Reading List

The sources below are primarily official guidance and primary references. Data protection law is changing following the Data (Use and Access) Act 2025; check the latest ICO guidance before updating policies, conducting DPIAs, responding to breaches, handling SARs, or managing suppliers.
Core UK data protection leadership
- ICO: A guide to the data protection principles
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/
Sets out accountability, lawfulness, transparency, minimisation, accuracy, storage limitation, and security, and describes the evidence organisations should keep under UK GDPR.
- ICO: Data (Use and Access) Act 2025 - summary of changes
https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-duaa-summary-of-the-changes/
Explains how DUAA amends data protection law and why leaders must follow ICO updates rather than rely on older policy wording.
- ICO: Documentation and records of processing
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/
Guidance for creating and maintaining records of processing activities, data maps, and accountability evidence.
- ICO: Data protection officers
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/
Explains when a DPO is required, the DPO's role, independence and resourcing, and why the organisation remains responsible for compliance.
DPIAs, suppliers, security, and AI
- ICO: What is a DPIA?
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/what-is-a-dpia/
Describes when a DPIA is required and how it documents and reduces risk before higher-risk processing begins.
- ICO: Data protection by design and by default
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-by-design-and-by-default/
Practical guidance for approving new systems, CCTV, monitoring, family portals, AI tools, and digital care workflows.
- ICO: Controllers and processors
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/
Helps determine supplier and partner roles rather than relying on marketing or contract labels.
- ICO: Contracts and liabilities between controllers and processors
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi/
Sets out contractual terms required when a processor handles personal data on behalf of a controller.
- ICO: Security, including cyber security
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/
A hub covering information security, encryption, ransomware, passwords, and secure working practices.
- ICO: AI and data protection risk toolkit
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/ai-and-data-protection-risk-toolkit/
Practical tools for assessing AI-supported documentation, analytics, triage, or operational tools before they process personal data.
Breaches, SARs, and sharing
- ICO: Personal data breaches - a guide
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
Defines breaches, explains logging and 72-hour notification, and sets out when to inform individuals. Advises keeping records of all breaches, even those not reportable.
- ICO: UK GDPR data breach reporting
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
Current ICO entry point for reporting breaches and performing self-assessment during incident triage.
- ICO: A guide to subject access
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/
Explains how to recognise SARs, time limits, identity and authority checks, handling third-party information, reasonable searches, exemptions, and secure disclosure.
- ICO: Data sharing code of practice
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/
Guidance for safer data sharing with families, professionals, commissioners, local authorities, safeguarding partners, police, and other agencies.
- ICO: How to deal with data protection complaints
https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/
Explains the DUAA complaints-process requirements due to take effect on 19 June 2026 and describes good complaint handling in advance of that date.
Health and adult social care sources
- National Data Guardian: The Caldicott Principles
https://www.gov.uk/government/publications/the-caldicott-principles
The eight principles for handling confidential health and social care information, including minimum necessary use and appropriate sharing for care.
- National Data Guardian: Caldicott Guardian appointment guidance
https://www.gov.uk/government/news/national-data-guardian-publishes-new-guidance-about-the-appointment-of-caldicott-guardians
England-specific guidance for health and adult social care bodies and contracted providers handling confidential information.
- NHS Standards Directory: Data Security and Protection Toolkit
https://standards.nhs.uk/published-standards/data-security-and-protection-toolkit
Explains the DSPT standard, its scope, and its relevance to adult social care providers that access NHS data or systems or have contractual requirements.
- NHS England Digital: Data Security and Protection Toolkit
https://digital.nhs.uk/services/data-security-and-protection-toolkit
Operational entry point and explanation for organisations required to use the DSPT to demonstrate data security and protection assurance.
- NCSC: Mitigating malware and ransomware attacks
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
Official guidance on backups, recovery, multi-factor authentication, malware, ransomware, and incident planning.
Care regulation and four-nations signposting
- CQC: Regulation 17 - Good governance
https://www.cqc.org.uk/guidance-regulation/providers/regulations-service-providers-and-managers/health-social-care-act/regulation-17
England-specific guidance on governance, accurate and secure records, confidentiality, and data protection legislation.
- GOV.WALES: Managing health and social care records - code of practice 2022
https://www.gov.wales/managing-health-and-social-care-records-code-practice-2022
Records-management guidance for health and social care in Wales.
- Scottish Government: Records Management Code of Practice for Health and Social Care
https://www.gov.scot/publications/records-management-code-practice-health-social-care/
Scottish standards for managing data, information, and records in health and social care.
- Care Inspectorate Wales: Code of Practice for Inspection of Regulated Services
https://www.careinspectorate.wales/code-practice-inspection-regulated-services-html
Welsh regulator guidance on inspection practice and how regulated-service information may be handled.
- RQIA: Nursing Homes - Provider Guidance 2025-26
https://www.rqia.org.uk/wpfd_file/nursing-homes-provider-guidance-2025-26/
Northern Ireland nursing home provider guidance on governance, communication, and care records.
Use this list alongside your organisation's policies, contracts, local authority or commissioner requirements, and current ICO updates. Data protection leadership requires ongoing review and active governance, not a once-a-year document update.