Caldicott and Confidentiality Policy

1.1 Policy statement

This policy explains and enforces the obligations of Caldicott, confidentiality and non-disclosure among the employees of Victoria Medical Centre. This applies to information generated, held and processed by the organisation.

Furthermore, it outlines the principles that are to be adhered to by all staff at this organisation to understand the requirement for effective controls of personal confidential data (formerly patient identifiable information).

The Caldicott principles are derived from the Dame Fiona Caldicott Information Governance Review in 2013, which now forms the Caldicott Guardian guidance from the National Data Guardian (NDG). All staff are to fully understand the requirement to adhere to the Caldicott principles, which are designed to safeguard and govern the use of patient information in all health and social care organisations.

The NHS Confidentiality Policy and the NHS Confidentiality Code of Practice state that all staff working in the NHS are bound by a legal duty of confidence to protect personal information they may encounter during their work.

This is not purely a requirement of their contractual responsibilities; it is also a requirement within the common law duty of confidence. Staff are to be reminded that information classed as objective knowledge relates to the affairs of the organisation. This may include information regarding:

  • Partners
  • Contractual arrangements
  • Employees
  • Dealings
  • Patients
  • Transactions
  • Contractors
  • Policies and procedures
  • Business associates
  • Decisions
  • Suppliers
  • Technology and systems
  • Market information
  • Any other organisational confidential matter

The reputation and continuing ability of the organisation to work effectively in the position of trust and responsibility it holds (which is also reflected in the trust and responsibility held by those persons engaged by the organisation to work on its behalf) rely on confidential information being held as confidential.

Further information on the wider spectrum of confidentiality and data management and their supporting policies can be found in the Confidentiality and Data Protection Handbook.

Legislation and national guidance documents relating to both confidentiality and Caldicott can be found at Annex A. eLearning modules on Caldicott and confidentiality, Consent, GDPR – The Perfect Practice, Information Governance and Data Security, and the UK General Data Protection Regulation (UK GDPR) are available in the HUB.

1.2 Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies. This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time.

For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors.

2 Caldicott

2.1 Caldicott principles

The Caldicott Principles are as detailed within the NDG document titled The Eight Caldicott Principles.

2.2 Caldicott Guardian role

A Caldicott Guardian, as outlined within the Manual for Caldicott Guardians, is a senior person within a health or social care organisation who ensures that personal information about those who use its services is used legally, ethically and appropriately and that confidentiality is maintained.

The Caldicott Guardian’s main concern is information relating to individuals and their care. This need for confidentiality also extends to other individuals, including relatives, staff and others.

Further information on the role of the Caldicott Guardian, who organisations need to appoint and the expected competencies can be found in the NDG document Guidance about the appointment of Caldicott Guardians, their role and responsibilities.

2.3 Caldicott Guardian and/or Information Governance Lead

Practices are required to have their own Caldicott Guardian, and this is usually a senior clinician. This role is usually also given an additional title of Information Governance (or IG) Lead. Should a non-clinical person be appointed as the Caldicott Guardian, they should be supported by an appropriate clinician.

Further guidance on Caldicott Guardianship can be found at this Gov.uk site, although the Manual for Caldicott Guardians should be the starting point for those who are newly appointed or as a reference point for existing Caldicott Guardians.

All staff are to be aware of who the Caldicott Guardian/Information Governance Lead is. This information should be added to the Responsible persons list and made freely available.

2.4 Caldicott Guardian registration

The UKCGC states that all organisations that are required to have a Caldicott Guardian should ensure their up-to-date details are on the Caldicott Guardian Register.

The register is used by the NHS to store and update Caldicott Guardians’ details and by the UK Caldicott Guardian Council to facilitate contact and the dissemination of information.

2.5 UK Caldicott Guardian Council (UKCGC)

The UK Caldicott Guardian Council (UKCGC) is the national body for Caldicott Guardians within the UK. The UKCGC provides support for Caldicott Guardians and others fulfilling the Caldicott function within the organisation. The UKCGC helps to uphold the eight Caldicott principles.

