Caldicott Guardians


Draft Consultation Paper - Caldicott Guardians

Introduction

1. In the light of the requirements set out in The Protection and Use of Patient Information issued under HSG(96)18 that person-identifiable information (see Annex C) should only be transferred for justified purposes and that only the minimum necessary information is transferred in each case, the Caldicott Committee was set up to review all patient-identifiable information which passes from NHS organisations in England to other NHS or non-NHS bodies for purposes other than direct care, medical research or where there is a statutory requirement for information.

2. Ministers welcomed the Caldicott Report, published on 9 December, and agreed to the implementation of the sixteen recommendations it contained (see the Executive Summary at Annex B).

3. The Caldicott Committee had found that patient-based information is used to satisfy a range of justifiable and valid service requirements. However, the Committee felt that there were concerns about both the amount of person-identifiable information being transferred and the capacity of the NHS to limit access to those who truly need to know.

4. The NHS Executive has established a programme of work to implement the Caldicott Recommendations. This work will include action to promote use of the new NHS number as a coded identifier and to raise awareness of the importance of confidentiality throughout the NHS, with specific attention being paid to senior managers.

5. A number of the Caldicott recommendations focused directly on the need to develop a new framework for handling the confidential person-identifiable information which is currently used for a range of important, but non-clinical, purposes. Following these recommendations, we need to:

  • establish a framework of individual responsibility - under the leadership of Guardians of patient information who will normally be senior health professionals - to safeguard and govern the uses made of patient information within NHS organisations;

  • develop national frameworks for local protocols governing multi-agency uses of patient based information;

  • hold NHS organisations accountable, through clinical governance, for continuously improving confidentiality and security procedures governing access to and storage of person-identifiable information in accordance with the Caldicott Report.

6. This paper seeks views on guidance for Guardians and on the operation of the Guardian role in different settings.

7. Attached to this paper, at Appendix 1, is an additional consultation document covering the protocols which should govern access to the NHS Strategic Tracing Service by NHS staff, ie use of the NHS number to obtain other patient information such as name and address. These protocols provide a model of access management which can be extended within NHS organisations to cover most business functions. This is clearly extremely relevant to the Guardian role, and the Caldicott Implementation Steering Group would also welcome views and comments on this model.

Caldicott Guardians

8. The principles developed in the Caldicott Report aim to establish the highest practical standards for handling confidential information and therefore apply equally to all routine and ad hoc flows of patient information whether clinical or non-clinical, in manual or electronic format.

9. The Caldicott Report envisages that organisational Guardians should be responsible for agreeing, monitoring and reviewing protocols governing access to person-identifiable information by staff, within their own organisations, wherever there is scope for local flexibility. Guardians should ensure that local protocols address the requirements of national guidance / policy and law. This is the internal Guardian role.

10. The Guardian should also be responsible for agreeing, monitoring and reviewing protocols governing the use of person-based information across organisational boundaries e.g. with social services and other partner organisations contributing to the local provision of care. These protocols should underpin and facilitate the development of the local Health Improvement Programmes heralded in the White Paper "The New NHS, Modern, Dependable". This is the external Guardian role.

Who should be the Guardian?

11. The Guardian should be, where practicable, a senior health professional with access to the most senior tier of management within an organisation. When making this appointment, it is the responsibility of individual organisations to ensure that the individual selected has the seniority and authority to exercise the necessary influence on policy and strategic planning and carries the confidence of his or her colleagues. In being appointed by, and having direct access to, the chief executive of the organisation, the Guardian should be seen as separated from other management/sectoral influences, thereby engendering confidence in their independence and integrity. When appointing Guardians, organisations should bear in mind the possibility of a conflict of interest arising between the individual's Guardian role and other duties eg where disciplinary proceedings might be involved.

12. Whilst Health Authorities and NHS Trusts should have little difficulty identifying an appropriate Guardian, it is more difficult at the present time to identify appropriate Guardians for other settings, particularly for the primary care sector. However, this guidance applies to health authorities, Trusts and primary care settings equally. Some primary care organisations, e.g. large GP practices, may warrant their own Guardian. The NHS Executive will continue to develop proposals for other settings, and would welcome views as part of this consultation exercise.

