Newcastle Laboratories

Data Protection
Caldicott Principles

What are the Caldicott principles and what are they used for?

The Caldicott Principles were devised by the Caldicott Committee (headed by Dame Fiona Caldicott), which reported in 1997 following a review of patient identifiable information. They were developed in conjunction with the Data Protection Act to provide a framework of good practice in the use of patient information for NHS staff. Access to patient information should be restricted to those who have a justifiable need to know that information in order to carry out their work.

In 2013, the Government tasked Dame Fiona with performing this review again, with a focus on the appropriate sharing of identifiable information. The original 6 principles were joined by a 7th which looked at this specifically. A link to Dame Fiona’s review and the Government’s response to it can be found at the bottom of this page.

The 7 Caldicott Principles

(1) Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

(2) Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

(3) Use the minimum necessary personal confidential data

Where use of patient confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

(4) Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

(5) Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.

(6) Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.

(7) The duty to share information can be as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

How do I make a Caldicott / Data Protection Application? 

The collection, use and transfer of any patient information must be approved by the Trust’s Caldicott Guardian. This covers all databases and records systems that contain clinical information or patient details, ranging from medical records and eRecord to local departmental databases and files.

Consent is obtained by submitting an application form either through the intranet or by emailing a completed form to The form can be used for gaining both Data Protection approval (ie for databases to be held within the Trust) and for Caldicott approval (ie for studies which require a transfer of information to another organisation).

Sections 1 to 13 are relevant to Data Protection and highlight the important areas that need to be addressed such as the location of storage for the data, what type of data will be collected and why they are being collected. Sections 1 to 14 are relevant to Caldicott applications. Section 14 details the transfer of the information to another organisation. The form goes through the 6 Caldicott principles enabling applicants to demonstrate their study meets the criteria.

How are applications approved?

***New Procedure In place***

Overall responsibility for approval of Data Protection and Caldicott applications rests with the Trust’s Caldicott Guardian, Andrew Welch. All applications are received and initially reviewed by the IG team.

The Trust’s Lead for Data Protection is Richard Oliver.

The Trust’s Data Protection Registration Number is Z6173332

All Caldicott and Data Protection Applications will be reviewed and approved on a Wednesday afternoon and a Friday afternoon. All communications must be directed to the mailbox and will be answered during this period.

We will NEVER reject an application immediately. The IG Team will contact you to discuss why it may not be acceptable and suggest ways that the information could be collected and/or shared in a more appropriate way. Please ensure you read the Advice document to avoid potential problems.

Although we aim to get all applications approved as soon as possible, please ensure you leave plenty of time before the research project/study is due to start to gain your approval.

Any Data Protection and Caldicott forms requiring further information from applicants that have been outstanding for 3 months will be rejected. Applicants will be informed and will be invited to resubmit when information becomes available.

All contacts provided within the application will be notified of its approval.

Please remember to complete all relevant sections of the Caldicott application form, giving as much detail as possible.


If you are having difficulty completing a Caldicott application form, please email or call Fay O’Sullivan on 31805.

Please ensure that you read the Advice document before completing your application to minimise any potential issues.