Caldicott Guardians
The DPO Centre can fulfil the role of Caldicott Guardian for UK National Health Service (NHS) organisations, their suppliers and social care providers.
What are Caldicott Guardians?
Caldicott Guardians were introduced after the report by Dame Fiona Caldicott’s committee on the Review of Patient-Identifiable Information published in 1997, well before the introduction of data protection laws such as the GDPR.
Every NHS organisation is now required to appoint a Caldicott Guardian to ensure the organisation adheres to the “Caldicott principles” when using patient data. Whilst it’s not mandatory for social care providers and other suppliers who hold patient data to have a Guardian, it is always necessary that they understand and manage data using these principles.

“We are confident in the knowledge that our staff understand their responsibilities and The DPO Centre’s team is on hand to assist when required.”
Client of the DPO Centre
Caldicott Principles
In April 2013, Dame Fiona Caldicott conducted a second review of Information Governance, generally known as Caldicott 2, which added a seventh principle. A further principle was added in 2020.
The eight Caldicott Principles are now:
- Justify the purpose(s) for using confidential information
- Don’t use personal confidential data unless it is absolutely necessary
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
- Inform patients and service users about how their confidential information is used
Caldicott vs GDPR
Caldicott and the GDPR share many of the same basic principles, so the knowledge and skills needed to be a Caldicott Guardian or a Data Protection Officer are similar.
However, the seventh Caldicott principle, “the duty to share information can be as important as the duty to protect patient confidentiality”, is different in that the GDPR essentially considers personal data and confidentiality to be paramount.
This difference can lead to circumstances where the roles of data protection officer and Caldicott Guardian conflict.
Outsourcing the Caldicott Guardian and DPO roles
Outsourcing one or both of the roles mitigates conflicts of interest. Where the DPO Centre provides resources for both data protection officer and Caldicott Guardian within a single organisation, we provide two separate individuals and therefore avoid the potential for conflict.

Alex Aucutt-Ford
Spencer Hospitals
“Our DPO from the DPO Centre has been excellent. They are happy to answer any questions we have, and have been a great sounding board for our Information Governance team which has supported all the great work the team does. By helping to provide a clear and prioritised plan of action, our DPO has ensured that we stay on track to meet our compliance goals.”
