Data Protection Leadership for Pharmacy Owners, Managers and IG Leads

Governance, accountability, DPIAs, audits, security assurance, breach response, SARs, data sharing, and oversight of pharmacy information governance

Exam Pass Notes

Leadership and Accountability

  • The accountability principle requires the organisation to comply with data protection law and to be able to demonstrate that compliance.
  • Document who has leadership responsibility: owners, senior managers, superintendent pharmacists, IG leads, DPOs, branch managers and system owners.
  • Using suppliers does not remove the pharmacy's responsibility as controller.
  • Community Pharmacy England recommends clear allocation of data-security roles, including a DPO and a named IG lead or SIRO-style role.

Roles, Evidence, and Change Control

  • Controller, processor and joint-controller status depends on who determines the purposes and the essential means of processing.
  • Maintain evidence such as policies, ROPA or data maps, retention rules, training records, access reviews, incident and SAR logs, and supplier documentation.
  • Leadership assurance should include audits, branch checks, walkrounds and management reporting rather than relying only on annual declarations.
  • DPIAs are an accountability tool and are legally required where processing is likely to result in high risk.
  • New services, AI tools, major data-sharing changes, supplier onboarding and mergers should trigger early governance screening.

Access, Training, and AI

  • Role-based access, named accounts, joiner-mover-leaver controls and regular audit-trail review are core duties.
  • Physical and digital security both matter: paper records, printers, devices, repairs, disposal and back-office areas need active control.
  • Leaders must verify that critical data can be restored after an outage or cyber incident and that backups are protected and available.
  • All staff need regular data-protection training; specialist roles require deeper training and yearly review of needs.
  • AI use should be restricted to approved tools, keep the personal data placed in prompts to the minimum needed, include supplier due diligence and human review, and prohibit pasting identifiable data into unapproved systems.
  • Security frameworks such as Cyber Essentials can support assurance but do not replace wider governance and risk assessment.

Breaches, SARs, Sharing, and Contracts

  • Personal data breaches include mis-sent information, unauthorised access, loss, unsafe disposal and accidental deletion as well as cyberattacks.
  • Loss of availability can be a breach if records cannot be restored and people may be harmed by the outage.
  • If a breach is reportable, notify the ICO without undue delay and within 72 hours of becoming aware.
  • SARs may be made verbally or in writing and are usually responded to within one month, with secure disclosure and proper identity checks.
  • Processor contracts should specify instructions, confidentiality, security, sub-processor rules, support for rights requests and breaches, DPIA cooperation, deletion or return of data, and audit rights.