NDG announces new Caldicott Principle and guidance on Caldicott Guardians


The National Data Guardian for Health and Social Care (NDG) Dame Fiona Caldicott has today published the outcomes from a public consultation that she ran to seek views on her intention to:

  • revise the existing 7 Caldicott Principles
  • introduce a new principle about ensuring there are no surprises for patients and service users about the use of their confidential information
  • issue guidance about the role of Caldicott Guardians using her statutory powers

The consultation response contains a revised – and expanded – set of 8 Caldicott Principles and includes a commitment to issue guidance about Caldicott Guardians in 2021.

The Caldicott Principles, first introduced in 1997 and previously amended in 2013, are guidelines applied widely across the field of health and social care information governance to ensure that people’s data is kept safe and used appropriately. Caldicott Guardians support the upholding of these principles at an organisational level.

The new principle’s purpose is to make clear that patient and service user expectations must be considered and informed when confidential information is used, to ensure ‘no surprises’ about the handling or sharing of their data. Following feedback from the consultation, the wording of this new, eighth principle is:

Principle 8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.

Its introduction was prompted by a careful consideration of the role that the legal concept of ‘reasonable expectations’ should play in shaping the circumstances under which health and care data may be legitimately shared. The NDG does not envisage that this principle will establish reasonable expectations as a legal basis in its own right to meet the duty of confidence. However, given the influence of the Caldicott Principles, she does believe it will helpfully emphasise the perspective of patients and service users in decisions to use and share confidential information.

The consultation response also confirms the NDG’s intention to issue guidance using her statutory powers in 2021 about the appointment of Caldicott Guardians for all public bodies within the health and adult social care sector in England, and all organisations which contract with such public bodies to deliver health or adult social care services. The guidance will define the roles and responsibilities of Caldicott Guardians and how they should be supported by their organisations. The guidance will provide flexibility for organisations for which it is not proportionate to appoint a dedicated Caldicott Guardian and will suggest options/models to ensure those organisations can still have a Caldicott function.

Supporting resources will be made available for those who need to appoint a Caldicott Guardian or establish a Caldicott function within their organisations.

This will be the first time that the National Data Guardian has issued statutory guidance using her powers under the Health and Social Care (National Data Guardian) Act 2018.

Notes to editors

The consultation was conducted via a written survey, which received 194 responses, and eight online focus groups involving 88 patients, social care service users and members of the public. These activities were supplemented by engagement with key individuals and organisations from across the health and care system, before and during the consultation period.

A set of six principles was first published as part of The Caldicott Committee’s Report on the Review of Patient-Identifiable Information published in 1997 to serve as good practice guidelines to be applied to the use of confidential information within the NHS. A further principle was added in 2013 as part of The Information Governance Review.

The 1997 review also recommended that a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information. These became known as Caldicott Guardians. Local authorities with adult social care responsibilities have been required to have one since 2002. There are over 18,000 Caldicott Guardians in post today.

The National Data Guardian has published a blog post on this topic.

For further information contact Jenny Westaway, Head of the Office of the National Data Guardian on [email protected] or 07827 955 604

