
What are the Eight Caldicott Principles?

Last updated on 24th November 2021

There is a need for an existent and functional set of policies to ensure transparency in every institution, especially when it comes to health and social care. The health and social care sectors are vital to the general populace’s lives and wellbeing. Due to the personal nature of healthcare, these sectors even require further attention, given that they deal with vital information about the citizenry. This was the reason that the Caldicott principles were created.

Senior officials are designated in the various related institutions to supervise the enforcement of the Caldicott principles. Doing this ensures that everyone who works in social care honours these principles for every patient’s safety and privacy.

In this five-minute guide, we'll discuss what the Caldicott principles are, outlining their purpose, what they represent, why they were introduced, and how they can be applied in health and social care today.


What are the Caldicott Principles?

In 1997, rising concerns about the use (or misuse thereof) of patients’ data resulted in the commissioning of the Caldicott Report by England’s Chief Medical Officer. The report is fully described as ‘The Caldicott Committee’s Report on the Review of Patient-Identifiable Information’.

The principles were essentially created to tackle difficulties that the National Health Service (NHS) faced in handling patients' information, and the way technology was changing the processes involved.

The review published its discoveries in December of the same year of its commission. Its comprehensive findings culminated in establishing an initial six Caldicott principles and 16 recommendations for enforcing the guidelines.

The Caldicott report was chaired by Dame Fiona Caldicott (DBE, FMedSci), the then Principal of Somerville College, Oxford, and former president of the Royal College of Psychiatrists. She currently serves as the National Data Guardian for Health and Social Care.

A section of the Caldicott report clearly instructs that every item of data that pertains to an attribute of a person should be treated as capable of identifying a patient, and hence should be appropriately protected so as to safeguard confidentiality.

The report’s third recommendation states that a Caldicott Guardian is appointed in each hospital to enforce that every worker in social and health care adheres to the Caldicott principles. The guardian reviews all procedures related to person-identifiable health data.

Fourteen years later, Dame Fiona Caldicott oversaw a supplementary review (Caldicott2), which concluded with the addition of another Caldicott principle and 26 new recommendations. The government requested this additional review following the NHS Future Forum's proposals. The 2012 follow-up report brought the number of Caldicott principles to seven. A controversy later ensued, which led to a further review of these vital principles in 2016.

To prevent a patient's private information from being undermined or leaked, certain organisations must follow the Caldicott principles to the letter. These organisations include all public and private hospitals, clinics, and health or social care institutions. The recommendations and principles serve as an ethical basis for any worker handling data and following best practice.

They are also useful, particularly in instances of conflicting interests, where a patient's information may need to be used or transferred even though the patient wants otherwise. One example is when a third party has been harmed or might be at risk of harm. Another tricky situation arises if the patient is suspected of, or linked to, a crime. In these circumstances, organisations may have to disclose patient-identifiable information through the right channels. However, a Caldicott Guardian must always approve such a release of information.

A detailed review was led by the Information Commissioner's Office (ICO) to determine the number and frequency of data breaches.

Information Commissioner’s Office record of breaches

  • In 2014/15, 41% of all breaches reported to the ICO were from the health sector.
  • Breaches largely happened due to human behaviour.
  • In 2014/15, 48% of data breaches in the health sector affected fewer than 10 data subjects, with only 9% affecting more than 1,000 data subjects (usually relating to spreadsheets).
  • Technological issues also lead to breaches, such as unencrypted devices, or information in supposedly anonymised data sets not being properly anonymised.
  • The use of unencrypted devices is a concern across health and social care, and resulted in a fine of £325,000 for a single NHS Trust.

How many Caldicott Principles are there?

There were initially six Caldicott principles, until April 2013, when Dame Fiona Caldicott, their founder, reviewed information governance for the second time and decided it was best to add a seventh principle.

The review started in 2012, when she established a small panel of experts to help. The study was carried out to ensure that the balance between protecting patients' or service users' information and making use of that information was appropriate at any given time.

