NHSScotland Caldicott Guardians: Principles into Practice

Foundation manual for NHS Scotland Caldicott Guardians

4. Legislation, Codes of Practice and Protocols

4.1 Caldicott Guardians and those who work closely with them in this dynamic area were not established by a specific Act of Parliament and so have no directly related legal basis for their functions. They do however have a complex framework of legislation, non-statutory Codes of Practice and Protocols which are the supporting mechanisms for everything they do. In this section of the Manual we identify the most important of these and explain in broad terms the duties and obligations they place on individuals and organisations working in or in partnership with the NHS who may have access to the patient record. Where more detailed explanations are given later in this Manual and on the associated website, references have been summarised or have not been included here in their entirety to reduce repetition.

4.2 Many of the benchmarks we talk about in this Manual have a basis in Administrative Law which governs the actions of public authorities. From well-established precedents we know that a public authority cannot do what it intends to do (its public task) unless it has the power to do so. If it does not have the necessary power and acts without it, it is acting outside the law i.e. ultra vires. Even where the powers are thought to exist, a public authority must exercise those powers for the purpose for which they were created or for purposes which are 'reasonably incidental' to the defined purpose.

4.3 These powers do not usually specify the role of the public authority in relation to the disclosure of information. It has therefore become common practice to introduce statutory gateways which deal with this lack of function of which the Data Protection Act 1998 is a good example. In the context of healthcare there is a specific medical purposes condition under Schedule 3 of the Data Protection Act which means that in most cases, where the processing of health information relates to medical and care purposes, explicit patient consent does not have to be obtained.

Where disclosure of patient-identifiable information is not specifically allowed under primary or administrative law then the Common Law Duty of Confidentiality applies.

4.4 Common Law is the law of precedent. It is not written down and relies on the application of the findings in previous Court cases decided by sheriffs/judges.

The Common Law Duty of Confidentiality therefore means that it has been established that, when there is an expectation of confidentiality between two parties (in this case the Health Professional and the Patient), that confidence will not generally be broken without the explicit consent of the patient. In practice all patient information, whether held on paper, computer, video or audio tape, or even when it is simply held in the memory of a Health Professional, must not normally be disclosed to a third party without the consent of the patient.

This duty applies regardless of age, mental health or capacity.

There are however four sets of circumstances in which the disclosure of confidential information to a third party is lawful:

  • where the patient has given consent
  • where disclosure is in the overriding public interest
  • where there is a legal duty to disclose for example by court order
  • where there is a statutory basis which permits disclosure


Health Professionals are usually aware of their duty of confidentiality in relation to one-to-one consultations and written health records, but the duty applies equally to spoken consultations: curtains are not sound-proof and other patients or staff are likely to overhear.

The Caldicott Guardian must make sure that colleagues are aware of the need to comply with the common law duty of confidentiality at all times and not just in relation to formal records. On the other hand there will be circumstances where information relating to a patient or patients should and can be released without breaching these principles. It is perfectly acceptable to include patient data which has been anonymised or depersonalised to support research projects or to answer requests for information - the concept of confidentiality of patient identifiable information should not be confused with the use and application of patient data which is not individually identifiable.

4.5 Disclosure in the Public Interest

An American citizen was found to have contracted TB just prior to coming to Europe for his honeymoon. He was strongly advised not to travel but decided to do so, flying first to England and then onto Italy.

Public Health Authorities only discovered what had happened after he had left the United States. They alerted their colleagues in England and Italy and it was decided to publish details of the individual because of the very real danger to the health of a large number of people as this person travelled around, particularly since he was known to be using airlines.

The circumstances in this case are exceptional but it is the exception which proves the rule. There will occasionally be times when the balance of the public interest demands a breach of confidentiality in the 'interest of the greater good'.

Clearly there will be circumstances in which it will not be possible or appropriate to obtain or rely on the consent of the patient. Where this is not possible an organisation may be able to rely on disclosure being in the overriding public interest. Here a judgement needs to be made between the rights of the patient, in the interest of providing appropriate care, the public interest in maintaining trust in a confidential service, and any overriding public interest in disclosure.

