitive, consideration should be

given to what actions can be taken so that the flow can be reviewed for

change at a later point.

18. For each data flow recommended for change a more detailed proposal should

be drawn up. Develop the preferred option identified in the questionnaire

and gather more information to substantiate your view, such as better

estimates of costs. Agreement to the proposal should be sought from the:

• Sender;

• recipient(s);

• Caldicott Guardian;

• senior management (if appropriate).

19. If the sender or recipient of the data flow is from another organisation

negotiations will need to take place. It is recommended that the Caldicott

Guardian should lead negotiations by consulting with their counterpart in the

sending organisation. For data flows agreed for change, an implementation

plan detailing who needs to take what action and when, should be prepared.

In some instances the plan may need to be drawn up by another organisation,

typically where they are the sender. If so, there is still a need to negotiate to

make sure that it happens.




Dataflow Review Rules

Introduction

20. The aim of the process of reviewing patient-identifiable data, as set out in

this document, is to ensure that NHS organisations are applying the Caldicott

principles to all patient based data flows. To assist in applying these general

principles to the data flows that you review, a set of rules for reviewing

patient-identifiable data flows has been established. These aim to identify the

types of data flows where name and address are justified, unjustified or

acceptable given certain circumstances. These rules have been applied to the

design of the questionnaire and should be read before interviews commence

to complete questionnaires for individual data flows.

21. The personal data included within a data flow should be adequate, relevant

and not excessive for the recipient’s purpose(s). In particular, access to name

and address should be on a strict “need to know” basis. But all patient-

identifiable data should be reviewed to ensure that it is justified. Where a

flow has multiple purposes, the recipient’s “need to know” for each purpose

should be confirmed. It is not acceptable to hold more data than is adequate

for the current purpose of a flow in anticipation that additional data may be

needed later for secondary purposes.

22. There are four reasons to need to know name and/or address :

• to have direct contact (meet, telephone or correspond) with the

person or their representative / relative (e.g. GP, carer, social

worker, parent);

Patients want to be known by their name, not a number when

receiving care.




Rule 1: Personal data sent should not be excessive for purpose

Rule 2: Where there is a “need to know” name and address it should

be retrieved locally wherever possible

Rule 3: Where identifiable data is needed to trace a patient, name and

address may be justified in the short term

Rule 4: Flows should be prioritised for change by examining the

extent that the confidentiality gain exceeds the risk and cost

Rule 5: If the cost of changing a flow exceeds the benefits or is

prohibitive, consider the case for removing name and address

once the data has reached the recipient

Rule 1: Personal data sent should not be excessive for purpose

• because of a responsibility to maintain health records;

Most healthcare providers maintain their own register of patients they

treat. Hence when a patient first presents to a service, full patient

details will be required so that a patient can be registered (e.g. first

referrals). Subsequent correspondence should not require the full data

set. See rule 2;

Some flows will also be justified because their purpose is to update the

patient-identifiable data held within a patient register, hence name may

be needed to update a patient record. The NHS Central Register is a

good example where patient-identifiable data is not needed for direct

patient contact, but is needed to maintain accurate patient records.

• because of a statutory or nationally mandated requirement;

Patient data must be sent where there is a mandatory requirement to

do so, even if there does not appear to be a genuine need to know.

• when the person’s residence has to be pinpointed to a greater

degree of accuracy than can be obtained from postcode alone

(applies to address only).

For example to determine proximity to a power station for research

purposes.

23. Where a flow recipient has a genuine “need to know” name/address, but the

recipient already holds name and address for the patient, only NHS number

and confirmation data should be sent to identify the patient. Confirmation

data are items like date of birth and postcode that confirm the identity of the

patient. Sending name and address is likely to be justified if:

• the name and address sent may be more current than the recipient’s

source of data;

• retrieving name and address adds an unacceptable administrative

burden for the recipient, particularly if the recipient is a health care

professional; eg nurse, doctor rather than an administrator;

• the recipient’s requirement to make use of personal details is urgent;

• the recipient or sender has not got access to name/address through

another identifier such as the NHS number.

24. In the longer term, the aim should be that the NHS number and confirmation

data are sent electronically and name and address or other patient-identifiable




Rule 2: Where there is a “need to know” name and address it should

be retrieved locally wherever possible

data required by the recipient are found on the receiving system and

displayed to the recipient if needed. If a match cannot be found on the

receiving system either a message should be sent back to the sender or the

NHS Strategic Tracing Service used to find the missing data. The functionality

for this search and retrieve should be within the system and invisible to the

user. In the shorter term the NHS should strive to achieve high presence of

the NHS number and improved data quality on all patient registers, so that

when data is exchanged electronically the matching can be done effectively.

25. When tracing records, maximum patient data may be required, for example if

there is a lack of confidence in data quality. When there is a high level of

confidence that a match will be found fewer patient-identifiable data items

are needed. Many instances exist where name and address are currently used

within data flows to verify a patient’s identity, but not needed for other

purposes. In these situations every effort should be made to use other

patient identifiers which are less revealing and remove name and address.

The viability of doing this will depend on many factors: the need for an exact

patient match, data quality, manual or electronic exchange of information etc.

See the publication General Principles in the use of the NHS number

(reference C3228) for further guidance.

26. In some instances this may mean that new data items, such as date of birth,

need to be added to a flow to replace name or that specific measures to

improve the data quality of the NHS number and other confirmation data

items are needed before name can be removed.

27. For each flow proposed for change you should assess the benefit, risk and

cost. When looking at risk, you should take the following indicators into

account:

• the risk of information being inappropriately disclosed;

• the impact of information being disclosed;

• sensitivity of the data;

• the expected life of the information system and the proposed change

(whether manual or computerised);

• the accessibility of the personal data to casual browsing by authorised




Rule 3: Where identifiable data is needed to trace a patient, name and

address may be justified in the short term

Rule 4: Flows should be prioritised for change by examining the

extent that the confidentiality gain exceeds the risk and cost

users, and to confidentiality breaches by unauthorised users;

• the volume and frequency of the flow locally;

• the level of user support for the change, and the risk that benefits might

be reduced because of non-compliant users.

28. You should take the following factors into account when estimating cost:

• the one-off costs of changes to the affected system, any dependant

systems and in guidance / training users;

• the potential side-effects of proposed changes, such as risks to patient

care, probity, data quality etc;

• recurring costs resulting from change, if any exist.

29. This rule applies primarily to electronic flows. Where name and/or address

are not needed, but the cost of changing the data flow content is prohibitive

or not worthwhile, particularly in legacy systems, consider removing name

and address from display in the receiving system. Future design of systems

should not include name and address in electronic flows unnecessarily.




