Caldicott Guardian Application Form

GS001-F01v1.2 – Caldicott Application Form
Caldicott Guardian Approval Application
(For patient identifiable data leaving NHS Lothian)
NB. If your study involves more than 1 Health Board in Scotland, you will need to apply for National
Caldicott Approval – contact the R&D Department for details.
You must address the 6 Caldicott Principles when submitting this request for data.
1. Project Title:
2. Name of Organisation receiving data:
3. What patient identifiable information is leaving NHS Lothian?
CHI Number
Forename
Surname
Initials
Age
Date of Birth
Gender
Address
Postcode
Other, please specify …
Yes
Yes
Yes
Yes
*Yes
*Yes
*Yes
Yes
Yes
Telephone no.
4. Purpose for which data are to be transferred and requirement to transfer identifiable
data and use each data field above:
(See Principles 1, 2 & 3 below):
5. Detail how data is being transferred:
6. Outline access to information at receiving organisation – who, where, when, how….
(See Principle 4 below):
Declaration
I agree to abide by the Caldicott Principles, NHS Lothian IT and Data Security Policy
outlined below. I confirm that the study will comply with the legal requirements and
the responsibilities and obligations to respect patient confidentiality.
Name:
Job Title:
Signature:
Date:
Once the form is complete, please email or send to:
Karen.Haggart@nhslothian.scot.nhs.uk
Karen Haggart
Research Governance Manager
Research & Development Department, Room 4F/2/070
Western General Hospital
Crewe Road South
Edinburgh
EH4 2XU
0131 537 2912
You will receive either approval, or advice on required changes, within 48 hours.
CALDICOTT PRINCIPLES
Principle 1 - Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an
organisation should be clearly defined and scrutinised, with continuing uses regularly
reviewed, by an appropriate guardian.
Principle 2 - Don't use patient-identifiable information unless it is absolutely
necessary
Patient-identifiable information items should not be included unless it is essential for the
specified purpose(s) of that flow. The need for patients to be identified should be considered
at each stage of satisfying the purpose(s).
Principle 3 - Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, the inclusion of
each individual item of information should be considered and justified so that the minimum
amount of identifiable information is transferred or accessible as is necessary for a given
function to be carried out.
Principle 4 - Access to patient-identifiable information should be on a strict need-to-know basis
Only those individuals who need access to patient-identifiable information should have
access to it, and they should only have access to the information items that they need to
see. This may mean introducing access controls or splitting information flows where one
information flow is used for several purposes.
Principle 5 - Everyone with access to patient-identifiable information should be aware
of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information - both
clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to
respect patient confidentiality.
Principle 6 - Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation
handling patient information should be responsible for ensuring that the organisation
complies with legal requirements.
NHS Lothian
Guidance to Research staff on data management best practice
Introduction
All staff employed within NHS Lothian processing personal data whilst carrying out clinical research
are required to comply with the Common Law on Confidentiality, The Data Protection Act (1998), the
Caldicott Principles and any other legislation, current guidance or good practice protocols supported
by NHS Lothian. It should be noted that this guidance applies to all data that can identify a ‘living
individual’, including ‘anonymised’ data where individuals can be identified by cross-referring to a
separately held database within the same network.
Personal (patient) data
1. All personal data must be processed in accordance with the NHS Lothian Data Protection and
eHealth Security policies.
2. All data processed during the course of a researcher’s duties remains under the ‘ownership’ of
the Data Controller. In the vast majority of cases, this will be NHS Lothian; however, there are
limited circumstances where the Data Controller will be University of Edinburgh or there may be a
Joint Data Controller arrangement. Please refer to the appended ‘Data Controller’ flowchart for
further guidance.
3. Databases containing personal data must be registered with the Data Protection Officer.
4. Regardless of who is identified as Data Controller, all personal data must be processed in
accordance with this guidance and the eight principles of the Data Protection Act 1998.
5. NHS Scotland is committed to using the CHI (Community Health Index) number on all clinical
systems as a means to link across all local and national systems. This number can only be used
as a patient identifier within the NHS and may only be shared with other agencies under strict
protocols that must be agreed in advance of any information sharing.
6. To ensure ‘fair and lawful’ processing, research subjects must be provided with a ‘privacy notice’
and given the opportunity to raise any queries as part of the consent process. The privacy notice
must include the name of the Data Controller(s), the purpose(s) for which the personal data is
going to be processed and any other information required to ensure fair processing from the
research subject’s perspective. This may include how long the data will be held, whether the
data is being shared with other organisations (and if known, to whom) and whether the data is
being transferred overseas for collaborative purposes.
7. In the instance of overseas transfer of data, the researcher must contact the NHS Lothian Data
Protection Officer for further guidance, as the receiving country must meet certain levels of
‘adequacy’. This is particularly important when transferring to non-EU countries.
8. Researchers should carefully consider the data that they hold. Identifiable data should be
adequate, relevant and not excessive (DPA Principle 3). Particular care must be taken when
analysing data to ensure that the underlying data cannot identify individuals. Best practice is to
separate the identifiable data items from the other data, and link tables (look up table) only when
absolutely necessary.
9. Where a separate database is used to identify research subjects from the remainder of the data
set, it should be held securely, and destroyed at the end of the project. The end of the project is
defined by the length of time, stated in the privacy notice, for which the data will be held. Section 33 of the Data
Protection Act enables researchers to keep personal data indefinitely, provided the data is not
used for direct healthcare purposes and any subsequent data analysis does not identify, or cause
substantial distress to, the research subject.
10. The R&D department and/or NHS Lothian Data Protection Officer will provide best practice advice
to researchers wishing to securely store paper or computerised data on completion of a research
project.
11. In the event a researcher leaves their post, they must not take any personal data collected
during their employment with NHS Lothian or University of Edinburgh to their new post without
the explicit permission of the R&D Manager.
IT Security
1. Research data must be held in a secure environment. Where practical, it should be stored on the
research server provided by NHS Lothian R&D department. Alternatively, it should be stored on
a secure network drive that requires password access and is regularly backed up.
2. Research data must never be exclusively stored on a laptop or PC hard drive. When it is not
possible for data to be saved to a secure network environment, the following procedures must be
taken:
a. The local hard disk/USB device must be suitably encrypted. Standard password protection
of software packages, i.e., Microsoft Office, does not meet the required standard.
b. Research data must be backed-up on suitable media upon completion of the data
processing.
3. Only NHS computing equipment, including PCs, laptops, PDAs and memory sticks, may be
connected to the NHS network. Researchers should be aware that the NHS networks can readily
identify non-NHS hardware and will take any breaches very seriously.
4. NHS Lothian Data can be securely accessed and processed on non-NHS computers using F5
Firepass, which connects authorised staff to the NHS Lothian network using an Internet
connection. Further guidance on use of this utility is available from the NHS Lothian IT Security
Manager.
5. Emailing of personal information via the Internet is not permitted. This includes email sent from
an NHS email account to a University email account. If a researcher wishes to send information
electronically, they should seek further guidance from the NHS Lothian IT Security Manager for
advice on suitable encryption methods and secure methods of transferring data.
For further information, or clarification on any of the above, please contact:
Karen Haggart, R&D Department: 0131 537 2912. karen.haggart@nhslothian.scot.nhs.uk
Elaine Downie, Data Protection Officer: 0131 465 5444. elaine.downie@nhslothian.scot.nhs.uk