The public interest in maintaining trust in a confidential service is a very important principle and should only be breached in exceptional circumstances. Applying the public interest test is not about considering what the public are interested in but about 'the greater good', taking the course of action which is believed to be the least dangerous. Any decision to disclose information without consent must always be capable of a robust defence, must be justified on a case-by-case basis and must be fully documented.

If there is any concern at all that such disclosure might be unjustified then disclosure should be refused and the applicant referred to legal remedies which will include application to a Court. Far better to take this course of action than to disclose and realise later that a mistake has been made - once information has been disclosed there is no opportunity to get it back again!

If a disclosure is made which is not permitted by Statute, Common Law or approved process, the patient can bring a legal action against both the organisation and the individual concerned.

Any legal proceedings notified to public authorities relating to a request for patient-identifiable information should be urgently referred to legal advisers so that the interests of the public authority and, separately if appropriate, the patient, may be represented in any proceedings.

4.6 Disclosure by Court Order

The case of R (TB) v Stafford Crown Court and others was about a patient's clinical records and whether an NHS hospital trust should disclose them for the purpose of criminal proceedings. The Court held that where a disclosure application is made, the patient should herself be invited to respond to it.

The patient, a 14 year old girl referred to as 'TB', was a witness at the trial of a man charged with various sexual offences. The man, W, wanted to see her medical records in order to look for information that might undermine her credibility. He was allowed to do so following a hearing of which TB was unaware and at which she was not represented.

The Divisional Court said TB should have been notified of the original disclosure hearing so that she could object to disclosure of her records; the judge had failed to take into account TB's Article 8 ECHR right to confidentiality. It was unreasonable to leave it to the NHS trust to present her arguments to court.

4.7 Research and Audit

Wherever possible patient-identifiable information should not be used for such purposes, which would not therefore normally involve the disclosure of patient-identifiable information. Research Ethics Committees now routinely require patient information to be anonymised or pseudonymised. However, particular care should be taken with 'small number data', where even with anonymisation or depersonalisation it may still be possible to identify the patient. Further guidance relating to 'small number data' is available from the Office for National Statistics. The ISD Statistical Disclosure Protocol provides information regarding assessing and mitigating the risk of identifying individuals in statistical publications.

Exceptionally it is necessary to use patient-identifiable or potentially identifiable information, and responsibility for decisions regarding the appropriate use of such information lies with the data controller and their Caldicott Guardians. Scotland has no law defining acceptable purposes in these situations. The current approach is informed by 'Protecting Patient Confidentiality', the Report of the Confidentiality and Security Advisory Group 2002. In England acceptable purposes are defined in Section 251 of the NHS Act 2006 and advice on each case is provided to the relevant data controllers by the Ethics and Confidentiality Committee of the National Information Governance Board.

Currently there is no standard source of advice or procedure to assist data controllers in decisions regarding the use of information throughout Scotland. The NSS Privacy Advisory Committee advises NHS National Services Scotland regarding appropriate use of the national datasets. Researchers wishing to use these datasets apply to the Committee. Researchers who wish to use datasets controlled in other boards apply to each Caldicott Guardian individually where local procedures will apply.

Each NHS Board sets a programme of prioritised clinical audit for the year. The Clinical Governance Committee approves and monitors achievement of the clinical audit programme. Progress against the audit programme will also be used as an indicator of performance and as a basis for external monitoring/assessment.

Clinical audit is an ongoing cycle of continuous improvement. As a tool it suggests a number of questions about practice to help reflect, review and act to resolve problems and make changes to improve patient care. Clinical audit is often represented as an audit cycle or spiral.

[Figure: the audit cycle or spiral]

Clinical audit is used to compare current practice with evidence of good practice. It can be used to make changes that improve the delivery of care. It can:

  • Provide evidence of current practice against national SIGN guidelines or NHS Quality Improvement Scotland (NHSQIS) standards
  • Provide information about the structures, the processes or outcomes of a healthcare service
  • Assess how closely local practice resembles recommended practice
  • Check "Are we actually doing what we think we are doing?"
  • Provide evidence about the quality of care in a service to establish confidence amongst all of its stakeholders - staff, patients, carers, managers.

