New Caldicott principle and statutory guidance arriving in 2021

Earlier this month National Data Guardian (NDG), Dame Fiona Caldicott published the outcomes of a consultation that was held in June 2020 about the Caldicott Principles and the role of Caldicott Guardians. You can read our earlier blog post on the consultation here.

The consultation response contains a revised – and expanded set of eight Caldicott Principles and a commitment to issue guidance in 2021 that looks to increase the number (and type) of organisations which should appoint a Caldicott Guardian.

New eighth principle

Dame Fiona explains that the new principle’s purpose is to make clear that patient and service user expectations must be considered and informed when confidential information is used – to ensure ‘no surprises’ about the handling or sharing of their data.

Following feedback from the consultation, the wording of this new, eighth principle is:

Inform patients and service users about how their confidential information is used

Its introduction was prompted by consideration of the role that the legal concept of ‘reasonable expectations’ should play in shaping the circumstances under which health and care data may be legitimately shared. The NDG does not ‘envisage’ that this principle will establish reasonable expectations as a legal basis in its own right to meet the duty of confidence. But she does believe that it will “‘helpfully emphasis the perspective of patients and service users in decisions to use and share confidential information”.

The new principle provides that:

“ A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.”

Statutory guidance coming in 2021

This will be the first time that the NDG has issued guidance using her powers under the Health and Social Care (National Data Guardian) Act 2018. The guidance will provide for the appointment of Caldicott Guardians for all public bodies within the health and adult social care sector in England – and all organisations which contract with such public bodies to deliver health or adult social care services. The guidance will provide flexibility for organisations for which it is not proportionate to appoint a dedicated Caldicott Guardian and will suggest options/models to ensure those organisations can still have a Caldicott function.

We understand that supporting resources will be made available for those who need to appoint a Caldicott Guardian or establish a Caldicott function within their organisation.

We will report back once the new guidance is published.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.