A Caldicott Guardian is placed within a health organisation and is responsible for ensuring that all personal confidential data is handled legally, ethically and responsibly.

Caldicott Guardians should provide leadership and guidance on all matters related to information sharing and confidentiality.

Health care organisations must handle all information about patients, other service users and anyone related to patient care appropriately. Since organisations must store, manage and distribute personal information about patients and staff, standards of confidentiality must be applied.

A Caldicott Guardian should ensure that the Seven Principles are applied with common sense and wisdom, and within the requirements of the law.

Any decision a Guardian makes will affect real people, so all decisions must be tempered with compassion.

Caldicott Guardians never meet most of the people their decisions affect, but they must do everything in their power to act as the conscience of their organisation.

The Seven Principles

1 – Justify the Purpose of Personal Confidential Data

Every proposal for the use or transfer of a patient or staff member’s personal confidential data within or from any organisation must be explicitly and clearly defined and documented. All uses of this personal information must also be continuously reviewed by a relevant Guardian.

2 – Only use Personal Confidential Data when Necessary

Never utilise a patient’s personal data within a workflow unless it is essential for that workflow’s continued operation. The need to identify a patient should be evaluated at every stage of the process.

3 – Use the Minimum Personal Confidential Data

Whenever the use of personal confidential data is necessary, each item of data should be evaluated. If any item of personal confidential data cannot be justified, then it cannot be used. The goal is to ensure that only the minimum required amount of personal confidential data is ever accessed or transferred.

4 – Personal Confidential Data should be Accessed on a Need-to-Know Basis

Only people who require access to personal confidential data should be able to access it. These people should also only have access to the individual items that are relevant to their needs. Doing so may require the creation of access controls or the division of data flows so that one data stream can be used by multiple people with different requirements.

5 – Everyone who Accesses Personal Confidential Data must know their Responsibilities

Anyone who accesses any item of personal confidential data must be fully aware of their responsibilities with regard to maintaining patient confidentiality.

6 – Full Compliance with the Law

Every use of personal confidential data must operate within legal boundaries. Every health care organisation should have a designated person who handles personal confidential data and who is also responsible for ensuring that the organisation meets its legal requirements.

7 – Sharing Information can be Just as Important as Maintaining Patient Confidentiality

When it is in a patient’s best interests, a health care provider must have the confidence to share that patient’s personal confidential data as required. This sharing should be carried out as outlined by the other six principles.

Strategy and Governance

Caldicott Guardians must raise all appropriate issues related to personal confidential data at a board and senior management level. A Guardian should be a member of any group or board responsible for operational governance and act as that body’s conscience.

Caldicott Guardians must develop a working and up-to-date knowledge of confidential and data protection practices. They should utilise both the health care organisation’s internal resources as well as any relevant external sources of advice or guidance.

Information Processing

Caldicott Guardians should check that all confidentiality issues are addressed appropriately within their organisation’s policies, strategies and staff procedures. All key areas which must be addressed are contained within the Information Governance Toolkit.

Information Sharing

If confidential data is shared with any external organisation, Caldicott Guardians are responsible for overseeing the procedures, protocols and arrangements that govern the sharing process. Instances include disclosing information to the police, disclosing information for research purposes, sharing information across IT systems, or sending information to and receiving information from partner agencies.

Some or all of these responsibilities are shared with the organisation’s Senior Risk Information Officer (SIRO). The Caldicott Guardian and SIRO of a health organisation should seek to work together closely.

Staff should always seek advice from a Caldicott Guardian on relevant topics such as:

  • Dealing with a police request for a patient’s personal details.
  • Patient requests for the deletion of personal data.
  • Any actual or alleged breaches of confidentiality.

To learn more about the role, see our Caldicott Guardian training course.