Clinical audit happens at different levels within an organisation. Audits can:

  • Identify major risk, resource and service development implications in an NHS Board
  • Reinforce implementation of evidence-based practice
  • Influence improvements to individual patient care
  • Provide assurance on the quality of care.

4.8. The NHS Code of Practice on Protecting Confidentiality: At a time when the emphasis is on sharing information, the Caldicott Guardian will need to ensure patients understand in what circumstances information is shared and where specific and informed consent will be sought. This is of great importance and in Scotland guidance has been made available to all those dealing with confidentiality through the NHS Code of Practice on Protecting Confidentiality.

4.9. This Code of Practice recognises that while the provision and development of ever better healthcare is reliant on full, clear and accurate records, there will also be an ever-increasing requirement to share information. It reinforces the need for patients to be informed of the extent to which and with whom their information is being shared, their right to exercise choice over whether to give consent, and the importance of restricting such sharing of confidential information to those directly involved in their care.

This Code of Practice sets out four main requirements which must be met:

  • Look after a patient's information
  • Allow individuals to decide, where appropriate, whether their information can be disclosed or used in particular ways.
  • Always look for better ways to protect, inform and provide choice.
  • Ensure that patients are aware of how their information will be used.

4.10. The Data Protection Act 1998

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.

4.10.1 What are personal data?

The Data Protection Act (DPA) 1998 relates to personal data, which is defined as data that relates to a living individual from which that individual could be identified either from that data alone or from that data in conjunction with other information in the possession of the Data Controller or information which would be reasonably accessible to anyone else.

Personal data includes such information as an individual's name, address, age, race, religion, gender and information relating to the individual's physical or mental health. The definition of personal data also includes expressions of opinions about individuals and indications of the intentions of persons in relation to individuals.

4.10.2 Overview

The Data Protection Act sets out a number of conditions which must be met before data can be processed. These are set out in Schedules 2 and 3 of the Act. To process any personal data a condition in Schedule 2 of the DPA needs to be met.

The Act goes further, identifying certain kinds of data as Sensitive Personal Data, which includes Health Records, and introduces additional conditions for processing such data. These are set out in Schedule 3 of the DPA and the Data Protection (Processing of Sensitive Personal Data) Order 2000.

The Schedules and Order, which set out the conditions that must be satisfied before processing of the data can take place, can be found under the Legislation section of the website.

4.10.3 The Data Controller

The Data Controller is the person who determines how and why personal information is processed. This is an organisational function but in practice the responsibility will lie with the Chief Executive, or with a GP, dentist, optician or pharmacist, who acts on behalf of the organisation. Further detail is available on the associated website.

It is an offence under the Data Protection Act to process personal data (including patient-identifiable data) in any way until you have completed a Notification to the Information Commissioner. Notifications to the Information Commissioner form part of the Public Register of Data Controllers, which is accessible via the Commissioner's website.

4.10.4 Eight Principles underpin compliance with the Data Protection Act 1998

  1. Personal data must be processed fairly and lawfully.
  2. Personal data must be obtained only for one or more specified and lawful purposes and must not be further processed in any manner incompatible with those purposes.
  3. Personal data must be adequate, relevant and not excessive.
  4. Personal data must be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

These principles promote openness and fairness in the processing of personal information and they of course apply to patient-identifiable information.

4.10.5 Rights of the Data Subject

The Data Protection Act 1998 also grants rights to an individual in respect of information held about them by others. These are:

  1. the right of subject access - individuals can ask for information held about them and find out how information may be used and the likely recipients of such information
  2. the right to prevent processing likely to cause unwarranted, substantial damage or distress
  3. the right to prevent processing for the purposes of direct marketing
  4. rights in relation to automated decision making
  5. the right to take action to rectify, block, erase or destroy inaccurate personal information
  6. the right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Data Protection Act 1998 has been contravened.

