Are you a new Caldicott Guardian wondering where to start?
Try this checklist.
Have your details been added to the Caldicott Guardian Register?
Check the register and contact the NHS England help desk to update your details if necessary.
Are your details available on your organisation's website?
Search the site for "Caldicott Guardian" and check that your contact details are correct.
Ensure your details are known to the organisation's switchboard/reception staff
Ring the main switchboard, ask to be put through to the Caldicott Guardian and note what information you are given. Check that it is accurate and that such requests will reach you; if not, make the necessary changes.
Check if there is a generic Caldicott Guardian email address
How will you distinguish between your day-to-day emails and those for your role as Caldicott Guardian? What happens if you are away from the office: will emails be monitored or passed to an appropriate person? Without a generic email address, how will Caldicott issues be addressed in your absence?
Arrange a deputy to cover when you are absent
Who will this be? If it is an IG lead, are they sufficiently trained to understand your role and how it differs from IG? Will they have access to the Caldicott Guardian mailbox?
Arrange a meeting or meetings with the SIRO, DPO and IG leads
Use the meetings to assess the organisation's information governance/data protection maturity and discuss how you can work together, what support you can offer each other, and your respective roles, responsibilities and expectations.
Information sharing
Find out what information sharing agreements (ISAs), information sharing protocols (ISPs) and relevant Data Protection Impact Assessments (DPIAs) your organisation has, and their reporting/monitoring arrangements. What is the approval process, and what is your role in approving future agreements? Who checks that the organisation is adhering to the agreed protocols? Who are the information asset owners? Are they aware of your role and of the need to consult you before sharing information?
Determine how your advice/decisions will be recorded
It is important to document requests for advice and advice given. Emails and written communications are generally preferable to verbal conversations as they provide a clear, documented history of events. Some organisations may also use a log as a way of monitoring and evidencing their role and impact. We have provided a sample log to show what this might look like.
Establish your accountability and reporting arrangements
Who will you report to, and what information are you expected to provide? What are the reporting arrangements for information governance generally, for example to the board, and how do you feed into them (e.g. input into a quarterly SIRO report at board level)? Many organisations will have an information governance committee or equivalent. Make sure you are a member of this and that your membership is recorded in the committee's terms of reference.
Establish your profile
Is there a mention of the Caldicott Guardian role as part of staff induction? Is the role mentioned in the generic data protection training? Plan time out to promote your role with key staff who may need to contact you.
Consider what support is available to you
What events and support are available to you? Sign up to appropriate newsletters e.g. UKCGC, ICO. Join the Digital Health Caldicott Guardian forum (online). Identify peers and perhaps a mentor or coach.
Understand your Data Security and Protection Toolkit responsibilities
Do you know what you will be expected to sign off annually? Build time in your diary to ensure these tasks are completed before the deadline.
Identify your training and development needs
Ensure you have undertaken your SWOT analysis, created your personal development plan, and booked your appraisal in good time. See the section on learning and development.
Understand your access to internal audit staff and their reports
Are you notified of any reports which have a Caldicott/IG component? If there is a breach or near-miss that requires further investigation and changes in policy/procedure to prevent a recurrence, are you able to commission internal audit time to address the issue?
Compliance with the National Data Opt-out
Check your organisation's compliance with the National Data Guardian's Review of Data Security, Consent and Opt-Outs.