Reading List

A selected reading list to support and extend learning from Data Protection and Confidentiality for Optical Support Staff.
The sources below are mainly official guidance. Support staff should use them alongside local policy. Managers and information leads should consult the ICO when updating procedures, privacy notices or breach handling.
Optical confidentiality standards

GOC - Standard 14: Maintain confidentiality and respect your patients' privacy
The professional confidentiality and privacy standard for optometrists and dispensing opticians. Useful follow-on reading for clinical staff and registrants.
https://optical.org/standards-and-guidance/standards/standards-of-practice-for-optometrists-and-dispens/14-maintain-confidentiality-and-respect-your-patie.html

GOC - Optical Business Standard 2.4: Confidentiality is respected
Business-level confidentiality expectation for optical businesses, relevant to reception, administration, systems, staff training and everyday privacy controls.
https://optical.org/standards-and-guidance/standards/standards-for-optical-businesses/2-4-confidentiality-is-respected.html

ICO data protection guidance

ICO - What is personal data?
Explains what counts as personal data, including direct identifiers and information that can identify someone when combined with context.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/

ICO - What is special category data?
Explains why health data needs additional protection under data protection law.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-is-special-category-data/

ICO - A guide to the data protection principles
Explains the UK GDPR principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/

ICO - A guide to subject access
Explains subject access requests, including that requests can be verbal or written and do not need special wording.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/

ICO - Personal data breaches: a guide
Defines personal data breaches and explains organisational duties to contain, assess, record and report where required.
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/

ICO - Guidance on AI and data protection
Explains how data protection law applies when AI tools process personal data, including prompt and system risks.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/about-this-guidance/

ICO - Data (Use and Access) Act 2025 summary
ICO summary of the DUAA 2025 data protection changes. Most useful for managers, data protection leads and policy owners.
https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-duaa-summary-of-the-changes/

Health and care information governance

National Data Guardian - The Caldicott Principles
Sets out the eight principles for using confidential information appropriately in health and care, including need to know, minimum necessary use and sharing for individual care.
https://www.gov.uk/government/publications/the-caldicott-principles

NHS - Data Security and Protection Toolkit
NHS-facing toolkit for data security and protection assurance. Mainly useful for managers and information leads where NHS services or contracts apply.
https://www.dsptoolkit.nhs.uk/

NHS England - Records Management Code of Practice
Records-management guidance for health and care records, including retention and disposal principles.
https://transform.england.nhs.uk/information-governance/guidance/records-management-code/

Use these readings to reinforce handling of confidential information, need-to-know access, recognising subject access requests, breach reporting and safe digital practice.

