The Caldicott principles and guardian roles explained

What you need to know about the Caldicott principles and the National Data Guardian.

  • The National Data Guardian (NDG) plays a crucial role in maintaining the confidentiality of health and social care services.
  • Caldicott guardians uphold the eight Caldicott principles within their organisations to ensure patient information is handled properly and kept confidential.
  • The Caldicott principles may also apply to the deceased, just as confidentiality continues after death.
  • All NHS organisations should have a Caldicott guardian role.

National Data Guardian role

The National Data Guardian (NDG) is a statutory role that acts as an independent champion for patients and the public in England when it comes to their health and care information. The NDG's mission is to help preserve trust in the confidentiality of health and social care services.

The NDG works with the Department of Health and Social Care and "advises and challenges the health and care system to help ensure that citizens' confidential information is safeguarded securely and used properly".

It has a statutory power to issue official guidance about the processing of health and adult social care data in England. Public bodies and publicly funded providers (such as NHS trusts and GP practices) must have regard to that guidance.

The NDG used its power to issue formal guidance in 2021 on the appointment, roles and responsibilities of Caldicott guardians.

The Caldicott principles

The Caldicott principles, first introduced in 1997 (following a review chaired by Dame Fiona Caldicott) and since expanded, are a set of good practice guidelines for using and keeping safe people's health and care data. Caldicott guardians support the upholding of the principles at organisational level.

All NHS organisations must have a Caldicott guardian, and a wider range of bodies are now expected to have a guardian in place (see below).

The principles are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and where they would expect this to be kept private.

  • Principle 1: justify the purpose(s) for using confidential information.
  • Principle 2: use confidential information only when it is necessary.
  • Principle 3: use the minimum necessary confidential information.
  • Principle 4: access to confidential information should be on a strict need-to-know basis.
  • Principle 5: everyone with access to confidential information should be aware of their responsibilities.
  • Principle 6: comply with the law.
  • Principle 7: the duty to share information for individual care is as important as the duty to protect patient confidentiality.
  • Principle 8: inform patients and service users about how their confidential information is used and what choice they have. There should be no surprises.

Caldicott guardians

In upholding the Caldicott principles, Caldicott guardians work closely with other information and legal colleagues to help ensure health and care information is used ethically, legally and appropriately. They have been called the 'conscience of the organisation' when it comes to information.

NHS organisations have been required to have a Caldicott guardian since 1998. The 2021 guidance sets out which organisations should appoint a Caldicott guardian (and how), the role and its responsibilities, how guardians should be supported, and the competencies and knowledge that will assist them. The guidance is available from the NDG, and supporting information and advice can be found on the UK Caldicott Guardian Council (UKCGC) website. The UKCGC is the point of contact for Caldicott guardians seeking advice on their role and responsibilities.

All the following organisations should appoint a Caldicott guardian:

  1. public bodies exercising functions relating to the health service, adult social care or adult carer support in England (that process confidential information about patients/service users)
  2. other organisations providing health or adult social care/carer support that is publicly funded (even if the organisation is not a public body).

All such organisations have a statutory duty to 'have regard' to the NDG guidance, which means they are expected to take it into account and have good reason for any decision to depart from it.

Small organisations where it is not proportionate to appoint a staff member to the role can share a Caldicott guardian (for example, a group of care homes or GP practices).

Do the Caldicott principles apply to deceased patients?

The Data Protection Act (2018) applies only to living people, but confidentiality continues after death and there is nothing in the Caldicott principles that limits them to the living. Just as for the living, the confidentiality of deceased patients should be respected and principles such as justifying the purpose and using confidential information only when necessary are evidently important whether the patient is still alive or has died. Read our guide to disclosures after death.

How can we fulfil principle 8, informing patients about how their confidential information is used?

Patients need to be given clear expectations about how and why their confidential information is used, and what choices they have about this. The Caldicott principles stipulate that, "as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required."

For GP practices, it may be enough for most patients to have access to information about data use on the website and in leaflets. But some patients, such as those with different language or communication needs, will need careful consideration.

Should I discuss my disclosure dilemma with the Caldicott guardian or the MDU?

Both. We're very happy to provide advice but we will often also advise our members in England to seek guidance from their Caldicott guardian. This is particularly important because it is often the case that, while a doctor can come to their own ethical decision about whether a disclosure can be justified, they need organisational support and the input of those locally responsible for data protection.

This page was correct at publication on 31/03/2023. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.