Origins of the role

Caldicott Guardians derive their name and inspiration from the Government Review of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, which reported in December 1997. One of its recommendations was that “a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.” The report also set out six principles for determining when confidential information might be used and when it should not. These six Caldicott Principles have since helped Caldicott Guardians to make balanced judgements for their organisations.

In 2013 Dame Fiona completed an Information Governance Review, which has come to be known as the Caldicott 2 report. It confirmed the enduring relevance of the six principles, but added a seventh which says that “the duty to share information can be as important as the duty to protect patient confidentiality.” The principles were updated in December 2020 and a new, eighth principle added to enhance public trust in the safe use of their personal information.

In 2014 Dame Fiona was appointed to be the first National Data Guardian for health and social care in England; this became a statutory role in 2018. Dame Fiona remained in post until her death in February 2021. Dr Nicola Byrne is the current post holder, having been appointed in March 2021.

NHS organisations have been required to have a Caldicott Guardian since 1999 (HSC 1999/012), and Local Authorities in England providing social care since 2002 (HSC 2002/003 LAC(2002)2). The sharing of health information to benefit service users in social care is just as important as it is in the NHS. However, although having a Caldicott Guardian became mandatory in both sectors, it was left to individual organisations to determine how the role would operate.

Although the NHS is governed separately in England and in the devolved administrations in Wales, Scotland and Northern Ireland, all four nations have chosen to have Caldicott Guardians or equivalent roles. There are some differences, however: for example, in Scotland Caldicott Guardians are only required in the NHS, and there are subtle differences in legislation and common law, although all four nations are bound by the UK Data Protection Act and the UK General Data Protection Regulation (UK GDPR).