In the current health climate and the fight against COVID-19, access to health data is essential, but should not come at the expense of protecting patients' confidential information. In line with this, a consultation is underway in relation to revising and expanding the Caldicott Principles by the National Data Guardian for Health and Social Care (NDG). The consultation seeks to clarify the use of, and access to, confidential information within the health and social care sector and between health and social care organisations, third party organisations and, most importantly, patients.
The Caldicott Principles (named after Dame Fiona Caldicott, following her 1997 report into patient-identifiable information) set out the minimum standards that organisations must adhere to when processing patient personal data. The NDG recognises the ongoing importance and application of the existing Caldicott Principles whilst acknowledging that they should be expanded to encompass all patient data (personal or otherwise). In addition, they should provide the public with greater guidance, clarity and transparency as to their rights and expectations when dealing with the NHS or Local Authority adult social care providers, and private companies or charities which are delivering services to them.
The consultation proposes a number of revisions to the existing Caldicott Principles, in addition to the current general recommendation that a health professional is nominated at each health organisation to act as a Caldicott Guardian and be responsible for safeguarding the confidentiality of patient data.
The proposed amendments to the Caldicott Principles include:
- replacing "personal data" references with "confidential information", broadening the application of the existing Principles and providing greater uniformity with other NHS and patient data sharing requirements and guidance; and
- introducing an eighth Principle focused on transparency and the importance of informing patients and service users about how their confidential information is to be used so that their expectations can be managed and met.
The proposed new eighth Principle takes into account the development of the law of confidence, and the notion of a "reasonable expectation of privacy" since the passing of the Human Rights Act 1998. It appears to be closely related to the concepts of "fairness" and "transparency" in data protection law.
Data has been critical in the response to COVID-19, from being the basis of Government advice on lockdowns and quarantine, to understanding how COVID-19 affects different societal groups. In order to enhance the search for a vaccine, NHS organisations have given third-party organisations access to NHS-held data which has resulted in public interest in how the Government and third parties use and share patient data.
The consultation is not only timely but also an important means of engaging with, informing, and empowering the public and health professionals. When processing patient information, fairness and transparency are crucial and, in this moment of increased public interest, the NDG has a unique opportunity to embed trustworthy governance and practices in how NHS-held data is managed.