
The Caldicott2 Review Recommendations and the IG Toolkit

The Caldicott2 Review Panel made a series of recommendations that were subsequently accepted by the Department of Health (DH) in a report titled "Information to share or not to share - Government response to the Caldicott Review". The DH placed a number of expectations on all health and care organisations regarding the recommendations below. Organisations will be supported to implement the recommendations via changes to the IG Toolkit (a DH policy vehicle) where relevant. The IG Toolkit was updated for the version 13 assessment. Many of the updates initially apply only to NHS Trust provider organisations (acute, ambulance and mental health trusts), but the intention is that, where appropriate, the changes will be rolled out to other organisation types.

Recommendation 1 - People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge.

An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records. The Department of Health and NHS Commissioning Board should drive a clear plan for implementation to ensure this happens as soon as possible.

IG Toolkit: the changes require that organisations consult service users to establish how they would like to be able to access information about their care and treatment; and take steps to ensure that all systems holding confidential personal information have audit trails that detail anyone and everyone that has accessed a record, evidenced with audit trails and system logs.

Recommendation 2 - For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.

Health and social care providers should audit their services against NICE Clinical Guideline 138, specifically against those quality statements* concerned with sharing information for direct care.

IG Toolkit: a new IG Toolkit requirement requires that organisations put measures in place to support and promote information sharing for coordinated and integrated care, and systems to establish, respect and review patients' preferences for sharing information with partners, family members and/or carers. Organisations should evidence their arrangements with a report of audits against Statements 12 and 13 of the NICE Clinical Guideline 138, Quality Standard 15; and provide details of any improvements made to arrangements following the audits.

Recommendation 4 - Direct care is provided by health and social care staff working in multi-disciplinary ‘care teams’. The Review Panel recommends that registered and regulated social workers be considered a part of the care team. Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance.

Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and social care provider organisations must ensure that robust combinations of safeguards are put in place for these staff with regard to the processing of personal confidential data.

IG Toolkit: a new IG Toolkit requirement requires that organisations take a lead role in promoting appropriate information sharing for integrated care, and provide evidence to demonstrate that they are doing so; put arrangements in place to support and promote information sharing for coordinated and integrated care, and provide their staff with clear guidance on sharing information for care in an effective, secure and safe manner.

Recommendation 5 - In cases when there is a breach of personal confidential data, the data controller, the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with the remedial action being undertaken and an apology to the person whose confidentiality has been breached.

IG Toolkit: the incident reporting requirement requires that where there is a breach of confidential personal data, affected individuals are provided with a full explanation of the cause, are given an apology and informed of the remedial action being undertaken to prevent recurrence.

Recommendation 6 - The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach. There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations.

IG Toolkit: organisations are required to ensure that any uses or sharing of information without a clear legal basis are treated as data breaches and are reported to the Board and to NHS Digital via the IG SIRI Incident Reporting Tool.

Recommendation 7 - All organisations in the health and social care system should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to actively dissent (i.e. withhold their consent).

IG Toolkit: organisations are required to have documented fair processing materials that set out how personal information is used and shared and which explain the rights of individuals including the right to object to the sharing or use of confidential information recorded about them. Additionally, organisations should gather feedback from service users to identify whether service users believe that the organisation’s fair processing arrangements are satisfactory.

Recommendation 12 - The boards or equivalent bodies in the NHS Commissioning Board, clinical commissioning groups, Public Health England and local authorities must ensure that their organisation has due regard for information governance and adherence to its legal and statutory framework.

An executive director at board level should be formally responsible for the organisation’s standards of practice in information governance, and its performance should be described in the annual report or equivalent document.

Boards should ensure that the organisation is competent in information governance practice, and assured of that through its risk management. This mirrors the arrangements required of provider trusts for some years.

IG Toolkit: minor changes were made to several requirements to reinforce the need for Board level responsibility across the IG agenda.

Recommendation 15 - The Department of Health should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development.

IG Toolkit: an update was made to make clear that the Caldicott Guardian should be appropriately trained and supported in their role.

Recommendation 19 - All health and social care organisations must publish in a prominent and accessible form:

  • a description of the personal confidential data they disclose;
  • a description of the de-identified data they disclose on a limited basis;
  • who the disclosure is to; and
  • the purpose of the disclosure.

IG Toolkit: organisations are required to have documented fair processing materials that set out how personal information is used and shared and which explain the rights of individuals including the right to object to the sharing or use of confidential information recorded about them. Additionally, organisations should gather feedback from service users to identify whether service users believe that the organisation’s fair processing arrangements are satisfactory.

