What Are The 8 Caldicott Principles?

When people give their personal information to health or social care professionals, they also hand over something that affects their safety. Safeguarding the patient’s privacy therefore becomes the caregiver’s responsibility. This is where the 8 Caldicott Principles come in.

The Caldicott principles help social and healthcare professionals and organisations establish an effective framework for sharing information. If you are new to the concepts of Caldicott Principles, we are here to explain the details. Stay tuned!


What are the Caldicott Principles?


The Caldicott principles are guidelines for protecting patients’ personal information across all health and social care settings. All medical organisations, such as hospitals, clinics and other healthcare institutions, must follow them. The main aim of these guidelines is to prevent information leaks: they protect the privacy of patients and guard against any kind of threat that could arise from their information being exposed.

These principles balance the need to share information for care against the need to protect confidentiality. They safeguard the integrity and privacy of patients, and they help health and social care professionals develop an effective data management system. The principles also play a key role in educating patients, who can learn how their information is being protected and used.

How Many Caldicott Principles are there in 2024?

As of 2024, there are 8 Caldicott Principles in total to protect identifiable patient information. These 8 principles establish a proper framework for all health settings.


What is Patient-Identifiable Information?

To put it simply, patient-identifiable information refers to any information that will help identify a particular person. Such identifiers may include their name, address, postcode, date of birth, or NHS number.
Because this information is so sensitive, it is important to know which items count as patient-identifiable information:

  • A patient’s full name, home or work address, full postcode and date of birth
  • Any picture, video, audio recording or other medical prints of patients
  • NHS number and local patient-identifiable codes
  • Any distinctive information that may allow an individual to be identified, directly or indirectly, for instance rare conditions, unique symptoms, diagnoses or drug treatments.

When were the Caldicott Principles Introduced, and Why?

In 1997, there were growing complaints in the UK about the misuse of patients’ personal information, including reports of it being used for political and commercial purposes. In addition, the NHS was struggling to keep pace with developments in technology and had failed to incorporate information technology effectively and safely into its data management processes.

This is when ‘The Caldicott Committee’s Report on the Review of Patient-Identifiable Information’ was commissioned. Dame Fiona Caldicott led the committee that conducted the review. This is where the Caldicott name came from. At that time, she was the Principal of Somerville College, Oxford. She was also the former president of the Royal College of Psychiatrists. 

This committee reviewed how the NHS used patient information. Also, they discussed the difficulties they faced in maintaining confidentiality. Initially, they came up with six principles. These principles aim to protect the confidentiality of the service receiver. 

However, another review in 2013 led to the development of the 7th principle. After that, in 2020, the National Data Guardian conducted another review, which resulted in the creation of the 8th principle. This is how the 8 Caldicott Principles came into play. Every healthcare organisation must follow them to ensure data safety.

Why do We Need Caldicott Principles?

When there are no rules or frameworks set up for information sharing, the misuse of information is inevitable. People with ill intentions can use others’ information for personal gain, for example through identity theft. In addition, access to private information can lead to harms such as abuse, social discrimination and criminal actions.

The Caldicott principles play a vital role in protecting the care receiver from such concerns. Under these principles, only authorised people get access to the information, and information is shared within a legal framework and a set of organisational policies. As a result, the risk of misuse is reduced.

Along with protecting patients, these principles also have a significant impact on building trust. When patients know that their information is safe with you, they feel comfortable opening up about their issues. As a result, the care provider can understand the problems and design treatment accordingly. In simple words, these principles help build a bridge between the caregiver and the receiver.

Who do the Caldicott Principles Apply To?

The Caldicott Principles apply to all kinds of health and social care services that store and use patient data. 

  • All kinds of health and social care organisations when they share information within or with other organisations and/or between individuals.
  • People who process staff information working in health and social care.
  • All NHS organisations must abide by the principles and have a Caldicott guardian.

You might be surprised to know that Caldicott Principles apply to the deceased, too. These Principles apply to records and information regarding deceased people. However, when making important health and care decisions, it’s wise to involve a Caldicott Guardian.

Keep reading to find out more about Caldicott Guardians.

What are the 8 Caldicott Principles?

After reviewing the Caldicott report, the committee established six principles. They focused on protecting the patient’s information. However, later on, two more principles were added to the list. 

Here is the list of the 8 Caldicott Principles, along with brief explanations.

