Caldicott and Data Protection

For every patient visit to the hospital, as an inpatient or outpatient, data is stored on computer systems and added to medical records. This allows our clinicians and other medical staff to make informed decisions about each individual's condition and treatment with respect to their healthcare history. It is vital to maintain the accuracy of this information as a record of their care if it is to be useful in the future. It is also essential that these records, both written and digital, are kept secure and that access is restricted to specific staff members.

The Caldicott review and the Data Protection Act 1998 impose strict legal guidelines on the storage and maintenance of, and access to, patient information. The Freedom of Information Act 2000 and the Information Governance initiative both support the need to maintain the principles of effective confidential data control.

In this section, we have reproduced the guidance from the NHS Surrey Health Community with regard to these issues. Each staff member is given this guide at their induction to the Trust and this is supported by regular events to promote good practice.

What is Caldicott?

The review committee into the use of patient information in the NHS, chaired by Dame Caldicott, recommended six principles to improve the handling and protection of these records. Dr Mike Baxter is the Caldicott Guardian for Ashford and St Peter's Hospitals NHS Trust.

Whilst the information management principles are not a legal requirement, they are seen as essential to support the requirements of the Data Protection Act.

The six Caldicott principles are:
  1. Justify the purpose(s) of using confidential information
  2. Only use it when absolutely necessary
  3. Use the minimum that is required
  4. Access should be on a strict need-to-know basis
  5. Everyone must understand his or her responsibilities
  6. Understand and comply with the law

What is the Data Protection Act 1998?

In March 2000, the Data Protection Act 1998 became law and applies to all organisations. It covers computer and manual records across all departments where patient information may be collected and used. The Act sets standards that must be satisfied when personal data is:

There are eight data protection principles, under which personal data must be:
  1. Processed fairly and lawfully

    This means that the data subject should be informed about why their information is being collected, what is going to be done with it and how it may be shared.
  2. Processed only for specified purposes

    This is a requirement to only use the information for the purpose under which it was obtained.
  3. Adequate, relevant and not excessive

    Only collect the information you require and know how it is to be used.
  4. Accurate and kept up-to-date

    Input information carefully to ensure it is accurate and have appropriate mechanisms in place to check that it is up-to-date.
  5. Not kept for longer than necessary

    Follow the retention and disposal guidelines as detailed in the Trust's Records Management Policy.
  6. Processed in accordance with the rights of data subjects

    The subject of the data has rights to access, prevention of processing, and compensation if their rights are not maintained.
  7. Protected by appropriate security

    Each organisation needs good information management practices and guidelines on IT security. This includes staff training and confidentiality clauses in employment or other contracts where security may be an issue. Access and disposal policies should be maintained in line with existing regulations.
  8. Not transferred outside the European Economic Area without adequate protection

    Only send personal information outside the EEA if consent has been obtained and it is adequately protected (this includes websites).
In conclusion, the principles stated above mean the information must be: