Supporting Caldicott Guardians across the UK


Further help and guidance

Supporting organisations

United Kingdom Caldicott Guardian Council (UKCGC)

The UKCGC is the definitive national body for Caldicott Guardians, providing best practice, advice and guidance, and a benchmark for all Caldicott Guardians. The Council will also support all professionals across health and care organisations who have a responsibility to implement and uphold the Caldicott principles. It is an independent Council, and a sub-group of the National Data Guardian's Panel.

Office of the National Data Guardian

The National Data Guardian for Health and Social Care (NDG) is an independent expert who advises and challenges the health and care system to help ensure that citizens' confidential information is safeguarded securely and used properly.

Dame Fiona Caldicott was appointed as the first National Data Guardian by the Secretary of State for Health in November 2014. Her role, which is due to be placed on a statutory footing, is to help ensure that the public can trust their confidential information is securely safeguarded, and to make sure that it is used to support citizens' care and to achieve better outcomes from health and care services.

Information Governance Alliance (IGA)

The IGA provides a wealth of guidance for both Caldicott Guardians and Senior Information Risk Owners (SIROs). Their newsletters will keep you up to date on IG issues but also on Caldicott Guardian matters. Email them to join their mailing list, subscribe to IGA news or to submit an article or showcase an achievement.

NHS Digital (also known as the HSCIC: the Health and Social Care Information Centre)

NHS Digital provides national information, data and IT systems for health and care services. It is an executive non-departmental public body. It also provides the Caldicott Guardian Register.

Professional guidance

General Medical Council – Confidentiality guidance

Confidentiality: good practice in handling patient information (2017) sets out the principles of confidentiality and respect for patients' privacy that doctors are expected to understand and follow. Caldicott Guardians often get asked about the difference between maintaining confidentiality and the duty to share.

General Dental Council – Standards for the dental team

"There are nine principles registered dental professionals must keep to at all times...#4: Maintain and protect patients’ information"

British Dental Association

Individual dental practices do not need to appoint their own Caldicott Guardian but they should have appointed a lead individual (dentist, nurse or other responsible person) for dealing with Caldicott issues. On the BDA website there is guidance around sharing information, primarily around safeguarding.

Nursing and Midwifery Council

Provides guidance on safeguarding, confidentiality, and sharing information with other healthcare professionals.

Health and Care Professions Council

Regulating health, psychological and social work professionals. "Our standards of conduct, performance and ethics are the ethical framework within which HCPC registrants must work. It is important that registrants read and understand this document"

The Professional Standards Authority (PSA)

"Our policy work covers a broad range of issues across the regulation of health and social care professions. We carry out work when we are asked to look at a particular problem and give our advice. We also identify issues through our work with the professional regulators and accredited registers. The Secretary of State for Health and the health ministers in Northern Ireland, Scotland and Wales often ask us to examine particular questions." The website has a range of guidance including Sharing Information at First Entry to Registers.

Other organisations

Information Commissioner's Office (ICO)

The ICO is "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals". It provides a plethora of information and guidance, including model privacy impact assessments and fair processing notices.

Care Quality Commission (CQC)

The CQC states on its website: "We monitor, inspect and regulate health and social care services. We publish what we find, including ratings to help people choose care". It is expected to incorporate the recommendations from the latest NDG review into its inspection regime, following consultation. The CQC also has responsibility for monitoring IG in the organisations it regulates.

Regulation and Quality Improvement Authority

The Northern Ireland counterpart to the Care Quality Commission.

Public Health England (PHE)

We protect and improve the nation's health and wellbeing, and reduce health inequalities. PHE provides high quality data and analysis tools and resources for public health professionals.

Health Research Authority

The HRA protects and promotes the interests of patients and the public in health and social care research. It has developed a single approval process for all study types taking place in the NHS in England. Its Confidentiality Advisory Group (CAG) provides independent expert advice on the appropriate use of confidential patient information.

