What are the 8 Caldicott Principles in Health and Social Care?

September 15, 2023

For those working within the health and social care sector, the confidentiality of patient and service user information is essential. What this means in practice, and your roles and responsibilities when it comes to information sharing, are outlined within the Caldicott Principles.

In this article we will outline what the eight Caldicott Principles are, why they were introduced and how they apply within the workplace. We have also provided a free downloadable poster that can be printed and displayed within your setting, to act as a reminder and help to ensure everyone acts in accordance with these principles at all times.


What are the Caldicott Principles?

The Caldicott Principles are fundamentals that organisations should follow to protect any information that could identify a patient – such as their name and their health records. Organisations should always use the Principles as a way of determining whether sharing an individual’s information could identify them, and if it does, whether it is appropriate and relevant for it to be shared.

In 1997, Dame Fiona Caldicott – and the committee she chaired – produced a report regarding confidentiality and the transfer of identifiable patient information within the health service. From this, a set of standards known as the Caldicott Principles was formed. There were originally six principles; subsequent reviews have since taken place, with a seventh and then an eighth principle being added in 2013 and 2020 respectively.


Why Were the Caldicott Principles Introduced?

Not so long ago, our personal information – including that relating to our health – was not protected from public access. This meant that not only could your personal information and health status become public knowledge, but that it could be used inappropriately. For example, those wishing to exert power or control over others, and those who would use it as a means to socially discriminate against and abuse others, were able to do so.

In the past, there were many stigmas associated with certain health conditions and treatments, and the worry over this information becoming known within their community could be a huge source of concern and upset for many people. As technology advanced, these concerns understandably became greater.

Therefore, the motivation behind the Caldicott report was the increasing concern about advancements in technology and its capability to distribute information about patients quickly and extensively. The basis of the review was to ensure that confidentiality was not being undermined.

The Caldicott Principles helped to set out what, when and how information could and should be shared – supporting an acceptable level of confidentiality without compromising the quality of care received. The formation of these standards helped to tackle the problems within the National Health Service (NHS) involving patient data and its accessibility, storage and use. 

As technological advances and the digitisation of data continue to evolve, keeping up to date with developments and the use of technology in health and social care is vital to help you understand the various ways a patient or service user’s personal information can be used, stored and shared.


The 8 Caldicott Principles

Below is a summary of each of the eight Caldicott Principles as outlined by the National Data Guardian for Health and Social Care, which publishes the principles in full.

Principle 1: Justify the purpose(s) for using confidential information

Every proposed use or transfer of personally identifiable information, either within or from an organisation, should be clearly defined and scrutinised. Its continuing uses should be regularly reviewed by an appropriate guardian.

Principle 2: Use confidential information only when it is necessary

Identifiable information should not be used unless it’s essential for the specified purposes. The need for this information should be considered at each stage of the process.

Principle 3: Use the minimum necessary confidential information

Where the use of personally identifiable information is essential, each individual item should be considered and justified. This is so the minimum amount of data is shared and the likelihood of identifiability is minimal.

Principle 4: Access to confidential information should be on a strict need-to-know basis

Only those who need access to personal confidential data should have access to it. They should also only have access to the data items that they need.

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Action should be taken to ensure that those handling personally identifiable information are aware of their responsibilities and their obligation to respect patient and client confidentiality.

Principle 6: Comply with the law

Every use of personally identifiable data must be lawful. Organisations that handle confidential data must have someone responsible for ensuring that the organisation complies with legal requirements.

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share information in the best interests of their patients and within the framework set out by these principles. They should also be supported by the policies of their employers, regulators, and professional bodies.

Principle 8: Inform patients and service users about how their confidential information is used

Steps should be taken to ensure patients and service users understand how and why their confidential information is used. They should always be provided with accessible, relevant and appropriate information.


How to Apply the Caldicott Principles

The Caldicott Principles are something that all health organisations should follow and promote to staff to protect patient information. The seventh principle, however, can cause a lot of confusion in healthcare environments. Often, people are uncertain about when it’s acceptable to share information about someone and when it’s not. 

There are certain circumstances that override your duty of confidentiality. This is the aim of principle 7: to realise that sharing information can be as important as protecting confidentiality. It’s important that you can successfully balance the need for maintaining confidentiality with the need for keeping people safe.

You should share information about a patient when:

  • They, or others, are, or might be, at risk of harm.
  • They are at risk of posing harm to someone else.
  • A crime could be prevented if the information is shared.
  • A serious crime has been committed.
  • A court order or other legal authority has requested the information.

Knowing both when and how to maintain confidentiality in health and social care is not only important to ensure you are upholding your legal responsibilities, but it also helps to build and support trust between yourself and those within your care. 

Always follow your organisation’s policies and procedures to make sure you are complying with confidentiality standards and the 8 Caldicott Principles within your day-to-day duties. This could mean that you do not provide the personal information of those within your care without certain identity checks, or it may mean that you do not repeat details of anyone’s personal life or events to people you don’t need to share them with – including other colleagues.


Free 8 Caldicott Principles Poster

You can download our free poster at the link below. Why not display it within your setting to act as a reminder of the key principles of confidentiality?


The 8 Caldicott Principles provide a framework for all health settings to follow to protect identifiable patient information. If you work in a health setting, it’s important that you’re aware of these responsibilities and know what your duties are in relation to them.

