Arrangements
The role of the Caldicott Guardian is evolving, particularly in light of the National Programme for IT. At the same time as the workload is increasing, the recent Training Needs Analysis and Survey for Caldicott Guardians revealed that the majority of Guardians were able to devote only half a day or less per week to their Caldicott function. Additionally, many Guardians were not supported in their Caldicott role by dedicated staff.
The IG Policy team at NHS Connecting for Health is collating evidence about Caldicott and Information Governance arrangements within organisations to determine:
- management and accountability structures.
- organisational and reporting arrangements.
- roles and responsibilities devoted to supporting Caldicott Guardians.
- whether the job role and numbers of supporting staff have an appreciable effect on IG toolkit scores.
- whether there are any "best practice" arrangements in place.
- whether PCTs are sufficiently resourced to support General Practices to migrate to the new Statement of Compliance.
It is hoped that the information will also assist organisations to review and where necessary update their own internal arrangements for supporting the Caldicott Guardian and improving Information Governance. A report will also be shared with the National IG Board so that if extra resource is allocated it can be appropriately targeted. A questionnaire is being developed, which will be posted on the IG website and advertised via the mailing list.
To kick-start the process, below are some of the arrangements within Council members' organisations.
Special health board in Scotland
An acute foundation trust
Managerial and accountability arrangements
The Caldicott Guardian is also the Trust Medical Director and lead for Information Governance. There is a full time Information Governance Manager (who is employed by the Foundation Trust but also works in an advisory capacity for the local PCTs and the Mental Health Trust).
Organisational and reporting arrangements
The Caldicott Guardian presents an Annual Report on Information Governance to the Trust Board, timed to coincide with the date for central submission of the completed annual IG toolkit assessment. The Guardian chairs bi-monthly meetings of the Trust's Information Governance Group with membership comprising managers from clinical and corporate directorates and including representatives from the IT and Computer Services Department and the Clinical Records Department as well as a representative from the Patient Advice and Liaison Service (PALS) and the Trust's Risk Manager.
Responsibilities
The Caldicott Guardian has responsibilities for the organisational aspects of the maintenance of confidentiality of patient identifiable information. In addition, wider Executive responsibilities for Information Governance including aspects of Research Governance; compliance with the Data Protection Act 1998 and the Freedom of Information Act 2000.
An acute trust
Managerial and accountability arrangements
The Caldicott Guardian is the associate medical director. The Guardian is supported by but has no managerial responsibility for the IT manager, the data quality manager, the librarian, who acts as the archivist for the Trust and the Trust Secretary, who records Information Governance Steering Group meetings.
Organisational and reporting arrangements
The Guardian has established a group called QUIP (quality of information and management) with representatives from clinical, administration and management from across the Trust. QUIP has effectively highlighted tensions and problems, as well as assisted in forwarding the Caldicott Guardian agenda. The Guardian sits on the National Programme for IT (NPfIT) steering group as Caldicott Guardian, and is closely involved with the Trust change team. The Caldicott Guardian chairs the Information Governance Steering Group, which includes two executive Trust Board members and is supported by the Trust secretarial service
Responsibilities
As Chair of the IG Steering Group, the Guardian ensures that all parties take responsibility for the IG toolkit return. The Guardian is involved in the development of information sharing agreements, the Trust's IG policy, and the rollout of National Programme products and services in the Trust. On-going work includes ensuring research and audit information requests comply with guidance and new clinical databases are secure.
A mental health trust
Managerial and accountability arrangements
The Caldicott Guardian is also the Medical Director and lead for Information Governance. There is a fulltime Information Governance Manager and two fulltime Patient Records Managers who have postgraduate qualifications including aspects of Caldicott, data protection etc. This team provide the main support to the Guardian although other experienced senior clinical staff members deal with many of the day to day questions.
Organisational and reporting arrangements
The Trust has an Information Governance Committee that reports to the Risk Committee of the Board. There is a Caldicott Group that meets quarterly and reports to the Information Governance Committee. The Caldicott Group comprises the people above, plus two associate medical directors, deputy directors of nursing, other patients' records staff, the head of IT and links staff in each area of the Trust.
Responsibilities
The Caldicott Group oversees the confidentiality and data protection action plan, addresses questions that arise in the organisation, provides advice e.g. on information sharing protocols, discusses reported information security beaches and ensures dissemination of lessons learned, and acts as an updating\ongoing development group.
A social care organisation
Managerial and accountability arrangements
The Caldicott Guardian for Social Care is also the Information Governance Manager for Adults & Older People's Services (A&OP). The Guardian has no directly managed staff but the manager of the Client Record Support Team deputises for the Guardian in his absence.
The Guardian works closely with the corporate Chief Information Officer, the corporate Data Protection Manager, Client Record Support staff for A&OP and Safeguarding Children, Quality Assurance, Performance Management staff in A&OP and the Children's Directorate. Access to legal expertise is via a lawyer from the corporate Legal Department who specialises in Data Protection and Freedom of Information.
Organisational and reporting arrangements
The Guardian provides reports to the Assistant Director of A&OP Support Services and has direct access to the Director of A&OP (Director of Social Care) and the Director of Children's Services.
The Guardian serves on a number of project boards and task groups, some in his capacity of Caldicott Guardian but mainly as the IG Manager. These boards include the Electronic Social Care Record System, Integrated Children's System, Contact Point, eCAF and eSAP. A recent proposal has been that an Information Compliance Panel is established to provide the Council with a corporate vehicle for the specific assessment of legal risks (and other risks including risk to reputation) associated with information management and processing. This will involve the Chief Information Officer, Corporate Information Security Compliance Manager, a member of legal services and the Caldicott Guardian.
Responsibilities
The Caldicott Guardian is involved in the development of information sharing procedures for adults and children's services, for criminal justice purposes and for critical incident planning. The Guardian also participates in security issues such as ensuring feedback from penetration testing is acted upon, reviewing role based access controls, establishing a registration authority and overseeing investigations into security breaches. Advice on Freedom of Information issues is also given.
A special health board in Scotland
Managerial and accountability arrangements
There is a Caldicott Guardian that oversees all divisions of the Board, and each division also has its own Guardian. The divisional Guardians meet quarterly to discuss issues and share information. Each of the divisions has a different function and therefore structures their Caldicott requirements differently. Each division also has its own Information Governance lead.
Organisational and reporting arrangements
There is an Information Governance group that has representation from Data Protection, IT security, Records Management, Freedom of Information and Caldicott. This group communicates with the Caldicott Guardians and the Information Governance leads to co-ordinate activity.
Responsibilities
The Information Governance leads are responsible for co-ordinating the Information Governance programme and the Caldicott Guardians co-operate with this.