Caldicott Guardians

The DPO Centre can fulfil the role of Caldicott Guardian for UK National Health Service (NHS) organisations, their suppliers and social care providers. 


What are Caldicott Guardians?

Caldicott Guardians were introduced following the 1997 report of the committee chaired by Dame Fiona Caldicott, the Review of Patient-Identifiable Information, two decades before the GDPR came into force.

Every NHS organisation is required to appoint a Caldicott Guardian to ensure that it adheres to the Caldicott principles when using patient data. Not every social care provider or supplier that holds patient data is required to appoint a Guardian (the FAQ below explains which organisations are in scope), but all of them must still understand the principles and manage patient data in line with them.



“We are confident in the knowledge that our staff understand their responsibilities and The DPO Centre’s team is on hand to assist when required.”

Client of the DPO Centre


Caldicott Principles

In April 2013, Dame Fiona Caldicott published a second review of information governance, generally known as Caldicott 2, which added a seventh principle; an eighth principle was added in 2020.

The eight Caldicott Principles are now:

  1. Justify the purpose(s) for using confidential information 
  2. Don’t use personal confidential data unless it is absolutely necessary 
  3. Use the minimum necessary personal confidential data 
  4. Access to personal confidential data should be on a strict need-to-know basis 
  5. Everyone with access to personal confidential data should be aware of their responsibilities 
  6. Comply with the law 
  7. The duty to share information can be as important as the duty to protect patient confidentiality 
  8. Inform patients and service users about how their confidential information is used

Caldicott vs GDPR 

Caldicott and the GDPR share many of the same basic principles, so the knowledge and skills needed to act as a Caldicott Guardian or as a Data Protection Officer overlap considerably.

However, the seventh Caldicott principle, "the duty to share information can be as important as the duty to protect patient confidentiality", differs in emphasis from the GDPR, whose principles are framed around protecting personal data and which contains no equivalent positive duty to share. Caldicott is rooted in the duty of confidentiality owed to patients; the GDPR governs whether processing is lawful. Both apply at the same time.

This difference can lead to circumstances in which the advice of the Data Protection Officer and that of the Caldicott Guardian conflict.

Outsourcing the Caldicott Guardian and DPO roles  

Outsourcing one or both of the roles mitigates this conflict of interest. Where The DPO Centre provides both the Data Protection Officer and the Caldicott Guardian for a single organisation, it assigns two separate individuals so that neither role is asked to second-guess its own advice.


Frequently Asked Questions

We’ve compiled a series of FAQs but if you can’t find the answer here please contact us to find out more. 

Is a Caldicott Guardian different to a Senior Information Risk Owner (SIRO)?

A Caldicott Guardian and a SIRO both deal with NHS information governance, but they perform different roles. A Caldicott Guardian is a senior person who ensures that patient and service user information is shared appropriately while the confidentiality of people's health data is protected. A SIRO is a senior executive who owns the organisation's information risk and oversees how that risk is managed across the organisation and the partners contracted to deliver services on its behalf.

Does my organisation need a Caldicott Guardian?

All public bodies exercising functions in health or adult social care, and organisations contracted by those bodies to deliver health or adult social care services, were required to have appointed a Caldicott Guardian by 30 June 2023. The scope of the Guardian's work varies with the type and size of the organisation.

What if we are too small to hire a Caldicott Guardian?

Organisations that fall within scope must have someone in place as Caldicott Guardian. If your organisation is too small to appoint one from its own staff, the role can be outsourced to provide the ethical guidance you need. If you are part of a larger group of homes or services, a single Guardian can be shared across the group to reduce overall cost.

What does the Caldicott Guardian service provide?

The DPO Centre’s Caldicott Guardian service ensures your organisation has a named individual who is able to fulfil this role. The Caldicott Guardian provided by The DPO Centre will carry out all the required responsibilities and can advise your organisation’s board and senior management on the best practice for the processing of confidential information. 

Are Caldicott principles also used for the deceased?

The Data Protection Act 2018 and the UK GDPR apply only to living individuals, but the Caldicott principles should also be applied to information and records held on deceased people, and the common law duty of confidentiality continues after death.




Alex Aucutt-Ford

Spencer Hospitals

“Our DPO from the DPO Centre has been excellent. They are happy to answer any questions we have, and have been a great sounding board for our Information Governance team which has supported all the great work the team does. By helping to provide a clear and prioritised plan of action, our DPO has ensured that we stay on track to meet our compliance goals.”