Rule 5: If the cost of changing a flow exceeds the benefits or is

prohibitive, consider the case for removing name and address

once the data has reached the recipient

Appendix 1: Commissioning Flows

What do we mean by commissioning data flows?

All data flows exchanged to enable monitoring of services for commissioning, both

between providers of services and their commissioners and also data flows exchanged

between departments within provider organisations to assign activities to service

agreements and monitor activity levels against them.

Why look at commissioning data flows?

The Caldicott Report recommended that name and address should not be used in

commissioning data sets because there is rarely a need to identify the individual. It

recommended that where there is a need to link records as part of service agreement

monitoring or when using commissioning data sets for planning and research that NHS

number should be used and that name and address should not be used.

DO look at…

• the compilation of commissioning data sets. Make sure that name and

address are not sent unnecessarily by patient care service departments to

the information or contracting department within trusts to enable

commissioning data sets to be compiled. Points to note include;

• checking if activity could be reported using NHS number and date of

birth only;

• could the data flow be more automated to preserve patient privacy by

providing it on disk or via a direct electronic link?

• data flows to enable verification of service agreement activity levels.

Patient activity data is sometimes sent by the information or contracting

department within a trust to service directorates to check that the activity

levels for specific service agreements are correct. Points to note include:

• checking if monitoring is really required for every activity or if sampling

could be done;

• seeing if contract assignment checking can be automated, so that

operators only see potential errors;

• seeing if the procedure for collecting the commissioning information can

be improved so that checking is not needed;

• commissioning minimum data sets (CMDS) as defined by CRIR. The

DSCN 08/98/P08 stated that name and address should be removed when

the NHS number is present from commissioning data sets exchanged

between service providers and their commissioners from April 1999;

• summary patient activity data sent to primary care groups or general

practices. It is likely that some primary care groups or GPs will still




require activity data. Make sure that they actually check every activity

against their records if a full activity list is required. If this is not done

see if aggregate data would suffice.

Examples from piloting

Listing of all pathology tests provided monthly to GPs by Birmingham

Heartlands NHS Trust.

This listing is sent to GPs that have requested it, detailing all pathology requests

within a month. In some instances this is a large quantity of data. A national NHS

number Caldicott primary care workshop found that a number of general practice

managers stated that they received similar data flows, but did not have time to

check each patient and as a result did not use the data at all. In response to this

Birminghams Heartlands have written to all of their GPs asking what their

information requirements will be from April 1999 for primary care groups and

suggesting that they should only seek full activity data listing by patient if they plan

to check each record.

HISS print out of renal dialysis contract assignment sent from Birmingham

Heartlands Business Development Unit to the Renal Directorate.

This listing is needed because there are two renal contracts and confusion does

arise in assigning patient activity to the correct contract. Currently name and

hospital number are included. Steps are being taken to populate the renal register

with the NHS number so that this can be used in conjunction with hospital number

in the future. The unit is also considering exchanging the data on disk and

automating the checking to lessen the operator intervention.




Appendix 2: Clinical audit

What do we mean by clinical audit?

Clinical audit departments carry out clinical audit projects where, put simply, they

investigate whether the right things are being done in the right way. It is also

worth looking at other things that clinical audit departments take responsibility for,

such as research, that may be outside of the strict definition of audit, but are still

likely to include patient-identifiable data like name, address, and date of birth.

Why look at clinical audit?

It is an area where a lot of patient-identifiable data are exchanged that is not part of

the direct clinical care process. This presents opportunities for improving patient

confidentiality by omitting unnecessary patient information.

When are patient-identifiable data needed?

The National Centre for Clinical Audit (NCCA) and a group of clinical audit

representatives from different NHS organisations concluded that patient-identifiable

data are only required in limited circumstances. The table overleaf shows what

data are justified for various clinical audit purposes.

DO look at...

• standard forms used in the health care process that are copied and

sent to clinical audit

• printed patient labels: these often contain more patient data than

needed

• use of faxes: this is not a confidential way to communicate and can

easily be mis-directed

• whether you use date of birth where you could use year of birth and

address where you could use postcode

• whether you unnecessarily put the title of the audit on patient listings

(e.g. review of patients with a history of mental illness) thereby

revealing confidential patient information

DON’T look at...

• national audit flows to bodies like the National Confidential Enquiry

into Peri-Operative Deaths (NCEPOD). Such flows are under review

and the relevant bodies will inform you of any changes.

The following table can be used when reviewing clinical audit flows to identify

whether the amount of patient data used is excessive for purpose.







Clinical audit purpose Example Patient data typically required

Linking clinical audit patient data A nurse records data about One of the following: NHS

back to another data set where a selected cancer patients using the number, hospital number, or an

certain match can be made. casenotes and sends it to clinical identifier created specifically for

audit. An identifier, like hospital the study.

number, is sent to provide a link

back to the set of cancer patient

records.

Tracing and matching across An audit of patient outcomes for NHS number plus a confirmation

patient data sets where making a emergency patients in one data item such as hospital

match is not certain. Trust involves using a patient number, date of birth, or

identifier to match patient data postcode.

collected by ambulance drivers

against patient data collected by

the accident and emergency

department.

Auditing, where data are relevant Ethnic group and sex are used in Year of birth, postcode,

to the audit itself (e.g. date of a study investigating equality of occupation, sex, ethnic group.

birth is relevant when reviewing access to health care services.

perinatal deaths).

Enabling direct contact to be Name and address are needed to Name, address,

made with the patient or their send a questionnaire to patients telephone number,

representative. that have left hospital in order to postcode, sex, year of birth.

assess clinical outcomes.

Following standards / legal Patient name is required by law Various.

requirements (e.g. completing an on abortion notifications

abortion notification). (note, this is now under review).

Appendix 3: Information Department

What do we mean by the Information department?

A functional area of an NHS organisation that collects, analyses and disseminates

information on behalf of the organisation.

Why look at the Information Department

This is a good area to review because it is the focus for many dataflows about

patients, but not directly related to delivering patient care.

DO look at…

• flows to information from sections/departments providing direct patient

services.

• all flows from information departments that contain patient-identifiable

data.

• ad-hoc requests for information. Information departments are frequently

asked for one off information to support research, audit or planning

purposes. Often lists of patient details are requested, when in fact all

that is needed is aggregated data, anonymised data or possibly

individual patient data given a meaningless identifier. Many staff

requesting data prefer to be given the raw data so that they can

manipulate it as they like, rather than allowing the information

department to do the analysis for them. Procedures should exist to

govern when information department staff should provide patient-

identifiable data. This should include the requirement for a justification

for any requests for named data. This procedure should be applied,

even if the request has been approved by the local ethics committee,

as it is possible that such committees focus their attention on whether

the data flow is justified without examining the detail of individual data

items requested.

