Reading List

The following official resources support the course and are useful for staff induction, refresher learning, SOP review, and governance. They are grouped so different roles can find the most relevant sources quickly.
Core confidentiality and legal guidance

GPhC: In practice - guidance on confidentiality (updated November 2025)
Pharmacy-specific professional guidance covering consent, disclosure without consent, disclosures required by law, public interest disclosures, and complying with data protection law when handling confidential information.
https://assets.pharmacyregulation.org/files/2025-12/gphc-in-practice-guidance-on-confidentiality-updated-november-2025.pdf?VersionId=Pk5eQC5S2gde.S49An7hU7MT7wwiGx2z

ICO: What is personal data?
Explains how broad the definition of personal data is, including paper records, identifiers, and information that relates to an identifiable person in routine business systems.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/

ICO: What is special category data?
Explains why health data requires additional protection and why short messages or inferred information can still be sensitive.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-is-special-category-data/

ICO: What are the rules on special category data?
A legal reference explaining why pharmacies need both a lawful basis and an Article 9 condition for handling health data, and why data minimisation, security, and documentation are required.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-rules-on-special-category-data/

Breaches, secure communication, and safer working

ICO: 72 hours - how to respond to a personal data breach
Practical steps for the first 72 hours: start a log, contain the breach, assess risk, protect affected people, and decide whether to report to the ICO.
https://ico.org.uk/for-organisations/advice-for-small-organisations/personal-data-breaches/72-hours-how-to-respond-to-a-personal-data-breach/

ICO: What is an accidental personal information breach?
Uses common examples, such as sending an email to the wrong person, and explains that all breaches must be recorded, contained, assessed, and escalated appropriately.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/disclosing-documents-to-the-public-securely/what-is-an-accidental-personal-information-breach/

ICO: Data security - a guide to the basics
A short practical guide covering locked storage, secure communication, passwords, software updates, and safer sharing. Suitable for team refresher training.
https://ico.org.uk/media2/for-organisations/documents/2617548/ico-data-security-guide-to-the-basics.pdf

ICO: Guidance on AI and data protection
Explains how data protection law applies when AI tools process personal data, including risks from pasting patient information into generative AI tools or external AI services without approval or safeguards.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/about-this-guidance/

Pharmacy systems, training, and NHS-facing practice

Community Pharmacy England: Records, Data security & IG
A sector hub that brings together records policy, data security, EHR guidance, and the NHS Data Security and Protection Toolkit. Useful for practical guidance on everyday pharmacy operations.
https://cpe.org.uk/digital-and-technology/records-data-security-ig/

Community Pharmacy England: Summary Care Record (SCR)
Explains role-based access, Smartcard rules, permission to view, legitimate relationship, and that SCR access is auditable. Mainly England-facing; local equivalents and rules apply elsewhere in the UK.
https://cpe.org.uk/digital-and-technology/electronic-health-records/summary-care-record-scr/

Community Pharmacy England: Data security training
States that all pharmacy staff who handle confidential information must complete regular data security and protection training, with more detailed training for specialist governance roles.
https://cpe.org.uk/digital-and-technology/data-security/data-security-training/

Across the UK, confidentiality and data protection law are broadly aligned. The main operational differences are in NHS system access, national toolkits, and local service arrangements rather than the legal duty to protect patient information.
