NHSScotland Caldicott Guardians: Principles into Practice

Foundation manual for NHS Scotland Cadicott Guardians

3. Role of the Caldicott Guardian?

3.1 The Caldicott Guardian plays a key operational role in ensuring that NHSS and partner organisations satisfy the highest practical standards for handling patient identifiable information.

Acting as the 'conscience' of an organisation, the Guardian should also actively support work to facilitate and enable information sharing, advising on options for lawful and ethical processing of information as required. Local issues will inevitably arise for Caldicott Guardians to resolve. Many of these will relate to the legal and ethical decisions required to ensure appropriate information sharing. It is essential in these circumstances for Guardians to know when and where to seek advice.

In all but the smallest organisations the Caldicott Guardian should work as part of a broader Information Governance function with support staff, Caldicott or Information Governance leads e.g. Data Protection Officers, Freedom of Information leads, Health Records Managers and IT Security staff contributing to the work as required.

3.2 Key Caldicott Responsibilities

The Caldicott Guardian also has a strategic role, however, that it is less appropriate to delegate.

Strategy & Governance:

  • Acts as an advisor and accountable for that advice
  • Sit on an organisation's Information Governance Board/Group or equivalent
  • Ensure that governance arrangements regarding Information Governance are in place and are effective in their organisation
  • Advise the Management team or the CEO of any issues relating to confidentialty assurance so they can be included in the Statement of Internal Controls.
  • Act as enabler for appropriate information sharing.

Confidentiality & Data Protection expertise:

  • Ensure that confidentiality issues are raised and minuted at Board / management team level,
  • Ensure that results/implications of internal and external audits relating to confidentialty and DP assurance and options for improvement where necessary are raised at Board
  • Develop a knowledge of confidentiality and data protection matters, drawing support from subject topic experts working within the organisation and external sources of advice and guidance where available.

Information Processing:

  • Oversees the confidentiality assurance requirements within IG Toolkit
  • Ensures that annual IG performance assessments are undertaken by staff involved in the Caldicott function
  • Ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff.

Information Sharing:

  • Provide advice on individual cases where there are any concerns about the potential for the disclosure of patient-identifiable information.
  • Oversee all arrangements, protocols and procedures where confidential patient information may be shared with external bodies both within and outside the NHS e.g. disclosure to research interests and other agencies e.g. the police
  • Oversee all arrangements to ensure that Information Governance is embedded in all clinical and research governance.

3.3 Please see: Job profile of Caldicott Guardian - The UK Council of Caldicott Guardians have endorsed a job description NHS Caldicott Guardians

3.4 The CHI Number

3.4.1 It is NHSS policy that a verified CHI Number is allocated to every patient at the beginning of their journey through the NHS, and that it is used in all records associated with every episode of healthcare. This is the only number which is to be used in clinical communications.

The Caldicott Guardian should ensure that the organisation develops procedures for the determination, recording and use of verified CHI numbers for all 'Active' patients, which should be used for both internal and external communications. All care records must include the CHI number as the patient identifier.

Since it is recognised that there are some patients for whom it is difficult to establish a verified CHI number, the Caldicott Guardian should ensure that this is part of the programme of work undertaken under the heading information management and that this area is the focus of constant attention and continuing effort.

All procedure documentation should be regularly reviewed and updated as appropriate.

Please see: NHS Scotland Information Governance Standards 5.007

The Caldicott Guardian should either be directly involved in or have given documented delegated authority to a colleague to validate and authorise the clinical information assurance required for the implementation of new systems and services.

Please see: NHS Scotland Information Governance Standards 6.003<</p>

3.4.2 The Caldicott Guardian should ensure that they are notified of all research and clinical education activities to verify the appropriate use of personal identifiable information for these purposes, in line with the Caldicott principles and data protection requirements.

3.4.3 Given the potential scope for the volume of research projects, it is appropriate for the Caldicott Guardian to give documented delegated authority for this to a suitable senior colleague. Or where the organisation has a defined post in the organisation for Research and Development management, the Caldicott Guardian should ensure they work closely with the post holder and act as final arbiter where a research project is in dispute, in terms of its appropriateness or clinical validity.

Please see: NHS Scotland Information Governance Standards 7.003

Local projects for clinical education should seek the opinion of the Caldicott Guardian on aspects of clinical governance. Such projects are usually authorised by the Lead of the clinical service, e.g. Director of Post-Graduate Medical and Dental Education, Director of Nursing.

Back to top