Principle 1: Justify the purpose(s) of using confidential information

Principle 2: Use confidential information only when it is necessary

Principle 3: Use the minimum necessary confidential information

Principle 4: Access to confidential information should be on a strict need-to-know basis

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Principle 6: Comply with the law

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Principle 8: Inform patients and service users about how their confidential information is used

Principle 1: Justify the Purpose(s) of using Confidential Information

There has to be an appropriate purpose for sharing information. This is the main focus of the first Caldicott principle. The purpose must be evaluated, examined and documented before any information is shared, and uses of information that occur on a regular basis must go through regular reviews, conducted by an appropriate guardian. According to this principle, unless sharing serves the patient’s best interest, the information should stay private.

In addition, the reason for sharing the personal information has to be clearly stated, and the guardian must be made aware of it. It is the guardian’s responsibility to check the documentation process and to oversee whether other legal requirements are being followed as well.

Principle 2: Use Confidential Information only when it is Necessary

The private information of the patient should be only used when it is an absolute necessity. There should be a serious and specified purpose for using the information. 

Before sharing the information, it is important to evaluate it. If there is an alternative to sharing information, then take the alternative path. In a nutshell, this principle states that personal information must stay confidential unless there is no other way.

Principle 3: Use the Minimum Necessary Confidential Information


Suppose there is a justified reason for sharing personal information. Then there is one more thing to consider — the quantity of the information. According to the third principle of Caldicott, only the minimum amount of information should be shared. Sharing too much personal information can cause security threats for the patients. Thus, it is vital to keep the information as minimal as possible.

Principle 4: Access to Confidential Information should be on a Strict Need-to-Know Basis

Only those who need it to provide care should get access to the information. Also, sharing information is permissible only when it’s needed. The personal information of the care receiver must be protected at any cost. 

Thus, there is no access for any third party who is not associated with the caregiving process. It is the responsibility of the caregivers and organisations to protect the confidentiality. Therefore, they must deny access to unauthorised parties and ensure the data is fully protected.

Principle 5: Everyone with Access to Confidential Information should be Aware of their Responsibilities

The people who have access to the information must handle it carefully. It is their responsibility to ensure the privacy of the information. The healthcare professional and the organisation must take the essential steps to prevent leaks or exposure of data. 

If it is necessary to share the information of the care receiver, it should be in their best interest. Also, only the authorised people can view it. Professionals must be aware of these responsibilities and maintain them with utmost seriousness.

Principle 6: Comply with the Law


All the information shared and used must be lawful. Those who have authorisation to use the data have to follow the legal process. The healthcare professionals and organisations should be aware of the legal requirements and must obey them at any cost.
In order to avoid compliance issues, every organisation needs to have a guardian. Their role is to check the sharing or using process of personal information. The guardian makes sure everyone is following the legal obligation.

Principle 7: The Duty to Share Information for Individual Care is as Important as the Duty to Protect Patient Confidentiality

There are times when sharing confidential information becomes crucial for the patient. In this situation, the information can be shared, but it must be done according to the Caldicott framework and the regulations set by the organisation.

For example, if some patient health data can benefit medical research, then it is permissible to share the information. However, in such cases the information is shared anonymously; exposing the patient’s identity is not allowed.

Sometimes the police may ask for information as part of an inquiry. Authorised persons can give out information in such situations, but they must first ensure that a court order has been issued for the disclosure.

Principle 8: Inform Patients and Service Users about how their Confidential Information is Used

The patient should be aware of how and why their personal information is being used. They must be well-informed about the flow of information so that there are no shocks or surprises.
A series of steps should be taken in order to keep the patients informed. The steps will vary depending on the situation. At the minimum, accessible, appropriate and relevant information should be given.


How can You Apply Caldicott Principles in Your Settings?

Every health and social care organisation is required to apply the Caldicott principles. It is vital to protect the private information of service receivers. However, there might be situations that can create confusion. Professionals and organisations may not understand how and when to share the information.  

The first step in applying these principles is to remember them. So, here’s a mnemonic to remember the Caldicott Principles easily.

  • Formal justification of purpose.
  • Information is to be transferred only when necessary.
  • Only the minimum required info will be shared.
  • Need to know access controls.
  • All involved will understand their responsibilities.
  • Comply with the law and understand it well.

It will help you remember the principles easily. And hopefully, you’ll be able to protect patient info in your work setting more confidently.

Caldicott Guardian

A Caldicott Guardian is someone who protects the privacy of the patient or service receiver. The organisation appoints them to apply the principles effectively. This person is a certified healthcare professional in a senior position.

All NHS organisations and local governments that provide social services must have a Caldicott Guardian. The UK Caldicott Guardian Council (UKCGC) is the national body for Caldicott Guardians.

Who can be a Caldicott Guardian?

A Caldicott Guardian can be a health or social care professional with plenty of experience and knowledge of working with patients or service users and managing the complexities of frontline care.

  • A person who is a board member of the health and social care organisation.
  • A social or healthcare professional working in a senior position.
  • Someone who is a staff member and is responsible for establishing clinical governance in the organisation.

Why is it called a Caldicott Guardian?

The Caldicott Guardian’s name derives from Dame Fiona Caldicott, who chaired the Government Review of Patient-Identifiable Information in 1997.

What are the Roles of a Caldicott Guardian?

The primary role of the guardian is to ensure patient data protection. They are responsible for reducing the risk of information breaches. Along with handling the data flow, the Caldicott guardian is responsible for legal compliance. They must oversee whether the data is shared according to the legal framework.

Caldicott Guardians are in charge of the following on a daily basis.

  • Define local procedures for information disclosure.
  • Limit access to patient information through rigorous need-to-know criteria.
  • Assess and evaluate patient information.
  • Ensure that patient-identifiable data is handled legally, ethically and appropriately.

In addition to the above, the Caldicott Guardian is also responsible for ensuring the following laws regarding data management.

The Caldicott Guardian ensures patient-centric care. They help healthcare professionals in making informed decisions about the patient. This is mandatory for providing proper care. Meanwhile, they secure the privacy of the patient and ensure their safety.

When can You Share Confidential Information?

The 7th Caldicott principle says — sharing information for care can be as important as the duty to protect patient confidentiality. This principle talks about sharing information but does not point out when it’s okay to share. Here is a list that will help you understand the appropriate time to share information.

A patient’s personal identification information can be shared in the following situations:

  • When the patient is being transferred to another facility for treatment purposes.
  • If there is potential for risk or harm towards the patient.
  • If there is the possibility that the patient may harm others.
  • When a patient is wanted for a crime committed.
  • When it is possible to prevent a crime by sharing the information.
  • When a relative needs to identify a deceased person.
  • When the police or any legal authorities show a court order when requesting information.
  • If the law authorises it for any other reason.

When professionals in health and social care organisations face the above-described situations, they are allowed to share patient information. However, there can be other situations where sharing information may seem important. In this case, it is suggested to discuss with the higher authorities. The authorities will assess the situation and decide if it is appropriate to share information.  

Please note that the police or any other branch of the executive has no right to request information regarding a patient unless they present a court order. If you withhold information when there is a written court order, you can be held in contempt of court.



The 8 Caldicott principles are crucial for patient safety. Sidestepping these principles can have catastrophic consequences. Thus, every health and social care professional must educate themselves on these principles and understand how to apply them in real-life scenarios. It is also the responsibility of the organisation to train its employees on these principles and other laws regarding confidentiality.


Caldicott and the GDPR share many of the same principles. Therefore, Caldicott Guardians and Data Protection Officers must have a similar level of knowledge and skills. 

The main difference lies in the 7th principle –

“The duty to share information can be as important as the duty to protect patient confidentiality.”

The difference is that the GDPR treats personal data and confidentiality as essential in their own right. This can lead to conflict between the roles of the Data Protection Officer and the Caldicott Guardian.

The role of the Caldicott Guardian covers health and social care with 8 principles. It also aligns with the acts regarding information management, including: 

  • Data Protection Act 2018
  • NHS Act 2006 (section 251)
  • Freedom of Information Act 2000

After revising the existing 7 Caldicott Principles, a new Caldicott Principle was added in 2020. The new principle is – 

‘Caldicott Principle 8: Inform Patients and Service Users about how their Confidential Information is Used.’

Confidentiality is the duty to protect information and to share it only when authorised to do so. It reinforces the notion that personal information should be treated with care and that a person’s wishes should be respected. Confidentiality can apply to individuals, organisations and institutions.

Confidentiality breaches happen when a patient’s information is disclosed without consent or proper authorisation. It is permissible to break confidentiality in specific scenarios –

  • When it’s in the best interest of the patient,
  • When it’s required by law,
  • When the patient gives consent.

For more info on when you can share information, please check “When can You Share Confidential Information”

Yes, the Caldicott principles apply to those who are deceased as well. When handling private information, treat both the living and the deceased in the same way.

In the UK, it is mandatory to follow the Caldicott principles in the health and social care sector. Disobeying these principles can lead to compliance issues. Organisations or professionals may have to pay a penalty for breaking confidentiality. It can also damage their reputation and professional image.

In the initial stages, there were 6 Caldicott principles. However, two more principles were added later to provide better privacy and care for the patient, so there are now 8 Caldicott Principles.

Any health or social care organisation that uses the personal information of service receivers must follow the principles. If they ignore or fail to comply with them, legal action will be taken against them.

May 30, 2024