What data security and protection roles should care providers have?

All care services should assign responsibility for data security and protection to someone in their organisation. We have called this person a Data Security and Protection Lead – but it may also be known as an Information Governance (IG) Lead or Data Protection Champion.

You must have someone performing this role in order to complete the Data Security and Protection Toolkit.

Care services that are owned by a local authority or the NHS, or large groups who process high volumes of care records, are required to have a Data Protection Officer.

Local authorities and NHS bodies are required to have a Caldicott Guardian. If LA’s operate inhouse care services then those services are also required to have access to a Caldicott Guardian.

It is not currently mandatory for social care providers to have a Caldicott Guardian, but you may choose to have one in place. From 30 June 2023, all social care services which receive public funding will be required to have a Caldicott Guardian. We will release more guidance in due course. The FAQs on this change are available here: https://www.ukcgc.uk/ndg-guidance-faqs

Read our short guide to roles and responsibilities.

Back to FAQs