Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or confidential and includes dead as well as living people.

The review interpreted ‘personal’ as including the Data Protection Act definition of personal data, but included data relating to deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.

Examples of identifiable data are:

As per the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and defined by the Information Commissioner’s Office. Personal data means data which relate to a living individual who can be identified:

(a) From those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data is different from personal data. Sensitive personal data means personal data consisting of information as to:

(a) the racial or ethnic origin of the data subject, (b) their political opinions, (c) their religious beliefs or other beliefs of a similar nature, (d) whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) their physical or mental health or condition, (f) their sexual life, (g) the commission or alleged commission of any offence, or (h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings

Secondary care data is information we have obtained from local hospitals, other care providers and other external public sources.

Primary care data is information that is provided by your GP surgery and other community service providers.

Indirect patient care is defined by the Caldicott Review as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.

Indirect patient care is defined by the Caldicott Review as activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.

A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

A person who has expert knowledge of data protection law and practice. This person report to the highest management level of the organisation. The DPO, advice the organisation on Data Protection compliance and monitoring.

Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance.

Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.  Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.