Caldicott Guardians: A Requirement for Public Bodies

A Caldicott Guardian is an appointed individual within an organisation who is in charge of protecting the confidentiality of patients’ and service users’ personal information. Their role is crucial in making sure that data involving health and social care is handled responsibly.

Originally, NHS organisations and local authorities were required to have a Caldicott Guardian, but this was extended to public bodies in the new National Data Guardian (NDG) guidance published in 2021. The NDG said that introducing the requirement to have Caldicott Guardians in more settings will help to maintain the public’s trust and confidence in the health and social care system.

Who Is Required to Have a Caldicott Guardian in Place?

Prior to the new guidance, only NHS organisations and local authorities that provide social services had to appoint a Caldicott Guardian. Now, Caldicott Guardians must also be appointed within public bodies that operate in the health service sector, or that provide social care or adult carer support, and that process confidential information about their patients and service users. In addition, other organisations that are contracted by public bodies to provide publicly funded services in health, adult social care, or adult carer support must appoint a Guardian.

The role can be taken on by an existing member of staff, such as a social worker or a care home manager, or a dedicated Caldicott Guardian can be employed. Alternatively, the role of the Caldicott Guardian could be shared with another organisation. For instance, a group of care homes or GP practices could choose to appoint one Caldicott Guardian collectively.

What Must a Caldicott Guardian Do?

Caldicott Guardians must ensure that patients’ and service users’ confidential information is collected, used, and processed ethically, legally, and appropriately. Guardians must advise on whether it is appropriate to disclose confidential information by weighing up both the patient’s best interests and data protection and confidentiality requirements. For instance, a Guardian may have to consider whether to share concerning information about a patient who is at risk of harm with third-party organisations such as the police or social services.

Caldicott Guardians have to carry out general duties such as reviewing data protection impact assessments and sharing agreements to ensure they are in line with the law. They’ll also be involved in data breach investigations if sensitive information is leaked or if there is a cyber attack and data is lost.

Important Action to Take

Relevant organisations that must appoint a Caldicott Guardian by law have been encouraged to register the details of their appointed Caldicott Guardian on the Caldicott Guardian Register and on their annual Data Security and Protection Toolkit by 30th June 2023. The Data Security and Protection Toolkit is an online self-assessment tool that must be used by all NHS organisations that have access to patient data and systems.

Registering a Caldicott Guardian must be done by downloading the online form and completing the details of the appointed Caldicott Guardian. After this, the form must be submitted to the NHS helpdesk via email or through the self-serve online portal.
