NHS IG 15 Dec 2025 7 min read

Caldicott Principle 8 in Practice: Patient Transparency in the NHS

The eighth Caldicott Principle — that patients should be informed about how their data is used — is often the hardest to operationalise. We explore practical approaches to transparency notices, fair processing, and the National Data Opt-Out.

Folelse Team

The Caldicott Principles govern how patient information should be handled in health and social care settings in England. First established in 1997 following Dame Fiona Caldicott's landmark review, the principles have been updated twice since — in 2013 (adding Principle 7: 'The duty to share can be as important as the duty to protect') and in 2020, when an eighth principle was added. Principle 8 focuses on patient transparency, and it is often the one that health and social care organisations find hardest to put into practice.

What Does Principle 8 Say?

Caldicott Principle 8 states: 'Inform patients and service users about how their confidential information is used'. The National Data Guardian's guidance specifies that organisations should ensure patients and service users are aware of how their information will be used, when it will be shared, and with whom — and that this information should be accessible, clear, and available before information is used.

This principle aligns closely with the transparency requirements of UK GDPR (Articles 13 and 14), which require controllers to provide privacy information to data subjects at the point of collection and when data is obtained from third parties. For NHS organisations, Principle 8 adds a specifically health-focused obligation that sits alongside — and reinforces — the statutory transparency requirements.

The National Data Opt-Out

A key part of Principle 8 in practice is the National Data Opt-Out. Introduced in 2018 following the National Data Guardian's recommendation, the National Data Opt-Out allows patients to opt out of their confidential patient information being used for research and planning purposes — uses that go beyond their direct care.

Health and social care organisations in England that use or share confidential patient information for purposes beyond direct care must:

  • Check whether patients have registered a National Data Opt-Out before using their data for planning or research
  • Apply the opt-out at the point of data dissemination — this should be built into your data sharing processes
  • Update your privacy notice to explain the National Data Opt-Out and how patients can register one
  • Record the application of opt-outs as part of your data sharing governance

The deadline for mandatory compliance with the National Data Opt-Out for all health and social care organisations was originally September 2021. If your organisation is still not checking opt-outs before non-direct-care data flows, treat this as an urgent remediation item.
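The opt-out check at the point of dissemination, as an added example that is not Folelse's code or any NHS-provided tool: a purpose-aware gate that releases records for direct care unchanged, withholds opted-out patients from research and planning flows, and writes a governance record for every decision. The purpose labels, the record layout, the sample NHS numbers and the local opt-out list are all constructed for illustration; a real implementation would obtain opt-out status from the national check service rather than a hard-coded set.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

DIRECT_CARE_PURPOSES = {"direct_care"}      # opt-out does NOT apply to direct care
OPT_OUT_PURPOSES = {"research", "planning"}  # opt-out MUST be applied before release


@dataclass
class DisseminationResult:
    released: list = field(default_factory=list)
    withheld: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # governance record of every decision


def normalise_nhs_number(value):
    # NHS numbers are often displayed with spaces ('943 476 5919'); compare without them
    return str(value).replace(" ", "")


def apply_national_data_opt_out(records, opted_out_nhs_numbers, purpose, checked_at=None):
    """Gate a data flow on its purpose and each patient's opt-out status.

    records: dicts with at least an 'nhs_number' key (constructed sample data below).
    opted_out_nhs_numbers: NHS numbers holding a registered opt-out. This is a
    hypothetical lookup result; a real service would query the national opt-out check.
    """
    if purpose not in DIRECT_CARE_PURPOSES | OPT_OUT_PURPOSES:
        raise ValueError(f"unrecognised purpose: {purpose!r}")  # fail closed on unknown purposes
    checked_at = (checked_at or datetime.now(timezone.utc)).isoformat()
    opted_out = {normalise_nhs_number(n) for n in opted_out_nhs_numbers}
    result = DisseminationResult()
    for record in records:
        nhs_number = normalise_nhs_number(record["nhs_number"])
        withhold = purpose in OPT_OUT_PURPOSES and nhs_number in opted_out
        (result.withheld if withhold else result.released).append(record)
        result.audit.append({"nhs_number": nhs_number, "purpose": purpose,
                             "opt_out_applied": withhold, "checked_at": checked_at})
    return result


# Constructed sample data: three patients, one of whom has registered an opt-out.
SAMPLE_RECORDS = [
    {"nhs_number": "943 476 5919", "diagnosis": "asthma"},
    {"nhs_number": "9434765870", "diagnosis": "diabetes"},
    {"nhs_number": "943 476 5889", "diagnosis": "hypertension"},
]
SAMPLE_OPT_OUTS = {"943 476 5870"}  # spaced form on purpose: normalisation handles it
```

Retaining the audit list alongside each release is what lets you evidence the "record the application of opt-outs" step when the flow is later reviewed.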

Fair Processing Notices in Practice

The most common practical expression of Principle 8 is the fair processing notice — the information you provide to patients about how their data will be used. In the NHS, this is commonly delivered through:

  • Website privacy notices covering all processing activities
  • Posters in waiting rooms and clinical areas
  • Leaflets and patient-facing materials
  • Digital patient-facing systems (e.g. NHS App, patient portals)
  • Verbal explanation during first registration or admission

The challenge for large NHS organisations — trusts, ICBs, large GP federations — is ensuring that every processing activity is reflected in the patient-facing privacy notice, and that the notice is kept up to date as activities change. A privacy notice that doesn't reflect current processing is both a UK GDPR transparency failure and a breach of Caldicott Principle 8.

Practical Steps for Compliance

  • Maintain a Record of Processing Activities (ROPA) that covers all patient data flows — this is the foundation for keeping your privacy notice accurate
  • Review your privacy notice at least annually and after any significant change in processing
  • Train clinical and administrative staff to be able to answer basic patient questions about data use
  • Implement the National Data Opt-Out check in all non-direct-care data sharing workflows
  • Document your Principle 8 compliance approach in your DSPT submission

Folelse's NHS IG module includes a Caldicott Principle 8 compliance tracker, National Data Opt-Out workflow integration, and privacy notice management tools designed for NHS organisations.
