The Caldicott2 Review Recommendations and the IG Toolkit
The Caldicott2 Review Panel made a series of recommendations that were subsequently accepted by the Department of Health (DH)
in a report titled "information to share or not to share - government response to the caldicott review". the dh placed a number
of expectations on all health and care organisations regarding the below recommendations. organisations will be supported to
implement the recommendations via changes to the ig toolkit (a dh policy vehicle) where relevant. the ig toolkit was updated
for the version 13 assessment. many of the updates initially apply only to nhs trust provider organisations
(acute, ambulance and mental health trusts), but the intention is that where appropriate, the changes will be rolled out to other
Recommendation 1 - People must have the fullest possible access to all the electronic care records
about them, across the whole health and social care system, without charge.
An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form
to patients via their personal health and social care records. The Department of Health and NHS Commissioning Board should drive
a clear plan for implementation to ensure this happens as soon as possible.
IG Toolkit: the changes require that organisations consult service users to establish how they would
like to be able to access information about their care and treatment; and take steps to ensure that all systems holding confidential
personal information have audit trails that detail anyone and everyone that has accessed a record, evidenced with audit trails
and system logs.
Recommendation 2 - For the purposes of direct care, relevant personal confidential data should
be shared among the registered and regulated health and social care professionals who have a legitimate relationship
with the individual.
Health and social care providers should audit their services against NICE Clinical Guideline 138, specifically against those
quality statements* concerned with sharing information for direct care.
IG Toolkit: a new IG Toolkit requirement requires that organisations put measures in place to
support and promote information sharing for coordinated and integrated care, and systems to establish, respect and review patients'
preferences for sharing information with partners, family members and/or carers. Organisations should evidence their arrangements
with a report of audits against Statements 12 and 13 of the NICE Clinical Guideline 138, Quality Standard 15; and provide details
of any improvements made to arrangements following the audits.
Recommendation 4 - Direct care is provided by health and social care staff working in multi-disciplinary
care teams’. The Review Panel recommends that registered and regulated social workers be considered a part of the care team.
Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient
or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’
Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and
social care provider organisations must ensure that robust combinations of safeguards are put in for these staff with regard to
the processing of personal confidential data.
IG Toolkit: a new IG Toolkit requirement requires that organisations take a lead role in promoting
appropriate information sharing for integrated care, and provide evidence to demonstrate that they are doing so; put arrangements
in place to support and promote information sharing for coordinated and integrated care, and provide their staff with clear
guidance on sharing information for care in an effective, secure and safe manner.
Recommendation 5 - In cases when there is a breach of personal confidential data, the data controller,
the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with
the remedial action being undertaken and an apology to the person whose confidentiality has been breached.
IG Toolkit: the incident reporting requirement requires that where there is a breach of confidential
personal data, affected individuals are provided with a full explanation of the cause, are given an apology and informed of the
remedial action being undertaken to prevent recurrence.
Recommendation 6 - The processing of data without a legal basis, where one is required, must be
reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach.
There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The
board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This
should be in the quality report of NHS organisations, or as part of the annual report or performance report
for non-NHS organisations.
IG Toolkit: organisations are required to ensure that any uses or sharing of information without
a clear legal basis are treated as data breaches and are reported to the Board and to NHS Digital via the IG SIRI
Incident Reporting Tool.
Recommendation 7 - All organisations in the health and social care system should clearly explain
to patients and the public how the personal information they collect could be used in de-identified form for research,
audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them,
including any ability to actively dissent (i.e. withhold their consent).
IG Toolkit: organisations are required to have documented fair processing materials that set out
how personal information is used and shared and which explain the rights of individuals including the right to object to
the sharing or use of confidential information recorded about them. Additionally, organisations should gather feedback
from service users to identify whether service users believe that the organisation’s fair processing arrangements
Recommendation 12 - The boards or equivalent bodies in the NHS Commissioning Board, clinical
commissioning groups, Public Health England and local authorities must ensure that their organisation has due regard
for information governance and adherence to its legal and statutory framework.
An executive director at board level should be formally responsible for the organisation’s standards of practice in
information governance, and its performance should be described in the annual report or equivalent document.
Boards should ensure that the organisation is competent in information governance practice, and assured of that through
its risk management. This mirrors the arrangements required of provider trusts for some years.
IG Toolkit: minor changes were made to several requirements to reinforce the need for Board level
responsibility across the IG agenda.
Recommendation 15 - The Department of Health should recommend that all organisations within
the health and social care system which process personal confidential data, including but not limited to local authorities
and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any
information governance leaders required, and assure themselves of their continuous professional development.
IG Toolkit: an update was made to make clear that the Caldicott Guardian should be appropriately
trained and supported in their role.
Recommendation 19 - All health and social care organisations must publish in a prominent and accessible form:
- a description of the personal confidential data they disclose;
- a description of the de-identified data they disclose on a limited basis;
- who the disclosure is to; and
- the purpose of the disclosure.
IG Toolkit: organisations are required to have documented fair processing materials that set out how
personal information is used and shared and which explain the rights of individuals including the right to object to the sharing
or use of confidential information recorded about them. Additionally, organisations should gather feedback from service users to
identify whether service users believe that the organisation’s fair processing arrangements are satisfactory.
Page Processing Time: 0.05 seconds
Page Render Time: seconds