Supporting Caldicott Guardians across the UK



All staff in health and social care are expected to undertake an annual appraisal and this is likely to be the case in other organisations. For medical and nursing staff this is central to revalidation, and it should cover all aspects of your work. In addition to supporting revalidation, the outputs from the appraisal can be used in evidence for your organisation's IG toolkit return.

Caldicott Guardians should be able to provide evidence to their own organisations, to regulators (for example, the Care Quality Commission and the Information Commissioners Office) and to the public on how they are fulfilling their role and how effectively their organisation is applying the Caldicott principles. They should also be able to demonstrate how their organisation is responding to their advice.

In preparing for your appraisal you may wish to consider the following:

How does my Caldicott role add value to my organisation?

Without appropriate time and support the Caldicott Guardian role can be perceived as a ‘tick box’ exercise to achieve compliance, but where the role is supported and appropriate time provided to carry out the role effectively, there can be significant benefits to organisations including:

Improving service users’ experience: a key aspect of the role is to know when information should be shared, taking into account the condition of the patient or service user, and the effect a disclosure would have on them. Organisations should have a privacy statement informing people how information about them will be used, which the Caldicott Guardian should oversee. In addition, promoting the safe use of anonymised data for research will help future generations and medical research plus targeting of services.

Improved efficiency: working more collaboratively requires information to be shared safely between organisations. By establishing an environment in which the seventh Caldicott principle is at the forefront of the decision making, the duty to share becomes the starting point and an enabler rather than barrier to information sharing, resulting in improved efficiency and thereby lowering costs.

Improving culture: by publicising decision logs, staff are aware of what information they can share safely and know that they have the support of the organisation for example sharing with the police (how much do staff share?). Promoting the use of privacy impact assessments and regular updating of privacy notices enables ‘privacy by design’ to be built into the organisation’s culture.

Preventing future problems: by engaging with the Board and the SIRO, in reviewing ‘near misses’ in information breaches, and engaging in wider networking with Caldicott Guardians such as regional networks, best practice can be established before its absence is identified by regulators (e.g. ICO, CQC) and potential adverse publicity and monetary penalties avoided.

What training and development do I need?

Although much of a Caldicott Guardian’s work involves plain common sense, there are practical and legal aspects that the Caldicott Guardian must know about or at least be aware of, and evidence of this will need to be available for appraisal. The learning and development section above provides guidance on the knowledge required and how to obtain it.

What support do I need?

Annex B provides details of help and support available to Caldicott Guardians. In addition, you should consider the following:

  • a deputy: a nominated individual to cover when you are absent. This might be the IG lead, but if so they will need training to enable them to understand the specifics of this role;
  • information governance/legal support: to ensure you ‘comply with the law’ and are actively involved in investigation of breaches and near misses to improve the culture and knowledge of the organisation;
  • time to do the job properly – this will depend on the size of your organisation and the scope of your role, but may be anything from one day per month to several days a week.

What evidence should I provide?

An important aspect of appraisal for professional revalidation is that you are able to provide evidence for the statements you make in the appraisal document. The following are points to consider:

  • training and development attended;
  • documentation demonstrating Caldicott decisions made. Note that to date the ICO has not fined an organisation for sharing information inappropriately where relevant risks had been considered, mitigated as far as possible, and documented in a privacy impact assessment (PIA) and/or an information sharing agreement;
  • IG Toolkit compliance (if required);
  • number of information sharing agreements signed, their purpose, and confirmation that they have an legal basis and are in line with the ICO’s code of practice (see Annex B);
  • attendance at strategic and steering groups where IG and Caldicott issues are discussed;
  • progress with the organisation’s Caldicott 2 action plan;
  • organisational preparedness for the National Data Guardian’s Review of Data Security Consent and Opt Outs;
  • organisational response to the recommendations of the Care Quality Commission’s report Safe data, safe care, including robust mechanisms for recruitment and training of Caldicott Guardians, and clarity of accountability for all aspects of data security.