Patient confidentiality - Caldicott

This information is primarily aimed at Health Care Professionals.

• More general information and further links

The Caldicott Report (December 1997) and Executive Letter (January 1999) set in motion a process of continuous improvement in medical confidentiality within the National Health Service, including the organisations now comprising the Health Protection Agency (HPA). In accordance with guidance laid out in the report, Caldicott Guardians have been appointed and Security of Information Officers (SIO) identified, whose functions are to ensure that data handling is in accordance with the recommendations of the Caldicott Committee and requirements of the Data Protection Act. These especially affect data with Personal Identifiable Information (PII).

The principles in the Caldicott Report are summarised below:
1. Justify the purpose(s) for using patient data
2. Don't use patient-identifiable information unless it is absolutely necessary
3. Use the minimum necessary patient-identifiable information
4. Access to patient-identifiable information should be on a strict need to know basis
5. Everyone should be aware of their responsibilities to maintain confidentiality
6. Understand and comply with the law, in particular the Data Protection Act

Progress in Communicable Disease Surveillance Centre and Specialist and Reference Microbiology Division at the Centre for Infections, Colindale

Within CDSC and SRMD these issues have been taken up, and a high level of compliance with the recommendations of the Caldicott Report achieved. For example all staff have been familiarised with their responsibilities under the Report (a rolling process as new staff join the Service); data flows have been mapped, and redundant records containing PII are being culled and securely destroyed. In addition all electronic data with PII are secured by password. The premises at Colindale have been reviewed and improvements made in physical security. Auditing performance in this area is ongoing so that continuous improvement is taking place. Staff are frequently reminded, and they remind each other, that PII is sensitive and its security the basis for patients continuing to have confidence in the clinical and surveillance work.

A Health Protection Agency-wide group has now been formed which has the remit of promoting and ensuring compliance with these issues across the whole of the Agency, in the same way as has been achieved within the Centre for Infections.

Conclusion

The HPA is unreservedly committed to preserving medical confidentiality in all aspects of its work, both in its direct contacts with clinicians and patients and in aggregating data for surveillance purposes and research. Its aim and intention is always to be worthy of the trust that, each year, so many patients place in it.

Patient Information Advisory Group (PIAG) Application

In December 2001 the Public Health Laboratory Service applied to PIAG to secure the Secretary of State's support for the use of confidential patient information for the surveillance, control and prevention of communicable diseases. This application covered reporting of non statutorily notifiable infectious diseases, enhanced surveillance for certain diseases including some that are statutorily notifiable and for the surveillance and control of communicable diseases in general. Our application included many examples of the public health surveillance we sought to continue.

• Summary of HPA applications and PIAG updates since original 2001 application 

Frequently Asked Questions on 'Caldicott', patient confidentiality, law and regulation, as they apply to the reporting of infections especially concerning "section 60" regulations.

Q Why were these regulations brought into being?

A Infection reporting is in part covered by statutory notification to the local 'Proper Officer' and chiefly functions around local control measures. In addition other systems of reporting infections exist which are not part of the statutory notifications. In theory at least a clinician or microbiologist reporting such an infection could have been accused of breaking the common law duty of confidence unless the data were anonymised or patient consent obtained.

It is not always possible to obtain consent nor to undertake complete anonymisation. A system of obtaining permission to cover reporting and handling of such data was set up under section 60 of the Health and Social Care Act (2001). The Public Health Laboratory Service and the Cancer Registries were the first applications to be received by the group set up to advise the Secretary of State (Patient Information Advisory Group).

These permissions were passed by both Houses of Parliament under the Health Services (control of Patient Information) Regulations 2002 (Statutory Instrument 2002 No.1438).

Q Do the Regulations make it legal for confidential patient information relating to patients referred with confirmed or suspected diagnoses of infection to be supplied to the Health Protection Agency?

A Yes.

These regulations provide the legal framework under which these transfers may take place. The Health Service (Control of Patient Information) Regulations 2002 were the first regulations to be made under section 60 of this Act, and support the operations of the Public Health Laboratory Services in respect of communicable diseases and other risks to public health. The wording is such that the Health Protection Agency will also be covered under these regulations and in 2004 a more formal application on behalf of the whole Health Protection Agency was made.

These regulations make it both lawful and appropriate to share confidential patient information in the circumstances specified.

Q Do the Regulations make it obligatory for "confidential patient information relating to patients referred for the diagnosis or treatment of infection" to be supplied to the Health Protection Agency?

A For notifiable infections there is a statutory duty to report to the local Proper Officer (usually the CCDC). However many important infections are not statutorily notifiable and enhanced surveillance systems also exist for some of the infections which are statutorily notifiable. It is these where reporting is encouraged by the regulations but it is not statutory ( ie compulsory) to do so. Public health surveillance and understanding of both outbreak situations and how infections are spreading is dependent on the voluntary confidential reporting of such infections.

Q Do these regulations mean that the following data sources can supply "confidential patient information relating to patients referred with confirmed and suspected diagnoses of infection to be supplied to the Health Protection Agency" without needing to obtain explicit informed consent from patients?

NHS Trusts
Private hospitals
NHS laboratories
HPA laboratories
Private laboratories
GPs
Primary Care Trusts

A Yes.

We have now produced a leaflet for surgeries, outpatients etc. which tells people about reporting procedures for infections:
Information and the Health Protection Agency (PDF, 856 KB)
This leaflet describes how the Health Protection Agency uses information to protect your health and protect your identity.

If patients wish to opt out of their data being reported and insist on such action even when the reasons for collecting such data are explained, their patient identifiers should not be reported. Opt-out is not, however, possible for infections which are statutorily notifiable.

Q Do these regulations mean that the HPA can release "confidential patient information relating to patients referred with confirmed or suspected diagnoses of infection" without the individuals requesting the information needing to obtain informed consent from patients?

A These regulations permit the Health Protection Agency to process confidential information without the need for patient consent. However, the release of such data to others is almost always in aggregate (and therefore anonymised) format. One of the exceptions to this is for statutorily notifiable food poisoning when local follow up of individual patients is undertaken by the Local Authority Environmental Health Officers. Consultants in Communicable Disease Control work closely with these professional colleagues to try to identify local outbreaks and prevent their recurrence.

Q Can the HPA release information to PCTs, for cases registered in their practice populations or resident in their defined geographical populations?

A Yes, although release of such information will be in aggregate format and not personally identifiable.

• Patient Information Advisory Group – summary of HPA applications and PIAG updates since original 2001 application
  Added/updated: 12 February 2010
  
• Information and the Health Protection Agency (PDF, 856 KB)
  This leaflet describes how the Health Protection Agency uses information to protect your health and protect your identity.
  Added/updated: 28 October 2009
  
• PIAG application 2003 (PDF, 19 KB)
  PHLS - Update to Section 60 approval granted Dec 2001, and Statutory Instrument June 2002.
  Added/updated: 26 February 2009
  
• PIAG application 2004 (PDF, 57 KB)
  Application for PIAG approval for the Health Protection Agency for 2004/5
  Added/updated: 26 February 2009
  
• PIAG application 2005 (PDF, 45 KB)
  Application for PIAG approval for the Health Protection Agency for 2005/6.
  Added/updated: 26 February 2009
  
• PIAG response to 2004 application (PDF, 98 KB)
  PIAG response to 2004 application in leter dated 20 July 2004.
  Added/updated: 26 February 2009