| No. | Area | Lowest standard | Intermediate standard | Highest standard |
|---|---|---|---|---|
| 1 | Information for patients/clients on the proposed uses of information about them | No information provided, or limited to simple posters and leaflets in waiting rooms, etc. | An active information campaign is in place to promote patient understanding of NHS information requirements | An active information campaign is supported by comprehensive arrangements for patients with special/different needs |
| 2 | Staff code of conduct in respect of confidentiality | No code exists, or staff not generally aware of it | Code of conduct exists and all staff are aware of it | Code regularly reviewed and updated as required |
| 3 | Staff induction procedures | No mention of confidentiality and security requirements in induction for most staff | Basic requirements outlined as part of the induction process | Comprehensive awareness-raising exercise undertaken and comprehension checked |
| 4 | Confidentiality and security training needs assessment | Training needs not assessed systematically for most staff | Training needs only considered as a consequence of organisational or systems changes | Systematic assessment of staff training needs and evaluation of training that has occurred |
| 5 | Training provision (confidentiality and security) | No training available to most staff | Training opportunities broadcast, with take-up left to line management discretion | In-house training provided for staff; for example, comparable to health and safety training provision |
| 6 | Staff contracts | No reference to confidentiality requirements in staff contracts | Confidentiality requirements included in contracts for some staff | Contractual requirements included in all staff contracts |
| 7 | Contracts placed with other organisations | No confidentiality requirements included | Basic agreements of undertaking are signed by contractors | Formal contractual arrangements exist with all contractors and support organisations |
| 8 | Reviewing information flows containing patient identifiable information | Information flows have not been comprehensively mapped | Information flows have been mapped and senior management has been informed | Procedures are in place for the regular review of information flows and the justification of purposes |
| 9 | Internal information/data “ownership” established | Information/data “ownership” has not been established for all information/data sets | “Ownership” established for all information/data sets and a register established | All “owners” justify purposes and agree staff access restrictions with the guardian |
| 10 | Safe haven procedures in place to safeguard information flowing to and from the organisation | No safe haven procedures used | Safe haven procedures used for some information flows | Safe haven procedures in place for all patient identifiable information |
| 11 | Protocols governing the sharing of patient identifiable information with other organisations locally agreed | No locally agreed protocols in place | Partner organisations clearly identified and information requirements understood | Agreed protocols in place to govern the sharing and use of confidential information |
| 12 | Security policy document | No security policy available | Security policy exists but not reviewed within the last 12 months | Security policy reviewed annually and reissued if appropriate |
| 13 | Security responsibilities | No information security officer appointed, or existing officer is not appropriately trained | An appropriately trained information security officer is in post | Responsibility for information security identified in various staff roles, coordinated by the security officer |
| 14 | Risk assessment and management | No programme of information risk management exists | A risk management programme is under way and reports are available | A formal programme exists with regular reviews, outcome reports, and recommendations provided for senior management |
| 15 | Security incidents | No incident control or investigation procedures exist | The security officer handles incidents as they arise | Procedures are documented and accessible to staff to ensure incidents are reported and investigated promptly |
| 16 | Security monitoring | No monitoring or reporting of security effectiveness or incidents takes place | Basic reporting of major incidents or problem areas only | Regular reports are made to senior management on the effectiveness of information security |
| 17 | User responsibilities | No guidance issued to staff for password management | Users encouraged to change passwords regularly, but this is at their discretion | Password changes are enforced on a regular basis |
| 18 | Controlling access to confidential patient information | Staff vigilance and/or an “honour” system control access. Some physical controls (lockable rooms, etc.) may exist | Access for many staff controlled by “all or nothing” systems. Staff groups requiring access identified and agreed with the guardian | All staff have defined and documented access rights agreed by the guardian. Access is controlled, monitored and audited |