Tim Baldwin and Ollie Persey highlight problems in health and social care information management resulting from a lack of understanding and gaps in guidance.
Health and social care records contain information concerning individuals who receive care that is often highly confidential and personal. The misuse of such information can result in individuals being distressed and withdrawing from services. Caldicott guardians are responsible for ensuring that this personal information is used ‘legally, ethically and appropriately, and that confidentiality is maintained’ (A manual for Caldicott guardians, UK Caldicott Guardian Council, 2017, para 11, page 3). The manual suggests that they are the ‘consciences’ of their organisations.
There are more than 22,000 Caldicott guardians in a range of organisations handling health and social care information, including local authorities, NHS trusts, prisons and central government departments such as the Ministry of Defence (‘Dame Fiona Caldicott tribute’, National Data Guardian for Health and Social Care (NDGHSC) news story, 15 February 2021).
Due to the harm that mishandling of health and social care information may cause, it is important for Caldicott guardians to have the expertise and resources to discharge their roles effectively. In this article, we argue that equality considerations need to be expressly incorporated into a Caldicott guardian’s role, to ensure the effective management of health and social care information of marginalised groups.
The origins and development of Caldicott guardians
Caldicott guardians take their name from a 1997 report, Report on the review of patient-identifiable information, by Dame Fiona Caldicott. She recommended that ‘[a] senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information’ (page iv). That recommendation was accepted and by 1998 every NHS organisation was required to have a Caldicott guardian. By 2002, Caldicott guardians were required in organisations handling social care information (LAC(2002)2, 31 January 2002).
The 2018 Act requires both public and private bodies that exercise functions in relation to health services, adult social care and adult carer support, who process confidential information about patients or service users, to have regard to the 2021 statutory guidance. The statutory guidance only applies to private bodies in relation to work that is publicly funded.
The 2021 statutory guidance developed the principles that Caldicott guardians are required to follow.
The eight principles for Caldicott guardians are intended ‘to apply to all data collected for the provision of health and social care services where patients and service users can be identified and would expect that it will be kept private’ (The eight Caldicott Principles, NDGHSC, December 2020):
• Principle 1: justify the purpose(s) for using confidential information.
• Principle 2: use confidential information only when it is necessary.
• Principle 3: use the minimum necessary confidential information.
• Principle 4: access to confidential information should be on a strict need-to-know basis.
• Principle 5: everyone with access to confidential information should be aware of their responsibilities.
• Principle 6: comply with the law.
• Principle 7: the duty to share information for individual care is as important as the duty to protect patient confidentiality.
• Principle 8: inform patients and service users about how their confidential information is used.
This might include symptoms, diagnosis, treatment, names and addresses.
Discharging the role
Caldicott guardians tend to undertake their roles on a part-time basis. For example, a case study in A manual for Caldicott guardians refers to the Caldicott guardian of an NHS trust with 10,000 staff dedicating one day a week to the role alongside being a consultant heart and lung surgeon. In that NHS trust, the Caldicott guardian worked with a senior information risk owner and a three-person information governance team to carry out day-to-day tasks. In smaller organisations, such as hospices, Caldicott guardian responsibilities often take up even less time.
Despite capacity constraints, Caldicott guardians are often responsible for their organisation’s information management strategies, including the design of databases or information-sharing policies. It is also often a Caldicott guardian who makes a decision as to whether a data breach needs to be reported to the Information Commissioner’s Office (ICO). The Caldicott guardian, and an organisation’s compliance with their recommendations, is subject to scrutiny by that organisation’s board as well as the Care Quality Commission and the ICO.
Equality and diversity
Many health and social care service users have additional needs that require sensitivity in the management of their personal information. However, there is no express reference to equality issues in the 2021 statutory guidance for Caldicott guardians, the eight Caldicott Principles or A manual for Caldicott guardians.
Deaf and blind service users have additional barriers to accessing health and social care services. Since August 2016, health and social care organisations have been subject to the Accessible Information Standard (AIS). The AIS provides for ‘a specific, consistent approach to identifying, recording, flagging, sharing and meeting the information and communication support needs of patients, service users, carers and parents with a disability, impairment or sensory loss’ (Accessible information: specification, v.1.1, NHS England, August 2017, page 2). However, there is no mention of the AIS in the list of ‘laws, reports and policies’ to which the 2021 statutory guidance refers (on page 5).
