Generated by GPT-5-mini

| Caldicott Review | |
|---|---|
| Name | Caldicott Review |
| Subject | Review of patient-identifiable information and data confidentiality |
| Date | 1997 (initial), 2013 (second), 2016 (third), 2019 (restorative updates) |
| Author | Dame Fiona Caldicott (initial) |
| Jurisdiction | United Kingdom |
| Outcome | Caldicott Principles; appointment of Caldicott Guardians; guidance on data sharing and confidentiality |
Caldicott Review
The Caldicott Review was a series of high-profile independent examinations of health and social care information governance led initially by Dame Fiona Caldicott. The reviews shaped policy across the National Health Service and influenced frameworks used by bodies such as the Department of Health and Social Care, National Data Guardian for Health and Social Care, and parliamentary committees. The work interfaced with legal instruments like the Data Protection Act 1998 and later the Data Protection Act 2018, and engaged stakeholders including the General Medical Council, British Medical Association, and Information Commissioner's Office.
The first review arose from concerns following high-profile inquiries and incidents that intersected with institutions such as NHS Trusts, the House of Commons, and the Home Office, and drew attention from figures in the Royal College of Physicians, the Royal College of General Practitioners, and the King's Fund. Dame Fiona Caldicott, then affiliated with St George's Hospital, was commissioned by ministers and senior officials at Ministry of Health level to examine the use and transfer of patient-identifiable information between organizations like Community Health Councils, Primary Care Trusts, and specialist services such as Child and Adolescent Mental Health Services and Accident and Emergency Departments. The review connected with debates in the House of Lords and allied with inquiries into clinical governance promoted by the NHS Executive and overseen by panels including representatives from the Royal College of Nursing and the British Psychological Society.
The original review produced a set of principles that became widely adopted by bodies including the NHS Confederation, the British Medical Journal, and the Health and Social Care Information Centre (later NHS Digital). Recommendations covered roles such as local Caldicott Guardian appointments (often senior clinicians or managers drawn from trusts like Guy's and St Thomas' NHS Foundation Trust or Manchester University NHS Foundation Trust), protocols for data transfer between services like pathology laboratories, maternity services, and mental health trusts, and balancing duties outlined in statutes such as the Human Rights Act 1998 and the Freedom of Information Act 2000. The guidance emphasized minimization of identifiable information, robust audit trails used by entities like Clinical Commissioning Groups and the National Institute for Health and Care Excellence, and clear governance for projects involving partners such as Local Authorities and independent providers like Bupa or Spire Healthcare.
Implementation of the principles was led through structures in NHS England, directives from the Department of Health and Social Care, and oversight by regulators including the Care Quality Commission and the Information Commissioner's Office. Organizations from tertiary centres like University College London Hospitals NHS Foundation Trust to community providers such as Blue Light Services adopted Caldicott Guardian roles and produced policies aligned with standards set by agencies including the National Data Guardian and the Health Research Authority. The reviews influenced national programmes like the Care.data initiative, electronic health record deployments at vendors akin to TPP and EMIS Health, and interoperability standards championed by bodies such as HL7 and NHSX. Internationally, the work informed debates involving the European Commission and intergovernmental forums where nations such as Canada, Australia, and New Zealand compared approaches to patient confidentiality.
A second major review in 2013 reaffirmed and updated the principles, responding to technological changes exemplified by mobile device use at trusts like Royal Free London NHS Foundation Trust and cloud services provided by multinational firms such as Microsoft and Amazon Web Services. A third review in 2016 introduced the role of the National Data Guardian for Health and Social Care and aligned guidance with the General Data Protection Regulation and later national enactments like the Data Protection Act 2018. These updates engaged stakeholders across academia (institutions such as Oxford University and Imperial College London) and policy think tanks like the Nuffield Trust and Health Foundation, and were debated in the House of Commons Health and Social Care Committee and the House of Lords Select Committee.
Critics from organizations including the Open Rights Group, research groups at universities like the University of Edinburgh, and commentators in outlets such as The Guardian and the British Medical Journal argued that the reviews were sometimes in tension with initiatives like Care.data and with commercial partnerships involving vendors akin to Palantir Technologies. Debates also intersected with litigation involving parties governed by the Information Commissioner's Office and cases adjudicated in courts such as the High Court of Justice and appellate tribunals. Concerns raised by clinicians represented by the British Medical Association and patient groups such as Mind and Age UK focused on potential barriers to research carried out under frameworks administered by the Medical Research Council and the National Institute for Health Research, while privacy advocates including Big Brother Watch warned of mission creep when large datasets were linked across institutions, for example Department for Work and Pensions records and local Clinical Commissioning Groups.