NDG guidance about the appointment of Caldicott Guardians, their role and responsibilities

Frequently asked questions

The National Data Guardian (NDG) has published guidance under her statutory powers about the appointment, role and responsibilities of Caldicott Guardians in respect of data processing activities undertaken within their organisations.

What is the purpose of the Caldicott Guardian role and this guidance?

Every day, thousands of health and care staff make decisions that relate to both the security and appropriate use of people’s confidential health and care data. Most of these decisions are routine. However, both frontline staff and the senior leaders of health and care organisations can sometimes be faced with questions about data that are complex.

Caldicott Guardians support both frontline and senior staff in making these decisions. They can, for example, support staff and organisations to share information when it is appropriate and necessary for safe care but staff feel too anxious about ‘getting it wrong’ to do so. Equally, they can support staff in deciding not to share information when they are under pressure to do so but are concerned it’s not the right thing to do.

This guidance seeks to encourage the appointment of Caldicott Guardians to give all health and social care staff, at all levels, the support they need in these situations. In turn, this guidance seeks to help organisations demonstrate their accountability for decisions made concerning their patients’ or service users’ information.

Do I need to follow this guidance?

The Health and Social Care (National Data Guardian) Act 2018 empowers the NDG to issue official guidance about the processing of health and adult social care data in England. The following have a statutory duty to ‘have regard to’ that guidance:

  1. Public bodies exercising functions that relate to the health service, adult social care, or adult carer support in England and that process confidential information about patients and service users.

    For example, hospitals, GP surgeries, care homes, and planners and commissioners of health and care services.

  2. Other persons or organisations that provide services as part of the publicly funded health service, adult social care, or adult carer support (pursuant to arrangements with a public body falling within point 1 above) and that process confidential information about patients and service users.

    For example, private companies and third-sector organisations like charities delivering services for the NHS or publicly funded adult social care.

The duty to have regard to this guidance applies to organisations that are not public bodies only in relation to their publicly funded work. They should appoint a Caldicott Guardian to assist with the processing of confidential data of patients and service users of publicly funded services.

What does ‘having regard to’ mean?

‘Having regard’ to the NDG guidance means that the organisations within its scope should be able to show that:

  • they are aware of the guidance

  • they have taken it into account when making a decision to which the guidance is relevant

  • if they have decided to depart from the guidance, they have good reasons for doing so

Can we outsource our Caldicott Guardian function?

Yes, the Caldicott Guardian function can be outsourced.

Where an organisation considers it is not proportionate or feasible to appoint a member of its own staff to the role, it should arrange for the function to be provided in another way. An organisation may choose to share a Caldicott Guardian with one or more other organisations.

See section 3 of the guidance ‘Should your organisation appoint a Caldicott Guardian?’ for further information.

Can a group of organisations be represented by a single Caldicott Guardian?

Yes, an organisation may choose to share a Caldicott Guardian with one or more other organisations. For example, a group of care homes, a primary care network (PCN), or a consortium of GP surgeries may arrange for a single Caldicott Guardian to represent the group.

Very small organisations that have been commissioned to provide services might put in place an arrangement with their commissioning organisation to make its Caldicott Guardian available where necessary.

Our organisation provides a range of health and social care services covering several different specialities. Do we need a separate Caldicott Guardian for each service?

No, but organisations have discretion as to whether one or more Caldicott Guardians should be appointed, or whether they should put deputies in place where specific expertise is required.

The key consideration is whether the individual appointed has the knowledge and skills to provide accurate advice and consideration, in line with the Caldicott Principles, in relation to a particular area or service.

We are a privately funded organisation; do we need a Caldicott Guardian?

If you are a private or third-sector organisation and you deliver any work that is publicly funded, then yes, you must have regard to the guidance and you should appoint a Caldicott Guardian to cover that aspect of your work.

Private or third-sector organisations (such as charities) that do not deliver any publicly funded work do not need to appoint one.

However, the UKCGC considers it best practice for any organisation that processes confidential patient information to have a Caldicott Guardian, irrespective of how they are funded.

What training is available for Caldicott Guardians?

The UK Caldicott Guardian Council and Health Education England have launched an eLearning programme, The Role of the Caldicott Guardian. The programme is for Caldicott Guardians and those with an interest in finding out more about what they do to keep people’s data safe and ensure that wise decisions are made about its use. The programme offers three audience-specific sessions:

• A session for all staff

• A session for Caldicott Guardians

• A session for senior staff

You can access all of these sessions here.

