Welcome to the Role of the Caldicott Guardian in General Practice module produced by the Information Governance Policy Team of NHS Connecting for Health. My name is ****** and I will be taking you through the slides and helping you understand the role of the Caldicott or confidentiality lead in accordance with the guidance provided by the Department of Health This module is aimed at those who have responsibility for Caldicott or patient confidentiality issues in General Practice. If approached continuously this module should take up to *************** to complete. However, the advantage of this training package is that you can stop and pick up from where you left off at any time. This will enable you to learn at your own pace and take breaks when you need to.
In this module: I’ll briefly cover the background to the Caldicott initiative and its relationship to NHS Information Governance I’ll discuss the type of person who should ideally be allocated the role of Caldicott or confidentiality lead I’ll define the role giving a clear specification of the related responsibilities and duties. I’ll provide a brief overview of the Information Management and Technology Directed Enhanced Service, or IM&T DES for short, and the relationship with Information Governance and Information Governance Toolkit assessment. I’ll cover aspects of the National Programme for IT which may impact on the evolution of the Caldicott Lead role. I’ll also run through the additional guidance and support available to Caldicott Leads to assist them in fulfilling their role. When you have completed this, you may feel that further training is required and if so, there are some recommendations for further learning. But before we go any further, I’d like to make you aware that at the end of this session there will be an assessment to complete if you wish to obtain a certificate for completing this module, you need to pass this assessment and a certificate of achievement will be awarded to you.
The 1997 Caldicott report was the outcome of a Committee chaired by Dame Fiona Caldicott to review patient identifiable information processing. The report expressed concern about the way patient identifiable information was handled within the NHS, and in particular about the security of patient information in transit. The Caldicott Committee made 16 recommendations to improve the security and confidentiality of patient identifiable information and a process of Caldicott Management Audits was implemented in NHS organisations. One of the recommendations was for… … the establishment and appointment of the Caldicott Guardian role in each NHS organisation to safeguard access to patient identifiable information. This was mandated by a Health Service Circular: HSC 1999/012, which you can access via the link on screen. The requirements to have a Caldicott Guardian and to carry out Caldicott Management Audits was later rolled out to Councils with Social Services Responsibilities, mandated by Local Authority Circular: LAC 2002/2, which you can access via the link on screen . For a number of years, the Department of Health recommended that there should be a Caldicott lead within each Practice. This was formalised in the 2004 GMS contract, where it was specified that each Practice must have a patient confidentiality lead. The 2006 contract negotiations focussed on the IT modernisation agenda, and introduced a Directed Enhanced Service, or DES, payment to facilitate the delivery of the National Programme for IT. This made reference to an appropriately trained Caldicott ‘function’ in each Practice. Whoever is appointed as Caldicott lead in your Practice should have sufficient experience and authority to promote confidentiality policy within the Practice, and carry the confidence of their colleagues. There needs to be strong clinical input, though the lead role need not necessarily be assigned to a clinician. The Caldicott lead also needs to have protected time in order to become familiar with guidance and sources of advice. There needs to be a commitment to addressing this important agenda, and this is perhaps best signalled by regular reports at management meetings.
The key underpinning philosophy of the Caldicott Report was encapsulated in the Caldicott Principles, which require that every use or flow of confidential information is regularly justified and routinely tested against the following six principles. Firstly, the purpose for using confidential information should be justified, which means making sure there is a valid reason for using it to carry out that particular purpose. The use of confidential information must be absolutely necessary to carry out the stated purpose. If it is necessary to use confidential information, it should include only the minimum that’s needed to carry out the purpose. Before confidential information is accessed, a quick assessment should be made to determine whether it is (emphasis) actually needed for the stated purpose. If the intention is to share the information, it should only be shared with those who need it to carry out their role. Everyone should understand their responsibility for protecting information, which generally requires that training and awareness sessions are put in place. If the intention is to share the information, those people must also be made aware of their own responsibility for protecting information and they must be informed of the restrictions on further sharing. There are a range of legal obligations to consider. The key obligations for Caldicott leads are provided by the common law duty of confidentiality and under the Data Protection Act 1998. Both must be complied with to ensure that the use of confidential information for the stated purpose is lawful.
