The December 1997 Caldicott Report on the review of patient identifiable information identified weaknesses in the way parts of the NHS handled confidential patient-identifiable data.
Patient identifiable information can include:
- NHS Number
- Casenote number
- Name
- Address
- Postcode
- Date of birth
- Other dates: e.g. death, diagnosis
- Sex
- Ethnic group
- Diagnosis or treatment
One of the report's recommendations was the appointment of Caldicott Guardians, members of staff in the NHS with a responsibility to ensure patient-identifiable data is kept secure and used in accordance with the principles in the information below (these principles apply in addition to the requirements of the Data Protection Act 2018 & GDPR).
Patient identifiable information
- Justify the purpose
- Patient identifiable information
- Use of identifiable info
- Access identifiable information
Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised with continuing uses regularly reviewed by an appropriate guardian.
Patient-identifiable information items should not be used unless there is no alternative.
Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.
Only those individuals who need access to patient-identifiable information should have access to it and they should only have access to the information items that they need to see.