Research conducted by a coalition of charities (SignHealth, Royal National Institute of Blind people, Sense, the Royal Association for Deaf people, Learning Disability England, Visionary, Macular Society, the Royal National Institute for Deaf People and Healthwatch England) and published by SignHealth shows that there are systemic failures to implement the AIS (Review of the NHS Accessible Information Standard, February 2022). This included a third of health and social care providers being unaware or unsure about the existence of the AIS (page 2). Information accessibility and confidentiality are interlinked issues. For example, Strictly Come Dancing champion Rose Ayling-Ellis, who is Deaf, told the BBC:
Many individuals with health and social care needs do not speak English. Therefore, sensitivity is required in how information is communicated, and there are duties under the Equality Act 2010 (not referenced in the 2021 statutory guidance) and the Human Rights Act 1998 (which is referenced in the 2021 statutory guidance) to ensure non-discriminatory access to health and social care services.
We have seen instances of health and social care providers refusing to provide translations of key documents. For example, refusing to translate an education, health and care plan (EHCP) undermines a parent’s ability to ensure that education, health and social care provision is being secured. A failure to translate an EHCP also substantially increases the risk of sensitive personal information being inappropriately shared as a parent might be forced to seek assistance to translate the document from someone whom they would prefer did not know personal information about their disabled child.
Data shows that 2,086 women were admitted to hospital after suffering sexual, physical or mental abuse at the hands of a partner between April 2015 and March 2020 (Harriet Clugston, ‘Domestic violence: hundreds of women end up in hospital from domestic abuse every year, new NHS figures reveal’, NationalWorld, 6 April 2021). Developing policies governing what personal information is provided to a partner who accompanies an injured woman to hospital would often fall within the remit of a Caldicott guardian, who is responsible for the ‘ethical’ and ‘appropriate’ sharing of personal information. However, the 2021 statutory guidance (page 5) makes no reference to the Domestic Abuse Act 2021 in the list of legislation that Caldicott guardians should consider in discharging their duties.
There are complex privacy issues for transgender people accessing health and social care services. Gender Recognition Act 2004 s22 addresses the disclosure of ‘protected information’ for transgender people with gender recognition certificates (GRCs). Section 22(1) makes it a criminal offence ‘for a person who has acquired protected information in an official capacity to disclose the information to any other person’. Section 22(2) provides that, once a GRC is issued, protected information includes information which ‘concerns the person’s gender before it becomes the acquired gender’. Section 22(3) defines the acquisition of such information in an official capacity in such a way as to cover health and social care professionals. There are exemptions: s22(4) and the Gender Recognition (Disclosure of Information) (England, Wales and Northern Ireland) Order 2005 SI No 635 provide for circumstances in which disclosure is not an offence. This is a complex statutory regime that concerns information management; however, there is no reference to it in the 2021 statutory guidance.
In recent years, there has been a growth in litigation concerning people who lack capacity to make decisions as to their welfare inclusive of contact with other persons and the use of the inherent jurisdiction of the High Court. Such proceedings may also be linked to safeguarding enquiries by local authorities under Care Act 2014 s42. Within the Care and support statutory guidance (Department of Health and Social Care, last updated 27 January 2022), there is specific guidance on information sharing and record keeping at paras 14.180–14.186 and on confidentiality at paras 14.187–14.196. This guidance is distinct from that when considering information sharing under chapter 16 of the Mental Capacity Act 2005 code of practice (Office of the Public Guardian, 22 July 2013), where there is no explicit reference to Caldicott guardians. Within the care and support guidance, at paras 14.187–14.188, there is reference to agencies drawing up a common agreement as to information sharing, which should be consistent with the Caldicott Principles, and the possible involvement of Caldicott guardians in information-sharing decisions, ensuring that:
• information will only be shared on a ‘need to know’ basis when it is in the interests of the adult;
• confidentiality must not be confused with secrecy;
• informed consent should be obtained but, if this is not possible and other adults are at risk of abuse or neglect, it may be necessary to override the requirement;
• it is inappropriate for agencies to give assurances of absolute confidentiality in cases where there are concerns about abuse, particularly in those situations when other adults may be at risk.
This is clear guidance for the management of confidential information in safeguarding proceedings. There are two questions that arise. First, how often and how effectively is this guidance used? Second, to what extent could it be expanded or developed as a model to ensure the privacy and confidentiality of marginalised groups, including those discussed above? Addressing these questions could improve the effectiveness of Caldicott guardians in discharging their duties to all health and social care service users, including those with additional needs.
Caldicott guardians are an important part of health and social care information governance. However, it is difficult to see how they can be effective without having an in-depth understanding of the additional needs of marginalised groups. Unfortunately, there is a lacuna in the government’s guidance which means that these issues are not being adequately addressed.