Supporting Caldicott Guardians across the UK


In addition to the Data Protection Act and common law duty of confidentiality, the most significant legislation of which Caldicott Guardians should be aware are listed below. There are others which only assume importance in particular circumstances in which the Caldicott Guardian may occasionally be called upon to offer advice. The Official Home of UK Legislation.

Common law

Common law exists throughout the UK but the judgements made in one country may not apply to all, although as far as the duty of confidentiality is concerned there are no practical differences. Common law guidance for Northern Ireland; Legal guidance on data sharing in Scottish Public Services.

Human Rights Act 1998

The Human Rights Act 1998 applies to the whole of the UK. effectively brings various rights enshrined in the European Convention of Human Rights into our domestic law. Of particular importance from the Caldicott Guardian perspective, is the impact of Article 8 of the Convention, which is the right which provides for respect for private and family life. This right will be 'engaged' if confidential information about a patient or service user is shared. However, the information sharing will generally not breach the person's rights under Article 8 as long as it is shared lawfully and proportionately (so that the obligations under the DPA and common law have been complied with). An important principle associated with the interpretation of the Act when considering disclosure of confidential information is that of proportionality. Human Rights Act 1998.

Save the Children has a useful checklist: Children and the Human Rights Act.

Mental capacity

The Mental Capacity Act 2005 provides a legal framework in England and Wales for acting and making decisions on behalf of individuals who lack capacity to make particular decisions for themselves about issues such as their property, financial affairs and health and social care. Mental Capacity Act.

The Alzheimer's Society has some useful guidance and flow chart plus links to relevant information for Northern Ireland: Alzheimer's Society: Mental Capacity.

The Adults with Incapacity (Scotland) Act 2000 provides a framework for safeguarding the welfare and managing the finances of adults (people aged 16 or over) who lack capacity due to mental illness, learning disability or a related condition, or an inability to communicate. Adults with Incapacity Act.

Mental health

The Mental Health Act 1983, significantly updated in 2007, is the law in England and Wales allowing people with a 'mental disorder' to be admitted to hospital, detained and treated, without their consent – either for their own health and safety, or for the protection of other people.

A code of practice (2008, updated 2015) shows professionals how to carry out their roles and responsibilities under the Act, to ensure that all patients receive high quality and safe care. Mental Health Act code of practice.

The Mental Health (Scotland) Act 2015 is the corresponding legislation for Scotland Mental Health (Scotland) Act.

In Northern Ireland mental health is covered by the Mental Health (Northern Ireland) Order 1986.

Section 251 of the NHS Act 2006

Section 251 of the NHS Act applies only in England and Wales. (Corresponding legislation for Scotland and Northern Ireland is described above.) It enables the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be legally disclosed. The discloser and applicant must still comply with all other relevant legal obligations e.g. the DPA. It is intended to facilitate essential activities of the NHS and important medical research that require the use of identifiable patient information where it is considered impracticable to obtain patients' consent.

Persons seeking approval for the use of Section 251 must apply to the Confidentiality Advisory Group (CAG) of the Health Research Authority. [Confidentiality Advisory Group](

Access to Health Records Act (AHRA) 199

This applies to the records of deceased patients, for their personal representatives and others having a claim on the deceased's estate. The AHRA is very prescriptive and only permits such access when certain conditions are met. These involve confirming that the person asking for the information is the legal personal representative of the deceased patient. Even where these tests are met this legislation does not grant a general right of access and there are circumstances which could limit disclosure. Guidance is available from the NHS Guidance for Access to Health Records Requests; and the British Medical Association Access to Health Records.

Freedom of Information Act

The Freedom of Information Act (FOIA) 2000 and the Freedom of Information Act (Scotland) 2002 are the overarching pieces of primary legislation dealing with information rights. There is a strong interface with the DPA, and with all other legislation which prohibits or limits the disclosure of information in any way. The FOIA also imposes a statutory time limit within which requests must be dealt with (20 working days) and an upper limit applies to disproportionate costs for retrieving and collating information.

The Information Commissioner's Office has provided guidance on the Act in England and Wales: What is the Freedom of Information Act?.

Crime and Disorder Act 1998

This Act introduces measures to reduce crime and disorder. Section 115 of the Act provides that any person has the power to lawfully disclose information to the police, local authorities, probation service or health authorities (or persons acting on their behalf) where they do not otherwise have the power but only where it is necessary and expedient for the purposes of the Act. The Home Office has issued guidance on Information sharing for community safety.

The Children Act 2004

The Act provides a legislative spine for the wider strategy to improve children's lives. It aims to improve the integrated planning, commissioning and delivery of children's services, promote early intervention, provide strong leadership and bring together different professionals in multi-disciplinary teams in order achieve positive outcomes and improve the well being of children and young people and their families. Working together to safeguard children.

The Care Act 2014

Defines local authorities' responsibilities for cooperation with other parties, which is likely to involve information sharing (or protection). Care Act 2014.

Other relevant legislation

The Human Fertilisation and Embryology Act 2008 imposes restrictions on the disclosure of specific personal information.

The Abortion Regulations 1991 provide a statutory gateway for disclosure of certificates of opinion to the Chief Medical Officer as required by the Abortion Act 1967.

The Gender Recognition (Disclosure of Information) England, Wales and Northern Ireland (No 2) Order 2005 is gateway legislation which allows disclosure of information to a health professional which is otherwise prohibited by the Gender Recognition Act 2004.

The Road Traffic Acts (RTA) make provision for the disclosure of information by NHS bodies to enable the recovery of any costs of treatment. RTAs also require the NHS to provide any information which it is in their power to give and which may lead to the identification of a driver who has committed an offence under the Acts.

These are the most significant examples of the Acts and common law directly involved in the protection of patient-identifiable information. There are others which only assume importance in particular circumstances in which the Caldicott Guardian may occasionally be called upon to offer advice.

Statutory guidance

Statutory guidance is issued by law; you must follow it unless there’s a good reason not to.

Working together to safeguard children is statutory guidance on inter-agency working to safeguard and promote the welfare of children. It applies to all organisations and agencies who have functions relating to children: specifically, local authorities, clinical commissioning groups, police but also other organisations and agencies including the NHS.

Last updated 13th July, 2018