Checklist for new Caldicott Guardians
- Have your details been added to the Caldicott Guardian Register?
- Are your details available on your organisation's web site?
Search for Caldicott Guardian and check your contact details are correct.
- Ensure your details are known to your organisation's switchboard/reception staff
Ring the main switchboard and ask to be put through to the Caldicott Guardian and see what information they provide. Check this is appropriate to ensure you are made aware of these requests. If not, make the necessary changes.
- Check if there is a generic Caldicott Guardian email address
How will you be able to distinguish between your day to day emails and those for your role as Caldicott Guardian? What happens if you are away from the office: will emails be monitored or passed to an appropriate person? How should Caldicott issues be addressed in your absence without a generic email?
- Arrange a deputy to cover when you are absent
Who will this be? If it is an IG lead, are they sufficiently trained to understand your role and how it differs from IG? Will they have access to your Caldicott Guardian mailbox?
- Arrange a meeting or meetings with the SIRO and IG leads
Use the meetings to gauge the organisation's IG maturity and discuss how you can work together; what support you can offer each other; and your respective roles, responsibilities and expectations.
- Information sharing
Find out what information sharing agreements (ISAs) and protocols (ISPs) your organisation has, and their reporting/monitoring arrangements. What is the process for approval, and what is your role in approving future agreements? Who checks the organisation is adhering to the agreed protocols? Who are the information asset owners? Are they aware of your role and the need to consult you before sharing information?
- Find out how Caldicott decisions are recorded
See previous sections on evidence for appraisal. One way of monitoring and evidencing your role and impact is through a decision log.
- Establish your accountability and reporting arrangements
Who will you report to and what information are you expected to provide? What are the reporting arrangements for information governance generally, and to whom (for example, to the Board, via input into a quarterly SIRO report at Board level)? Many organisations will have an information governance committee or equivalent. Make sure that you are a member of this and your membership is recorded in the committee's terms of reference.
- Establish your profile
Is there a mention of the Caldicott Guardian role as part of staff induction? Is the role mentioned in the generic data protection training? Plan time out to promote your role with key staff who may need to contact you.
- Consider what support is available to you
Is there a local or regional network you can join? What events and support are available to you? Sign up to appropriate newsletters e.g. IGA, ICO. Identify peers and perhaps a mentor or coach. See also Where to find help and guidance.
- Understand your IG Toolkit responsibilities
Do you know what you will be expected to sign off annually? Build time in your diary to ensure these tasks are completed before the deadline.
- Identify your training and development needs
Ensure you have undertaken your SWOT analysis, created your personal development plan, and booked your appraisal in good time. See the section on Learning and Development.
- Understand your access to internal audit staff and their reports
Are you notified of any reports which have a Caldicott/IG component? If there is a breach or near miss that requires further investigation and changes in policy/procedure to prevent similar recurrences, are you able to commission any internal audit time to address the issue?
- Check progress on your organisation's Caldicott2 action plan
Find out how your organisation is progressing against the recommendations in the Caldicott2 report: Information: to share or not to share.
Check your organisation's compliance with the National Data Guardian's Review of Data Security, Consent and Opt-Outs and readiness for the EU General Data Protection Regulation.