Caldicott Guardian Statement: CheckTick

Caldicott Guardian: [Caldicott Guardian]
Position: Director
Appointed: 8/7/2022
Last Review Date: 29/11/2025
Version: 1.0

1. Purpose

This statement outlines how CheckTick, as a provider of healthcare survey services, adheres to the Caldicott Principles to protect the confidentiality of patient and service user information.

2. Commitment to the 8 Caldicott Principles

CheckTick operates in full alignment with the 8 Caldicott Principles (National Data Guardian, 2020) to ensure that health and social care data is handled with the highest level of integrity.

| Principle | Implementation at CheckTick |
|---|---|
| 1. Justify the purpose | Every survey created on our platform must have a clearly defined clinical or research purpose. We discourage unnecessary data collection. |
| 2. Use only when necessary | We implement technical "need to know" barriers. Data is processed only when essential for the survey outcome. |
| 3. Use the minimum necessary | Our platform architecture supports data minimization, encouraging the use of anonymized or pseudonymized data sets where possible. |
| 4. Access on a need-to-know basis | We use Role-Based Access Control (RBAC). Staff access to production databases is strictly restricted and logged. |
| 5. Understand responsibilities | All staff (directors and developers) undergo annual data security training focused on the duty of confidentiality. |
| 6. Comply with the law | We maintain a Record of Processing Activities (ROPA) and follow UK GDPR and the Data Protection Act 2018. |
| 7. Duty to share (Safe sharing) | We provide secure API and export mechanisms (AES-256) to ensure data can be shared safely with authorised clinical teams. |
| 8. Inform patients/users | Transparency is maintained through our Privacy Notice and clear participant information on landing pages. |

3. The Role of the Caldicott Guardian in a Small Team

Within our 2-person organisational structure, the Caldicott Guardian acts as the independent arbiter for data confidentiality. They are responsible for:

  • Reviewing and approving Data Protection Impact Assessments (DPIAs).
  • Acting as the point of escalation for complex data sharing or confidentiality queries.
  • Ensuring that technical development (led by the CTO) remains aligned with clinical safety standards.

4. Decision Making & Audit

All decisions made by the Caldicott Guardian regarding the access or disclosure of personal data are documented in our internal compliance logs, noting the justification and the specific Caldicott Principle applied.


Approved By: [SIRO Name]
Date: 29/11/2025