
The Caldicott report and patient confidentiality
M A Crook

Correspondence to: Dr M A Crook, Guy’s, St Thomas’s, and University Hospital Lewisham, London SE13 6LH, UK; martin.crook{at}


An introduction for the pathologist

In 1997, the Caldicott committee presented its report on patient confidentiality.1 The impetus behind this was concern about patient information and its security.2,3 For example, there had been reports in the press that patient hospital records could be freely accessed and that patient notes had ended up lying around in village streets for all and sundry to read.

The committee came up with six main principles as follows.

  1. One should justify the purpose of holding patient information.

  2. Information on patients should only be held if absolutely necessary.

  3. Use only the minimum of information that is required.

  4. Information access should be on a strict need-to-know basis.

  5. Everyone in the organisation should be aware of their responsibilities.

  6. The organisation should understand and comply with the law.

National Health Service (NHS) organisations should have Caldicott guardians who have responsibilities to safeguard and govern the use of patient information. The guardian is usually a board-level health professional or their deputy. They should develop local protocols for information disclosure, restrict access to patient information by enforcing strict need-to-know principles, and regularly review and justify the uses of patient information.

The Caldicott committee also came up with recommendations for ensuring patient confidentiality, which are summarised in fig 1.

Figure 1: Recommendations of the Caldicott committee to ensure patient confidentiality.

“National Health Service organisations should have Caldicott guardians who have responsibilities to safeguard and govern the use of patient information”

These principles regarding patient confidentiality are also entrenched in the NHS core plan. Indeed, the NHS plan core principle 10 states that “patient confidentiality will be respected throughout the process of care”. The Data Protection Act 1998 is also relevant in this context. The aim of this act is to uphold an individual’s right to privacy with regard to the processing of personal data. There are eight main principles of this act (fig 2).

Figure 2: The eight main principles of the Data Protection Act.

Where does this lead us as pathologists? First, I suspect that patient confidentiality will feature more and more within the NHS, with the associated potential for litigation. Caldicott issues will probably be used as NHS performance indicators based partly upon the Caldicott audit returns. For example, we will need to ensure secure transmission and distribution of our patients’ data, such as accurate faxing of laboratory results to information safe havens, and use password-protected computer systems. Information technology security should comply with BS7799 and the Data Protection Act. In addition, we should take particular care of the safety of patient notes and ensure patient consent where necessary regarding confidentiality issues. The only time that patient information can be divulged to a third party is if the patient has given their properly informed consent for this to happen, or if the data are totally anonymised to prevent identification of the patient from the details given.

The General Medical Council statement on confidentiality (September 2000) also remarked that, as doctors, we hold information about patients which is private and sensitive. This information must not be given to others unless the patient consents or the disclosure can be justified. We will also need to establish training programmes about patient confidentiality for our staff and help map patient information flows, to name but a few areas. Non-consensual data sharing may be deemed contrary to medical ethics, and where possible anonymised patient data should be used.4–7

These aspects of patient confidentiality are summarised as the Caldicott audit points shown in table 1.

Table 1: Caldicott audit points

Section 60 of the Health and Social Care Act, passed by parliament in May 2001, gives the secretary of state for health the power to allow the processing of patient information for medical purposes if these purposes are in the public interest (for example, cancer registries). “Patient information” in this context means any health or medical information about the patient, whether identifiable with an individual or not. The government also agreed to the establishment of a statutory advisory committee (the patient information advisory group) to keep the provisions on confidential data and their use by the secretary of state under review.

In summary, patient information and confidentiality issues will probably gain increasing importance in the following years within the NHS. A balance between individual data privacy and useful information exchange for the benefit of society will need to be struck.8 On that note, do not forget the Caldicott principles’ mnemonic, a reminder of Dame Fiona Caldicott herself:

  • Formal justification of purpose.

  • Information transferred only when absolutely necessary.

  • Only the minimum required.

  • Need to know access controls.

  • All to understand their responsibilities.

  • Comply with and understand the law.

This may help us to focus on patient confidentiality in our clinical work, remembering that it is an important part of risk management and clinical governance.