13. Although it may be desirable for staff to support the Guardian in his/her work, it is implicit that responsibility is not delegated. In particularly large organisations it may be necessary to divide the Guardian responsibilities between two individuals, for example separating the Internal and External Guardian roles, but too great a spread of the duties by sharing or delegation would dilute the focus and therefore the effectiveness. In cases where the duties are so split, one Guardian should retain over-arching responsibility.

The Internal Guardian Role

14. It is not intended that the Guardian should assume or have delegated responsibility for all aspects of confidentiality, or for IM&T security. However the Guardian should liaise closely with IM&T Security Managers and others charged with similar responsibilities, to ensure that there is no duplication/omissions of duties. Whilst these roles may be combined in a small organisation, for Health Authorities and NHS Trusts it is essential that the Guardian be a senior health professional with access to the top management tier of the organisation and be in a position to influence policy and strategic direction on information handling and appropriate safeguards.

15. The Guardian should ensure that protocols governing the storage of, and access to, this information are in place when person-identifiable information is received or collected by an NHS organisation, whether for clinical care or other purposes.

16. Guardians should also take into account existing "safe-haven" arrangements in their organisations. The guidance on safe-havens was primarily aimed at creating a physically-secure environment for handling contracting information, but its principles can be applied to the handling of all confidential information (EL(92)60 refers). Annex F gives more detailed information on the "safe-havens" guidance.

Access to Confidential Information: Need to Know

17. Some sensitive person-identifiable information is directly protected by statute, reflecting particular concerns, e.g. the need to ensure that people with certain conditions are not afraid to seek treatment. However, in the interests of patients and the public the Department of Health believes that there are compelling reasons for treating all person-identifiable information as extremely sensitive and that all such information should receive equivalent protection.

18. This creates an extremely important principle which should guide the development of protocols governing the uses of confidential person-identifiable information for purposes other than the direct provision of care, namely that:

- Only those who are involved in the direct provision of care or with broader work concerned with the treatment or prevention of disease in a population should normally have access to items of information which would allow them to identify an individual.

19. The Guardian should determine, for each business process, whether it is concerned with the treatment and prevention of disease in a population. This fundamental judgement should divide business processes, and the staff who are concerned with them, into two clear categories:

i. Access permitted on a controlled basis; and

ii. No access, other than on a closely controlled exception basis (eg data quality officer and other IM&T staff), to information which would enable them to identify individuals.

Access Permitted on a Controlled Basis

20. Once the judgement has been made that a business process justifies access to confidential person-identifiable information on a controlled basis, it is then necessary to determine which items of person-identifiable information (e.g. name, date of birth, NHS Number etc) are essential to the task.

21. The Caldicott Committee supported the use of a simple, but detailed and transparent, assessment which would facilitate monitoring and review. For each business process, it should be possible to justify each individual's or each staff group's access to each individual item of information. Where access cannot be justified, it must not be given and mechanisms should be developed to restrict access. An example assessment is set out in Annex D.

22. A recommended, but not yet finalised, model for structuring access has been developed to govern access to the NHS Strategic Number Tracing Service. The Caldicott Implementation Steering Group is consulting on this model in parallel to consultation on the Guardian role - they are clearly closely linked.

Access not normally permitted

23. Information to satisfy business purposes, where it has been determined that there should be no routine access to person-identifiable information, should be aggregated or anonymised by the removal of identifiers prior to it being made available to staff. Coded identifiers used to distinguish individuals and link records during the operation of these business functions, e.g. the NHS Number, should only be seen by staff who are not routinely permitted access to the facilities for linking the identifier with other person-identifiable information.

24. The Guardian may need to exercise judgement where, for example, two or more closely associated business processes require different access to person-identifiable information but involve the same staff. Where practicable the principle of restricting access within each business function should be followed, particularly where information is held and manipulated electronically, and if this is not practicable the situation should be regularly reviewed.

25. Where there is, on an exceptional basis, a need for staff who do not have routine access to person-identifiable information to temporarily, or intermittently, have access, the process should be approved by the Guardian and closely controlled. This may occur for example when available information is found to be incorrect, incomplete or inconsistent. The minimum necessary person-identifiable items needed to satisfy the need for more detailed information should be accessed. Care should be taken to ensure that staff, in these circumstances, are never able to link the identity of individuals to statutorily protected information. The Guardian will need to investigate and monitor instances where these arrangements have been accessed on an emergency basis without prior approval.