3 Confidentiality

3.1 Requirement

All employees must, from the date of the commencement of employment or other form of engagement, and thereafter, observe strict confidentiality in respect of any information held by the organisation and by each individual working on behalf of the organisation. This includes dealings, transactions, procedures, policies, decisions, systems and other matters of a confidential nature concerning the organisation and its affairs.

Other than in the proper course of their duties, employees must not, either during or at any time after the termination of their employment, exploit or disclose confidential information.

In addition, employees must not, through negligence, wilful misconduct, or inadvertence, allow the use, exploitation or disclosure of any confidential information relating to the affairs of the organisation, its patients, partners, employees, contractors, business partners or suppliers.

3.2 NHS Confidential Code of Practice

All staff are to adhere to the principles of confidentiality outlined in the NHS Confidentiality Code of Practice:

  • Person-identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of
  • Access to person-identifiable or confidential information must be on a need-to-know basis
  • Disclosure of person-identifiable or confidential information must be limited to the purpose for which it is required
  • Recipients of disclosed information must respect that it is given to them in confidence
  • If the decision is taken to disclose information, that decision must be justified and documented
  • Any concerns about the disclosure of information must be discussed with a line manager
  • Patients are to be informed of the intended use of their information and this organisation will adhere to the detailed requirements shown at Annex A to the code

This organisation will ensure that the requirements within the above Code of Practice are strictly followed, and that staff will immediately report any breaches of confidence or potential risks to the Caldicott Guardian or IG Lead.

3.3 Non-disclosure of information

All employees must, from the beginning of their employment with the organisation and after the termination of their employment with the organisation, observe strict confidentiality and non-disclosure in respect of any information held by the organisation, except when required or authorised to disclose such information by the organisation or by law.

All employees, and all individuals engaged under other contractual arrangements, are obliged during their engagement to maintain information in confidence and not, directly or indirectly, disclose it other than for the purposes for which it was gathered. Any such information in the possession of an individual, either in electronic format or hard copy, shall be returned to the organisation before or at the point in time that employment ceases, however such cessation occurs.

Following the cessation of employment, or other contractual engagement with the organisation, an individual must not, directly or indirectly, use for gain, discuss or pass on to others confidential information that can be classed as objective knowledge in that it has been gained during the course of their employment.

This includes the categories of information listed at Section 1.1.

NOTES:

  • While information must not be improperly disclosed and must be used only for the purpose for which it was gathered, nothing prevents an employee or other individual making a protected disclosure under the Public Interest Disclosure Act 1998 in respect of any malpractice or unlawful conduct.
  • At this organisation, personal information relating to staff is managed and stored to the same standards as are applied to the confidentiality of patient information.

3.4 Breach of confidential information

Any breach of confidentiality, particularly involving data, could have major negative consequences for this organisation and the individual. The organisation will therefore take appropriate disciplinary action against any employee who commits a breach of confidentiality and will report the breach to the organisation’s Data Protection Officer (DPO).

If it is a serious breach, the DPO will be bound to recommend that it is reported to the Information Commissioner’s Office (ICO), who may, in turn, institute criminal proceedings against the individual and, if found to be negligent, the organisation itself. The individual, if found guilty, will be required to pay a fine and will acquire a criminal record, and the organisation may be heavily fined if found guilty.

There must be no attempt to use any confidential information in a manner that may either directly or indirectly cause, or be calculated to cause, injury or loss to the organisation. Further reading can be sought from the Information Governance Breach Reporting Policy.

3.5 Third-party requests for information

Any employee approached by a third party, including any media source, and asked to make comments or provide information relating to the organisation and its affairs (or the affairs of its patients, partners, employees, contractors or any business associate) must not, under any circumstances, respond without having sought permission and guidance from the Practice Manager. The Practice Manager will then discuss the request with the partners and consider asking for assistance from the press information/media officer at the ICB.

3.6 Whistleblowing or protected disclosures

In respect of any malpractice or unlawful conduct, any employee is entitled to submit a protected disclosure under the Freedom to Speak Up Policy and Procedure (or Whistleblowing Policy). This states that protected disclosures can be made to a Partner, the Practice Manager or the nominated Freedom to Speak Up Guardian (FSUG).

