Covid-19 has made us all think very carefully about how confidential information is used by healthcare providers. The Caldicott Principles (the “Principles”), which determine how confidential information is handled and shared in healthcare services, already provide some protection to patients.
The Principles, which were established in 1997 by Dame Fiona Caldicott in her role as National Data Guardian, are as follows:
- Justify the purpose for using confidential information;
- Do not use personal confidential data unless it is absolutely necessary;
- Use the minimum necessary personal confidential data;
- Access to personal confidential data should be on a strictly need-to-know basis;
- Everyone with access to personal confidential data should be aware of their responsibilities;
- Understand and comply with the law; and
- The duty to share information can be as important as the duty to protect patient confidentiality.
Following a consultation earlier this year, the Principles have recently been revised and expanded. Revisions include a definition of what constitutes “confidential information” as well as the “creation of an additional principle to emphasise the importance of there being no surprises for patients and service users with regard to how their confidential information is used.” The new Principle is intended to “be consistent with the direction that the courts have taken in making an individual’s reasonable expectations of privacy the touchstone of the duty of confidentiality” and “align with the General Data Protection Regulation (GDPR) emphasis on transparency and data subject rights”.
Guidance will also be given as to the role and responsibilities of Caldicott Guardians, although this is not expected to be published before the end of the financial year 2020-2021. This may be after the end of Dame Caldicott’s term in March 2021, when she will step down from her role.
Louise Prince, Senior Associate in the Firm’s Reputation Protection and Privacy team said “The new Principle is a welcome move towards further transparency as to how confidential information is handled by healthcare professionals. The link made with the GDPR and law of privacy is not surprising given the nature of the subject matter. Time will tell as to how the new Principle and Guidance will be implemented in practice.”
You can read further information on this issue here.