Update on the outcome of the consultation about the Caldicott Principles

The new Caldicott Principles — how do they apply to the healthcare sector?

In December 2020 the National Data Guardian published the outcomes of a consultation about the Caldicott Principles and the role of Caldicott Guardians. The consultation response contains a revised — and expanded — set of eight Caldicott Principles.

The principles were introduced in 1997 as part of a review into patient-identifiable information, which was motivated by concerns about patient confidentiality at a time of rapidly expanding use of information technology in the NHS. Six principles were proposed, based on common sense, to safeguard confidentiality, with a seventh added in 2013 to encourage better information sharing.

The same review also introduced Caldicott Guardians in the NHS, and subsequently in local authorities. This was to ensure that every organisation handling the health data of patients and service users had a senior person with specific responsibility for protecting the confidentiality of that information. Today there are more than 18,000 Caldicott Guardians — and not just in health and care.

The consultation

As there has been much change since the role was first established, the consultation was devised to obtain a clear understanding of people’s current views on its value, given that the introduction of additional information governance (IG) roles into health and care settings, such as data protection officers (DPOs) and senior information risk owners (SIROs), had changed the landscape.

The feedback was overwhelmingly that there is still value in the role of the Caldicott Guardian, as they are able to bring something nuanced and very specific to discussions and decision-making. Their deep understanding of how health and care data differs from other data (in many cases because they are clinicians and care providers themselves) positions them as knowledgeable advocates for patients. The other IG roles ensure the legality and technical protections are as they should be, but Caldicott Guardians have a different ‘flavour’ and, rightly, are often referred to as the conscience of their organisations.

Following the consultation, an additional principle is proposed to serve as a simple guide for frontline workers making data sharing decisions. This new principle focuses on ensuring that expectations of patients and care users are considered and met when decisions about data sharing are made. At the same time, the existing seven principles have been reworded.

The consultation response also confirms the NDG’s intention to issue guidance, using her statutory powers, by April 2021 about the appointment of Caldicott Guardians for all public bodies within the health and adult social care sector in England, and all organisations which contract with such public bodies to deliver health or adult social care services.

It is expected the guidance will come into force during 2021-2022 and will define the roles and responsibilities of Caldicott Guardians and how they should be supported by their organisations. The guidance will provide flexibility for organisations for which it is not proportionate to appoint a dedicated Caldicott Guardian and will suggest options/models to ensure those organisations can still have a Caldicott function.

Supporting resources will be made available for those who need to appoint a Caldicott Guardian or establish a Caldicott function within their organisations.

The eight Caldicott Principles:

Principle 1: Justify the purpose(s) for using confidential information

Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

Principle 2: Use confidential information only when it is necessary

Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.

Principle 3: Use the minimum necessary confidential information

Where the use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.

Principle 4: Access to confidential information should be on a strict need-to-know basis

Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.

Principle 6: Comply with the law

Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Principle 8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information — in some cases, greater engagement will be required.

The principles are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and would expect that it will be kept private. This may include, for instance, details about symptoms, diagnosis, treatment, names and addresses. In some instances, the principles should also be applied to the processing of staff information.

They are primarily intended to guide organisations and their staff, but it should be remembered that patients, service users and/or their representatives should be included as active partners in the use of confidential information.

Where a novel and/or difficult judgement or decision is required, it is advisable to involve a Caldicott Guardian.

For any provisions you have for Caldicott Guardians, or if you would like some further information on this article, please don’t hesitate to contact our healthcare lawyers.