The External Guardian Role

26. There is a degree of tension between the need to safeguard confidential person-identifiable information and the need to ensure that confidentiality does not itself become a barrier to the effective and seamless provision of appropriate care (including healthcare, social care, and public health initiatives). This tension can be minimised if all those involved in the provision of care have a clear and shared understanding of the way in which confidential person-identifiable information should be transferred, safeguarded and used.

27. The external Guardian should also ensure that procedures are in place governing emergency/exceptional requirements for the transfer of person-identifiable information. An example of this is interprofessional warnings where there is a potential danger to the public. In such instances, if the Guardian is not available to give prior authorisation for the release of the information, the incident should be logged for subsequent review by the Guardian.

28. A sample protocol, based on existing good practice, was developed for the Caldicott Committee and included within their final Report. This is reproduced at Annex E. This protocol, adapted and expanded as necessary to accommodate local circumstances, should be used as the basis for local dialogue between NHS and non-NHS bodies. This process may be facilitated by the local Health Authority as part of its responsibility for leading on the development of local Health Improvement Programmes as set out in the White Paper "The New NHS". Protocols which build confidence in the information sharing process should underpin the operation of the Health Improvement Programme. The Guardian should be responsible for agreeing, monitoring and reviewing all locally agreed protocols governing the sharing of confidential person-identifiable information. Non-NHS organisations should be encouraged to identify an individual in their organisation whose responsibilities would mirror those of the NHS Guardian and who would be able to ensure that their side of the protocol was honoured.

General Responsibilities

29. All staff are legally required to keep information confidential, and the appointment of a Guardian does not diminish this responsibility. If the Guardian identifies any weaknesses in skills or lack of awareness of guidance in staff that could be strengthened by training, he should ensure that this is brought to the attention of the appropriate senior management in the same way as any other procedural failing.

INITIAL ACTION TO BE TAKEN

30. The Chief Executive or senior manager of each organisation to appoint/identify a Guardian and agree responsibilities, authority and reporting procedures, by 31 October 1998.

31. Upon appointment, the Guardian, working with the IM&T security manager and others involved with confidentiality and IT security in the organisation, to carry out an audit of existing procedures for handling confidential person-identifiable information and of the purposes for which it is used.

32. This management audit will inform an initial stocktake report for the consideration of senior management covering the following core areas:

- overall confidentiality "health-check" assessment of the organisation, including existing codes of conduct, induction procedures, training needs, risk assessment, IT physical security, quality of information supplied to public and patients etc;

- review of existing flows of person-identifiable information, the purpose(s) for which they flow, and, where there is no national requirement or guidance which applies, the justification for using each item of person-identifiable information etc, applying the principles developed by Caldicott;

- review of database construction and management where person-identifiable information is stored, in the light of the principles developed by Caldicott;

- proposals for staff group access levels to the NHS Number Strategic Tracing Service (see NSTS consultation paper);

- details of existing protocols governing exchange of person-identifiable information with other organisations and areas where such protocols are needed;

- an action plan to address any deficiencies identified.

33. Once the report has been signed off by the senior management/Board, copies should be sent to the individual, located at either the Health Authority or the NHS Executive Regional Office, who is responsible for monitoring clinical governance activity in the organisation.

ANNEX A

PROPOSED DUTIES AND RESPONSIBILITIES OF THE GUARDIAN

The Guardian should be responsible for the establishment of procedures governing access to, and the use of, person-identifiable information within the organisation, and, where local flexibilities exist, the transfer of such information from the organisation to other bodies. In agreeing local procedures and protocols the Guardian should ensure consistency with any relevant central requirements and guidance.

The Guardian should understand and take account of the principles developed in the Caldicott Report, the codes of conduct provided by professional bodies, and guidance on the Protection and Use of Patient information and on IM&T security disseminated by the Department of Health.

  • All routine uses of person-identifiable information should be documented and justified. Ad hoc requests for information, for non-clinical purposes, should be rigorously scrutinised and justified.

  • All access to person-identifiable information by any staff should be governed by procedures and protocols agreed by the Guardian and made clear to all staff. Monitoring arrangements should be put in place e.g. as the responsibility of the IM&T Security Manager.

  • Access should be on a strict need to know basis, and access to each item of information e.g. name or date of birth, should be robustly justified to the Guardian's satisfaction.

  • Emergency procedures for overriding access restrictions, e.g. during Public Health emergencies, should be clearly understood by all staff and occasions where they are invoked should be documented and subsequently monitored by the Guardian.

