Confidentiality and Caldicott Principles
The Common Law Duty of Confidentiality and Caldicott Principles
Common law (case law) is law that has developed through the courts making decisions in cases on legal points and creating binding precedents—in contrast to statutory law, which is determined by acts of parliament. Common law may be used to fill a gap in statutory provision or to interpret what the statute might mean in particular circumstances, but there is no statutory provision which sets out a duty of confidence as such.
The legal obligation for confidentiality is one of common law, which means it will change as case law evolves. The so-called common law duty of confidentiality is complex: essentially it means that when someone shares personal information in confidence it must not be disclosed without some form of legal authority or justification. In practice this will often mean that the information cannot be disclosed without that person’s explicit consent unless there is another valid legal basis. It is irrelevant whether the individual is old or has mental health issues or indeed lacks capacity: the duty still applies.
When an individual has died, information relating to that individual remains confidential under the common law. Whilst the Data Protection Act and the UK GDPR only apply to living individuals, the Caldicott Principles (see below) also apply to records and information regarding the deceased. The Access to Health Records Act 1990 gives certain individuals formal rights to access the medical records of the deceased: there is no comparable legislation permitting access to their social care records, although the Caldicott principles may still be applied.
Common law requires there to be a lawful basis for the use or disclosure of personal information that is held in confidence, for example:
- where the individual has capacity and has given valid informed consent
- where there is a statutory basis or legal duty to disclose, e.g. by court order
- where disclosure is in the overriding public interest.
Statutory or other legal duty mandating sharing
The holder of the confidential information may have a statutory obligation to share or disclose the confidential information or the one seeking to obtain the information may have a statutory basis to demand it. For example, health protection legislation includes a requirement to notify cases of infections or contamination which could present a significant risk to human health.
The courts may issue orders that can be challenged but must generally be complied with. A range of bodies have legal authority to obtain confidential information in support of their duties and functions e.g. the Care Quality Commission.
NHS Digital collects some specific health and care data to check how the health and care service is performing and to improve everyone’s care.
Example – Legislation allowing sharing: Section 251 of the NHS Act 2006
This legislation provides the Secretary of State for Health with the authority to make regulations that set aside legal obligations of confidentiality (though not other legal requirements). Support can be granted for a specific range of activities, e.g. anonymising information, accessing records to contact people for the purposes of gaining consent for research, geographical analysis, linkage, validation and clinical audit.
Further guidance on s.251 and the application process to the Confidentiality Advisory Group (CAG) is available from the Health Research Authority (HRA). Generally, support is permissive, i.e. it allows data sharing for the particular purpose but does not mandate it. Where the Secretary of State is asked to exercise his discretion to approve the release of information, he seeks advice from the independent CAG, which is hosted by the HRA and makes decisions with respect to research. The Secretary of State will continue to make decisions in relation to all other purposes. In addition, organisations seeking information that might identify individuals for research purposes must have approval from either a local Research Ethics Committee or a multi-centre Research Ethics Committee, as appropriate. Existing regulations support work related to cancer and to public health risks and surveillance, and provide the Secretary of State with the discretion to support bodies wishing to access identifiable confidential information for other medical purposes, including medical research.
Further guidance:
- Understanding data in health and care – NHS England Digital
- Health Research Authority (HRA)
- Guidance on the research governance framework for health and social care
Legal permissions allowing sharing
Some legislation falls short of creating a duty to share confidential information or a power to collect it, though it may make it possible for organisations to share confidential information. This may be in a form that provides a legal gateway to share confidential information where this might otherwise be prevented, or it may simply set the common law obligation of confidentiality aside. Such confidential information sharing must be necessary and proportionate to the purpose.
Example – The public interest allowing the common law duty of confidentiality to be set aside
Public interest: this applies when the holder of the information believes that the public good that would be served by sharing the information outweighs both the obligation of confidentiality owed to the individual and the public good of protecting trust in a confidential service. The circumstances of each individual to whom the information relates need to be considered on a case-by-case basis. Whilst serious crimes such as murder and rape would normally justify sharing with appropriate bodies, e.g. the police, other areas may require professional experience and judgement. There may be circumstances where sharing of limited information might be proportionate to the seriousness of the issue.
The Caldicott Principles are eight principles to ensure people’s information is kept confidential and used appropriately.
The principles are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and would expect that it will be kept private. This may include for instance, details about symptoms, diagnosis, treatment, names and addresses.
They are primarily intended to guide organisations and their staff, but it should be remembered that patients, service users and/or their representatives should be included as active partners in the use of confidential information.
Where a novel and/or difficult judgment or decision is required, it is advisable to involve a Caldicott Guardian.
Principle 1: Justify the purpose(s) for using confidential information
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
Principle 2: Use confidential information only when it is necessary
Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.
Principle 3: Use the minimum necessary confidential information
Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.
Principle 4: Access to confidential information should be on a strict need-to-know basis
Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.
Principle 5: Everyone with access to confidential information should be aware of their responsibilities
Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.
Principle 6: Comply with the law
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.
Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Principle 8: Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.