Why Caldicott Principles and Caldicott Guardians are still relevant in 2020
National Data Guardian Dame Fiona Caldicott discusses the outcome of her consultation about Caldicott Principles and Caldicott Guardians and the use of data during the pandemic.
Today we have published the outcomes of a consultation that we held earlier this year about the Caldicott Principles and the role of Caldicott Guardians. The consultation response contains a revised – and expanded – set of 8 Caldicott Principles. It also confirms our intention to issue guidance in 2021 that will increase the number (and type) of organisations which should appoint a Caldicott Guardian.
I am coming to the end of my term in March as National Data Guardian for Health and Care in England, and also my career in the NHS. In this period of reflection, I look back with some satisfaction that 23 years after their inception, Caldicott Principles and Caldicott Guardians are still considered valuable and useful. It still seems strange to me that they bear my name, as that was definitely not my recommendation or intention.
The principles were introduced in 1997 as part of a review I led into patient-identifiable information, which was motivated by concerns about patient confidentiality at a time of rapidly expanding use of information technology in the service. We proposed six principles based on common sense to safeguard confidentiality.
The same review also introduced Caldicott Guardians in the NHS, and subsequently in local authorities. We thought that all organisations handling patient and service users’ health data should have a senior person with a specific responsibility for protecting the confidentiality of that information. Today this role is very well-established; there are now more than 18,000 Caldicott Guardians – and not just in health and care: some organisations in other sectors, such as prisons, police and the armed forces appoint them too.
There has been much change since the role was first established, and we wanted to obtain a clear understanding of people’s current views on its value. In particular, the introduction of additional information governance (IG) roles into health and care settings, such as data protection officers (DPOs) and senior information risk owners (SIROs) has changed the landscape. Considering this, we wanted to ‘test the temperature’: did people on the ground still feel the role was as helpful? And did people feel that patients and service users across a broader range of settings would benefit from the services of Caldicott Guardians?
What we heard was a resounding ‘yes’. This reinforced my firm belief that where health and care data is being used, Caldicott Guardians can bring something nuanced and very specific to discussions and decision-making. Their deep understanding of how health and care data is different to other data (in many cases because they are clinicians and care providers themselves) positions them as knowledgeable advocates for patients. Whilst the other IG roles are equally valuable in terms of ensuring that the legality and technical protections are as they should be, Caldicott Guardians have a different ‘flavour’ and, rightly, are often referred to as the conscience of their organisations.
I believe that even well-established principles and conventions should be reviewed from time to time. It has been seven years since we last revised the Caldicott Principles by adding a seventh principle to encourage better information sharing, and so this seemed a good time to reconsider them. Many discussions in recent years had led my Panel and me to conclude that the principles would benefit from an addition – a new tenet that would serve as a simple guide for frontline workers making data sharing decisions.
This new principle focuses on ensuring that expectations of patients and care users are considered and met when decisions about data sharing are made. Working with them and the public to ensure that data use aligns with expectations has been a mainstay of my work.
It was this belief, for instance, that led us to develop the proposal for the National Data Opt-out. We listened carefully to what people said they wanted and recommended an opt-out scheme because we heard that an important element of building trust was to give people a real choice about the use of their data.
And only by demonstrating that health and social care can be trusted to be respectful and do the right thing with people’s data will we earn the goodwill to use their data.
The roll-out of the National Data Opt-out across health and care organisations is on pause until March. This is so that health and care organisations which had not yet implemented it could concentrate on tackling the pandemic, rather than introducing this change. But the reasons for the opt-out remain as important as ever. I am a keen advocate of data use and have not opted out myself. However, by providing people with a mechanism to do, we show that we uphold the commitment that we made and respect people’s decisions.
The remaining months of my term as NDG fall in a period when it will be important for the system to consider how to deal with the emergency measures that were introduced in response to the pandemic. No assumption should be made that what is put in place during a public health crisis will be appropriate when the level of threat to public health recedes. There are many innovations and changes that should be kept. Equally, others do not remain appropriate outside of the context of a pandemic.
For example, to slow the spread of coronavirus, the Government has passed a law that makes failing to isolate when required, or giving false information to contact tracers, a criminal offence. Regulations have been introduced so that NHS Test and Trace may set aside the duty of confidence to share information with police to enforce this law in individual cases. It is vital that we all obey the rules to control the spread of the virus, and I understand that this is the purpose of these newly identified offences. We were glad to see that a memorandum of understanding sets out that minimum information should be passed to law enforcement, and that no data is passed to the police from the COVID-19 app. Nonetheless, I am concerned that the current arrangement may also have the unintended consequence of reducing people’s readiness to seek care, and would not want this to be seen as a precedent for sharing health and care information with the police beyond this pandemic.
Meanwhile, we have also seen a constructive coming together both within and outside the sector as people have joined forces to both manage the pandemic and keep our health and care system operating effectively. In a blog post that I wrote in April, I said how reassuring I had found it to see so many examples of rapid and focussed action and problem solving. This momentum has never slowed, despite the many challenges; this makes me feel extremely proud of – and thankful for – the dedication of those who work in our health and care services.
Over the last few weeks, we have had some wonderful news about vaccine development: a light at the end of the tunnel. This breakthrough gives us some hope that we can now start to think about – and plan for – a time beyond the current crisis. And as we do consider that, and think about what data use should look like in a post coronavirus landscape, we must continue to listen to the public. We have already begun to see emerging evidence which suggests that people are becoming more knowledgeable about the importance of health and care data, and more accepting of its use. We now have an opportunity to build on this growing awareness. And at this time, transparency will be key to providing the reassurance that earns confidence. We must make a concerted effort to engage with the people whose data we hold before making important decisions about it.
You can read more about our consultation response in our press release