• other areas managed within the information department that are listed

in this appendix. It is likely that a number of other functional areas

highlighted for review, such as clinical coding and medical records will

be managed within the remit of the information department. Hence

this is a very good starting point that enables review of a number of

functional areas.

DON’T look at…

• any analysis of aggregated data that does not contain patient

identifiable data.




Appendix 4: Clinical coding

What do we mean by clinical coding?

Clinical coding encompasses the function of assigning coding classifications to

clinical diagnosis and procedures for each episode of care undertaken. The staffing

structure to support this varies between trusts. Some have dedicated clinical coding

departments and others having designated coders within individual patient service

areas. The data flows to support this function should be reviewed, regardless of

how the function is structured.

Why look at clinical coding?

A significant amount of patient-identifiable data flows from clinicians to clinical

coders to support clinical coding. The National Centre for Clinical Coding

recommends that coding is done directly from patient case notes. However only

about 50% of the NHS do this. The other 50% use various proformas for coding,

such as the KMR1 forms, discharge letters and discharge summaries. It is the use of

proformas for coding which you should review.

When are patient identifiable data needed?

Clinical coders need enough data on coding proformas to ensure that they locate

the correct episode on the master patient index. Research undertaken by

Birmingham Heartlands NHS Trusts suggests that patient tracing can be achieved

using a combination of hospital number, NHS number, episode number, episode

date, and date of birth. The trust found that even if two or three data items were

missing for each patient, that an accurate match could be made, especially as the

details of the diagnosis and procedures within each episode also help to verify that

the correct patient is selected on the master patient index. This suggests that name

and address could be removed from coding proformas. However it is likely that

this will not be possible because the proforma serves multiple purposes some of

which require name and address:

Birmingham Heartlands found that the proformas were used by medical secretaries

who referred to them in the casenotes to find the patients address when writing out

to them. The secretaries viewed the KMRI forms as being the most reliable source

of up to date data.

Other trusts use their discharge letters as coding proformas and produced up to

four part forms for the GP, the patient, the case notes and clinical coding. Hence

whilst clinical coding do not need name and address other uses justified their

presence. See section 3.8 regarding how to handle multi-part stationary.

DO look at…

• whether clinical coding proformas are used and if they serve multiple

purposes.

• the opportunities to separate data collected for clinical coding from

other data flows so that name and address need not be collected. For

example by automating the clinical coding process. As you develop




the electronic patient record and move towards more direct inputting

by clinicians of diagnosis and procedure information you should be

able to automate the coding process so that coding is done directly

from data within the system. Build in access controls that provide the

clinical data to the coders, or data entry clerks if coding done by the

clinicians, without displaying name and address on the screens that

they routinely review.

DON’T look at…

• clinical coding if coding is done directly from the case notes or by

clinicians, as access to name, address etc is then unavoidable.




Appendix 5: Medical Records

What do we mean by medical records?

Most trusts have one or more departments that are the custodian of medical records.

They take overall responsibility for the records and store and retrieve them for use by

other trust staff. This function typically covers other activities such as supporting

clinics, collecting bed state information and admitting patients.

Why look at medical records?

The medical records function typically gets large quantities of requests from all areas

of the trust to pull individual patient records. In most cases maximum patient-

identifiable data are likely to be provided to assist in tracing the correct set of records.

However as the Caldicott principles are more widely applied over time there should

be scope to improve patient privacy by using hospital number or NHS number, date

of birth and postcode to trace patient records and exclude name. The benefit in

doing this is not in preserving patient privacy within the medical records department,

whose staff will see patient name on the records as soon as they are pulled anyway,

but to preserve patient privacy on other dataflows which may require medical records

to be pulled as a secondary purpose.

For example NCEPOD, the National Confidential Enquiry into Peri-Opertive Deaths

has asked that notifications to them include the NHS number instead of name. For

each peri-operative death reported the notifying consultant is subsequently asked to

provide more details about the death. From now on, NCEPOD will only correspond

back to the relevant consultant using the patient’s NHS number. Therefore to

preserve patient privacy throughout the chain of information exchange it would be

preferable if the request for the records from medical records could be made using

NHS number.

Medical records departments will have to look hospital number up on the master

patient index if records are requested using the NHS number before they can search

for the case notes. This requires the ability to search the master patient index using

NHS number. Any systems which cannot do this should be changed urgently as this

requirement has now been in place for three years.

DO look at…

• requests for records where the patient’s identity is known.

• patient lists/statistics produced by medical records and sent to other

departments.

• the implications for medical records when reviewing data flows within

other functional areas and whether a privacy gain made on another data

flow can be extended to include requests for records that may be

required as a secondary data flow.

• the different types of requests for records routinely made. If these could

be categorised by their purpose, rather than the source of the request it




may be that some categories lend themselves to being selected using

less patient-identifiable data. Once grouped together findings can be

applied across a number of specialties making similar types of

requests.

• improving confidentiality if records are filed alphabetically by patient

name. This does not aid patient privacy and should be changed.

DON’T look at…

• flows supporting direct patient contact, for example clinic lists.




Appendix 6: Patient Care Services

What do we mean by patient care services?

Service areas, such as directorates, departments and teams, that are responsible for

providing direct services to patients. This includes health care teams providing

mental health, community and acute services through doctors, nurses and

paramedical professionals. It applies to all service areas where care is provided

directly to patients, so it excludes specimen pathology but includes radiology.

Why look at patient care services?

Patient care services are at the centre of health care activity, these service areas

generate many flows within and outside the NHS that contain patient-identifiable

data. Reviews carried out within Birmingham Heartlands and Solihull NHS Trust,

Enfield Community Care NHS Trust and Bradford Community NHS Trust suggested

that most of these flows are justified. However, some flows do not relate directly to

the care being provided to individual patients, and it is these flows that should be

reviewed.


Most of the data flows in these areas directly support individual patient care, and

need full patient-identifiable data (including name and address), particularly at

initial referral. These data are needed to enable patient contact (face-to-face, letters,

telephone etc.) and to enable proper patient records to be maintained. Such flows

need not be reviewed. Full patient data may not be necessary in other flows

around the “edges” of patient care, and these should be reviewed against the

review rules to ensure that the recipient has a genuine need for the patient data

received.

DO look at...

• flows to support research and audit;

• flows to regional bodies;

• flows to voluntary bodies (e.g. patient support organisations - consent

may be necessary);

• flows to information and contracting functions;

• clinical coding flows;

• flows to multiple recipients (e.g. discharge notifications);

• clinic lists;

• flows to public health;

• flows to update patient records - could they be made electronic?;

• flows to and from other organisations (although whether a flow is

internal or external does not affect justification);




• flows supporting payment of domiciliary consultations;

• preparation and issuing of statistics;

• flows supporting service planning and monitoring;

• waiting list flows;

• flows relating to patient monies and property;

• patient complaints processing

It is not necessary to look at

• flows to clinicians and patients relating to direct patient care;

• referrals and patient service requests (e.g. patient transport requests);

• patient admission / registration forms;

• assessments, reviews and care plans;

• central returns and statutory flows;

• flows to medical records requesting patients to be traced;

• death notifications;

• notifications of infection.




