
Caldicott Principles & Data Protection Act

Note - To contact the NHSGGC Caldicott Guardian/Information Governance Dept. please phone 0141 355 2020


The Caldicott Framework was set up in March 1999 following The Caldicott Report 1997. The Framework requires each NHSScotland organisation to appoint a 'Caldicott or Information Guardian'. The Guardian's responsibilities include:

  • Auditing current practice and procedures;
  • Managing an improvement plan which is monitored through the clinical and corporate governance frameworks;
  • Developing protocols for inter-agency information sharing at a local level; and
  • Making decisions about how their organisation uses patient identifying information. For example they provide advice in relation to research studies, or disclosure in the public interest.

NHS Greater Glasgow & Clyde Policy Dictates:

Confidentiality is a fundamental principle in the delivery of health services. Much of the confidential information held relates to patients and employees of the service. This information should be treated with respect to ensure integrity, protect it from inappropriate disclosure and to make sure that it is only available to authorised staff. NHS Greater Glasgow & Clyde will take all reasonable measures to comply with its legal responsibilities and to preserve and maintain the confidentiality of the information it holds.

The Caldicott principles have been integrated into the NHSScotland Code of Practice and state that, in order to use patient data, we must:

  • Justify the purpose
  • Use only when necessary
  • Use the minimum necessary
  • Access on a 'need to know' basis
  • Be aware of your responsibilities
  • Comply with the law

The Data Protection Act 1998 demands that patient data:

  • Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
  • Shall be obtained for only one or more specified and lawful purpose(s) and shall not be further processed in any manner incompatible with that purpose or these purposes;
  • Shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed;
  • Shall be accurate and, where necessary, kept up to date;
  • Shall not be kept for longer than is necessary for that purpose or these purposes;
  • Shall be processed in accordance with the rights of data subjects under the Act;
  • That appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
  • Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.