Caldicott Principles

In 1997 the government conducted a review of Patient-Identifiable Information (PII), chaired by Dame Fiona Caldicott, who produced the Caldicott Report. The report made a number of recommendations for regulating the use and transfer of person identifiable information between NHS organisations and between NHS and non-NHS bodies. The aim was to ensure that patient-identifiable information was shared only for justified purposes and that only the minimum necessary information was shared in each case in accordance with six key principles.


Over recent years, the question of whether professionals were sharing information effectively and safely had become prominent. There was a growing perception that information governance was being cited as an impediment to sharing information, even when sharing would have been in the patient's best interests. A Caldicott review in 2012 identified the need for a 7th principle. Following a further review in December 2020, an 8th principle was added to support transparency.


The Caldicott Principles

Principle 1. Justify the purpose(s) for using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.


Principle 2. Don't use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).


Principle 3. Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.


Principle 4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.


Principle 5. Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.


Principle 6. Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.


Principle 7. The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.


Principle 8. Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.


Caldicott Guardian

A further recommendation was the appointment in each NHS organisation of a “Guardian” of person-based clinical information to oversee the arrangements for the use and sharing of clinical information.
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. The Guardian plays a key role in ensuring that the NHS, Social Services and partner organisations satisfy the highest practicable standards for handling patient identifiable information. The PTHB Medical Director is the Health Board’s Caldicott Guardian.
To contact the Caldicott Guardian, please use the IG email address and title your email FAO Caldicott Guardian.

Welsh Information Governance Toolkit assessment

The Welsh Information Governance Toolkit assessment replaced the Caldicott Principles into Practice assessment (C-PiP) in 2020. Following changes to data protection legislation in May 2018 and guidance from the Information Commissioner's Office (ICO), a more robust assessment was developed to ensure the health board is compliant with the latest data protection legislation, national information governance standards and good practice. The toolkit is a mandatory annual assessment that sets a series of compliance targets in the following areas:

  • Information Governance Management
  • Policies and Procedures
  • Information Sharing
  • Contracts and Agreements
  • Data Protection by Design and Default
  • Freedom of Information Act including Environmental Information Regulations
  • Privacy and Electronic Communication Regulations
  • Business Continuity
  • Auditing
  • Individual's Rights and Obligations
  • Management of Health Records (Acute, Community and Mental Health) and Corporate Records
  • Technical, Physical and Organisational Security Measures
  • Reporting Data Breaches

The Assessment score for:

  • 2020/2021 - 85%
  • 2021/2022 - 92%
  • 2022/2023 - 92%

Caldicott: Principles into Practice (C-PiP) assessment

The Caldicott: Principles into Practice (C-PiP) Assessment was developed for Caldicott Guardians to use as their primary benchmarking mechanism. Completion of the Assessment was mandatory and had to be undertaken at least annually. In addition, the scores, together with the Out-Turn Report, were published on the organisation's website.
This measurement was achieved through 41 Standards, a series of compliance targets for NHS Wales covering the following areas:
  • Governance
  • Management
  • Information for Patients and Service Users
  • Training and Awareness
  • Information Management
  • Controlling Access to Confidential Information

Caldicott Principles into Practice Assessment – Out-Turn Score

  • 2013/14 - 71%
  • 2014/15 - 84%
  • 2015/16 - 88%
  • 2016/17 - 92%
  • 2017/18 - 94%