Caldicott Guardian

To follow any changes to this service, visit the Council Service Updates page.

What is Caldicott?

The General Data Protection Regulation (GDPR) governs the way in which we handle and use the personal information of the people who use our services and who work for us.  The Caldicott Principles underpin Data Protection legislation.  There are seven principles and they are specific to Health and Social Care Services. Our Caldicott Plan [PDF, 641Kb] provides further information.



In response to growing concern about the ways patient information was used in the NHS, the Chief Medical Officer of England and Wales commissioned a review to look into the use of information and confidentiality.  The review was chaired by Dame Fiona Caldicott.

This resulted in the Caldicott Report that was published in December 1997 highlighting six key principles that health and, later, social care authorities incorporated into their practice.

In April 2013 the follow up to the Caldicott Report, ‘The Information Governance Review’ was published.  This review was commissioned to “ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care”.  This review was again chaired by Dame Fiona Caldicott and became informally known as the Caldicott 2 Review.

Caldicott 2 resulted in a refresh of the existing six principles plus the addition of a seventh principle, along with 26 recommendations.

Caldicott 3 followed reviewing data security, consent and opt-outs.


Caldicott Guardians

The original Caldicott Report recommended that all health and social care authorities appoint a Caldicott Guardian to be responsible for overseeing all procedures that affect access to person-identifiable information.  This includes Records Management, General Data Protection Regulation Subject Access Requests and Information Sharing.  The Caldicott Guardian has a role in ensuring that the Caldicott Principles are adhered to.


The Caldicott Guardians for Social Services are:

  • Tom Hewis, Principal Social Work, Children’s Services
  • Wendy Lawtey, Principal Manager, Adult Services

The Caldicott Guardian for Public Health is:

  • Penny Spring, Director of Public Health

Principle 1 – Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by the Caldicott Guardian.

Principle 2 – Don’t use personal confidential data unless it is absolutely necessary

Personal confidential information should not be included unless it is essential for the intended purpose(s). The need for service users to be identified should be considered at each stage of to ensure that it is necessary.

Principle 3 – Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential information should be transferred or accessible. Only that which is necessary for a given function to be carried out should be used.

Principle 4 – Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the information that they need to see.  This may mean introducing access controls or separating out information where one data flow is used for several purposes.

Principle 5 – Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data, both practitioner and non-practitioner staff, are made fully aware of their responsibilities and obligations to respect an individual’s confidentiality.

Principle 6 – Comply with the law

Every use of personal confidential data must be lawful.  Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principal 7 – The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of individuals within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

The seven principles are simple steps to ensure the security of information and to protect the confidentiality of patients or service users.  Every employee is responsible for information security and for ensuring that:

01 Any information obtained, either directly or indirectly from or about a client is not disclosed to any  person, organisation or body who does not need to know or who does not have an authorised right to access that information.
02 Every use or transfer of personal information, including e-mail, is clearly justified. Personal information should not be used unless it is absolutely necessary.
03 Consent is sought wherever possible for the recording, retention and sharing of personal information.
04 Appropriate information is shared with other professionals if it is in the best interests of the client or is necessary to safeguard another professional.
05 Wherever appropriate, personal information is anonymised, for example, for statistical reporting.
06 Reasonable steps are taken to ensure that all information recorded is accurate and up-to-date and that information is only changed or modified by someone authorised to do so.  (If a patient or service user advises that their information is incorrect, a correction a should be made immediately or a note added to the file if correction is not possible or inappropriate).
07 Security passwords are not be shared with any other person.
08 Patient or service user records or systems are not accessed unless there is a business reason for the access.