The Caldicott Lead is responsible for agreeing and reviewing policies governing the protection of patient or personally identifiable information and ensuring that all clinical and non-clinical staff understand what is required of them. They should act as the ‘conscience’ of the Practice and advise on the lawful and ethical processing of confidential information, and Help to resolve local issues impacting on the Caldicott, confidentiality and IG agenda. It is recommended that Caldicott Leads keep a record of issues of resolved Caldicott issues. This should detail the issue, decision taken, and the time and resources taken to resolve the issue. This should prove useful if a similar issue is raised in future, might usefully be shared at networking meetings with Leads from other Practices, and may provide helpful evidence when making the case for adequate time or resource to carry out the role. There is an emerging new responsibility that will most likely sit with Practice Caldicott Leads, and that is to undertake the work required to demonstrate that the Practice is working to appropriate Information Governance standards to achieve the IM&T Directed Enhanced Service, which I’ll tell you more about later in this session. Soon Practices requiring an N3 connection will have to meet certain IG standards as part of the terms and conditions under the Statement of Compliance. More about this on the next screen. It is advisable that the Caldicott Lead taps into the local PCT’s IG network and work programme, as there is potential for sharing best practice and guidance documentation and adapting them to fit the Practice setting. This will save the Lead time on producing supporting evidence for the IG Toolkit assessment. Exemplar materials are also available in the Knowledge Base Library or Guidance Sheets of the IG Toolkit website. It may even be an idea to join forces with other Caldicott Leads in General Practice and share working practices and knowledge, to improve standards across the region. This could be an addition to Practice Manager meetings for example. Also, if your Practice has a Health Informatics Service available, there may be Information Governance expertise and work groups, which the Practice could participate in and benefit from.
The Caldicott Lead may also be responsible for demonstrating to third parties that the Practice meets appropriate Information Governance standards, e.g. for the IM&T DES, of the NHS Connecting for Health Statement of Compliance. More recently, for those Practices undertaking the IM&T Directed Enhanced Service, it is mandatory to engage with the IG Toolkit assessment process. Engage, means to register the Practice with the online assessment tool, carry out a baseline self assessment to see how the Practice complies against the standards and to provide the local PCT handling IM&T DES applications with the summary report of results. However, Practices should be aware that there is NO Pass or Fail with this process. The aim is to encourage Practices in making a progressive and gradual improvement in meeting IG standards which will put them in good stead for the new way of working with the National Programme and will also enhance their current services. Additionally, all organisations, including General Practices, that request an N3 Connection are required to carry out an IG Toolkit assessment on a sub-set of the requirements. The sub-set contains standards that an organisation must attain to complete the Statement of Compliance in order to obtain or maintain a connection for NHS Connecting for Health applications. This sub set lies within requirement 118 for General Practice. Further information on the Statement of Compliance can be found on the website displayed on the screen.
As part of the changes to the GMS contract for April 2006, a directed enhanced service, or DES, was developed to facilitate the use of information management and technology (IM&T), supporting the delivery of the National Programme for IT. A key objective of this DES is to support practices in achieving accredited data quality standards that are acceptable for sharing in the NHS Care Records Service. The actual accreditation is a three-part process: Practice submission Quantitative analysis of data taken from the practice Visits to provide necessary qualitative analysis Information Governance compliance and engagement with IG Toolkit is required under Component 1 of IM&T DES process For further information on the IM&T DES please go to the link on the screen.
The NHS Information Governance Toolkit sets out a range of standards for information handling that encompass the entire IG agenda. A set of standards have been produced specifically for General Practice. These standards form the basis for Practices to assure themselves that they are handling information in accordance with the legal requirements, best practice and central guidance, for example from the Department of Health. The IG Toolkit includes guidance and resource materials, a clear framework for assurance and controls, and an on-line tool for efficient performance assessment reporting.
For General Practice, there are currently 14 standards, covering key elements of the Information Governance agenda, for example One of the requirements asks that the Practice assigns responsibility for Information Governance standards to an appropriate member or members of staff. Another requirement asks the Practice to ensure that they have a documented IG policy, which sets out how patient information will be handled in the Practice and the IG standards expected of all staff. A further requirement asks the Practice to ensure that all correspondence, faxes, email, telephone messages, transfer of patient records and other communications are conducted in a secure and confidential manner. There is a requirement for Practices to put in place robust procedures so that patients are effectively informed about how their information will be used, and any choices they may have about that use, for example, the ability to restrict sharing of the information to organisations outside of the Practice. Practices are also required to ensure that all staff handling patient information receive appropriate training, to ensure they are effectively informed of the IG standards they must comply with. A complete list of the standards can be found at the link to the IG Toolkit shown on the screen by selecting the Requirements section form the left-hand menu and clicking on General Practice
So, who can view Practice assessments? Practice staff who are authorised users can view their Practice's assessment by using their authorised organisation code, login and password. If required, additional users can be set up by the Practice. The NHS CFH IG Policy Team also have the ability to view all Practice assessments, at any stage of completion And, as work in progress, the IG Policy Team are looking to provide a facility whereby PCTs will be able to vie all the IG assessments for General Practices in their patch, using the Tracking Database. The purpose of this is to allow PCT’s to complete the sign-off process confirming that Practices have completed an IG assessment for the IM&T DES. Although not available at present, look out for updates on the IG Toolkit “What’s New” page as to when the facility will be available.