Appendix 7: Pathology

What do we mean by pathology?

Any organisation, or part of an organisation, that accepts human specimen test

requests, analyses specimens and returns reports and test results. This excludes

tests carried out on people (e.g. radiology), rather than specimens.

Why look at pathology?

Pathology is part of the direct clinical care process, but it does not involve direct

contact with patients, which is the prime reason for needing patient-identifiable data

like name and address. A lot of patient-identifiable data are sent, but are not all of

these are required throughout the pathology process. This makes pathology a good

area to investigate.


Most items of patient-identifiable data are needed at some stage, but not

throughout, the pathology process. Pathologists provide clinical opinions about

patients and may need patient name for their records or when discussing a case

with another clinician. When processing test requests from community clinics, it is

sometimes necessary to submit patient address so that it may be forwarded to the

health authority, so that they may update their records with what may be a more

up-to-date address. Date of birth and sex are used to inform a pathologist’s clinical

judgment.

DO look at...

• whether address can be removed from internal Trust flows (e.g. ward

to laboratory).

• whether name and other patient-identifiable details are removed /

concealed from specimen labels during the analysis process (it is

common practice for laboratories to assign a unique number to the test

request when received, and these provides a link back to the patient).

• reports printed from laboratory systems to see if they unnecessarily

contain name and other patient-identifiable details.

• increasing the presence and accuracy of the NHS number in laboratory

systems (both standalone and those linked to patient administration

systems) since, in the medium to long term, the NHS number could

enable patient-identifiable data to be retrieved locally rather than from

the request.

DON’T look at...

• removing name from test requests and removing name from results

returned to the test requestor until you are sure that the data quality

supports accurate matching without them.




Appendix 8: HA/GP Communications

What do we mean by HA/GP communications?

This area covers all dataflows that support the delivery of primary care, including

the management of GP patient registration and items of service claims.


In theory many exchanges of data between GPs and Health Authorities which relate

to patient management and GP funding could take place using the NHS number

and confirmation data items and excluding name and address. The NHS number is

used as the primary key on the Health Authority patient register and on all GP

registers and considerable effort is undertaken routinely to ensure that the GP and

Health Authority patient registers are kept in harmony.

However in practice very few flows can be changed. This is because a small

minority of GP practices are still not computerised or only hold very minimal details

on their computer. Such practices do not have easy access to the NHS number and

still rely on patient name as their main matching tool. Unfortunately this minority

has prevented a number of flows from being changed, because the Health

Authorities do not have the capability to split a data flow and send named data to

manual practices and unnamed to computerised practices. This is why this business

area is low priority for your data flow review.

There are a number of steps that can be taken in the primary care area to help

prepare this area for change in the future. You should work with the Health

Authority Patient Registration Manager to:

• increase the use of registration and IOS links;

• increase automatic claims processing for IOS linked practices;

• improve data quality within automatic IOS claims;

• increase the presence of the NHS number on manual IOS claims;

• review GPs information requirements for primary care groups and

ensuring that activity data is not sent unnecessarily.

DON’T look at

• individual patient data flows to primary care.




Appendix 9

QuestionnaireHow to complete this questionnaire

Who should complete it?

The person responsible for reviewing dataflows in each NHS organisation, reporting

to the Caldicott Guardian, should use the questionnaire to record the information

provided by key recipients of data.

What is the purpose of the questionnaire?

To assist NHS organisations to identify where they can remove unnecessary patient-

identifiable information in data flows.

Why do we need this information?

The Caldicott committee made many recommendations about protecting the privacy

of patients. They found that some data flows within the NHS contain unnecessary

data about patients. They suggested that the NHS should review these dataflows

and remove any unnecessary information that was not strictly required. (Later in this

questionnaire we provide a summary of situations which justify including patient-

identifiable information).

How do you complete this questionnaire?

We suggest that you proceed as follows:

• Read the section on Reviewing Information Flows in the Caldicott

Guardians manual: Protecting and using information

• Follow the recommended work-plan to identify data flows for review

• Use the questionnaire for each recipient of each data flow you select

for review

• Meet with each recipient to complete section 1 of the questionnaire

• Complete section 2 of the questionnaire for each flow where there is a

question mark about some or all of the identifiable data items

contained

• Refer back to the Caldicott manual when you have completed the

questionnaires, for next steps




Questionnaire completed by: ............……………………………………………………..

Date completed: ................................................................................................................

.............................................................……………………………………………………..

Data flow name: ................................................................................................................

............................................................……………………………………………………...

Data flow originated by (Name /department):

(i.e. who creates the dataflow?) .......……………………………………………………...

Purpose(s) of the data flow:

(Describe in your own words what the flow is for)

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

Recipients name and department: Please list all known recipients and tick box to

indicate which recipients the completed questionnaire relates to.

……………………………………………………..□

……………………………………………………..□

……………………………………………………..□

……………………………………………………..□




Section 1

Q1. What is the purpose of the patient identifiable data items in the data

flow you receive? Please tick as many boxes as apply

Q2. Which of the following patient-identifiable data are contained in the

data flow you receive?




Reason for requiring patient identifiable information tick box

A To contact a patient □

B To visit or write to the patient □

C To use in epidemiological research □

D To aid decision making about the patient’s care □

E To confirm the area of residency of the patient □

F To set up or update a patient record/registration □

G To comply with statutory requirements □

H To use as a matching tool to link with existing patient data sets □

I Other, please specify □

□

□

Please tick as many boxes as apply

Forename □

Surname □

Address □

Postcode □

NHS number □

Date of birth □

Others (please specify if you think it may be relevant to your review) □

□

The table below lists the items that are suggested should be used for the purposes

outlined in Q1.

Q3. Is the inclusion of all of the patient-identifiable information in the

flow that you are reviewing justified? Compare the data items used with

those recommended in the above table and, more generally, apply the review

rules outlined in the guidance on Reviewing Information Flows.

Please tick box

Q4. If your response to Q3 is Yes, can name or address be retrieved locally

to avoid having to send them in the data flows? If you obtain patient-

identifiable data locally rather than from data flows there is less

likelihood of the patient-identifiable information being seen.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

(If your response to Q3 is No, section 2 of the questionnaire will need

to be completed.)




