Caldicott Guardian

The Caldicott Guardian is a role within an organisation allocated to a senior manager responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.

In 1997 a report of the Review of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, recommended that every flow of person-identifiable information should be regularly justified and routinely tested against the principles below, which form the basis of best practice in information management within health and social care organisations.

In 2012 the Health Secretary commissioned the Information Governance Review led by Dame Fiona Caldicott, with a remit to focus on the appropriate ‘balance between protecting patient’s health and social care information and the use and sharing to improve patient care.’ One result of this was the addition of Principle Seven.

The Caldicott Principles – Revised September 2013

Principle 1 – Justify the purpose(s) for using confidential information

Every proposed use or transfer of personal confidential information within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 – Don’t use personal confidential information unless it is absolutely necessary

Personal confidential information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3 – Use the minimum necessary personal confidential information

Where use of personal confidential information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of personal confidential information is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 – Access to personal confidential information should be on a strict need-to-know basis

Only those individuals who need access to personal confidential information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.

Principle 5 – Everyone with access to personal confidential information should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential information – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 – Comply with the law

Every use of personal confidential information must be lawful. Someone in each organisation handling personal confidential information should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7 – The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.