Supporting Caldicott Guardians across the UK



Caldicott Guardians derive their name and inspiration from the Government Review of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, which reported in December 1997. One of its recommendations was that “a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.” The report also set out six principles for determining when confidential information might be used and when it should not. These six Caldicott principles have since helped Caldicott Guardians to make balanced judgements for their organisations.

In 2013 Dame Fiona completed an Information Governance Review, which has come to be known as the Caldicott 2 report. It confirmed the enduring relevance of the six principles, but added a seventh, which says that “the duty to share information can be as important as the duty to protect patient confidentiality.” The seven Caldicott principles are shown on the following page. In 2014 Dame Fiona was appointed to be the National Data Guardian for health and social care in England. This became a statutory role in 2018.

NHS organisations have been required to have a Caldicott Guardian since 1998, and Caldicott Guardians were introduced into social care in 2002, mandated in England by Local Authority Circular: LAC(2002)2. The sharing of health information to benefit service users in social care is just as important as it is in the NHS. However, although having a Caldicott Guardian became mandatory in both sectors, it was left to individual organisations to determine how they would operate. Although the NHS is governed separately in England and in the devolved administrations in Wales, Scotland and Northern Ireland, all four nations have chosen to have Caldicott Guardians. There are some differences, however: for example, in Scotland Caldicott Guardians are only required in the NHS, and there are subtle differences in legislation and common law, although all four are bound by the UK Data Protection Act.

This manual has been written by experienced Caldicott Guardians distilling best practice from their experience. The pages that follow include frequent references to what Caldicott Guardians should do and what their powers and procedures should be. In this context “should” represents the considered view of the UK Caldicott Guardian Council. It is a manual of good practice.

This page last updated 17th December, 2018