The National Data Guardian has published new guidance on the appointment and role of Caldicott Guardians. This is the first major guidance to be published by the new National Data Guardian, Dr Nicola Byrne.
The guidance covers:
- When an organisation needs to appoint a Caldicott Guardian
- The roles and responsibilities of the Caldicott Guardian
- The relationship between the Caldicott Guardian and other key organisational roles. Interestingly, the guidance advises against a Caldicott Guardian also being the Senior Information Risk Owner (SIRO) but acknowledges that the same person might be a Caldicott Guardian and Data Protection Officer (DPO).
- Accountability of the Caldicott Guardian
- Caldicott Guardian knowledge and skills
- How organisations should involve and support their Caldicott Guardian
- The relationship between the Caldicott Guardian and patients, service users, the public and other staff. The guidance recommends that Guardians should be “available and accessible for patients and service users”. Contact details for Caldicott Guardians should be publicly accessible to patients and service users. This suggests that Guardians should have a public-facing role similar to that of a DPO.
- The register of Caldicott Guardians. NHS Digital will retain the register and organisations must ensure that the register has up-to-date details of their Guardian.
All organisations that provide NHS-funded health care or local-authority-funded social care in England must “have regard” to the guidance. This includes NHS Trusts and Foundation Trusts. NHS suppliers must also “have regard” to the guidance if they handle patient information.
“Having regard” means that these organisations must be able to show that:
- They are aware of the guidance;
- They have taken it into account when making decisions in areas covered by the guidance; and
- If they have decided not to follow the guidance, they have good reasons for doing so.