  • Protocols governing the sharing of person-identifiable information with other organisations should be signed off by the Guardian. Monitoring arrangements should be put in place.

  • Confidentiality "health-checks" should be carried out annually and a report prepared for the most senior management tier of the organisation. This should be monitored externally by those responsible for monitoring clinical governance activity.

ANNEX B

THE CALDICOTT REPORT

EXECUTIVE SUMMARY

i) In the light of the requirements in The Protection and Use of Patient Information (DoH, 1996) and taking into account work undertaken by a joint Department of Health and British Medical Association Working Group which has been considering NHS Information Management and Technology (IM&T) security and confidentiality, the Chief Medical Officer established the Caldicott Committee to review all patient-identifiable information which passes from National Health Service (NHS) organisations in England to other NHS or non-NHS bodies for purposes other than direct care, medical research, or to satisfy statutory requirements for information.

ii) The purpose was to ensure that patient identifiable information is only transferred for justified purposes and that only the minimum necessary information is transferred in each case. Where appropriate, the Committee was asked to advise whether action to minimise risks of breach of confidentiality would be desirable.

iii) The work of the Committee was carried out in an open and consultative manner. Written submissions were sought from many organisations to identify existing concerns, and members of the Committee have met with representatives of a number of key bodies. Working groups containing a wide range of health professionals and managers were established to consider related groups of information flows and to take soundings on emerging findings.

iv) Some 86 flows of patient identifiable information were mapped relating to a wide range of planning, operational or monitoring purposes. Some of these flows were exemplars, representing locally diverse information flows with broadly similar characteristics and purposes.

v) The Committee was greatly encouraged to discover that, within the context of current policy, all of the flows identified were for justifiable purposes. However, a number of the flows currently use more patient-identifiable information than is required to satisfy their purposes. Also many of the patient-identifiers currently used (eg name and address) could be omitted if a reliable, but suitably controlled, coded identifier could be used to support identification.

vi) It was recognised that some flows of information were likely to be missed and that flows commence, evolve or are discontinued with such frequency that specific recommendations could soon date. Although specific recommendations have been included where appropriate, in general the recommendations reflect this evolving picture by developing a direction of travel, outlining good practice principles and calling for regular reviews of activity within a clear framework of responsibility.

vii) Good Practice Principles:

Principle 1 - Justify the purpose(s)

Every proposed use or transfer of person-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 - Don't use person-identifiable information unless it is absolutely necessary

Person-identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3 - Use the minimum necessary person-identifiable information

Where use of person-identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 - Access to person-identifiable information should be on a strict need-to-know basis

Only those individuals who need access to person-identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Principle 5 - Everyone with access to person-identifiable information should be aware of their responsibilities

Action should be taken to ensure that those handling person-identifiable information - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect confidentiality.

Principle 6 - Understand and comply with the law

Every use of person-identifiable information must be lawful. Someone in each organisation handling confidential information should be responsible for ensuring that the organisation complies with legal requirements.

viii) Summary of Recommendations

Recommendation 1: Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly.

Recommendation 2: A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS.

Recommendation 3: A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.

Recommendation 4: Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information.

Recommendation 5: Protocols should be developed to protect the exchange of patient identifiable information between NHS and non-NHS bodies.

Recommendation 6: The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated.

Recommendation 7: An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered.

Recommendation 8: The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers.

Recommendation 9: Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used.

Recommendation 10: Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored.

Recommendation 11: Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage.

Recommendation 12: Where practicable, the internal structure and administration of databases holding patient identifiable information should reflect the principles developed in this report.

Recommendation 13: The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible.

Recommendation 14: The design of new systems for the transfer of prescription data should incorporate the principles developed in this report.

Recommendation 15: Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted.

Recommendation 16: Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

ANNEX C

Person-Identifiable Information

The Caldicott Committee suggested that the key items of information which could be used to establish a person's identity were:

  • NHS Number

  • Local Identifier (i.e. hospital or GP Practice Number)

  • Name

  • Address

  • Postcode

  • Date of Birth

  • Other Dates (i.e. death, diagnosis)

  • Sex

  • Ethnic Group

  • Diagnosis/treatment

Other items of information may, in exceptional circumstances, be combined to identify an individual, but for most routine purposes these are the items which need to be safeguarded. However, items of information fall within a spectrum of identifiability based on the nature of the item and the context. The NHS Number is a better identifier than all but the most unusual of names if the observer has access to the NHS Strategic Tracing Service or other database containing further details. Without this access, and lacking other information, it does not function as an identifier.

