The Caldicott Principles

Caldicott Principles

The Caldicott Principles are a fundamental part of confidentiality in care and a key element of the Care Certificate.

The Caldicott Principles are a set of guidelines established to ensure the confidentiality and proper handling of personally-identifiable information within health and social care services in the UK. Originally developed in 1997 and updated over the years, these principles guide how personal data should be used and shared, balancing the need for information sharing in healthcare with the necessity to protect personal privacy.

The 8 Caldicott Principles are:

  1. Justify the purpose(s) for using confidential information: Each use or transfer of confidential information should have a clear and justified purpose, and its ongoing use should be regularly reviewed.
  2. Use confidential information only when necessary: Identifiable information should only be used when it is essential for the intended purpose. If the objective can be achieved without using such information, it should not be used.
  3. Use the minimum necessary confidential information: When identifiable information is necessary, only the minimum amount required should be used to achieve the purpose.
  4. Access to confidential information should be on a strict need-to-know basis: Only those individuals who need the information to perform their duties should have access to it, and they should only access the specific data they need.
  5. Everyone with access to confidential information should be aware of their responsibilities: All staff and individuals with access to confidential information should understand their responsibilities to protect and respect personal confidentiality.
  6. Comply with the law: The use of identifiable data must always comply with legal requirements, including data protection law.
  7. The duty to share information can be as important as the duty to protect confidentiality: Health and social care professionals should be confident in sharing information when it is in the best interest of the individual, as long as the sharing complies with these principles.
  8. Inform people and service users about how their confidential information is used: People should be told how their information is used and shared, ensuring transparency and avoiding any surprises about how their data is handled.

These principles are overseen by Caldicott Guardians, senior members of staff within organisations who are responsible for ensuring that personal information is used ethically and legally.


The Creation of the Caldicott Principles

The Caldicott Principles were established to ensure the safe and confidential handling of personal information within the UK’s healthcare system. These principles are named after Dame Fiona Caldicott, who chaired the original review that led to their creation.

Background and Need for the Principles

In the 1990s, there was growing concern about the protection of personal information as healthcare services increasingly relied on electronic systems for managing data. With the advent of digital technology, there was a need to balance the benefits of sharing personal information for clinical and research purposes with the imperative to safeguard personal privacy.

To address these concerns, in 1996 the UK Government commissioned a review of how personal information was being used and shared across the National Health Service. The review reported in 1997.

The Caldicott Committee

The review was conducted by a committee chaired by Dame Fiona Caldicott, an eminent psychiatrist and former President of the Royal College of Psychiatrists. The committee’s task was to examine the ways in which personal information was shared within the NHS and to recommend guidelines to protect personal confidentiality.

Findings and Recommendations

The committee’s report, often referred to as the Caldicott Report, identified a range of issues related to the handling of personal information. It highlighted that while information sharing was essential for providing quality care, there were significant risks associated with improper handling and breaches of confidentiality.

The report recommended a framework of principles to guide healthcare professionals in managing personal information responsibly. These principles aimed to ensure that personal data was used appropriately and only shared when necessary, with the person's consent where required, and in a way that protected their privacy.

The Original Caldicott Principles (1997)

The committee proposed six key principles:

  1. Justify the Purpose: Any use or sharing of personal information should have a clear and justified purpose.
  2. Don't Use Personally-Identifiable Information Unless Absolutely Necessary: Only use information that identifies a person if there is no alternative.
  3. Use the Minimum Necessary Personally-Identifiable Information: Use only the amount of information required to fulfil the purpose.
  4. Access to Personally-Identifiable Information Should Be on a Need-to-Know Basis: Only those individuals who need access to personal information to perform their duties should have access.
  5. Everyone with Access to Personally-Identifiable Information Should Be Aware of Their Responsibilities: All personnel should understand and adhere to their responsibilities in safeguarding personal data.
  6. Understand and Comply with the Law: There should be a clear understanding of legal requirements related to personal confidentiality.


