Guidance

National Data Guardian guidance on the appointment of Caldicott Guardians, their role and responsibilities

This guidance, issued under the National Data Guardian's statutory powers, is about the appointment, role and responsibilities of Caldicott Guardians.

Applies to England

Documents

Details

National Data Guardian guidance on Caldicott Guardians

What is this guidance about?

This guidance is about the appointment, role and responsibilities of Caldicott Guardians in respect of data processing activities undertaken within their organisations.

As it is published under the National Data Guardian’s power to issue guidance described within the Health and Social Care (National Data Guardian) Act 2018, those it applies to need to give it due regard.

What is a Caldicott Guardian?

Caldicott Guardians are senior people within an organisation who protect the confidentiality of people’s information by considering the ethical and legal aspects of data sharing. They play a vital role in ensuring that health and social care data is used responsibly to support the delivery of better care.

What does the guidance require?

Previously, only NHS organisations and local authorities were required to have a Caldicott Guardian. This guidance changes that, by introducing a requirement that widens the type and number of organisations that are expected to have one. Now, organisations in scope of the guidance are being asked to put in place a Caldicott Guardian, whether by appointing a member of their own staff or making other arrangements.

What does the guidance cover?

The guidance covers the following areas:

  • which organisations should appoint a Caldicott Guardian
  • advice on how to appoint them
  • the way the role should be supported by organisations
  • the role and responsibilities of a Caldicott Guardian
  • the competencies and knowledge that will assist a Caldicott Guardian

Who does the guidance apply to?

The guidance applies to all public bodies within the health service, adult social care or adult carer support sector in England that handle confidential information about patients or service users.

This also includes organisations contracted by public bodies to deliver health or adult social care services that handle such information.

Suggested implementation timeline

Taking COVID-19 pressures into account, organisations are encouraged to be compliant with the guidance by 30 June 2023. This includes registering the details of their Caldicott Guardian(s) on the Caldicott Guardian Register. Where an organisation is required to complete the Data Security and Protection Toolkit (DSPT), the DSPT requires that it should provide details about its Caldicott Guardian(s) as part of their annual submission.

Why is the NDG issuing this guidance?

In 2020, the NDG held a public consultation about the Caldicott Principles and Caldicott Guardians. People who responded to the consultation felt this important, ethics-based role needed stronger emphasis across the whole of health and social care and so the NDG proposed to expand the types of organisations that are expected to have a Caldicott Guardian; the proposal received strong support.

Further information and support

Help can be found on the UK Caldicott Guardian Council (UKCGC) website. The UKCGC provide support for Caldicott Guardians and others fulfilling the Caldicott function within their organisation. Their resources may be useful to organisations seeking to implement the guidance. The website also provides practical resources and advice to help new and existing Caldicott Guardians be effective in their work.

Updates to this page

Published 27 August 2021

Sign up for emails or print this page