Name and address are very strong identifiers, particularly when both are available, and the presence of either in a data set should be thoroughly justified when the business function is not the direct provision of care. The other items of information are individually not capable of identifying a specific person in all but the most exceptional circumstances, but when combined with other items of information the likelihood may increase significantly.

A test of reasonableness should be imposed when considering whether access to particular items of information is likely to result in an individual's identity becoming apparent. Staff should not, without the authorisation of the organisational guardian, have access to information which relates to a living individual:

- who can be identified from that information (or from that and any other information in his possession) by any means likely to be available to them; or

- whom the staff are likely to identify from information likely to be provided to them by any other person.

ANNEX D

Example of detailed justification

Contracting & Commissioning - Admitted Patient Care General Episode

| Person-Identifiable Information \ Purposes | Health needs assessment incl. small area statistics | Health outcome monitoring | Strategic development | Performance management and contracting | HES reporting |
|---|---|---|---|---|---|
| Address         |   | X |   |   |   |
| Date of Birth   | X | X | X | X | X |
| Ethnic Origin   | X | X | X | X |   |
| HA of residence |   |   | X | X |   |
| Name            |   | X |   |   |   |
| NHS Number      |   | X |   | X |   |
| Postcode        | X | X | X | X | X |
| Sex             | X | X | X |   | X |

ANNEX E

SAMPLE FRAMEWORK FOR THE SHARING OF PERSONAL INFORMATION BETWEEN NHS AND NON-NHS BODIES THROUGH ORAL REPORTS, WRITTEN RECORDS AND COMPUTER SYSTEMS

1. Outline

1.1 This framework document contains six sections:

  • Objectives of a locally agreed protocol

  • General Principles governing the sharing of personal information

  • Setting Parameters for sharing personal information

  • Defining Purposes for which personal information is required

  • Holding personal information, access and security

  • Ownership of information and the rights of individuals

2. Objectives

2.1 To set parameters for the sharing of information between agencies which contribute to the health or social care of an individual.

2.2 To define the purposes for holding personal information within each agency.

2.3 To define how personal information should be held within each agency and who should have access to this information.

2.4 To define which information is designated as health services information and which is designated as social services information and to specify the rights of access to each for individuals as required by legislation.

3. General Principles

3.1 Whilst it is vital for the proper care of individuals that those concerned with that care have ready access to the information that they need, it is also important that service users and their carers can trust that personal information will be kept confidential and that their confidentiality rights are respected.

3.2 All staff have an obligation to safeguard the confidentiality of personal information. This is governed by law, their contracts of employment, and in many cases by professional codes of conduct. All staff should be made aware that breach of confidentiality could be a matter for disciplinary action and provides grounds for complaint and legal action against them.

3.3 Although it is neither practicable nor necessary to seek an individual's specific consent each time that information needs to be passed on for a particular purpose that has been defined within this protocol, this is contingent on individuals having been fully informed of the uses to which information about them may be put. All agencies concerned with the care of individuals should satisfy themselves that this requirement is met.

3.4 Clarity about the purposes to which personal information is to be put is essential, and only the minimum identifiable information necessary to satisfy that purpose should be made available. Access to such information should be on a strict need to know basis.

3.5 If an individual wants information about themselves to be withheld from someone, or some agency, which might otherwise have received it, the individual's wishes should be respected unless there are exceptional circumstances. Every effort should be made to explain to the individual the consequences for care and planning, but the final decision should rest with the individual. [But see also para 4.5 below.]

3.6 The exceptional circumstances which override an individual's wishes arise when the information is required by statute or court order, where there is a serious public health risk or risk of harm to other individuals, or for the prevention, detection or prosecution of serious crime. The decision to release information in these circumstances, where judgement is required, should be made by a nominated senior professional within the agency, and it may be necessary to take legal or other specialist advice.

3.7 Where information on individuals has been effectively aggregated or anonymised, it is not governed by this protocol. However, care should be taken to ensure that individuals cannot be identified from this type of information, as it is often possible to identify individuals from anonymised information when it is combined with other limited data, e.g. age and post code may be sufficient.