The Public Interest Disclosure Act 1998 was enacted in the UK to enable employees and other persons, such as agency temporary workers, to disclose genuine concerns, especially those that seem to involve unlawful conduct or malpractice. It also protects them from any form of victimisation arising from making such a disclosure.

Further guidance can be sought from the NHS E document Freedom to Speak Up.

3.7 Disclosing information

The GMC offers guidance in the document titled Disclosing patients’ personal information: a framework. Supporting information can also be found in Consent Guidance and the Infection Prevention Control (IPC) Handbook where Annex L provides a list of notifiable diseases that are required to be disclosed.

3.8 Protected information under the Gender Recognition Act

Section 22 of the Gender Recognition Act 2004 states that it is an offence for a person who has acquired protected information in an official capacity to disclose the information to any other person.

This is classified as protected information and is defined in Section 22(2) as information relating to a person who has applied for a Gender Recognition Certificate (GRC) under the Act, and which concerns that application (or a subsequent application by them), or their gender prior to being granted a full GRC.

While Section 22 is a privacy measure that prevents officials from disclosing that a person has a trans history, there are exemptions for medical professionals as detailed within Statutory Instrument 2005 No.635 (Section 5) provided all of the following circumstances apply:

  • The disclosure is made to a health professional;
  • The disclosure is made for medical purposes; and
  • The person making the disclosure reasonably believes that the subject has given consent to the disclosure or cannot give such consent

3.9 Trans status

Patients should never be asked to produce a GRC to ‘prove’ their trans status. The GRC is not a requirement, and many trans people simply choose not to have one while others may not yet meet the eligibility criteria.

As a precautionary measure, it is good practice to apply the Section 5 criteria set out in Section 3.8 to all disclosures of information about the trans status of a patient, because it may not be accurately known whether the person has a GRC.

Additionally, the general protocols on medical confidentiality and information governance apply to all patients whether they have a GRC or not.

NOTE:

Pride in Practice has advised that good information governance around this subject is essential because unlawful and unwarranted disclosures of a person’s trans status leave organisations open to legal proceedings and, in doing so, can have serious and unforeseen consequences in ‘outing’ trans people.

3.10 Confidentiality and non-disclosure agreement

All persons engaged to work for and on behalf of the organisation will be required to sign the confidentiality and non-disclosure agreement to be found at Annex B. A signed copy will be held on the individual’s personnel file.

Visitors to the organisation will also be expected to sign a confidentiality agreement and this document also incorporates fire safety and risk awareness for visitors. The Third-party confidentiality agreement incorporating fire safety and risk awareness for visitors can be used.

3.11 National data opt-out

The national data opt-out (NDO-O) is a service that allows patients to opt out of their confidential patient information being used for research and planning.

NDO-O was introduced in England along with the Data Protection Act 2018 and GDPR on 25 May 2018. This followed recommendations from the NDG that patients should be able to opt out of their personal confidential data being used for purposes other than their direct medical care.

Further reading to support the Data Security and Protection Toolkit (DSPT) can be sought from NHS E National data opt-out guidance.

3.12 Abuse of privilege

The NHS Confidentiality Policy states the following:

  • It is strictly forbidden for employees to knowingly browse, search for or look at any personal or confidential information relating to themselves, their own family, friends or other persons without a legitimate purpose. Action of this kind will be viewed as a breach of confidentiality and of the Data Protection Act 2018.
  • When dealing with person-identifiable or confidential information of any nature, staff must be aware of their personal responsibility and contractual obligations and must undertake to abide by the policies and procedures of NHS England.

3.13 Confidentiality awareness and informing

To ensure that any user of our services, our staff and potential employees are aware of the confidentiality obligations within this organisation, privacy notices are available.

The practice privacy notice explains to patients the ways in which the organisation gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.