I’ll now briefly provide an overview of the National Programme for IT, referred to throughout this module, which has added further dimension to the role of Caldicott Lead. The National Programme has pulled together a series of new systems and software products which aim to introduce the NHS to a modernised electronic way of working. NHS Connecting for Health are an agency of the Department of Health responsible for the delivery of this programme. Some of the products that have been or will be implemented are: The NHS Care Records Service, this is c urrently being developed. This will be an electronic store of over 50 million health and care records which can be accessed by health professionals where and when they are needed. It will also give patients secure Internet access to their own health record. A number of Primary Care Trusts (PCTs) will be the first to adopt and create Summary Care Records as part of work to deliver the NHS Care Records Service (NHS CRS). At first, the Summary Care Record will contain basic information, such as date of birth and address and details of allergies, current prescriptions and bad reactions to medicines. Choose and Book is already in use, it allows patients, in partnership with health and care professionals, to book first outpatient appointments at the most appropriate date, time and place for them. The Electronic Prescription Service or EPS allows a patient’s prescription to be sent electronically from their GP to a Pharmacy. When fully operational patients will be able to nominate a Pharmacy for prescriptions to be sent automatically. Eventually, Pharmacies will be able to submit reimbursement claims electronically to a reimbursement authority. A new fast, broadband communications national network called N3 is already in use. It is delivered by BT and replaces the existing private NHS network, NHSnet. Many organisations are already benefiting from Picture Archiving and Communications Systems or PACS. This sys tem enables images such as X-rays and scans to be stored and sent electronically so that doctors and other health professionals can access the information with the touch of a button. Also already in place is t he Quality Management and Analysis System, known as QMAS, which is a national IT system which gives GP practices and Primary Care Trusts objective evidence and feedback on the quality of care delivered to patients. GP practices are rewarded financially according to the quality of care they provide. NHSmail is a secure national email and directory service, that has been developed specifically to meet NHS and British Medical Association requirements for clinical email between NHS organisations. As you will appreciate Information Governance is central to all of these new systems to ensure security, confidentiality, fair processing and the quality of information in the healthcare service. The Caldicott Lead therefore has a key role to play in ensuring that all the best practice, standards and principles of law mentioned in this module are applied to these new ways of working. For further information about the products and the programme see the website link displayed on this screen.
As we have almost reached the end of this module, I would like to make you aware of support and guidance that will help the you in your role. The local PCT’s IG Lead or Caldicott Guardian may be able to offer you valuable experience and guidance with the role of a Caldicott Lead and in completing the IG Toolkit assessment, as PCTs have been doing this for the last few years. You always have the option to contact the IG Helpdesk Team of NHS Connecting for Health with any queries regarding the content or practical use of the IG Toolkit. Details will appear on the next screen. The IG Policy Team’s website is also full of resources and useful information. Contact and website details on the next screen. Another port of call is the UK Council of Caldicott Guardians website, shown on the next screen. The Council is an elected body made up of Caldicott Guardians from health and social care. It was formed, in late 2004, following work carried out by Janine Brooks, Caldicott Guardian of the former NHS Information Authority. The Council’s objectives are: To be the national body for Caldicott Guardians To promote the roles and activities of Caldicott Guardians within the United Kingdom To be a forum for the exchange of information, views and experience amongst all Caldicott Guardians To seek, consider and to represent the views of Caldicott Guardians on matters of policy relating to the organisation and delivery of Information Governance To be a channel of communication upon Caldicott matters with national organisations concerned with the NHS, the independent health sector, local government and health and social care professionals To act as a resource centre, provide support and arrange learning opportunities for Caldicott Guardians, both current and of the future. For further information about the UK Council of Caldicott Guardians, you can access their website which contains minutes of past meetings, dates for future meetings and further resources.
