Appraisals

All health and social care staff are expected to undertake an annual appraisal. This is central to revalidation for medical and nursing staff, and it should cover all aspects of your work.

In addition to supporting revalidation, the outputs from the appraisal can be used as evidence in your organisation's Data Security and Protection Toolkit return.

Caldicott Guardians should be able to provide evidence to their organisations, regulators (e.g. Care Quality Commission and the Information Commissioner's Office), and the public on:

  • how they fulfil their role

  • how effectively their organisation applies the Caldicott principles

  • how their organisation is responding to their advice

In preparing for your appraisal, you may wish to consider the following:

How does my Caldicott role add value to my organisation?

Without appropriate time and support, the Caldicott Guardian role can be perceived as a ‘tick box’ exercise to achieve compliance. But where enough time and support are provided to carry out the role effectively, there can be significant organisational benefits, including:

Improving service users’ experience: a vital aspect of the role is to know when information should be shared, taking into account the patient or service user’s condition and the effect a disclosure would have on them. Organisations should publish a privacy notice informing people how their information will be used, which the Caldicott Guardian should oversee. In addition, promoting the safe use of de-identified data for research will help future generations and medical research, as well as the targeting of services.

Improved efficiency: working more collaboratively requires information to be shared safely between organisations. By establishing an environment in which Caldicott Principle 7 is at the forefront of decision-making, the duty to share becomes the starting point and an enabler rather than a barrier to information sharing, resulting in improved efficiency and lower costs.

Improving culture: by publicising decision logs, staff are aware of what information they can share safely and know that they have the organisation’s support, for example, sharing with the police (how much do staff share?). In addition, promoting the use of privacy impact assessments and regularly updating privacy notices enables ‘privacy by design’ to be built into the organisation’s culture.

Preventing future problems: by engaging with the Board and the SIRO in reviewing ‘near misses’ in information breaches, and engaging in wider networking with Caldicott Guardians, such as regional networks, best practice can be established before its absence is identified by regulators, and potential adverse publicity and monetary penalties can be avoided.

What training and development do I need?

Although much of a Caldicott Guardian’s work involves plain common sense, there are practical and legal aspects that the Caldicott Guardian must know about or at least be aware of. Evidence of this will need to be available for appraisal. The learning and development section of the website provides guidance on the knowledge required and how to obtain it.

What support do I need?

Details of help and support available to Caldicott Guardians are provided here.

In addition, you should consider the following:

  • a deputy: a nominated individual to cover when you are absent. This might be the IG lead, but if so, they will need training to enable them to understand the specifics of this role

  • information governance/legal support: to ensure you ‘comply with the law’ and are actively involved in the investigation of breaches and near misses to improve the culture and knowledge of the organisation

  • time to do the job properly. This will depend on the size of your organisation and the scope of your role; it may be anything from one day per month to several days a week

What evidence should I provide?

An important aspect of appraisal for professional revalidation is that you can provide evidence for statements you make in the appraisal document. The following are points to consider:

  • training and development attended

  • documentation that describes the Caldicott decisions made. Note that to date, the ICO has not fined an organisation for sharing information inappropriately where relevant risks had been considered, mitigated as far as possible, and documented in a data protection impact assessment (DPIA) and/or an information sharing agreement

  • DSPT Toolkit compliance (if required)

  • number of information sharing agreements signed, their purpose, and confirmation that they have a legal basis and are in line with the ICO’s code of practice

  • attendance at strategic and steering groups where IG and Caldicott issues are discussed

  • organisational compliance with the National Data Guardian’s Review of Data Security, Consent and Opt-Outs

  • organisational position on the recommendations of the Care Quality Commission’s report Safe data, safe care, including robust mechanisms for recruitment and training of Caldicott Guardians, and clarity of accountability for all aspects of data security