Other privacy notices are provided for the following:

  • Children
  • Employee
  • Candidates applying for work

4 Compliance

4.1 Good practice

To support the NHS Code of Practice, the following actions will be undertaken to ensure that confidentiality is maintained:

  • Person-identifiable information will be anonymised so far as is reasonably practicable, while being mindful of not compromising the data
  • Access to consulting rooms, administrative areas and record storage areas will be restricted
  • All staff should always maintain a clear desk routine. No patient confidential information is to be left unattended in any unsecured area, at any time
  • All IT equipment is to be shut down at the end of the working day, except equipment that is required to remain on, such as servers
  • Smartcards are to be removed from the computer whenever the user leaves their workstation. The Smartcard Policy details the need for, and terms and conditions of, use of the NHS Smartcard
  • Confidential waste is shredded or disposed of appropriately and as per the Confidential Waste Policy
  • Staff will not talk about patients or discuss confidential information in areas where they may be overheard

The Communication Policy provides advice on disclosing information electronically or via telephone to a patient, proxy or third party.

4.2 Data Security and Protection Toolkit (DSPT)

There is a requirement to undertake an annual DSPT assessment to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information.

To demonstrate compliance, this organisation is required to submit the assessment by 30 June annually.

Further information can be found on the NHS E Data Security and Protection Toolkit webpage and the DSPT staff awareness questions for the current year’s standards to ensure the practice achieves a successful outcome for the assessment.

Further information is available within the DSPT Handbook and UK GDPR Policy.

4.3 Audit

Regular audits must be undertaken to ensure compliance. This will ensure that access to confidential information is gained only by those who are required to access it in the course of their normal duties.

At this organisation, all staff have a responsibility to participate in such audits and to comply with the subsequent recommendations.

Audit guidance and relevant templates can be found at Annex C and Annex D. Audits can be logged and managed within Audits Manager which is a tool within The Compliance Package in the HUB.

4.4 Additional compliance tools

In addition to audit, further tools are available to support compliance, such as:

  • All members of the organisation will undergo annual confidentiality training
  • A confidentiality quiz detailing different scenarios is available at Annex E.
  • A poster is available here

Annex A – Legislation and guidance

The following legislation and guidance documents support both Caldicott and confidentiality:

  • EU GDPR as incorporated in English law by the EU (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “UK GDPR”)

Annex B – Confidentiality and non-disclosure agreement

[To be signed by all individuals employed or otherwise engaged by the organisation]

I [insert person’s name] confirm that I have read and understand the Caldicott and Confidentiality Policy and agree to abide by it.

I understand that any breach of this agreement could result in sensitive and confidential data being disclosed to the public or other interested parties and may result in my summary dismissal under the organisation’s disciplinary procedure.

Furthermore, any such conduct on my part which results in an unauthorised disclosure of confidential personal data may render me liable to being reported to the Information Commissioner’s Office (ICO). The ICO may, in turn, institute criminal proceedings against me and, if I am found guilty by a court of law, I could be fined, and this may also result in a criminal record.

Signed
Name (Printed)
Position
Date

Annex C – Audit guidance

Introduction

The purpose of a confidentiality audit is to identify if:

  • Any confidentiality issues exist and, if so, to detail what they are
  • Systems are at risk through deliberate misuse
  • Existing controls are adequate and provide the necessary safeguards

The audit will also review:

  • Local controls and processes regarding the access to, and use of, electronic data
  • Local controls and processes regarding the access to, and use of, manual records
  • Staff knowledge and awareness of their responsibilities and extant legislation regarding confidentiality

The organisation will ensure that there are appropriate confidentiality procedures in place to monitor access to personal confidential data.

Frequency

Confidentiality audits are to be undertaken through spot checks and questionnaires on a quarterly basis, and reports produced and retained for assurance purposes.

The table overleaf explains the criteria, assurances and evidence required for confidentiality audits.

It can be used to assist with ensuring that the organisation and its staff are compliant in data security and protection. It is a useful tool when carrying out an audit of confidentiality as per the Data Security and Protection Toolkit.

Report template

Annex D gives an example of a confidentiality report template.