4.11 Health Rights Information Scotland - Public Information Leaflets

Health Rights Information Scotland (HRIS) is funded by the Scottish Government Health Directorates to produce information for patients in Scotland about their rights and responsibilities when using the NHS.

HRIS has produced a set of core NHSS leaflets on rights and responsibilities when using the NHS.

There are separate versions of the leaflets for children and young people.

Information is also available relating to the emergency care summary.

All of the information is produced by consulting with stakeholders, including the public, to make sure that it is as useful and usable as possible. The leaflets are also available in a variety of languages and formats and can be viewed online.

4.12 If such information is being processed, as in a health record, the individual has the right to:

  • be given a description of the information being processed
  • be told the purposes for which the information is being processed
  • be told those to whom such information has been or may be disclosed.

4.13 The individual also has the right to:

  • have communicated to them the personal information held about them
  • have communicated to them any information available to the Data Controller about the source of the information
  • be informed by the Data Controller of the criteria built into any automated decision-making processes which use personal information.

4.14 Fees under the Data Protection Act

Under the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000, made under the Data Protection Act 1998, an individual can be charged to view their health records, or to be provided with a copy of them.

[Table: maximum fees by record type. Columns: Record Type; Max Fee. Rows: View Only (< 40 days; > 40 days); All Electronic; Part Electronic and other media (Core Notes inc X-Rays); All paper (Core Notes inc X-Rays). The fee values did not survive extraction.]

A statutory time limit is imposed by the Act: in most cases requests for access to health records must be completed within 40 calendar days.

It is essential that before personal information is disclosed in response to a subject access request all possible avenues are explored to ensure that no other prohibition applies. Among these might be orders under section 30 of the Data Protection Act 1998, under which subject access to information relating to some health, education and social work records may be restricted or denied by Subject Access Modification Orders. There will also be circumstances where information has been provided with expectations of confidence by other third parties. In such circumstances and if appropriate the view of the third party involved should be sought and considered before any such information is disclosed. There is often confusion between patient-identifiable information relevant to the health record and other information which does not constitute personal data, whether of the applicant or a third party, under the Data Protection Act 1998; in such cases the information is not personal information and is not covered by a request.

Issues of Consent

The National Creutzfeldt-Jakob Disease (CJD) Surveillance Unit and London School of Hygiene and Tropical Medicine embarked on a study to determine the risk factors for CJD. Following Research Ethics Committee (REC) approval, GPs were asked to contact relatives of both CJD sufferers and healthy controls (of a similar age and sex to those with CJD) to ask for their consent to be contacted by the Surveillance Unit. Three quarters of the GPs asked declined to participate; moreover, only 16% of the controls contacted by their GPs agreed to be interviewed.

This low response may compromise the validity of this study using this control group. The researchers were unable to get REC approval to telephone non-responders as it was considered a breach of patient confidentiality.


4.15 Organisations cannot comply with the requirements of the Data Protection Act without having supporting policies and processes in place. These policies, which should be part of the Information Management Strategy, should:

  • define all information covered by the DPA
  • list all the DPA principles
  • outline the organisational policy for holding, obtaining, sharing, recording, using and storing personal or sensitive data
  • provide guidance on the acceptable use of such information
  • describe corporate and personal responsibility.

4.16 Access to Health Records Act 1990 - deceased patients

Only a small part of this legislation now remains after the implementation of the Data Protection Act 1998. It governs access to the medical records of deceased persons.

The duty of confidentiality remains after a patient has died.

Under the Access to Health Records Act 1990, the personal representative of the deceased and people who may have a claim arising from the patient's death are permitted access to the records. This applies to information provided after November 1991 and disclosure should be limited to that which is relevant to the claim in question.

4.17 Even where these tests are met this legislation does not grant a general right of access and there are circumstances which could limit disclosure:

  • if there is evidence that the deceased did not wish for any part of their information to be disclosed
  • if the disclosure would cause serious harm to the physical or mental health of any person
  • if disclosure would identify a third party.

See the linked guidance for further detail: Access to Health Records Act 1990 - deceased patients.

