Who are the Caldicott Guardian, SIRO and DPO?


The NHS processes enormous amounts of personal data. With all the patients who come and go, hospital staff across the country handle an almost unfathomable volume of records every day. With this in mind, you can imagine how much risk is involved in keeping this data secure. Patient data needs to be handled very carefully, so those in charge of ensuring its safety must take their responsibilities seriously. Two of the most essential roles involved in this are the Caldicott Guardian and the Senior Information Risk Owner, or “SIRO”.


Whether you’re familiar with these job titles or not, they’re performing crucial duties behind the scenes to prevent your patient data from slipping through the cracks and landing before prying eyes.


So, what are these roles, exactly? How are they different from each other? And what precisely are they responsible for?

The Caldicott Guardian


A Caldicott Guardian is a senior person who’s responsible for protecting the confidentiality of people’s health and care information. It’s their job to ensure that this information is used legally, ethically, and appropriately, whilst making sure that confidentiality is maintained. Essentially, a Caldicott Guardian acts as the ‘conscience’ of an organisation.


Each NHS Trust and special health authority is mandated to appoint somebody in this role to be a guardian of patient-identifiable information, and to oversee the arrangements for the use and sharing of patient information.

The Eight Caldicott Principles


When an individual is operating in the capacity of a Caldicott Guardian, there are eight principles that should be used to ensure that people’s personal data is kept confidential and used correctly. It’s best practice to operate with these in mind, as they act as helpful guidelines for how the Caldicott Guardian’s duties should be carried out.


These principles are:


  1. Justify the purpose(s) for using confidential information.

  2. Use confidential information only when it is necessary.

  3. Use the minimum necessary confidential information.

  4. Access to confidential information should be on a strict need-to-know basis.

  5. Everyone with access to confidential information should be aware of their responsibilities.

  6. Comply with the law.

  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality.

  8. Inform patients and service users about how their confidential information is used.

The Senior Information Risk Owner (SIRO)

A SIRO, while working toward the same ultimate goal as the Caldicott Guardian, is a little different. In short, the SIRO is an individual responsible for managing information security risks and implementing measures to prevent them.

This person should be an Executive Director, someone who holds a senior position as a member of the board, or somebody in a senior management position. This ensures that the SIRO actually has the requisite authority to implement the necessary measures to enact the organisation’s compliance strategy.

The person in this role should NOT be the same individual who is acting as the Caldicott Guardian. This is because the SIRO should be part of the organisation’s management hierarchy, whereas the Guardian is more of an advisory role. This separation avoids a conflict of interest and ensures that decisions can be made cooperatively, leveraging multiple perspectives.

The SIRO has many responsibilities, including (but not limited to):

  • Understanding how the strategic business goals of the organisation may be impacted by information risks.

  • Acting as an advocate for information risk on the board and in internal discussions.

  • Ensuring that identified information security risks are followed up and incidents are managed.

  • Overseeing the development of the Information Risk Policy (and having ownership of this policy).

  • Taking ownership of the risk assessment process. 

Although the two roles are separate from each other, the SIRO and the Caldicott Guardian should work together towards their shared goal of consistent confidentiality and compliance.

The Data Protection Officer


It’s also worth giving a mention to the role of the Data Protection Officer (DPO), as their work in an organisation is also hugely important. As a public body, the NHS has a duty to appoint a DPO. The DPO should be an expert in data protection law, and there should be no conflict of interest when the DPO is fulfilling their role. This is why it’s often beneficial for an organisation to outsource their DPO (a service that DPAS offers). 


Essentially, the DPO’s goal is to help the organisation remain UK GDPR compliant. It is important to note that DPOs are not responsible for maintaining compliance; rather, their role is to assist with and monitor the organisation’s compliance.


Some of the DPO’s responsibilities include:


  • Informing and advising their organisation about its obligations for compliance.
  • Acting as a point of contact for data subjects.
  • Advising on Data Protection Impact Assessments (DPIAs).
  • Keeping records of data processing activities.

Again, this role comes with many responsibilities (the ones listed above being only a handful), but the Data Protection Officer works toward the same overall goal of keeping their organisation compliant with data protection law, and making sure that patient and staff data is kept safe and secure.



The stakes are high when it comes to the handling of patient data, as it’s absolutely vital that the trust between patient and healthcare provider isn’t broken. Those allowing the NHS to access their personal information should always feel assured that it won’t be inappropriately shared with third parties, or vulnerable to damage or loss.


The Caldicott Guardian and SIRO are crucial to maintaining this trust. By adhering to these principles, those in these roles can ensure that they’re carrying out their responsibilities as they should be and making the right decisions at every turn. And by cooperating with each other, alongside the DPO, their collaborative efforts can maintain the security and confidentiality of the data entrusted to them.

How DPAS can help 

Trying to figure this all out with no prior knowledge or expertise can prove difficult, as there is a vast amount of information to take in. Maybe you are in one of these roles but feel overwhelmed by the responsibilities and need to boost your confidence in your job performance. After all, it’s a complicated job.

That’s why here at DPAS, we offer training specifically designed to help you in your role as either a Caldicott Guardian or a Senior Information Risk Owner.

We also offer outsourced DPO services. Here at DPAS we have data protection experts that can act as your organisation’s outsourced DPO.

To find out more, give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or fill in a contact form and we’ll get in touch with you.