The review recognised that there are times when it is necessary to share information about a patient for their safety and improved care. In March 2013, the expert panel concluded that a balance between sharing and protecting patients' information was urgently needed to protect the interests of patients and service users alike.

The most recent review was in December 2020, when an eighth principle was added.

The eight Caldicott principles are listed below:

  • Justify the purpose for using confidential information.
  • Don’t use personal confidential data unless absolutely necessary.
  • Use the minimum necessary personal confidential data.
  • Access to personal confidential data should be on a strictly need-to-know basis.
  • Everyone with access to personal confidential data should be aware of their responsibilities.
  • Understand and comply with the law.
  • The duty to share information can be as important as the duty to protect patient confidentiality.
  • Inform patients and service users about how their confidential information is used.

Now, let’s discuss these principles in some detail.


Principle 1: Justify the purpose for using confidential information

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised, and documented, with continuing uses regularly reviewed, by an appropriate guardian.

It is important that the reasons for giving out any personal information about a patient are clearly stipulated, and that a guardian is involved to document and witness any further use of that information. No confidential information about a patient should be shared if it is not in that patient's best interest.

Principle 2: Don’t use personal confidential data unless absolutely necessary

Identifiable information should not be used unless it’s essential for the specified purposes. The need for this information should be considered at each stage of the process.

Giving out personal information about any patient can be a safety issue and should be taken into serious consideration. If the information is not needed to protect the patient, then it is not necessary to give it out.

Principle 3: Use the minimum necessary personal confidential data

Where the use of personally identifiable information is essential, each item should be considered and justified, so that the minimum amount of data is shared and the likelihood of identifying the patient is as low as possible.

Where it is essential to give out personal information about a patient, only the most important and least personal data should be shared. Each item of data about a patient should be checked and considered before being shared, to secure confidentiality.

Principle 4: Access to personal confidential data should be on a strictly need-to-know basis

According to this principle, access to patients' personal information should be allowed only to people who are permitted to have it. Health and social care professionals must strictly follow this principle, as personal confidential data isn't meant to be visible to anybody and everybody.

The information should not be given out to those who are not permitted or supposed to have it. Patients' personal confidential data is to be protected at all costs in the patient's interest, and a third party who isn't cleared to have such information should not and must not have access to it.

Various individuals or organisations might seek or request access to the data, or ask that the data be shared with them. It is the responsibility of the health or social care worker to make sure that this isn't allowed. Personal confidential data must always remain hidden from those who should not have access to it.

Principle 5: Everyone with access to personal confidential data should be aware of their responsibilities

It is important to note first that only very few people should be allowed access to patients' personal confidential data.

Whoever is privy to such information should take note of their responsibilities and duties in making sure they protect the interest of the patient. A non-recognised individual or organisation must not be given access to such information.

Necessary action should be taken to make sure that the people who are allowed access to personal confidential data are aware of their obligation to respect the patient's confidentiality.

Health and social care workers need to be aware of this and take note of it. On no account should they let out confidential information about a patient. If information does need to be shared, it must be in the best interest of the patient or of those who are rightfully allowed access to the data.

Principle 6: Understand and comply with the law

The sixth Caldicott principle says that the use of personally identifiable data must be lawful. Every organisation that holds individuals' confidential information or data should have at least one person in charge of ensuring that all legal requirements are followed.

A health or social care organisation would not want to reach the point of breaking such a principle or carelessly letting out an individual's confidential information. The laws are there to be read and understood by anyone who wants to, and there are consequences for anyone who breaches them.

It is therefore advisable that every organisation handling individuals' confidential data has someone who makes sure the laws are followed. That person's responsibility is to make sure the organisation keeps the data as confidential as it should be.

Principle 7: The duty to share information can be as important as the duty to protect patient confidentiality

While information may be shared only in the best interest of the patient, an organisation must also ensure that it protects the patient's confidentiality.

There are times when some information about a patient needs to be shared. In such cases, health or social care professionals may be required to share some information about a patient.

Sometimes, information might be needed by government agencies or by research and development organisations for other purposes. In such cases, health and social care workers should be able to share the information, but must make sure that the patient remains anonymous.