Reason for requiring patient- Patient-identifiable informationidentifiable information that should support this use

A To contact a patient Names

B To visit or write to the patient Names, address, NHS number, post code

C To use in epidemiological research Names, address, dob, post code

D To aid decision making about the Dobpatient’s care

E To confirm the area of residency Post codeof the patient

F To set up or update a patient Names, address, post code, dobrecord/registration

G To comply with statutory Names, address, dob, NHS number,requirements

H To use as a matching tool to link NHS number, dob, post codewith existing patient data sets

Yes □ No □ Unsure □

SECTION 2

Q5. If your response to Question 3 was No or Unsure, What data items are

possibly not justified?

Q6. What steps could you take to remove the items identified in Question

5? Apply the review rules in the guidance.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Q7. How desirable is it that you make change in the data flows to remove

the information you have identified as unjustified. (Apply review rule 4).

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––




Item not (or possibly not) justified See notes below. Please tick

Forename □

Surname □

Address □

Postcode □

NHS number □

Date of birth □

Others (please specify) □

Q8. What is the cost justification? (Apply rule 4).

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Q9. What are your conclusions on changes which could be made to

remove patient-identifiable information from the data flow. Summarise

here your specific recommendations about what are the specific items of

patient-identifiable information data which you believe could be removed

from the data flows you receive?

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Q10. What are the next steps? Describe here what actions need to be taken to

make the changes you have identified.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Thank you for assisting with the review and helping to remove unnecessary

patient-identifiable information from data flows.




Summary of Existing GuidanceIntroduction

1. Although there is considerable guidance available on different aspects of how

the NHS should go about protecting and using confidential patient

information, it is not always easy to locate the relevant guidance on a

particular issue. This section of the manual provides an overview of

Department of Health guidance and is intended as a navigation aid for

Guardians. There is no escaping the fact, however, that this is a complex and

often controversial area. Guardians are advised to err on the side of caution

and to seek advice on issues if they are uncertain (see Support and Advice).

Conflicting Guidance

2. Reflecting a lack of legal clarity, complex ethical dimensions and the different

viewpoints of different sections of society, the guidance on some issues may

reflect the perspective of the issuing body and conflict, at least in part, with

guidance issued by other bodies. The Department of Health consults widely

prior to issuing guidance and its official publications aim to reflect a balanced

and legally defensible viewpoint. At the end of the day however, guidance is

simply guidance and responsibility for decisions made inevitably rests with

individual organisations.

Key issue: The Common Law Duty ofConfidence

3. In general, any personal information given or received in confidence for one

purpose may not be used for a different purpose or passed to anyone else

without the consent of the provider of the information. This duty of

confidence is long established at common law, but there are conflicting legal

views on how the common law might apply in particular circumstances. The

Department of Health is working with the General Medical Council, the

Medical Research Council, the Data Protection Commissioner and other key

interests to clarify how the law should be interpreted in the health sector.

4. The Department of Health’s guidance to the NHS is that, with proper

safeguards, the duty of confidence need not be construed so rigidly that,

when applied to the NHS or related services, there is a risk of it operating to

the disadvantage of a patient or to the public generally. The underlying

principle is that it is in everyone’s interests that the NHS functions efficiently

and effectively and makes best use of the resources available to it.



Summary of Existing Guidance 1

Existing Guidance

Department of Health Publications

5. The Protection and Use of Patient Information, issued under cover of

HSG(96)18 in March 1996, provides guidance on how the common law duty of

confidence impacts upon those working in the NHS. Copies of this guidance

can be obtained from:

Confidentiality Issues

Room 3E58

NHS Executive HQ

Quarry House

Leeds LS2 7UE

6. Ensuring Security and Confidentiality in NHS Organisations, issued by

the NHS Executive’s Security and Data Protection Section in February 1999.

This replaces the IM&T Security Manual issued in 1996, but additionally

contains guidance on implementing an awareness programme for staff and

specific guidance on IM&T Security for the Nursing Profession. Copies of this

guidance can be obtained from:

Security and Data Protection Programme

NHS Executive HQ

15 Frederick Road

Edgbaston

Birmingham

B15 1JD

7. The Management of Health, Safety and Welfare Issues for NHS Staff,

issued under cover of HSC 1998/64 on 30 April 1998, provides guidance on the

specific issues facing Occupational Health staff. Copies of this guidance can be

obtained from:

Employment Issues Branch

NHS Executive HQ

Quarry House

Leeds LS2 7UE

8. Handling confidential patient information in contracting: A Code of

Practice, issued under cover of EL(92)60 in 1992, provides guidance on the

operation of safe-havens but includes sections on the use of fax machines

and telephones.

9. Guidance on Video Recording NHS Operations: issued by the NHS

Executive in December 1996 under cover of a letter from the Chief Executive.

This guidance outlines best practice in respect of filming NHS procedures.




10. Access to Medical Reports Act 1988: the NHS Executive has not previously

provided guidance on this Act, which is a relatively straightforward piece of

legislation, but a summary of its provisions are included here.

11. Guidance on Public Access to Medical Records is in preparation as this is

now covered by the Data Protection Act 1998. Guidance on the wider

provisions of this Act is also in preparation and will be issued shortly by the

Department of Health.




The Protection and Use of PatientInformation

12. This guidance relates primarily to the impact of the common law but includes

many useful references. The headings used in this summary reflect the

chapter headings in the document.

Basic Principles

13. The guidance outlines basic principles underlying the need to safeguard

confidentiality, including the common law, Data Protection legislation and

professional ethical duties of confidence. Patients need to be fully informed

of the planned uses of information but it is neither practicable nor necessary

to seek specific consent each time information needs to be passed on for a

particular purpose.

14. Information may be passed to someone else:

• With the patient’s consent for a particular purpose

• For NHS purposes, including the provision of care and the effective

and efficient management of healthcare services

• It is a statutory requirement or is in response to a court order

• The public interest in passing the information on outweighs the duty

of confidence to the patient and the public interest in the NHS

preserving confidentiality.

Keeping Patients Informed

15. All NHS bodies must have an active policy for informing patients of the kind

of purposes for which information about them is collected and the categories

of people or organisations to which information may need to be passed. The

process by which this may be achieved is described (see also the relevant

part of the section on Organisational Performance in this manual). Consent to

sharing information for NHS purposes can be implied if a patient has been

informed and does not object. Keeping patients informed is good practice

even where the public interest in information being shared outweighs other

considerations.

16. Patients’ right of access to their own health records is also briefly described,

though the references are mainly to the Data Protection Act 1984, the

Access to Health Records Act 1990 and the Access to Personal Files Act

1987 (relevant to local authority social services). These three Acts will be

replaced by the Data Protection Act 1998 during the second quarter of

1999 (Guidance on this new Act is in preparation and will be sent to

Guardians when available). Reference is also made to the Access to

Medical Reports Act 1988 which will remain in force when the new Data

Protection Act comes into force (guidance on this Act is included within this

manual).




