Further help and guidance

Supporting organisations


United Kingdom Caldicott Guardian Council (UKCGC)

The UKCGC is the national body for Caldicott Guardians, providing best practice, advice and guidance, and a benchmark for all Caldicott Guardians. The Council will also support all professionals across health and care organisations who have a responsibility to implement and uphold the Caldicott principles. It is an independent council, and a sub-group of the National Data Guardian's Panel.

Office of the National Data Guardian

The National Data Guardian for Health and Social Care (NDG) is an independent expert who advises and challenges the health and care system to help ensure that citizens' confidential information is safeguarded securely and used properly.

Dr Nicola Byrne is the current National Data Guardian. Her role is to help ensure that the public can trust their confidential information is being securely managed, and to make sure that it is used to support citizens' care and to achieve better outcomes from health and care services.

The National Data Guardian was placed on a statutory footing by the Health and Social Care (National Data Guardian) Act 2018.

NHS England information governance guidance

NHS England provides an Information Governance (IG) Portal on behalf of the Health and Care Information Governance Panel. Its aim is to simplify information governance, ensuring that it is accessible and relevant.

The online portal showcases IG advice not only for IG professionals but also for patients, service users and health and care staff. You can sign up to the IG newsletter to receive updates on the Portal by emailing england.IGpolicyteam@nhs.net.

National SIGN and local IG networks

The National SIGN brings together the chairs of a network of independent, regional, and sectoral information governance groups from across England. The individual groups provide information governance and data protection professionals working in health and care access to peer support, networking and best practice advice and guidance. Issues identified locally are frequently escalated to the National SIGN, which works with central agencies, providing feedback on the impact of current issues and helping to influence the structure of their formal advice and guidance.

List of local SIGN/IG group representatives

Professional guidance


General Medical Council – Confidentiality guidance

Confidentiality: good practice in handling patient information sets out the principles of confidentiality and respect for patients' privacy that doctors are expected to understand and follow. Caldicott Guardians often get asked about the difference between maintaining confidentiality and the duty to share.

Nursing and Midwifery Council (NMC)

The NMC provides guidance on safeguarding, confidentiality, and sharing information with other healthcare professionals.

Health and Care Professions Council (HCPC)

The HCPC regulates health, psychological and social work professionals. Its guidance on confidentiality describes how it expects its registrants to meet its standards when handling information about patients and service users.

The Professional Standards Authority

The Professional Standards Authority for Health and Social Care's policy work covers a broad range of issues across the regulation of health and social care professions. It provides advice on particular problems and identifies issues through its work with the professional regulators and accredited registers.

Other organisations


NHS England

NHS England took over NHS Digital’s role as the national provider of information, data and IT systems for health and care services in February 2023.

Information Commissioner's Office

The Information Commissioner's Office (ICO) is "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals". It provides a plethora of information and guidance, including model privacy impact assessments and fair processing notices.

Care Quality Commission (CQC)

The Care Quality Commission states on its website: "We monitor, inspect and regulate health and social care services. We publish what we find, including ratings to help people choose care". The CQC also has responsibility for monitoring data security and information governance in the organisations it regulates.

Regulation and Quality Improvement Authority

The Northern Ireland counterpart to the Care Quality Commission.

UK Health Security Agency (UKHSA)

The UK Health Security Agency (UKHSA) is responsible for protecting every member of every community from the impact of infectious diseases, chemical, biological, radiological, and nuclear incidents, and other health threats.

It provides intellectual, scientific, and operational leadership at national and local level, as well as on the global stage, to make the nation’s health secure.

UKHSA is an executive agency of the Department of Health and Social Care.

Health Research Authority

The Health Research Authority protects and promotes the interests of patients and the public in health and social care research. It has developed a single approval process for all study types taking place in the NHS in England. Its Confidentiality Advisory Group (CAG) provides independent expert advice on the appropriate use of confidential patient information.

Further reading


To Share or Not to Share. The Information Governance Review

Informally known as Caldicott2, this considers how information about patients is shared across the health and care system. It introduced a seventh Caldicott principle — The duty to share information can be as important as the duty to protect patient confidentiality. It also sets out actions required by Caldicott Guardians in health and social care.

The National Data Guardian's Review of Data Security, Consent and Opt Outs

This review by Dame Fiona Caldicott, published in 2016, provides 20 recommendations and 10 data security standards aimed at strengthening the security of health and care information, and ensuring people can make informed choices about how their data is used.

Safe data, safe care

This report from the CQC covers how data should be safely and securely managed in the NHS. It makes recommendations, inter alia, on training for Caldicott Guardians and SIROs.

Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit replaced the IG Toolkit in April 2018. It is an online system which allows organisations to assess themselves or be assessed against data security and information governance standards. It also makes participating organisations' performance available to members of the public.

GP online services toolkit

The Royal College of General Practitioners has published a toolkit to help practices provide GP online services effectively, efficiently, safely and securely.

Information sharing

The Information Commissioner's Office has recently updated its Data Sharing Code of Practice. "The code, and a suite of new resources, provides practical advice to businesses and organisations on how to carry out responsible data sharing.

"Data sharing is central to digital innovation in both the private and public sectors. It can lead to many economic and social benefits, including greater growth, technological innovations, and the delivery of more efficient and targeted services."

Information sharing for secondary purposes in Northern Ireland

NHS Records Management Code of Practice 2021

The NHS Records Management Code of Practice 2021 sets out standards required for the management of NHS records — both paper and digital. When sharing data, organisations need to ensure their own records management policies align with those with whom and whose data is shared. For example, if your local policies allow for data to be held for three years but another organisation holds it for two years, you could, by default, become the data controller for their originating information.

Striking the Balance: Guidance on information sharing

This guidance on information sharing in cases of domestic violence has been published jointly by the Department of Health and the UK Caldicott Guardian Council to assist those who need to share information about individuals involved in domestic violence at a multi-agency risk assessment conference (MARAC) — a local, victim-focused meeting where information is shared on the highest risk cases of domestic abuse between different agencies. It sets out the underlying ethical considerations between confidentiality and information sharing and identifies the role of the Caldicott Guardian in striking the balance between maintaining the individuals' confidentiality and privacy, and wider considerations such as protection from harm.

Information governance in Scotland

A portal to a comprehensive collection of resources including COVID-19 IG advice, the Scottish Information Sharing Toolkit, information security and details of its Public Benefit & Privacy Panel. Scotland also has a Records Management Health and Social Care Code of Practice.

The Wales Accord on the Sharing of Personal Information (WASPI)

A framework for organisations concerned with the health, education, safety, and social wellbeing of people in Wales that hold information about individuals, and who need to share that information to deliver effective services.