The December 1997 Caldicott  Report on the review of patient identifiable information identified weaknesses in the way parts of the NHS handled confidential patient-identifiable data.

Patient identifiable information can include:

  • NHS Number 
  • Casenote number 
  • Name
  • Address 
  • Postcode 
  • Date of birth 
  • Other dates: e.g. death, diagnosis 
  • Sex
  • Ethnic group 
  • Diagnosis or treatment

One of the report's recommendations was the appointment of Caldicott Guardians, members of staff in the NHS with a responsibility to ensure patient-identifiable data is kept secure and used in accordance with the principles in the information below (these principles apply in addition to the requirements of the Data Protection Act 2018 & GDPR).

Patient identifiable information

Justify the purpose

Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised with continuing uses regularly reviewed by an appropriate guardian.

Patient identifiable information

Patient-identifiable information items should not be used unless there is no alternative.

Use of identifiable info

Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

Access identifiable information

Only those individuals who need access to patient-identifiable information should have access to it and they should only have access to the information items that they need to see.