Safeguarding Information

17. Every NHS organisation, all staff and all those carrying out work on behalf of

the NHS have a legal duty of confidence to patients. Health professionals also

have professional codes and ethical duties of confidence. Data Protection

legislation criminalises some activities and there are statutory restrictions

relating to fertility treatment and sexually transmitted diseases.

18. Individual organisations remain responsible for decisions to disclose

information and they should take particular care to respect patient’s wishes

unless there are overriding considerations (disclosure required by law, the

court, or where the public interest is sufficiently weighty).

19. Unauthorised disclosure of information by members of staff or by people

working under contract to the NHS is a serious matter. Disciplinary action

should be considered, legal action may result and health professionals may

be subject to action by their regulatory bodies. In their own interests and

those of patients, all staff must be made aware of the possibly severe

consequences of breaching patient confidence.

20. Aggregated and anonymised information should be used wherever

practicable in preference to identifiable information, but disclosure should

still only be for justifiable purposes.

21. The guidance provides specific advice on patients unable to give consent,

children and young people, co-ordinating care with social services and other

agencies, patients who are offenders, patients receiving social security

benefits, protecting public health, teaching and research.

Passing on Information for Other Purposes

22. Information should only be passed to relatives, friends and carers with the

permission of the patient. NHS staff should ensure that patients understand

the implications of not sharing information with those who provide care.

23. Statutory requirements and the powers of the High Court to require

disclosure are outlined. Disclosure in the public interest is considered (NB in

the public interest, not of interest to the public), including conditions that

should be satisfied before disclosing information to the police.

Supplementary material

24. The annexes to the guidance provide the core information that should be

passed on to patients (reproduced in the annexes to this manual), references

to certain statutory restrictions on passing on information and the definition

of “serious” crime taken from the Police and Criminal Evidence Act 1984.




Ensuring Security and Confidentiality in NHSOrganisations

25. Although a variety of useful material is included in this resource pack for

those required to run IM&T security awareness raising programmes, the key

guidance is set out in the section titled the NHS IM&T Security Manual.

26. The guidance sets out, in some detail, the roles and responsibilities of

different staff groups in relation to information security. It examines the role

of senior management in setting objectives and developing an information

strategy and looks at the elements of a supporting information security policy.

An example of an information security policy is included.

27. The information security policy should provide a clear operating framework

for the organisation. Its key elements include security management

responsibilities, an assessment of threats and vulnerabilities, counter-measures

adopted and security incident management procedures.

28. Implementation of the information security policy should be the responsibility

of an information security officer and the core responsibilities of this post are

clearly defined.

29. The guidance provides detailed advice on a wide range of, mainly technical,

topics including:

• Assets Inventory

• Risk Assessment

• Counter-Measures

• Equipment Security

• Access Control – including physical access, logical access, data

ownership, user registration, and password control

• Security Incidents

• Virus Controls

• Business Continuity

• Housekeeping

• Monitoring & Review




The Management of Health, Safety andWelfare Issues for NHS Staff

30. Occupational Health staff should develop an Occupational Health policy

with their colleagues in personnel/human resources to be made widely

available throughout the organisation. Local policies should be consistent

with guidance published by the Department of Health and should include

explicit references to the guidance relating to confidentiality provided by the

GMC and UKCC. Occupational Health Service’s (OHS’s) will find it useful to

include the confidentiality principles published by the GMC in their policy

statement so that staff and colleagues are aware of the constraints placed on

the service.

31. In certain circumstances it may be necessary to disclose information in the

interests of others. Disclosure may be necessary in the public interest where

a failure to disclose information may expose a patient, or others, to risk of

death or serious harm. In such circumstances you should disclose information

promptly to an appropriate person or authority. Such circumstances may

arise, for example, where:

• a colleague who is also a patient is placing patients at risk as a result

of illness or other medical condition.

• Disclosure is necessary for the prevention or detection of a serious

crime.

32. Every effort should be made to try to persuade the individual to be honest

about their medical condition or whatever matter is causing the concern, or

at least to give the occupational health professional permission to speak of it.

If the individual cannot be persuaded to give permission, where there is a

foreseeable risk of serious harm or death, it will be necessary to breach

confidentiality. In all such cases the reasons for reaching the decision should

be fully documented and, if practicable, a Consultant Occupational Physician

should be involved in the decision making process. Employers should have

in place agreed processes for dealing with such circumstances.

Seeking more detailed information prior to recruitment

33. In the small number of cases where the amount or nature of sickness

absence, or other factors, suggests that the applicant may be unsuitable for

the post offered, and further information is required concerning past medical

history this may be obtained from the applicant’s GP. This process will

require the applicant’s signed consent and they must be told precisely what

information is being requested and why before their fully informed consent

can be obtained. A copy of the person’s consent together with a copy of

their Occupational Health questionnaire should be sent to the GP with the

request for specific information.




34. The OHS should make clear what information they are seeking from the

applicant’s GP, taking account of the Access to Medical Reports Act 1988

and the Data Protection Act 1998 (which will repeal the relevant sections of

the Access to Health Records Act 1990), advising the applicant of their

rights and respecting confidentiality of any clinical information obtained.

Because this service falls outside the provision of general medical services,

GPs can be expected to charge employers for this service. Direct

arrangements for meeting these fees must be clear.

Retention of Records

35. Information given by a patient or obtained from previous employers or

education providers (with the applicant’s consent) about medical history

including sickness absence, relevant hospital admissions and medications

should be recorded. This information should, if the person is recruited, form

part of the OH record.

36. OH records should be markedly different from other hospital records and

should be stored in a secure place preferably within the OH department.

Each employee must have an individual record that includes immunisation

history, responses to vaccination, health monitoring activities and referrals. It

is recommended that records be kept for a minimum of 10 years after the

date of the last entry or longer if required by particular legislation (for

example, Asbestos Regulations stipulate 40 years for exposure over a certain

level; Ionising Radiation Regulations 50 years).

37. It is recommended that copies of clinical OH records held by a previous

employer or institution are, where necessary, obtained by the OH

Department with the written consent of a new employee. Continuity of

records is very important in the context of Occupational Health and requests

for OH records, where the individual employee has provided written consent,

should be satisfied as quickly as is practicable.

38. For further information and guidance on the provision of Occupational

Health services please contact the Employment Issues Branch of the NHS

Executive, Quarry House, Leeds LS2 7UE.




Handling confidential information incontracting: A Code of Practice

39. Although this guidance was issued specifically to safeguard the transfer of

confidential information in the contracting environment, the Code of Practice

relates to the operation of safe-havens – designated contact points through

which confidential information should pass when being transferred from

organisation to organisation (see Controlling Access for more detail).