4.18 The Freedom of Information (Scotland) Act 2002

The Freedom of Information (Scotland) Act 2002 (FOISA) came into force on 1 Jan 2005. The main features of the Act are:

  • a general right of access for anyone, from anywhere in the world, to recorded information of any age held by a wide range of bodies across the public sector in Scotland, subject to certain conditions and exemptions;
  • in relation to most exempt information, the information should only be withheld if the public interest in withholding it is greater than the public interest in releasing it;
  • the creation of the office of Scottish Information Commissioner (the Commissioner), with wide powers to promote good practice and to enforce the rights created in the Act;
  • a duty on each Scottish public authority to adopt and maintain a publication scheme, approved by the Scottish Information Commissioner. Publication schemes must specify the classes and manner in which information is, or is intended to be, published, together with an indication of whether the information will be available free of charge or on payment of a fee;
  • a duty on the Scottish Ministers to issue Codes of Practice containing guidance on specific issues, e.g. general duties and records management (under sections 60 and 61 of the Act).

All requests for information to public authorities are requests under the Freedom of Information (Scotland) Act 2002 if they are in writing, there is a name and a contact address (an email address is sufficient) for response, and it is possible, broadly speaking, to understand what information is being requested.

The FOISA also imposes a statutory time limit within which requests must be dealt with (20 working days), and an upper limit applies to disproportionate costs for retrieving and collating information.

There is a strong interface with the DPA and with all other legislation which prohibits or limits the disclosure of personal information in any way.

4.19 If a request is for the Health Record of the patient themselves, the FOISA takes us along a pathway to DPA, Subject Access Requests and the process for dealing with requests from individuals asking about themselves. However, the FOISA also tells us what to do about requests for personal identifiable information from third parties i.e. not from the subject themselves. We should still apply the principles of the DPA as the criteria on which decisions are made.

4.20 It is necessary for all organisations to have specific policies that ensure compliance with the Freedom of Information (Scotland) Act 2002. These should be statements of the organisation's principles and mechanisms which the organisation has adopted. Detailed guidance for staff should be posted on the organisation's intranet and leaflets made available for patients and staff.

4.21 Applicants for information under both the Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002 have the opportunity to complain if they feel that either Act has not been complied with by an NHS organisation. Complaints under the Data Protection Act can be taken through the NHS complaints procedure. FOISA complaints go through a review process.

4.22 The Human Rights Act 1998

The rights of data subjects are often discussed in the context of the Human Rights Act 1998 (HRA). Article 8 of the HRA establishes a right to 'private and family life'. This principle goes hand-in-hand with the Common Law Duty of Confidentiality and the importance of protecting the privacy of individuals and the confidentiality of their health and social care records. However, it is not the case that the Human Rights Act confers unlimited privacy. It is recognised that there are specified grounds on which it may be legitimate for authorities to limit or supersede those rights. It is generally accepted that compliance with the Data Protection Act 1998 and the common law duty of confidentiality will satisfy the requirements of the Human Rights Act 1998.

4.23 An important principle associated with the interpretation of the HRA when considering disclosure of confidential information is that of proportionality. Any proposal to waive the obligations of confidentiality by the application of legislation must:

  • pursue a legitimate aim
  • be considered necessary in a democratic society
  • be proportionate to a specified need.

Any activity which interferes with the right to respect for private and family life by, for example, disclosing confidential information, must also be justified as being necessary to support legitimate aims and be proportionate to need.

Any action against a public authority alleging a breach of the HRA will require the public authority to demonstrate that in making the decision it was aware of and gave due consideration to the rights granted by the Act and that the reasons for setting these aside were justified.

4.24 In order to demonstrate that to be the case, any decision to interfere with the provisions of the HRA must be subject to a specific Test of Proportionality which balances the right of the individual to respect for their privacy with other important considerations such as the prevention and detection of crime or protecting others from harm. In this the demands of the HRA are closely associated with the Principles of the Data Protection Act.

4.25 These are the most significant of the Acts and Codes directly involved in the protection of patient-identifiable information. There are others which only assume importance in particular circumstances in which the Caldicott Guardian may occasionally be called upon to offer advice.