Confidentiality audit criteria (by level)

Level 1

Criterion for confidentiality audit: There are documented confidentiality audit procedures in place that include the assignment of responsibility for monitoring and auditing access to confidential personal information. The procedures have been approved by senior management or committee and have been made available throughout the organisation.

Assurance required: Auditors require assurance that:

  • There are documented confidentiality audit procedures in place which include the assignment of responsibility for monitoring and auditing access to confidential personal information
  • The procedures have been approved by senior management or committee and have been made available throughout the organisation

Source of assurance or evidence:

  • Policy on confidential patient information
  • Standard procedures for monitoring and auditing access to patient information
  • Management approval of procedures (e.g., meeting minutes or other papers recording approval)
  • Documented assignment of responsibilities to job roles
  • Corresponding job descriptions
  • Publication of procedures throughout the organisation

Level 2

Criterion for confidentiality audit: All staff members with the potential to access confidential personal information have been made aware of the procedures. The procedures have been implemented and appropriate action is taken where confidentiality processes have been breached.

Assurance required: Auditors require assurance that:

  • The training provided for staff who are conducting audits and investigating alerts is comprehensive, clear and unambiguous about the action to be taken
  • The written procedures for confidentiality audit and monitoring are implemented in the organisation
  • Appropriate disciplinary and remedial actions are taken where confidentiality processes have been breached
  • All staff members with the potential to access confidential patient information are aware of the audit procedures; and
  • The audit procedures are widely accessible

Source of assurance or evidence: As above, plus:

  • Training records for staff carrying out audits and investigations
  • Descriptions of training provided
  • Corporate security and human resources procedures
  • Incident log of confidentiality alerts
  • Reports of the subsequent disciplinary actions taken
  • Minutes detailing committee reviewing confidentiality issues and performance
  • Availability of organisation’s confidentiality, security and employment procedures to relevant staff
  • Methods used to make relevant current staff aware of the confidentiality audit procedures and disciplinary sanctions. This might take many forms, such as awareness sessions, as part of mandatory training, team discussions or distributions to staff
  • For relevant new joiners, evidence of induction training on confidentiality requirements and audit

Level 3

Criterion for confidentiality audit: Access to confidential personal information is regularly reviewed. Where necessary, measures are put in place to reduce or eliminate frequently encountered confidentiality incidents or events.

Assurance required: Auditors require assurance that:

  • The procedures for confidentiality audits and monitoring are regularly reviewed for scope and depth
  • Identified vulnerabilities are recorded, solutions are identified, and problems resolved; and
  • Staff effectiveness in relation to confidentiality audits and monitoring is maintained, e.g., by appropriate ongoing training

Source of assurance or evidence: As above, plus:

  • Reports from reviewing the audit and monitoring process
  • Security incidents and events relating to confidentiality
  • Risk register including identified confidentiality vulnerabilities
  • Reports of procedural and/or security changes, resulting from alerts or identified risks
  • Updated procedures and policy from lessons learned
Annex D – Confidentiality report template

Page [1] of [2]

  • [Insert organisation name]
  • Date of audit:
  • Audit reference no: [01/24]
  • Summary of audit:
  • Name of auditor(s):
  • Date audit conducted:
  • Date audit closed:

Page [2] of [2]

  • [Insert organisation name]
  • Date of audit:
  • Audit reference no: [01/24]
  • Summary of observations:
  • Observation reference:
  • Description of observation:
  • Summary of agreed actions: Reference / Action required / By whom and date:
  • Agreed follow-up/review:
  • Name and signature of auditor(s):
  • Date closed:
  • Additional comments:
  • Name and signature of auditor(s):
  • Final closure date:

Annex E – Confidentiality quiz

Scenario 1:

A male patient finishes his consultation with the ANP and, as he is leaving, he asks the reception team if it is OK for him to pick up his 16-year-old daughter’s prescription.

How do you respond?

Could there be any medication that the daughter may not want her father to see? You are not permitted to let the patient collect his daughter’s prescription without her explicit consent. You have a duty to protect confidential information. There may be contraception medication that the daughter does not want her father to know about.

