Data security roles

The person responsible for leading on data security and managing information risk within the organisation.

The superintendent pharmacist oversees the professional and clinical management of the pharmacy, including the safe sale and supply of medicines.

The National Data Guardian recommends that health and social care organisations appoint a Caldicott Guardian to protect patient confidentiality and ensure appropriate use of health data.

Pharmacy owners are not required to appoint a registered Caldicott Guardian, but may choose to do so. Someone senior—such as the IG lead—should already take responsibility for confidentiality and appropriate data use.

Helpful resources:

• Caldicott Guardian Manual
• Caldicott Guardian Council guidance

A Caldicott Guardian can also be appointed across multiple pharmacies.

The DPO role is defined under GDPR. The DPO advises on compliance and should have expert knowledge of data protection law.

You may appoint a DPO even if not legally required. Community Pharmacy England recommends an internal DPO for local knowledge.

Important:

• Document the decision and reasons for appointing a DPO.
• Record any conflicts of interest and steps taken to reduce them.

NHS England has advised Community Pharmacy England:

“ICO advice is when a Pharmacy Manager (or staff member) becomes a DPO, the decision and reasons behind it should be documented and retained as part of the ‘accountability’ that GDPR requires. They also said, where possible, that any conflicts of interest between a person’s current role and that of DPO should be recorded along (again where possible) with mitigating measures to reduce or even eliminate such conflicts. Where they have to deal with a small public authority with the requirement for a DPO to be appointed, they intend to be as pragmatic as they can be.”

Pharmacy owners can download and adapt: Data security (DS) and IG template 21: Data security roles (see DS templates webpage).