Go to the links on the screen for further information on: The UK Council of Caldicott Guardian The NHS Connecting for Health IG Policy Team resources and services The Information Governance Toolkit And the contact details for the IG Helpdesk service.
The material in this module is based in part on the Caldicott Guardian Manual produced by the Council and the Department of Health in 2006. You can download copies of this and of the Confidentiality NHS Code of Practice and the Records Management NHS Code of Practice by clicking on the links on screen. A new addition to this series of guidance is the Information Security Management: NHS Code of Practice which is available on the DH website.
These websites link to the relevant legislation such as the Data Protection Act 1998 and the Freedom of Information Act 2000. You will find useful guidance on data protection on the Information Commissioner’s website. The Department for Constitutional Affairs has the policy lead for Freedom of Information, and advice and guidance on this area is available on their website. You can find out more about Information Governance from the Department of Health site.
Recommended further Training for Caldicott Leads would be: Relevant IG Training Tool materials such as: Introduction to Information Governance Introducing the Information Governance Toolkit Information Governance Toolkit for General Practice The Records Management: NHS Code of Practice Foundation module The Corporate Records Management module The Caldicott Guardian Guide – Protecting and sharing Information Alternatively external academic courses are available for Caldicott Leads in either Confidentiality, FOI, DPA or Caldicott Guardianship. These generally cost a fee. Where possible attend national conferences which offer further training to assist in the day to day fulfilment of the Caldicott Lead role. This module is now complete. If you would like to attain a certificate of achievement for this module please go on to complete the assessment. Read the questions carefully as there is only one correct answer to be selected for each question. If you successfully pass the assessment you will be able to obtain a certificate of achievement. Further instructions will appear on the screen. I would like to thank you for your participation and I hope you found this module useful. Finally, to help us develop our training materials further we would appreciate your feedback so please complete the evaluation form attached and return to the email address displayed on the screen
The Caldicott role in GeneralPracticeInformation Governance Policy TeamNHS Connecting for Health
Key Learning Points The background to Caldicott and how it has evolved into NHS Information Governance Who should be the Caldicott or confidentiality lead? The role of the Caldicott Lead The IM&T Directed Enhanced Service and IG Toolkit assessment The National Programme for IT Support and guidance Recommended further training
Background 1997 Caldicott Committee reported Caldicott Report Recommendations Appointment of NHS Caldicott Guardians ( HSC1999_012 Caldicott Guardians) Appointment of Social Care Caldicott Guardians (LAC(2002)2_Caldicott Guardians) The new GMS contract has sought to extend the Caldicott role into General Practice
Caldicott Principles1. Justify the purpose for using confidential information2. Only use it when absolutely necessary3. Use the minimum required4. Access should be on a strict need-to-know basis5. Everyone must understand their responsibilities6. Everyone must understand and comply with the law
The Caldicott Lead is responsible for: Agreeing and reviewing policies and ensuring the Practice satisfies the highest practical confidentiality standards Acting as the ‘conscience’ of the Practice and advising on lawful and ethical processing of information Resolving local Practice issues and ensuring a record of issues is kept Tapping into the broader Information Governance function across the PCT
The Caldicott Lead may also beresponsible for: Demonstrating to third parties that the Practice meets appropriate Information Governance standards, e.g. for the IM&T DES or the NHS CFH Statement of Compliance The IG Toolkit assessment: Mandated for General Practices involved in the IM&T Directed Enhanced Service A subset of standards for the Statement of Compliance applications for an N3 connection www.connectingforhealth.nhs.uk/soc
IM&T DES Fact sheetDirected Enhanced Service (DES) was developed to facilitate the use of information management and technology (IM&T), supporting the delivery of the National Programme for IT.A key objective of this DES is to support practices in achieving accredited data quality standards that are acceptable for sharing in the NHS Care Records Service.The actual accreditation is a three-part process:6. Practice submission7. Quantitative analysis of data taken from the practice8. Visits to provide necessary qualitative analysis Information Governance compliance and engagement with the IG Toolkit is required under component 1 of IM&T DES process See www.primis.nhs.uk/data-accreditation/ for more information