40. Additionally, the Code includes guidance on the use of paper mail, fax

machines and telephones.

Fax Machines

41. The guidance recommends that:

• Fax machines should be placed in a secure location, preferably within

the boundaries of a safe-haven, and the room housing the machine

must be locked when unattended.

• Outside of normal working hours, fax machines should be switched off

or locked in cupboards whilst still switched on. Alternatively, a

password protected computer could be used to receive and store faxed

data.

• Measures should be taken to minimise the risk of mis-dialling e.g.

programming frequently used numbers into fax machines and always

checking that numbers are up to data and entered correctly.

• Clinical information should, wherever possible be faxed without

accompanying patient administrative details, with a linking identifier,

either the NHS Number or a local identifier, being used to make the

link. If all the information needs to be faxed, confirmation should be

sought that the first part of the information is in the right hands prior

to faxing the remainder.

• It is good practice to always seek confirmation that a fax has been

received.

Telephones

42. The guidance recommends that:

• It is important to establish the type of information that may be

disclosed or received over the telephone and how it should be

recorded.

• The risk of disclosing information to the wrong person must be

minimised. The use of call back procedures using published telephone

numbers should be considered.




Guidance on Video Recording NHSOperations

43. There are a number of legitimate reasons for videoing NHS operations,

including:

• when the video is an essential part of a patient’s record;

• when the video is to be used as a training aid for health professionals

and medical students;

• when the video is intended to provide public information in support of a

clearly understood NHS purpose.

44. It is not intended that these legitimate recordings be curtailed in any way -

context and the judgement of clinicians must remain paramount - but every

care must be taken to ensure that guidelines on confidentiality are followed

and that the informed consent of patients and medical staff is obtained where

appropriate. Wherever possible, consent should be obtained in writing.

Operational Procedures

45. All staff, whether medical or administrative, should be aware of the policies

and procedures of the organisation which aim to protect patient information

and the uses to which it may legitimately be put. (Guidance on “The Protection

and Use of Patient Information” refers).

46. A contract should be drawn up and signed by the filmmaker and an

appropriate representative of the Trust - e.g. the Head of the Department

involved. This should provide a clear statement of the Trust’s arrangements to

protect patient confidentiality, should clarify which individuals will be filmed

and put in place the necessary safeguards to ensure that informed consent is

obtained. The contract should detail the legitimate purpose of the video and

provide the following controls:

i. control over the process of making the film, e.g. what access the film

maker has to wards or operating theatres;

ii. control over the final version of the film. This is especially important if

the film is being made for public information;

iii. clear restrictions, or if appropriate prohibitions, on the “selling on” or

secondary usage of video footage.

47. Authority to grant permission for a film crew to enter Trust premises should

rest with an appropriately senior member of the Trust, and permission should

only be given after a contract has been signed.

48. In some instances, regular preparation of video recordings can be anticipated, for

example as part of training in interview skills for health care professionals. Trusts

may wish to develop a model contract for use in specified circumstances.




Access to Medical Reports Act 1988

49. This Act was introduced “to establish a right of access by individuals to reports

relating to themselves provided by medical practitioners for employment or

insurance purposes and to make provision for related matters”.

50. An individual has the right, subject to certain exemptions specified in the Act,

to access any medical report relating to him or herself which is to be, or has

been, prepared by a medical practitioner for employment or insurance

purposes. The individual if he wishes to exercise this right must, before the

report is supplied to a third party, tell the practitioner of his intent.

51. The patient always has the right to stop the practitioner from supplying the

report to a third party. If the patient does not ask to see the report before it

is sent he or she is considered to have given implicit consent for the supply

of the report to a third party. Similarly, if the patient asks in advance to see

the report (ie before it is supplied) but then 21 days elapse without the

individual contacting the practitioner, then implicit consent is considered to

have been given. However, if the individual does view the report within the

21 day time limit he may stop the supply of that report to a third party.

52. The individual is entitled, before giving consent to the supply of the report,

to request the medical practitioner to amend any part of the report which the

individual considers to be incorrect or misleading. In this eventuality, two

courses of action are open to the practitioner:

• to accede to the request, and amend the report accordingly, or

• to refuse to amend the report, in which case a statement of the

individual’s views in respect of the report shall be attached to the

report.

53. The Act specifies exemptions to the patient’s right of access which, rarely,

might require that access to part or all of a report may be denied. Most

importantly, if any information contained in the report would, in the opinion

of the medical practitioner, be likely to cause serious harm to the physical or

mental state of the individual, or to others, the practitioner is within his rights

not to give the individual access to parts or all of the report in question. In

addition, any part of the report that would be likely to reveal information

about another person who has supplied information to the practitioner about

the individual, cannot be disclosed to the individual unless:

• he person supplying the information has consented, or

• the person supplying the information is a health professional and the

information was supplied in that capacity.




54. Practitioners should, in the context of reports to third parties, provide medical

facts only and should not speculate about a patient’s lifestyle. Doctors should

respond to such questions by referring the third party back to the patient. It

is particularly important that this is applied to all requests for information

from employers and insurance companies to ensure that groups of patients

are not categorised by default.

55. Some medical facts are protected by specific legislation and should not be

relayed to third parties on the basis of implicit consent as described in

paragraph 3. Information relating to treatments governed by the Human

Fertilisation and Embryology Act 1990, the NHS (Venereal Diseases)

Regulations 1974 and the NHS Trusts (Venereal Diseases) Directions 1991,

should not be included in reports without the explicit written consent of the

individual concerned. Where a practitioner considers such information to be

relevant to the third party’s request, he should seek the consent of the

individual to its inclusion and should abide by the individual’s wishes unless

there are strong public interest reasons for breaching confidentiality.




Support & Advice for GuardiansIntroduction

1. This manual aims to provide straightforward guidance on the key tasks that

need to be addressed by NHS organisations, but beyond that, the intention is

that it should serve as a resource for Guardians, identifying and summarising

key guidance, flagging up sources of advice and highlighting training

opportunities. It is also intended that the manual should be updated regularly

when new material becomes available.

2. A dedicated Caldicott web site is also being developed to act as a repository

of important material and a notice board for new developments. Guardians

will be informed of the web site address when it is available. The possibility

of a discussion/news group service is also being considered.

Networking

3. Guardians may wish to establish local networks either within Health Authority

areas or more widely. These may productively be Health Authority based with

all PCGs and local NHS Trusts being included. Social Services and other

partner organisation should also be included once they have equivalent

Guardian structures in place.

4. Wider networking may also prove desirable, e.g. between Health Authorities

and across Health Authority boundaries for NHS Trusts. The NHS Executive

Regional Offices will facilitate and support Guardian networking if required.

