The UK’s National Data Guardian for Health and Social Care (NDG) is carrying out a consultation seeking views on proposed revisions to the seven Caldicott Principles. The consultation is open until 3rd September. We’ve set out a summary of 4 key changes proposed in the NDG’s consultation paper.

What are the Caldicott Principles?

In 1997, Dame Fiona Caldicott chaired a committee which produced a report containing six principles on patient confidentiality after reviewing the transfer of ‘patient-identifiable information’ in the NHS. These principles became known as the Caldicott Principles.

Since 1998, in addition to applying the Caldicott Principles, each NHS organisation also has a Caldicott Guardian – a senior health professional nominated to safeguard the confidentiality of patient information.

In 2013, the Information Governance Review introduced a new seventh Caldicott principle, which states that the duty to share information can be as important as the duty to protect patient confidentiality.

4 key changes proposed by the NDG in the consultation

  1. Eighth Caldicott Principle: No surprises – The NDG proposes introducing a new eighth principle, which emphasises the importance of there being no surprises for patients and service users with regard to the use of their confidential health and care data.

The principle states that a range of steps should be taken to ensure ‘no surprises’ for patients and service users, and these steps will vary depending on use of the information. As a minimum, this should include providing relevant and appropriate information. In some cases, greater engagement will be required to promote understanding and acceptance of uses of information. Patients and service users should be given an accessible way to opt out.

The NDG believes the new principle would align with:

  • the direction that the courts have taken in making an individual’s reasonable expectations of privacy the touchstone of the duty of confidentiality;
  • the General Data Protection Regulation (GDPR)’s emphasis on data transparency; and
  • professional guidance such as the General Medical Council’s Confidentiality: good practice in handling patient information.

It also moves away from a paternalistic ‘doctor knows best’ approach towards a partnership approach between healthcare professionals and their patients.

2. Applicable organisations – The NDG has expressly added that these principles will apply to the use of and access to confidential information (i) within health and social care organisations, (ii) from health and social care organisations to other organisations and (iii) between individuals.

3. Definition of ‘confidential information’ – The NDG replaces ‘confidential data’ in the Caldicott Principles with ‘confidential information’, which has been defined as ‘all information collected for the provision of health and social care services where patients and service users expect that it will be kept private. In some instances, the principles should also be applied to the processing of staff information. This may include for instance, details about symptoms, diagnosis, treatment, names and addresses’.

4. NDG to issue statutory guidance on the Caldicott Guardian’s role – The NDG’s power to issue statutory guidance derives from the Health and Social Care (National Data Guardian) Act 2018. The NDG is seeking views on whether it should exercise its power to provide more detailed guidance in relation to the Caldicott Guardian’s role.

This would cover (i) how the role should be carried out, (ii) the accountability and decision-making of the Caldicott Guardian in relation to the rest of the organisation, and (iii) the relationship between the Caldicott Guardian and other essential roles within the organisation.


Jaspreet is a Senior Associate, and advises clients on complex issues at the intersection of healthcare, data and technology. Her practice has a particular focus on accessing and using patient data, innovative collaborations with hospitals, and the use and regulation of AI in the healthcare space.

Write A Comment