Table 1

Caldicott audit points

| No. | Audit point | Audit level 0 | Audit level 1 | Audit level 2 |
|---|---|---|---|---|
| 1 | Information for patients/clients on the proposed uses of information about them | No information provided, or limited to simple posters and leaflets in waiting rooms, etc | An active information campaign is in place to promote patient understanding of NHS information requirements | An active information campaign is supported by comprehensive arrangements for patients with special/different needs |
| 2 | Staff code of conduct in respect of confidentiality | No code exists, or staff not generally aware of it | Code of conduct exists and all staff aware of it | Code regularly reviewed and updated as required |
| 3 | Staff induction procedures | No mention of confidentiality and security requirements in induction for most staff | Basic requirements outlined as part of induction process | Comprehensive awareness raising exercise undertaken and comprehension checked |
| 4 | Confidentiality and security training needs assessment | Training needs not assessed systematically for most staff | Training needs only considered as a consequence of organisational or systems changes | Systematic assessment of staff training needs and evaluation of training that has occurred |
| 5 | Training provision (confidentiality and security) | No training available to most staff | Training opportunities broadcast with take up left to line management discretion | In house training provided for staff; for example, comparable to health and safety training provision |
| 6 | Staff contracts | No reference to confidentiality requirements in staff contracts | Confidentiality requirements included in contracts for some staff | Contractual requirements included in all staff contracts |
| 7 | Contracts placed with other organisations | No confidentiality requirements included | Basic agreements of undertaking are signed by contractors | Formal contractual arrangements exist with all contractors and support organisations |
| 8 | Reviewing information flows containing patient identifiable information | Information flows have not been comprehensively mapped | Information flows have been mapped and senior management has been informed | Procedures are in place for the regular review of information flows and the justification of purposes |
| 9 | Internal information/data “ownership” established | Information/data “ownership” has not been established for all information/data sets | “Ownership” established for all information/data sets and register established | All “owners” justifying purposes and agreeing staff access restrictions with the guardian |
| 10 | Safe haven procedures in place to safeguard information flowing to and from the organisation | No safe haven procedures used | Safe haven procedures used for some information flows | Safe haven procedures in place for all patient identifiable information |
| 11 | Protocols governing the sharing of patient identifiable information with other organisations locally agreed | No locally agreed protocols in place | Partner organisations clearly identified and information requirements understood | Agreed protocols in place to govern the sharing and use of confidential information |
| 12 | Security policy document | No security policy available | Security policy exists but not reviewed within last 12 months | Security policy reviewed annually and reissued if appropriate |
| 13 | Security responsibilities | No information security officer appointed, or existing officer is not appropriately trained | An appropriately trained information security officer is in post | Responsibility for information security identified in various staff roles, coordinated by the security officer |
| 14 | Risk assessment and management | No programme of information risk management exists | A risk management programme is under way and reports are available | A formal programme exists with regular reviews, outcome reports, and recommendations provided for senior management |
| 15 | Security incidents | No incident control or investigation procedures exist | The security officer handles incidents as they arise | Procedures are documented and accessible to staff to ensure incidents are reported and investigated promptly |
| 16 | Security monitoring | No monitoring or reporting of security effectiveness or incidents takes place | Basic reporting of major incidents or problem areas only | There are regular reports made to senior management on the effectiveness of information security |
| 17 | User responsibilities | No guidance issued to staff for password management | Users encouraged to change passwords regularly, but this is at their discretion | Password changes are enforced on a regular basis |
| 18 | Controlling access to confidential patient information | Staff vigilance and/or an “honour” system control access. Some physical controls (lockable rooms, etc) may exist | Access for many staff controlled by “all or nothing” systems. Staff groups requiring access identified and agreed with the guardian | All staff have defined and documented access rights agreed by the guardian. Access is controlled, monitored and audited |