Updates and Expansion

In 2012, Dame Fiona Caldicott was asked to review the principles again, given the significant changes in technology and data usage. This led to the publication in 2013 of 'Information: To share or not to share? The Information Governance Review', often referred to as Caldicott 2.

This review reaffirmed the original six principles and added a seventh:

  7. The Duty to Share Information Can Be As Important As the Duty to Protect Confidentiality: This principle emphasised that appropriate sharing of information is crucial for safe and effective care.

Later, in December 2020, the principles were revisited by the National Data Guardian and updated to include an eighth principle in response to evolving practices and digital advancements:

  8. Inform Service Users About How Their Confidential Information is Used: This principle focuses on transparency, ensuring that people understand how their data is used and shared.

Impact and Legacy

The Caldicott Principles have become a cornerstone of information governance in the NHS. They are integral to policies and practices that protect personal confidentiality and guide the responsible sharing of health information. The principles continue to evolve to address new challenges and advancements in the field, ensuring that personal privacy remains a priority in an increasingly digital world.

The principles help balance the need for sharing information to provide effective care while protecting people’s rights to privacy and confidentiality, fostering trust between people and healthcare providers.

Applying the Caldicott Principles in Care

The Caldicott Principles provide essential guidance on how to handle and share personal information responsibly in healthcare settings. Their application is crucial for protecting confidentiality while ensuring that necessary information is available for effective care.

The first principle emphasises the importance of justifying the purpose of using or sharing personal information. In practice, healthcare professionals should always clarify why they need the information and be prepared to explain this purpose to the person. For instance, if a nurse needs to share details with a specialist for a referral, the necessity of sharing should be clear and communicated to the person.

Next, the principle of using personally-identifiable information only when absolutely necessary means that healthcare providers should consider whether tasks can be accomplished with anonymised or less specific data. For example, when preparing reports or case studies, care should be taken to remove any identifying details unless they are essential for understanding the case.

When it is essential to use personally-identifiable information, only the minimum amount necessary should be used. This approach helps protect personal privacy by limiting exposure of sensitive information. For example, when reporting a person's progress to a multidisciplinary team, only the relevant details should be included rather than the person's entire medical history.

Access to personal information should be on a need-to-know basis, meaning that only those who need the information to perform their job should have access to it. For instance, a receptionist should have access only to a person's contact details for appointment scheduling and not to their full medical record.

It’s vital that everyone involved in the care setting understands their responsibilities regarding personal information. This includes regular training and clear communication about data protection policies, ensuring that all staff are aware of their role in maintaining confidentiality.

Compliance with the law is another cornerstone of the Caldicott Principles. Healthcare providers must handle personal information in accordance with legal requirements, such as the Data Protection Act 2018, the UK GDPR and the common law duty of confidentiality. This compliance includes securing a person's consent for data use when required and staying informed about the legal frameworks governing personal information.

An important aspect of the Caldicott Principles is recognising that the duty to share information can be as important as the duty to protect confidentiality. In some cases, sharing information is crucial for providing effective care. For example, in life-threatening situations, sharing personal information with emergency services is essential and must be done promptly and accurately.

Transparency with people about how their information is used is also critical. They should be informed about how their data is being used and shared. This can be achieved by clearly explaining these processes during consultations and providing them with written resources or online information detailing their rights regarding their data.

Implementing the Caldicott Principles effectively requires healthcare providers to develop clear policies that reflect these guidelines and ensure they are accessible to all staff. Regular training and updates are essential to keep everyone informed about information governance and personal confidentiality. Monitoring and auditing practices around the use of personal information help maintain compliance and address any issues promptly. Fostering a culture where respecting personal confidentiality is a core value ensures that all staff feel responsible for upholding these standards.

Applying the Caldicott Principles in care ensures that personal information is managed with respect and confidentiality, balancing the need for information sharing with the imperative to protect personal privacy. This approach is fundamental for maintaining trust and delivering high-quality healthcare.