However, they must also make sure that this is done within the framework set by these principles, and not outside what the principles provide for. They must oversee the flow of patient information, whether it is for the purpose of research or for disclosure to the police.

Principle 8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure there are no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this.

These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.


Why were the Caldicott Principles introduced?

For many patients, confidentiality can play a major role in their healing process, as it affects how they cope psychologically with their situation. Previously, patients' records were easily accessible to the public, which often put them at risk of social discrimination and abuse. Change was called for, and the medical world sought solutions to curtail this lingering issue.

It was believed that a set of rules would eradicate cases of indiscriminate access to vital and sensitive information. Stories about patients' information being acquired by rivals, especially in the political sector or in leadership positions, were frequent and widespread.

The 1997 review was a step forward, as a report was produced on this confidentiality issue. When the review concluded, the panel had come up with six principles that have guided the medical field ever since. To ensure full compliance with the principles, it was mandated that a guardian be appointed to monitor how patient information was being safeguarded and disclosed.

As time went on, the introduction of the seventh principle in 2013 brought further amendments to the pre-existing guidelines and principles. The introduction and acceptance of the Caldicott principles into the NHS saw the end of indiscriminate access, with access given only to the patient or a family member.

Over time, unauthorised access to a patient's medical record came to be seen as unlawful, as it was backed by legislation. The Data Protection Act 1998 also restricted and ruled against unauthorised access, as all individuals are entitled to privacy.

Another reason these principles were important relates to situations where the electronic transfer of patient data is required. The principles act as a check against illegal access to that information while personal data is in transfer.

The Caldicott principles also lay down further guidelines for medical practitioners to follow, limiting the leak of patients' personal information. The only time a patient's records can be accessed without their consent relates to the registration of public records, and only government officials can do this, under a non-disclosure obligation.

In conclusion, the Caldicott principles have laid a basis for the appropriate exchange of personal information between the patient, medical staff and government officials, keeping medical records and registers safe and secure.

How can we apply Caldicott Principles in our settings?

The Caldicott principles can be described as the fundamental rules and regulations that safeguard a patient's confidentiality. They are the basic rules every healthcare worker must follow to ensure there is no breach of confidentiality whatsoever.

The Caldicott principles were formulated in 1997 by Dame Fiona Caldicott. Six principles were in place at that time. However, in April 2013, during her second review of information governance, Dame Fiona Caldicott added the seventh principle.

These principles were put in place for different reasons, including:

  • So that patients feel more in control of their personal information.
  • To protect the identities of patients.
  • So that patients know how and when to object to the release of their personal information.
  • So that patients feel confident that their information is in safe hands and do not have to worry.
  • To ensure that healthcare workers do not use personal information for their own purposes.

As explained above, the Caldicott principles are important because patients' confidentiality has to be protected. However, there has been confusion about whether or not giving out information about patients can be justified.

If we take a close look at Principle 7 (the duty to share personal information can be as important as the duty to have regard for patient confidentiality), we can deduce that while protecting patients' confidentiality is necessary, there are also exceptions where the duty of care requires disclosure.

A patient’s personal identification information can be given if:

  • The patient is being transferred to another hospital for treatment.
  • There is information that a patient is at risk of harm and needs protection.
  • A patient is wanted for a crime they have committed.
  • A patient has died, and a relative needs to be identified.
  • The law authorises it.

No member of the Executive, e.g. the police, has the right to request information about a patient without a written order from the court. Where there is a written order and information is still withheld, the patient's doctor could be held in contempt of court.


The introduction of the Caldicott principles was a move in the right direction, as it brought about better policies in the health sector. Institutions that work to these principles notice a tangible difference in their operations and in their handling of patients. With the addition of the eighth principle, we now have a more standardised solution and tool for improving the healthcare sector and protecting sensitive personal information.


About the author

Marcel Deer

Marcel qualified as a journalist from Liverpool John Moore's University in 2009. After working in PR and digital marketing for five years, he spent two years working as a social media consultant. Since then, he's worked from 15 countries as a remote content writing/marketing expert.