Single Assessment Process
The Caldicott Report set out a number of general principles that health and social care organisations should use when reviewing their use of client information; these are set out below:
Principle 1: Justify the purpose(s)
Every proposed use or transfer of personally identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by the appropriate guardian.
Principle 2: Do not use personally identifiable information unless it is absolutely necessary.
Personally identifiable information items should not be used unless there is no alternative.
Principle 3: Use the minimum personally identifiable information.
Where the use of personally identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.
Principle 4: Access to personally identifiable information should be on a strict need to know basis.
Only those individuals who need access to personally identifiable information should have access to it.
Principle 5: Everyone should be aware of their responsibilities.
Action should be taken to ensure that those handling personally identifiable information are aware of their responsibilities and obligations to respect patient/client confidentiality.
Principle 6: Understand and comply with the law.
Every use of personally identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.
Principles of the Data Protection Act 1998
Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one condition in Schedule 3 is also met.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.