The DPO Centre can fulfil the role of Caldicott Guardian for UK National Health Service (NHS) organisations, their suppliers and social care providers.
What are Caldicott Guardians?
Caldicott Guardians were introduced following the 1997 report of Dame Fiona Caldicott’s committee on the Review of Patient-Identifiable Information, well before the introduction of data protection laws such as the GDPR.
Every NHS organisation is now required to appoint a Caldicott Guardian to ensure the organisation adheres to the “Caldicott principles” when using patient data. Whilst it’s not mandatory for social care providers and other suppliers who hold patient data to have a Guardian, it is always necessary that they understand and manage data using these principles.
In April 2013, Dame Fiona Caldicott carried out a second review of Information Governance, generally known as Caldicott 2, which added a 7th principle.
The seven Caldicott Principles are now:
- Justify the purpose(s) for using confidential information
- Don’t use personal confidential data unless it is absolutely necessary
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
Caldicott vs GDPR
Caldicott and the GDPR share many of the same basic principles, and the knowledge and skills needed to be a Caldicott Guardian or a Data Protection Officer are therefore similar.
However, the seventh Caldicott principle, “the duty to share information can be as important as the duty to protect patient confidentiality”, is different in that the GDPR essentially considers personal data and confidentiality to be paramount.
This difference can therefore lead to circumstances where the role of data protection officer and Caldicott Guardian conflict.
Outsourcing the Caldicott Guardian and DPO roles
Outsourcing one or both of the roles mitigates conflicts of interest. Where the DPO Centre provides resources for both data protection officer and Caldicott Guardian within a single organisation, we provide two separate individuals and therefore avoid the potential for conflict.