The UKCGC also provides some advice and guidance on training and development in our manual which you can also find on the Council's website. The learning and development section in particular provides guidance on the knowledge required and how to obtain it.

The UKCGC does not formally endorse or accredit trainers; however, the Council has worked with several providers to review the content of the training being delivered. We have provided direct links to those training providers that have worked with the UKCGC below:

Health care conferences UK

Stay Compliant training

Leadership through Data

Does a Caldicott Guardian need to be a healthcare professional?

As per the National Data Guardian’s guidance about the appointment of Caldicott Guardians, their role and responsibilities, it is preferable for a Caldicott Guardian to be a health or social care professional who has experience and knowledge of working with patients or service users and managing the complexities of frontline care. For example, this will often be a regulated or registered professional such as a doctor, social worker, or nurse.

However, this is not mandatory. Organisations can consider individuals based on their skills, personal attributes, and capabilities. Individuals with a willingness to learn and who have appropriate support within their organisation may be suitable to undertake the role.

The guidance referenced and linked to above would be a useful starting point for you in terms of considering what is expected of the Caldicott Guardian and how best an organisation can support those that undertake the role.

What should we do if we decide appointing a Caldicott Guardian is not feasible?

The National Data Guardian guidance about the appointment of Caldicott Guardians, their role and responsibilities states the following on this:

If an organisation with a statutory duty to have regard to this guidance chooses not to appoint a Caldicott Guardian, it should document this decision and the reasons for it, for example in the minutes of a meeting, by e-mail, or in correspondence with other key organisational roles.

Before making this decision, organisations are encouraged to consider all the options available to them. For example, organisations may wish to consider sharing a Caldicott Guardian, or arrange to have access to a Caldicott Guardian via their commissioning organisation. What is likely to be feasible will vary locally. As such, the guidance is not prescriptive about how this might be achieved.

What enforcement action will be taken for care providers who don’t have a Caldicott Guardian?

As the Guidance about the appointment of Caldicott Guardians, their role and responsibilities is published under the National Data Guardian’s power to issue guidance described within the Health and Social Care (National Data Guardian) Act 2018, those it applies to need to give it ‘due regard’.

The National Data Guardian is not a regulator and does not have enforcement powers in relation to the Act. However, the purpose of guidance published under the NDG’s statutory function is to describe best practice relating to the processing of health and adult social care data in England. Following this best practice, in the context of performing the Caldicott function, ensures the protection and appropriate use of confidential patient information (CPI) in line with the Caldicott Principles. This helps organisations minimise information risks by supporting their staff who have access to CPI, particularly where members of staff must tackle complex or novel issues involving access to CPI. In turn this helps organisations to demonstrate trustworthiness and helps organisations to prevent breaches of patient confidentiality. Organisations should implement the guidance to the best of their ability. However, the guidance recognises that there may be reasons why elements of the guidance cannot be met. The meaning of ‘having regard’ is defined in the guidance:

‘Having regard’ to the NDG guidance about the appointment of Caldicott Guardians, their role and responsibilities means that the organisations in scope of the guidance should be able to show that:

• they are aware of the guidance and,

• they have taken it into account when making a decision to which the guidance is relevant and,

• if they have decided to depart from the guidance, they have good reasons for doing so.

Thus, the scope of the guidance in and of itself recognises that organisations might have good reasons to depart from the guidance. Sections 3.4 and 3.7 of the guidance outline what organisations with a statutory duty to have regard to this guidance should do if they choose not to appoint a Caldicott Guardian. The guidance provides that organisations should record their justifications for departing from the guidance. Where an organisation decides not to appoint a Caldicott Guardian, it is expected that all staff with access to CPI are aware of and confident in their understanding of their responsibilities relating to uses of CPI and in adherence to the Caldicott Principles, without the need to access the additional support a Caldicott Guardian would provide.

The guidance has not been developed to be prescriptive; it has been issued as best practice and for organisations to feel empowered to make the decisions on what is feasible.

How flexible is the timeline for implementation and what is the timescale for an expected full roll-out?

The National Data Guardian (NDG) issued the Appointment of Caldicott Guardian guidance in August 2021. The implementation timeline encouraged organisations to be compliant with the guidance by 30 June 2023.

Organisations who are yet to appoint a Caldicott Guardian, and are within the scope of the guidance, should do so as soon as possible. Where an organisation has taken a decision not to appoint based on the feasibility of doing so, they should document the rationale for their decision and consider documenting whether there are plans to appoint a Caldicott Guardian in the future.

