What is this guidance about?

This guidance is about the appointment, role and responsibilities of Caldicott Guardians in respect of data processing activities undertaken within their organisations. As this guidance is published under the National Data Guardian’s power to issue guidance described within the Health and Social Care (National Data Guardian) Act 2018, those it applies to need to give it due regard.

What is a Caldicott Guardian?

Caldicott Guardians are senior people within an organisation who protect the confidentiality of people’s information by considering the ethical and legal aspects of data sharing. They play a vital role in ensuring that health and social care data is used responsibly to support the delivery of better care and that confidentiality is respected.

What does the guidance require?

Previously only NHS organisations and local authorities were required to have a Caldicott Guardian. This guidance changes that, by introducing a requirement that widens the type and number of organisations that are expected to have one. Now, organisations in scope of the guidance are being asked to put in place a Caldicott Guardian, whether by appointing a member of their own staff or making other arrangements.

What does the guidance cover?

The guidance covers the following areas:

which organisations should appoint a Caldicott Guardian

advice on how to appoint them

the way the role should be supported by organisations

the role and responsibilities of a Caldicott Guardian

the competencies and knowledge that will assist a Caldicott Guardian

Who does the guidance apply to?

The guidance applies to all public bodies within the health service, adult social care or adult carer support sector in England that handle confidential information about patients or service users.

This also includes organisations contracted by public bodies to deliver health or adult social care services that handle such information.

Why is the NDG issuing this guidance?

 In 2020, the NDG held a public consultation about the Caldicott Principles and Caldicott Guardians. People who responded to the consultation felt this important, ethics-based role needed stronger emphasis across the whole of health and social care and so the NDG proposed to expand the types of organisations that are expected to have a Caldicott Guardian; the proposal received strong support.

Suggested implementation timeline

Taking COVID-19 pressures into account, the NDG is encouraging organisations to become compliant with the guidance by 30 June 2023.

This includes registering the details of their Caldicott Guardian(s) on the Caldicott Guardian Register. Where an organisation is required to complete the Data Security and Protection Toolkit (DSPT), the DSPT requires that it should provide details about its Caldicott Guardian(s) as part of their annual submission.

Further information and support

This website is a useful starting point for organisations who are seeking to implement the guidance. It provides lots of information about what the Caldicott Guardian role entails, and a suggested job description template. It also provides a manual to help new and existing Caldicott Guardians be effective in their work.

Read the guidance on the National Data Guardian's website

Read the National Data Guardian’s press release

Frequently asked questions