Data security roles

Published on: 19th January 2021 | Updated on: 7th April 2022

Some individuals within the pharmacy / organisation hold data security responsibilities. Within many pharmacies and particularly smaller pharmacies, the same person(s) may hold many of these roles.

The Data Security and Protection Toolkit (‘Toolkit’) includes questions related to roles and responsibilities relating to data security and information governance (IG). The Toolkit also enables the ‘Organisation Profile’ webpage to be populated after/if data security roles have been assigned.

IG lead and/or Senior Information Risk Owner (SIRO)

 The lead persons looking after data security.

Superintendent pharmacist

The superintendent pharmacist is in overall control of the management of a pharmacy, including its professional and clinical management and management of the administration of the sale and supply of medicines.

Caldicott Guardian

The National Data Guardian advise that health and social cares may appoint a Caldicott Guardian to look after data security matters within their organisation.

Some types of organisation should appoint one. However, it is not mandatory for pharmacy contractors to appoint a registered Caldicott Guardian, though they may choose to do so if this makes sense for their organisation. There should already be somebody at a high level within the organisation – which might be the IG lead – who takes responsibility for protecting the confidentiality of service users’ health and care data and making sure that it is used appropriately. The Caldicott Guardian manual can be a useful resource to assist in this job role and the Caldicott Guardian Council can provide help and guidance. A Caldicott Guardian could also be appointed for multi pharmacies.

Data Protection Officer

The DPO may, or may not, be a member of staff. The DPO has responsibilities set out in the GDPR – guidance may be found in the Information Governance Alliance’s guidance ‘The GDPR Data Protection Officer’ at The DPO should advise you on your obligations under the GDPR and should have expert knowledge of data protection law. You may want to appoint a DPO even if you are not required to do so.

This is a formally assigned responsibility for data security to the relevant individual. It could form part of their job description or be an email from the appropriate manager in your organisation.

Community Pharmacy England recommends an internal DPO for their local knowledge but the reasoning for staff selection and any later conflicts can be noted as per advice: NHS England and NHS Improvement has advised Community Pharmacy England:

ICO advice is when a Pharmacy Manager (or staff member) becomes a DPO, the decision and reasons behind it should be documented and retained as part of the ‘accountability’ that GDPR requires. They also said, where possible, that any conflicts of interest between a person’s current role and that of DPO should be recorded along (again where possible) with mitigating measures to reduce or even eliminate such conflicts. Where they have to deal with a small public authority with the requirement for a DPO to be appointed, they intend to be as pragmatic as they can be.”


Pharmacy contractors may wish to download, adapt and use:

Data security (DS) and IG template 21: Data security roles (see DS templates webpage).


Further info

If you have queries on this webpage or you require more information please contact To share and hear views about digital developments with like-minded pharmacy team members, join the CP Digital email group today.



Return to the section: Data security and information governance

Return to the section: Data Security and Protection Toolkit

Return to the Pharmacy IT hub or IT a-z index

Latest Digital & Technology news

View more Digital & Technology newsSee all