5. Networking will enable Guardians to share best practice, obtain the advice of

their peers on pressing problems and identify whether issues are likely to be

national significance.

Training for Guardians

6. Training seminars have been arranged by the NHS Executive to provide

Guardians with an opportunity to familiarise themselves with their new role and

the tasks that need to be completed in the first year. A schedule of planned

events is on the next page.

7. Anyone interested in attending a seminar should contact Helen Williams,

Security and Data Protection Programme, NHS Information Management Centre,

15 Frederick Road, Edgbaston, Birmingham B15 1JD. Tel. 0121 625 1997.



Support and Advice for Guardians 1

8. The training seminars aim to provide delegates with an opportunity to ask

questions and explore issues with fellow Guardians.

• By the end of the session the delegates will:

• Understand the strategic nature of the Guardian role

• Appreciate the scope and extent of Guardian responsibilities

• Know when and where to seek support and advice

• Understand what is required of Guardians and their organisations in

the first year in terms of:

• The first management audit of current practice and procedures

• Preparing the first annual improvement plan

• Introducing registered access to the NHS Strategic Tracing

Service

• Developing clear protocols to govern the disclosure of patient

information to other organisations

Schedule of Seminars: Caldicott Guardians

9. Places will be allocated on each seminar on a first come first served basis, but

additional seminars will be arranged if the demand is sufficient. The possibility

of running additional seminars for Scotland and Wales is currently being

discussed with the Scottish Office and the Welsh Office respectively.




VENUE 1 2 3 4

Taunton 16 March 26 April 29 April 20 May

Chesterfield 25 March 13 April 4 May 25 May

Milton Keynes 17 March 7 April 15 April 22 April

Birmingham 18 March 8 April 14 April 26 May

Darlington 23 March 20 April 6 May 19 May

Wigan 21 April 5 May 12 May 18 May

South Thames 15 March 30 March 1 April 27 April

North Thames 31 March 28 April 11 May 27 May

10. A second round of seminars is provisionally planned for early in the year 2000

– at the present time it is thought that these might focus on specific issues that

have arisen during the year.

Sources of Advice for Guardians

Subjects

Confidentiality Issues Section i. General Confidentiality Issues

NHS Executive HQ ii. Implementing the Caldicott

Quarry House Recommendations

Leeds LS2 7UE iii The Role of Guardians

iv. Access to Health Records

National Confidentiality Forum 1 i. Issues, concerns and problems

C/O Confidentiality Issues Section that need to be resolved at a

NHS Executive HQ national level

Quarry House

Leeds LS2 7UE

Security and Data Protection Programme i. General IM&T Security Issues

Information Management Centre ii. NHS IM&T Security Manual

NHS Executive HQ iii. Running IM&T Security

15 Frederick Road Awareness Programmes

Edgbaston

Birmingham B15 1JD

Departmental Records Officer i. Retention of Health Records

Department of Health

Skipton House

80 London Road

London SE1 6LH

Data Protection Commissioner i. Data Protection Act Issues

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

1 The Confidentiality Forum is an interim body that is currently taking stock of the issues and concerns

that need to be resolved at a national level. It was set-up at the request of the Clinical Systems Group,

a committee chaired jointly by the CMO and the CNO that represents many key bodies and groups,

pending the result of consultation on the need for a new National Advisory Body for confidentiality

and security issues. The Forum includes the chairs of three existing groups, the Caldicott

Implementation Steering Group, the Security and Encryption Programme Board and the Security and

Confidentiality Advisory Group.




Professional Standards

11. The bodies that regulate the activities of health professionals produce codes

of Practice and guidance on standards.

For Doctors:

The General Medical Council

178 Great Portland Street

London W1N 6JE

For Nurses, Midwives and Health Visitors:

The United Kingdom Central Council for

Nursing, Midwifery and Health Visiting

23 Portland Place

London W1N 4JT

For the Professions Supplementary to Medicine:

Council for Professions Supplementary to Medicine

Park House

184 Kennington Park Road

London SE11 4BU

For Dentists:

General Dental Council

37 Wimpole Street

London W1M 8DQ

For Opticians:

General Optical Council

41 Harley Street

London W1N 2DJ

For Pharmacists

Royal Pharmaceutical Society of Great Britain

1 Lambeth High Street

London SE1 7JN




Annex A

Core Information for Patients

We ask you for information so that you can receive proper care and treatment.

We keep this information, together with details of your care, because it may be

needed if we see you again.

We may use some of this information for other reasons: for example, to help us

protect the health of the public generally and to see that the NHS runs efficiently,

plans for the future, trains its staff, pays its bills and can account for its actions.

Information may also be needed to help educate tomorrow’s clinical staff and to

carry out medical and other health research for the benefit of everyone.

Sometimes the law requires us to pass on information: for example, to notify a birth.

The NHS Central Register for England & Wales contains basic personal details of all

patients registered with a general practitioner. The Register does not contain clinical

information.

You have a right of access to your health records

EVERYONE WORKING FOR THE NHS HAS A LEGAL DUTY TO KEEP

INFORMATION ABOUT YOU CONFIDENTIAL.

You may be receiving care from other people as well as the NHS. So that we

can all work together for your benefit we may need to share some

information about you. We only ever use or pass on information about you

if people have a genuine need for it in your and everyone’s interests.

Whenever we can we shall remove details which identify you.

Anyone who receives information from us is also under a legal duty to keep

it confidential.

If you agree, your relatives, friends and carers will be kept up to date with

the progress of your treatment.



Annex A 1

THE MAIN REASONS FOR WHICH YOUR INFORMATION MAY BE NEEDED

ARE:

• giving you health care and treatment

• looking after the health of the general public

• managing and planning the NHS. For example:

• making sure that our services can meet patient needs in the

future

• paying your doctor, nurse, dentist, or other staff, and the

hospital which treats you for

• the care they provide

• auditing accounts

• preparing statistics on NHS performance and activity (where

steps will be taken to ensure you cannot be identified)

• investigating complaints or legal claims

• helping staff to review the care they provide to make sure it is of

the highest standard

• training and educating staff (but you can choose whether or not to

be involved personally)

• research approved by the Local Research Ethics Committee. (If

anything to do with the research would involve you personally, you

will be contacted to see if you are willing )

[ If at anytime you would like to know more about how we use your

information you can speak to the person in charge of your care or to ......]

[The list of reasons for which information is needed should incorporate all

the information uses included within protocols agreed with partner

organisations (see Protocols)]



Annex A 2

© Crown CopyrightProduced by Department of Health15279 5088 1P 2k Mar 99 (MPS)

CHLORINE FREE PAPER

protecting and using patient information - hscic guidance...where local circumstances dictate that...

Documents