4.26 The Human Fertilisation and Embryology Act 1990, as amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992.

Further amendments to this legislation were introduced in 2008 following a review and consultation but these are unlikely to affect the disclosure of information. One of the most important tenets remaining is that this Act is retrospective and applies to information created both before and after the Act was passed.

The 2008 Act mainly amends the Human Fertilisation and Embryology Act 1990. Key provisions of the 2008 Act are to:

  • ensure that all human embryos outside the body - whatever the process used in their creation - are subject to regulation.
  • ensure regulation of "human-admixed" embryos created from a combination of human and animal genetic material for research.
  • ban sex selection of offspring for non-medical reasons. This puts into statute a ban on non-medical sex selection currently in place as a matter of HFEA policy. Sex selection is allowed for medical reasons - for example to avoid a serious disease that affects only boys.
  • recognise same-sex couples as legal parents of children conceived through the use of donated sperm, eggs or embryos. These provisions enable, for example, the civil partner of a woman who carries a child via IVF to be recognised as the child's legal parent.
  • retain a duty to take account of the welfare of the child in providing fertility treatment, but replace the reference to "the need for a father" with "the need for supportive parenting" - hence valuing the role of all parents.
  • alter the restrictions on the use of HFEA-collected data to help enable follow-up research of infertility treatment.

In general terms the Act prohibits disclosure of information by current and former members of the Authority and employees relating to entries in the Register of the Authority or any information obtained with an expectation of confidentiality. A further Regulation, The Human Fertilisation and Embryology Authority (Disclosure of Donor Information) Regulations 2004 (SI 1511), limits the information which will be provided by the Authority to persons who have attained the age of 18 and who may have been born in consequence of treatment services under the Act.

4.27 The Law and Information Sharing

We have thus far largely concentrated on legislation and Codes of Practice which prohibit or limit access to patient identifiable information. However there are also important legislative mechanisms which lay out conditions which state where information should be shared. More information about these and other mechanisms can be accessed via the Caldicott website. For reference purposes, we have included the most important here:

4.28 The Abortion Regulations 1991 provide a statutory gateway for disclosure of certificates of opinion to the Chief Medical Officer as required by the Abortion Act 1967.

4.29 Multi Agency Public Protection Arrangements (MAPPAs). The Management of Offenders (Scotland) Act 2005 required the police, local authorities and the Scottish Prison Service (known as the 'Responsible Authorities') to jointly establish arrangements for the assessment and management of risk posed by sex offenders and violent offenders. In practice this will be undertaken by the establishment across Scotland of 'Multi Agency Public Protection Arrangements' or MAPPAs. As well as having implications for the responsible authorities (which include health boards in the case of mentally disordered offenders), the MAPPAs have an impact on, and impose requirements for, agencies who have a 'Duty to Co-operate' under the 2005 Act.

4.30 The Public Health (Scotland) Act 2008 updates the law on public health, enabling Scottish Ministers, health boards and local authorities to better protect public health in Scotland. It will also assist Scottish Ministers to meet their obligations under the International Health Regulations. The Act also makes provision relating to the use, sale or hire of sunbeds, clarifies statutory responsibility for the provision of mortuaries and post mortem facilities and amends the law on statutory nuisances.

4.31 The Gender Recognition (Disclosure of Information) Scotland Order 2005 is gateway legislation which allows disclosure of information to a health professional which is otherwise prohibited by the Gender Recognition Act 2004.

4.32 The Road Traffic Acts (RTAs) also make provision for the disclosure of information by NHS bodies to enable the recovery of any costs of treatment. RTAs also require the NHS to provide any information which it is in their power to give and which may lead to the identification of a driver who has committed an offence under the Acts.

Only the most important legislation has been dealt with in detail here but links are available on the website to other legislation which has some interface with the protection or disclosure of patient-identifiable information.

4.33 Gun and Knife Wounds raise issues that warrant special consideration with regard to the sharing of information with the police. The General Medical Council (GMC) requires doctors to inform the police or social services whenever they treat a patient who is a victim of gun or knife crime, particularly those under 18. Guidance is available from the GMC and also the BMA.
