The National Data Guardian has published guidance on the appointment, role and responsibilities of organisations that process confidential information about patients or service users as part of the NHS. The word “organisations” encompasses those who own pharmacies that provide NHS services, and they have a legal duty to have regard to the guidance.

The guidance recommends the appointment of a Caldicott Guardian by anyone who provides services as part of the NHS.

Caldicott Guardians should: “Play a key role in helping to ensure that their organisation(s) satisfy the highest ethical and legal standards for processing patient and service user confidential information. Their main concern is confidential information relating to patients, service users and their care.”

Day-to-day activities of a Caldicott Guardian will vary according to the type and size of the organisation, but they may include:

 • advising on disclosures of confidential information, and in particular whether they can be made in line with the common law duty of confidentiality

• involvement with patients’ or service users’ complaints

 • involvement in audit reporting or recommendations

• involvement in data breach investigations.

Caldicott Guardians should document any advice offered, judgments or decisions made and the reasoning behind them in the interests of transparency and accountability. The National Data Guardian advises that emails and written communications are preferable to verbal conversations because they provide Caldicott Guardians with a clear, documented history including how the Caldicott Principles have been considered, any advice given, how much information has been shared, and with whom.

Caldicott Guardians should be “available and accessible for patients and service users”. Their contact details should be publicly accessible, for example via websites. Organisations must register the details of Caldicott Guardians on the Caldicott Guardian register, which is maintained by NHS Digital.

Some Caldicott Guardians may also have senior management responsibilities, but the National Data Guardian emphasises that they must be free to advise in the best interests of patients and service users even if this conflicts with the views of other senior management colleagues, saying: “The line between their advice as a Caldicott Guardian and their corporate view must be very clear to all.”

The guidance says Caldicott Guardians should have “inquisitiveness to question, analyse and challenge decision-makers”. Caldicott Guardians should not be dismissed or penalised by the organisation for performing their role and responsibilities to the required standard.

A Caldicott Guardian need not be an employee, and the role could be provided by another organisation and/or could be shared with other providers of healthcare services.

Since the General Data Protection Regulation became law in 2018, pharmacies have had to have a Data Protection Officer (DPO) and there is some overlap in responsibilities. The role of Caldicott Guardian can be combined with that of DPO so long as no conflict of interest arises.

However, the responsibilities of a Caldicott Guardian are not the same as a DPO, and the former will need to have detailed knowledge of the relevant law and the Caldicott principles, which are set out in an Annex to the guidance.

David Reissner is a solicitor and Chair of the Pharmacy Law & Ethics Association.