Reading List

The sources below are mainly official guidance. Data protection rules are being updated in stages following the Data (Use and Access) Act 2025, so managers and information leads should check the ICO for the latest guidance when updating policies or making reportability decisions.
Core UK data-protection guidance
- ICO: A guide to the data protection principles
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/
Explains the seven UK GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
- ICO: Transparency in health and social care
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/transparency-in-health-and-social-care/
Guidance on providing clear, accessible information to residents and service users about how their health and care information is used.
- ICO: Data sharing code of practice
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/
Practical advice for safe, lawful information sharing. Useful where staff worry that data protection prevents necessary care or safeguarding disclosures.
- ICO: Personal data breaches - a guide
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
Defines personal data breaches and explains when organisations must report incidents to the ICO (without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals) and when they must also tell the affected individuals.
- ICO: A guide to subject access
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/
Explains how organisations should recognise and respond to subject access requests, including verbal requests, and the one-month response time that starts when a request is received.
- ICO: Data (Use and Access) Act 2025 - summary of data protection changes
https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-duaa-summary-of-the-changes/
An ICO summary of the DUAA changes. Most relevant for managers, data protection leads and those updating policies or training.
Health and social care confidentiality
- National Data Guardian: The Caldicott Principles
https://www.gov.uk/government/publications/the-caldicott-principles
Sets out the eight principles for using confidential information in health and social care, including need to know, minimum necessary use, and the duty to share information for individual care.
- GOV.UK: Approval standards and guidelines - confidential patient information
https://www.gov.uk/government/publications/accessing-ukhsa-protected-data/approval-standards-and-guidelines-confidential-patient-information
Explains the common law duty of confidentiality, direct care, informed consent, and the lawful reasons for setting confidentiality aside.
- GOV.UK: Care and support statutory guidance, safeguarding chapter
https://www.gov.uk/government/publications/care-act-statutory-guidance/care-and-support-statutory-guidance
England statutory guidance under the Care Act 2014. Explains when safeguarding information should be shared, and how to keep that sharing proportionate.
Care regulation and records
- CQC: Regulation 17 - Good governance
https://www.cqc.org.uk/guidance-regulation/providers/regulations-service-providers-and-managers/health-social-care-act/regulation-17
England-specific guidance on secure, accurate, complete and contemporaneous care records, and on the confidentiality systems expected in regulated services.
- NHS Standards Directory: Data Security and Protection Toolkit
https://standards.nhs.uk/published-standards/data-security-and-protection-toolkit
Explains the DSP Toolkit standards for health, NHS and adult social care settings. Most useful for managers and information governance leads.
- NHS England Transformation Directorate: Records Management Code of Practice
https://transform.england.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice/
England-focused records-management guidance relevant to NHS work and to adult social care functions commissioned or delivered by local authorities.
Four-nations signposting
- GOV.WALES: Managing health and social care records - code of practice 2022
https://www.gov.wales/managing-health-and-social-care-records-code-practice-2022
Records-management guidance for health and social care in Wales.
- Scottish Government: Health and social care records management code of practice
https://www.gov.scot/publications/records-management-code-practice-health-social-care/
Scotland guidance on the required standards for managing data, information and records in health and social care.
- Care Inspectorate Wales: Code of Practice for Inspection of Regulated Services
https://www.careinspectorate.wales/code-practice-inspection-regulated-services-html
Explains how the Welsh regulator handles inspection evidence and information security in its inspection work.
- RQIA: Nursing Homes - Provider Guidance 2025-26
https://www.rqia.org.uk/wpfd_file/nursing-homes-provider-guidance-2025-26/
Northern Ireland provider guidance on care records, communication and governance in nursing homes. Staff should follow their local provider procedures and RQIA requirements.
Use this list to deepen your knowledge of confidentiality, lawful data handling, safe information sharing, records management, subject access, breach reporting, and four-nations care-record requirements.

