Caldicott policy

How we protect confidential patient identifiable information.




This document describes the NHS Counter Fraud Authority’s (NHSCFA) policy on Data Protection and Caldicott requirements and its employees’ responsibilities, for the safeguarding of confidential information whether held manually (in a structured filing system) or electronically

NHSCFA holds and manages personal and confidential information relating to individuals, the public and employees of the organisation

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use personal and sensitive data for legitimate business purposes. They work to provide individuals with certain rights, whilst imposing certain responsibilities on those who record and use personal information.

In December 1997 the Caldicott Report identified weaknesses in the way NHS organisations handled confidential identifiable patient information. It introduced and defined the Caldicott principles and created the role of the Caldicott Guardian

One of the recommendations advocated that all NHS organisations appoint a Caldicott Guardian to ensure patient identifiable information is kept secure. It recommended that Caldicott Guardians should be senior members of staff, preferably at board level

The NHSCFA’s ‘Head of Operations’ has been appointed as the organisation’s Caldicott Guardian. An outline of the nature of job responsibilities for the Caldicott Guardian’s role is shown at Appendix A.

Policy statement

This document defines the Caldicott policy for the NHSCFA and sets out the framework to ensure the organisation complies with the law.

The Caldicott policy applies to all person identifiable information, regardless of whether it was originally obtained and processed by the NHSCFA and its employees or acquired through a third party.

This document:

  • sets out the organisation’s policy for the protection of all person identifiable information obtained and processed
  • establishes the responsibilities for Caldicott Guardianship
  • provides reference to the Caldicott principles


Person identifiable information takes many forms. It can be stored on computers, transmitted across networks, printed or stored on paper, spoken or recorded

The NHSCFA must safeguard the integrity, confidentiality, and availability of sensitive information it holds.

No one from the NHSCFA is allowed to share any sensitive personal or patient identifiable information unless it has been approved by the NHSCFA Caldicott Guardian (via the Information Governance Team). It is unlikely that this authorisation will be granted unless the access is on a need to know basis and justifiable against the Caldicott principles

The Caldicott standard is based around seven principles:

Principle 1 - Justify the purpose(s) for using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 - Don't use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3 - Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 - Access to personal confidential data should be on a strict needto-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 - Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Scope of this policy

This policy applies to all person identifiable information processed and stored on computer or relevant filing systems (manual records) and the NHSCFA staff who use the information in connection with their work.

It also provides an overview of the responsibilities of the appointed Caldicott Guardian(s) as well as providing all employees and partner organisations with an understanding of their responsibilities in ensuring the Caldicott Guardian’s views and sign-off are appropriately sought or deferred to the Information & Governance Risk Management Lead as and when required.

All employees handling personal confidential data on behalf of the NHSCFA have a personal responsibility, where appropriate to engage either the Caldicott Guardian or the Information Governance & Risk Management Lead as and when required.

Associated legislation

In addition to the Caldicott standard (including the Caldicott2 recommendations) and the Caldicott Guardian Manual 2017, there are other legislative and common law provisions relevant to the use and protection of person identifiable information that must be considered. These include but are not limited to:

See appendix B for brief explanation of each.

Training, policies and procedures

NHSCFA staff have a responsibility to comply with legislation and the Caldicott standard. To this end the NHSCFA has:

  • confidentiality clauses in employment contracts which the employee is required to sign
  • a new-starter induction pack
  • computer based training programmes (including completing a competency test)
  • annual refresher training
  • policies, procedures and agreements to ensure any processing and/or transfer of person identifiable information is legally compliant

Advice and guidance

The provision of advice and guidance regarding the Caldicott standard and other relevant legislation may be obtained from the Information Governance & Risk Management Lead.

Validity of this policy

This policy is designed to avoid discrimination and comply with the Human Rights Act 1998 and its underlying principles.

This policy will be subject to regular planned review on at least a biennial basis by the Caldicott Guardian or sooner if required via the Information Governance Lead or the IT Security Forum, where there are changes in legislation or recommended improvements to best practice

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!