Further reading

To Share or Not to Share. The Information Governance Review

Informally known as Caldicott2, this considers how information about patients is shared across the health and care system. It introduced a new Caldicott principle — Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality. It also sets out actions required by Caldicott Guardians in health and social care.

The National Data Guardian's Review of Data Security, Consent and Opt Outs

Published in July 2016, this is the latest report by Dame Fiona Caldicott in her role as the National Data Guardian. The review provides 20 recommendations and 10 data security standards aimed at strengthening the security of health and care information, and ensuring people can make informed choices about how their data is used.

Data security review: letter to NHS Trusts

Just prior to the publication of the review of data security, consent and opt-outs, Dame Fiona Caldicott, the National Data Guardian (NDG), and David Behan, Chief Executive of the CQC, wrote a joint letter to NHS trusts. The letter outlines what trusts should be doing now in the area of data security. This is a succinct aide memoire to check compliance within your organisation, especially if you are subject to CQC audits.

CQC report Safe data, safe care

Covers how data should be safely and securely managed in the NHS. Makes recommendations inter alia on training for Caldicott Guardians and SIROs.

Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit replaced the IG Toolkit in April 2018. It is an online system which allows organisations to assess themselves or be assessed against data security and information governance standards. It also makes participating organisations' performance available to members of the public.

Information sharing

The Information Commissioner's Office code of practice:

Examples of successful information sharing initiatives in Leeds, London and Worcestershire were included in the National Data Guardian's Review of Data Security, Consent and Opt-Outs (July 2016, pages 25-28). A series of videos which inform people about how organisations are working together to support those living with dementia:

Information sharing for secondary purposes in Northern Ireland:

Records Management: NHS Code of Practice

This is for background information. It sets out standards required for the management of NHS records — both paper and digital. When sharing data, organisations need to ensure their own records management policies align with those with whom and whose data is shared. For example, if your local policies allow for data to be held for three years but another organisation holds it for two years, you could, by default, become the data controller for their originating information.

Striking the Balance: Guidance on information sharing

This guidance has been published jointly by the Department of Health and the UK Caldicott Guardian Council to assist those who need to share information about individuals involved in domestic violence at a multi-agency risk assessment conference (MARAC) — a local, victim-focused meeting where information is shared on the highest risk cases of domestic abuse between different agencies. It sets out the underlying ethical considerations between confidentiality and information sharing and identifies the role of the Caldicott Guardian in striking the balance between maintaining the individuals' confidentiality and privacy, and wider considerations such as protection from harm.

SIRO role and guidance

The NHS has detailed guidance on the SIRO and information asset owner roles. This may help Caldicott Guardians in understanding the differing roles which may be able to assist in the day to day assurance of information risk management:

Codes of practice for handling information in health and care

Both the Department of Health and Social Care and the HSCIC (now NHS Digital) have extant guidance on confidentiality which can be sourced via the link below. An IGA working party is presently (2018) reviewing the guidance and expects to publish fresh guidance in late 2018 or early 2019.

Information governance in Scotland

The portal to a comprehensive collection of IG resources.

NHS Scotland Caldicott Guardians: principles into practice

A foundation manual for Caldicott Guardians in Scotland.

The Wales Accord on the Sharing of Personal Information (WASPI)

A framework for organisations concerned with the health, education, safety, and social wellbeing of people in Wales that hold information about individuals, and who need to share that information to deliver effective services.

Welsh Health Circular: "Duty to Share" and people's access to their electronic care records

Confirms application of the seventh Caldicott principle in Wales.

The Centre of Excellence for Information Sharing

Works with a variety of localities across a range of policy areas to help uncover and understand what is limiting good information sharing between them and their partners.

The risks of absolute medical confidentiality

Explores the concept of patient confidentiality and argues that although a very important medical and bioethical issue, this needs to be wisely delivered to reduce third party harm or even detriment to the patient.

Crook MA (2011) The risks of absolute medical confidentiality. Science and Engineering Ethics 19: 107–122.

This page last updated on 3rd July, 2018