Scenario 2:

A 15-year-old girl has attended a GP appointment for a review of her asthma. During the consultation she asks the GP for advice about oral contraception and, when questioned about sexual activity, she advises that she is sexually active but has not told her Mum or Dad.

Can the GP breach her confidence and, if so, why?

Yes, on child protection/safeguarding grounds. However, if the GP deems the patient has shown maturity and fully understands the consequences of her request and subsequent actions, her confidence should be upheld.

Scenario 3:

You work in a rural practice, and it is a very close-knit community with everyone helping one another. You notice your neighbour in the waiting room and after his appointment he appears upset and leaves without saying anything.

Can you check his clinical record to see if there is anything you can do to help?

No, as you have no legitimate purpose for doing so. If you were to search his record, this would constitute a breach of confidentiality and a breach of the Data Protection Act 2018.

Scenario 4:

You have arranged for a patient to collect a printed copy of their medical notes for an insurance matter. You are off to lunch in five minutes and decide to leave the notes (not in an envelope) on the reception desk.

Is this appropriate?

No, you are failing to protect against improper disclosure and this goes against the NHS Code of Practice 2003. Leaving the notes in such a position means they would be visible to other staff members and patients. You must never leave patient confidential information in an unsecured area at any time.

Scenario 5:

A male patient aged 14 attends the practice and asks for a copy of his medical records.

How do you respond?

Patients under the age of 16 are entitled to see or be given a copy of their records if they have the competence to understand the nature of the request. However, they need to be deemed Gillick competent and, as such, need to be assessed by a healthcare professional before being given a copy of their notes.

Scenario 6:

You are handing over to your colleague at reception who is covering your lunch break. You tell them that earlier in the morning you were advised that a patient who had been with the practice for 55 years had passed away. You wanted to let them know as you knew they had known the patient for a long time.

Is it OK to do so?

Staff do need to know of deceased patients as this prevents unnecessary phone calls being made or letters being sent thereby causing further upset to the family of the deceased. However, staff must not talk about patients or confidential information in areas where they may be overheard.

Scenario 7:

You answer the phone, and the caller asks for the results of their latest cholesterol test.

What do you need to do?

You should ask the patient to confirm their name, address and date of birth. You can also ask them when they had the test done. Additionally, you could ask further questions to confirm the ID of the caller, such as when they were last in the practice before their blood test appointment. This helps you to ascertain whether it is the patient calling or if it is someone else. If there is any doubt, tell the caller you will ring them back.

Scenario 8:

Your practice is holding a group consultation for diabetic patients, and this is the first group consultation at your practice. The ANP calls from the meeting room upstairs and asks you to send the six patients who are waiting.

How do you do this?

All six patients would have consented to attend a group consultation but there will be other patients in the waiting room, and you need to protect the confidentiality of the patients. So, rather than saying ‘those who are here for the diabetic clinic, please proceed to the meeting room’, you could say, ‘all patients here for the group consultation, please proceed to the meeting room’.

You have called no names out nor disclosed what the group consultation is about and have therefore maintained confidentiality so far as is reasonably practicable.

Scenario 9:

You take a call from a patient who wants to confirm their appointment with the visiting mental health nurse, but it is a bad line.

What do you do?

Option A: Try to confirm the patient’s details including name, date of birth, address and who their appointment is with by repeating this information to the patient.

Option B: Advise the patient that they need to call back as you are unable to hear them.

Option B – If you were to repeat everything, all the patients in the waiting area may hear you and they would know the patient’s personal details and that they had mental health issues.

Scenario 10:

The father of an eight-year-old patient pops into the practice and asks for a copy of the child’s vaccination record as they are going travelling for a month in the summer. You know the parents are divorced and the child lives with Mum.

Can you give Dad a copy of the vaccination record?

Parents do not lose parental responsibility if they divorce or separate and you should allow both parents reasonable access to their children’s health records. The practice does not have to seek consent from the other parent, nor tell the other parent that they have received the request.

NB – Parental responsibility can be restricted by the courts.