Organisations within the scope of the guidance who have not appointed a Caldicott Guardian (or made alternative arrangements) by the implementation date of 30 June 2023 should see responses to the questions “What enforcement action will be taken for care providers who don’t have a Caldicott Guardian?” and “Where an organisation makes the determination that they won’t have an inhouse CG, what paperwork do they need to have in place to evidence their decision making?” of this FAQ page for the relevant processes.

Where an organisation makes the determination that they won’t have an inhouse CG, what paperwork do they need to have in place to evidence their decision making?

If an organisation with a statutory duty to have regard to this guidance chooses not to appoint a Caldicott Guardian, it should document this decision and the reasons for it, for example in the minutes of a meeting, by e-mail, or in correspondence with other key organisational roles.

Further information can be found in the guidance in section 3.7.

What training is necessary for someone to meet the Caldicott “function” if they don’t have a CG in place?

In the absence of a Caldicott Guardian, all staff members who have access to confidential patient information (CPI) should be aware of their ethical, legal and contractual duties with regard to patient and service user confidentiality. Where an organisation decides not to appoint a Caldicott Guardian, it should consider how to ensure all staff who have access to CPI are aware of these responsibilities and provide other mechanisms to ensure that staff are supported in meeting those responsibilities especially where staff might encounter complex or novel issues relating to use of or access to CPI.

Where an organisation does appoint a Caldicott Guardian, there are no formal training requirements for a person appointed to the role; however, individuals fulfilling the Caldicott function should be capable of providing leadership and informed advice on complex matters involving the use and sharing of patient and service user confidential information, especially in situations where there may be areas of legal and/or ethical ambiguity.

It is preferable for a Caldicott Guardian to be a health or social care professional who has experience and knowledge of working with patients or service users and managing the complexities of frontline care in the particular context within which they are working. Caldicott Guardians are often regulated or registered professionals such as a doctor, social worker, or nurse. However, it is possible for this role to be undertaken by another person providing they have the necessary experience, knowledge and skills to provide appropriate support and guidance to staff with access to CPI within their organisation.

The UK Caldicott Guardian Council (UKCGC) provides extensive training and support for anyone who is fulfilling the Caldicott Guardian function. However, this should not be seen as an alternative to the local support that can be provided by a Caldicott Guardian, as it is not possible for the UKCGC to respond in the time-sensitive manner that is appropriate in many complex situations involving access to CPI that Caldicott Guardians often consider locally.

Available training

We recommend anyone who is fulfilling the function of the Caldicott role complete the UKCGC’s online learning programme (developed with Health Education England (HEE)), The Role of the Caldicott Guardian.

The programme offers three audience-specific modules; however, the sessions we would recommend to those performing Caldicott functions are:

A session for all staff: Caldicott Guardians: sharing information and protecting confidentiality in health and care. The aim of this session is to raise awareness and inform a broad range of staff from across health and social care of the importance of Caldicott Guardians and confidentiality in their setting, organisation, or sector. The learning would benefit staff working in the NHS, adult social care, local authorities and private sector partners.

A session for Caldicott Guardians: My role and responsibilities as a Caldicott Guardian. The aim of this session is to provide a starting point for newly appointed Caldicott Guardians, an aide memoire for the more experienced, and a pointer to the possibilities for professional development and support. It is also intended to inform Caldicott Guardians of the latest guidance about Caldicott Guardians, the support available to them, and to help train them for their role in the workplace.

UK Caldicott Guardian Council (UKCGC)

The UKCGC also offers peer-to-peer support, evening classes and breakfast clubs to support Caldicott Guardians (and those fulfilling the Caldicott Guardian function) in different organisational environments, whether in health-focussed organisations or in the care sector. More information on UKCGC events and resources can be found here.

Caldicott Guardian Manual

The UKCGC has produced a manual for Caldicott Guardians (and those fulfilling the Caldicott function). This is intended to be a starting point for newly appointed individuals, a refresher for the more experienced, and a pointer to possibilities for professional development and support. The learning and development section provides guidance on the knowledge required and how to obtain it.

Further help and guidance

The guidance provides comprehensive information on:

  • which organisations should appoint a Caldicott Guardian

  • advice on how to appoint them

  • the way the role should be supported by organisations

  • the role and responsibilities of a Caldicott Guardian

  • the competencies and knowledge that will assist a Caldicott Guardian

If you cannot find the answer you are looking for or are unsure about any part of the guidance, contact ukcgcsecretariat@nhs.net for help.