4. Setting Parameters

4.1 There should be a nominated senior professional, within each agency covered by this protocol, responsible for agreeing amendments to the protocol, monitoring its operation, and ensuring compliance.

4.2 Personal information should be transferred freely between the agencies who have agreed and are complying with this protocol, for the purposes it defines. A regularly updated register of individuals who need access to personal information, and the defined purpose for which they need this access, shall be made available to each agency concerned.

4.3 If appropriate, service level agreements can be used to establish standards for sharing information, e.g. speed of response.

4.4 Specific consent is required prior to personal information being transferred for purposes other than those defined in this protocol, unless there are exceptional circumstances as outlined above.

4.5 Where individuals are unable to give consent, the decision should be made on the individual's behalf: in the case of minors, depending on their age and ability to understand, by their parents; for others by those responsible for providing care, taking into account the views of patients and carers, with the individual's best interests being paramount. Where practicable, advice should be sought from the nominated senior professional and the reasons for the final decision should be clearly recorded.

5. Defining Purposes

5.1 There will be a range of justifiable purposes to be locally agreed. The following list is not exhaustive and covers internal NHS purposes only:

  • delivering personal care and treatment

  • assuring and improving the quality of care and treatment

  • monitoring and protecting public health

  • managing and planning services

  • contracting for NHS services

  • auditing NHS accounts and accounting for NHS performance

  • risk management

  • investigating complaints and notified or potential legal claims

  • teaching

  • statistical analysis

  • medical or health services research

6. Holding information, access and security

6.1 Staff should only have access to personal information on a need-to-know basis, in order to perform their duties in connection with one or more of the purposes defined above. Clinical and professional details should be available to all those, but only those, involved in the care of the individual.

6.2 Each agency will ensure that they have mechanisms in place to enable them to address the issues of physical security, security awareness and training, security management, systems development, site specific information systems security policies, and systems specific security policies.

6.3 Each agency will take all reasonable care and safeguards to protect both the physical security of information technology and the data contained within it.

6.4 All information systems will be effectively password protected and users will not divulge their password nor leave systems active whilst absent.

6.5 All personal files and confidential information must be kept in secure, environmentally controlled locations when unattended, e.g. in locked storage cabinets, security protected computer systems etc.

6.6 Keys to lockable storage cabinets should be held only by staff who require regular access to the information they contain. Keys must be held in a secure place.

7. Ownership of information and the rights of individuals

7.1 Whilst written and computerised records will be regarded as shared between the agencies, an individual's right of access to the information contained in the records differs when it has been provided by a health professional from when it has been provided by Social Services staff.

7.2 Any health professional contribution to records maintained by Social Services staff, whether a letter, a case record or a report, must be clearly marked as such, and where practicable, kept in a closed part of the file. Social Services staff cannot grant access to this information without written authorization from the appropriate health professional.

7.3 The reverse also applies. NHS staff cannot grant access to Social Services information without written authorization.

ANNEX F

SAFE-HAVENS: SUMMARY GUIDANCE

Introduction

1. Guidance on the operation of "safe-haven" arrangements for safeguarding information transferred for contracting purposes was sent out under cover of EL(92)60.

2. Although intended to support contracting procedures, this guidance can be extended to cover all procedures for transferring person-identifiable information between organisations. Guardians are strongly recommended to consider how this might be achieved in their particular organisational setting.

3. The key principles, updated to incorporate the Guardian role, are summarised below.

  • Each organisation should establish "safe-haven" administrative arrangements to safeguard confidential person-identifiable information.

  • "Safe-haven" procedures should be comprehensive and cover:

    - Management arrangements

    - Staff roles and responsibilities

    - Physical location

    - Procedures for handling information

    - Controls on disclosure of information

    - Storage, archiving and destruction of information

  • "Safe-haven" procedures should be approved by the Guardian and fully documented. Overall responsibility for ensuring that the procedures are adhered to rests with the Senior Manager/Chief Executive.

  • All members of staff (including, for example, switchboard operators and post room staff) should be made aware, at least in general terms, of the policies and procedures surrounding safe-haven access.

  • All confidential person-identifiable information should enter and leave the organisation via the "safe-haven". The access controls agreed by the Guardian should dictate which members of staff internally may have access to which parts of this information, and the Guardian-agreed protocols for sharing information should govern all external transfers and access.

Published by the NHS Executive
© Crown Copyright 1999
This page last updated 24 April 1999