
What is Caldicott?

The Data Protection Act governs the way in which we deal with the personal information of the people who use our services and who work for us.  The Caldicott Principles underpin the Data Protection Act 1998.  There are seven principles and they are specific to health and social care services.


In response to growing concern about the ways patient information was used in the NHS, the Chief Medical Officer of England and Wales commissioned a Review to look into the use of information and confidentiality. The review was chaired by Dame Fiona Caldicott. This resulted in the Caldicott Report, published in December 1997, which highlighted six key principles that health and, later, social care authorities should incorporate into their practice. In April 2013, the follow-up to the Caldicott Report, ‘The Information Governance Review’, was published. This review was commissioned to “ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care”. It was again chaired by Dame Fiona Caldicott and became informally known as the Caldicott 2 Review. Caldicott 2 resulted in a refresh of the existing six principles plus the addition of a seventh principle, along with 26 recommendations.

Caldicott Guardians

The original Caldicott Report recommended that all Health and Social Care Authorities appoint a Caldicott Guardian to be responsible for overseeing all procedures that affect access to person-identifiable information. This includes Records Management, Data Protection Act compliance, Subject Access Requests and Information Sharing. The Guardian has a role in ensuring that the Caldicott Principles are adhered to. The Caldicott Guardian for the People and Communities Directorate is Lesley Hutchinson, Head of Safeguarding and Quality Assurance, (01225) 396339.

Caldicott Principles that we adhere to:

Principle 1 - Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by the Caldicott Guardian.

Principle 2 - Don’t use personal confidential data unless it is absolutely necessary

Personal confidential information should not be included unless it is essential for the intended purpose(s). The need for service users to be identified should be considered at each stage to ensure that it is necessary.

Principle 3 - Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential information is transferred or accessible. Only that which is necessary for a given function to be carried out should be used.

Principle 4 - Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the information that they need to see.  This may mean introducing access controls or separating out information where one data flow is used for several purposes.

Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data (both practitioner and non-practitioner staff) are made fully aware of their responsibilities and obligations to respect an individual’s confidentiality.

Principle 6 - Comply with the law

Every use of personal confidential data must be lawful.  Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of individuals within the framework set out by these principles.  They should be supported by the policies of their employers, regulators and professional bodies.

What does this mean for People and Communities staff?

The seven principles are simple steps to ensure the security of information and to protect the confidentiality of service users.  Every employee is responsible for information security and for ensuring that:

  1. Any information obtained, either directly or indirectly from or about a client is not disclosed to any person, organisation or body who does not need to know or who does not have an authorised right to access that information.
  2. Every use or transfer of personal information, including e-mail, is clearly justified.  Personal information should not be used unless it is absolutely necessary.
  3. Consent is sought wherever possible for the recording, retention and sharing of personal information.
  4. Appropriate information is shared with other professionals if it is in the best interests of the client or is necessary to safeguard another professional.
  5. Wherever appropriate, personal information is anonymised, e.g. for statistical reporting.
  6. Reasonable steps are taken to ensure that all information recorded is accurate and up-to-date and that information is only changed or modified by someone authorised to do so. (If a patient or service user advises that their information is incorrect, a correction is made immediately, or a note is added to the file if correction is not possible or inappropriate.)
  7. Security passwords are not shared with any other person.
  8. Service user records or systems are not accessed unless there is a business reason for the access. 

Caldicott Function Plan 2015 - 2017

What to do if you have a concern or query?

Contact, (regarding a subject access request) or for guidance.