The Information Governance Toolkit#1 The NHS IG Toolkit sets out a range of standards encompassing the entire IG agenda for General Practices Basis for the Practice to assure information handling in accordance with the law, guidance and best practice. Includes guidance and resource materials, a clear framework for assurance and controls, and an on-line tool for efficient performance assessment reporting
The Information Governance Toolkit#2 14 requirements for General Practice Clear responsibility for IG standards A documented IG Policy Secure and confidential transfer of patient records Robust procedures for informing patients about how their information is used and their choices Appropriate training for all staff www.igt.connectingforhealth.nhs.uk
The Information Governance Toolkit#3Who can view the Practices assessment(s)? The Practice can view their own assessment only The NHS CFH IG Policy Team can view all Practice assessments Work in progress - Tracking Database
The National Programme for IT Modern information technology (IT) products which will give staff the information they need at the touch of a button, meaning better care for patients. NHS Connecting for Health are an agency of the Department of Health responsible for delivering NPfIT. Programme of work includes: • NHS Care Records Service • Choose and Book • Electronic Prescription Service (EPS) • National Networks for the NHS (N3) • Picture Archiving and Communications Systems (PACS) • IT Supporting GPs • NHSmail www.connectingforhealth.nhs.uk
Support and Guidance forCaldicott Leads Local PCT NHS Connecting for Health IG Policy Team The UK Council of Caldicott Guardians
Further guidance and useful linksThe UK Council of Caldicott www.connectingforhealth.nhs.uk/iGuardianNHS Connecting for Health IG www.connectingforhealth.nhs.uk/iPolicy websiteInformation Governance www.igt.connectingforhealth.nhs.uToolkit WebsiteIG Helpdesk Tel: 01392 251289 email: firstname.lastname@example.org
Further guidance and useful linksThe Caldicott Guardian www.connectingforhealth.nhs.uk/iManual 2006Confidentiality NHS Code of DH: Confidentiality NHS Code ofPracticeRecords Management NHS DH: Records Management NHSCode of PracticeSecurity Management NHS DH: Security Management NHS CCode of Practice …continued
Further guidance anduseful linksThe Data Protection Act 1998 www.opsi.gov.uk/acts/acts1998The Information Commissioner: for www.ico.gov.uk/guidance on data protectionThe Freedom of Information Act www.opsi.gov.uk/acts/acts20002000The Department for Constitutional www.foi.gov.uk/Affairs: for guidance onfreedom of informationDepartment of Health website www.dh.gov.uk/en/Home
Recommended further training for CaldicottLeads Other relevant NHS Connecting for Health ‘IG Training Tool’ modules External academic courses for Caldicott Guardians (GP specific) in either Confidentiality, FOI, DPA or Caldicott Guardianship. (these may incur a fee) Attend national conferences which offer further training to assist in the day to day fulfilment of the Caldicott Guardian role. Please send your completed evaluation form to email@example.com Click here for form:-
Assessmentselect one answer for each question.Further instructions will appear ifyou are successful or not. 1. Which of the following are one of the 16 recommendations made by the Caldicott Committee to improve security and confidentiality of patient identifiable information? • The establishment and appointment of a Freedom of Information Lead in each NHS organisation • The establishment and appointment of the Caldicott Guardian role in each NHS organisation • The establishment of a Caldicott Guardian Committee in each NHS organisation? 2. Which of the following is one of the 6 Caldicott Principles? Justify the purpose for accepting confidential information Justify the purpose for transferring information outside of the EEA (European Economic Area) Justify the purpose for using confidential information
Assessment 1. Which of these statements could be identified as part of the Caldicott Lead’s role in General Practice? Acting as the ‘conscience’ of the Practice and advising on lawful and ethical processing of information The Caldicott Lead is responsible for agreeing and reviewing policies governing the protection of all NHS information of any form. The Caldicott Lead is responsible for helping the organisation resolve local issues impacting on the Corporate and Financial agenda 2. What involvement should the Practice have with the IG Toolkit Assessment Tool when carrying out the IM&T DES process? • The Practice should complete a full assessment and have an external auditor sign off the assessment • The Practice should engage and prove engagement with the IG Toolkit assessment tool for purposes of the IM&T DES. • The Practice should only complete the requirements they feel are applicable to them and submit this to the PCT for sign off.
Assessment1. What does the abbreviation QMAS stand for? • Quantitative Management and Analysis System • Quarterly Management Analysis System • Quality Management and Analysis System2. Which of the following support and guidance documents do NOT exist? • The Caldicott Guardian Manual 2006 • The Caldicott Information: NHS Code of Practice • The UK Council of Caldicott Guardians