{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (GDPR) Policy
1. Purpose
The purpose of this policy is to ensure that our care home complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and CQC Regulation 17 – Good Governance in relation to the confidentiality and protection of personal data of the people we support. We are committed to maintaining the highest standards of privacy, security, and lawful processing of personal data to protect the dignity and rights of individuals.
This policy ensures that personal and sensitive data of people we support is collected, stored, processed, shared, and disposed of in a lawful and ethical manner. It also defines the responsibilities of staff in protecting confidentiality and upholding data security. Failure to comply with this policy may result in disciplinary action and legal consequences.
2. Scope
This policy applies to all employees, agency workers, volunteers, contractors, and any third-party organisations handling personal data within our care home. It covers:
- Personal Identifiable Information (PII) such as name, date of birth, and contact details.
- Special Category Data including health records, ethnicity, religion, and biometric data.
- Records related to care plans, assessments, medication, and safeguarding concerns.
- Communication records including emails, phone calls, and meeting notes regarding the people we support.
- Data shared with external organisations such as the NHS, local authorities, and regulatory bodies.
3. Related Policies
This policy works alongside:
- CH04 – Good Governance Policy, ensuring secure data management.
- CH07 – Person-Centred Care Policy, promoting privacy and dignity.
- CH13 – Safeguarding Adults from Abuse Policy, ensuring confidentiality in safeguarding cases.
- CH29 – Whistleblowing (Speaking Up) Policy, protecting those who report data breaches.
- CH31 – Disciplinary and Grievance Policy, enforcing consequences for data breaches.
4. Policy Statement
Our care home is committed to protecting the privacy and confidentiality of the people we support. We ensure that:
- Personal data is processed lawfully, fairly, and transparently.
- Data is collected only for specified, explicit, and legitimate purposes.
- Only the minimum necessary personal data is processed.
- Data is kept accurate, up to date, and retained only as long as necessary.
- All personal data is securely stored and protected, and access to it is restricted.
- Data subjects (the people we support) have full rights over their personal information, including access and correction.
5. Implementation – How We Manage Confidentiality and Data Protection Efficiently
5.1 Lawful Basis for Processing Personal Data
We collect and process data only when there is a legitimate and lawful basis, including:
- Consent – The individual has given explicit permission for specific data processing activities.
- Contractual Obligation – Data is processed to fulfil a care agreement.
- Legal Obligation – Data is required to comply with regulatory or safeguarding requirements.
- Vital Interests – Data is used to protect the life or safety of the person we support.
- Public Task – Data processing is necessary for official duties, such as liaising with healthcare services.
- Legitimate Interests – The organisation has a legitimate reason to process data, provided that reason is not overridden by the individual’s rights and interests.
5.2 Confidentiality and Secure Data Handling
All staff must maintain strict confidentiality and adhere to the following principles:
- Only access personal data if it is necessary for work duties.
- Never share data without proper authorisation or a lawful basis.
- Ensure conversations regarding personal data take place in private settings.
- Use encrypted systems for electronic data storage and transfer.
- Lock physical records in secure cabinets with restricted access.
- Shred or securely dispose of printed confidential documents.
5.3 Access to Personal Data
Only authorised personnel may access the personal data of the people we support. Access is granted based on job roles and responsibilities, ensuring that:
- Care workers can access relevant care records but not financial or personal details beyond their role.
- Managers and safeguarding leads can access full personal files for oversight.
- External professionals (e.g., GPs, social workers) only receive necessary data relevant to their service.
The people we support have the right to access their personal data under GDPR. Requests for data access must be made in writing to the Registered Manager, who will respond within one month.
5.4 Sharing Data with External Organisations
We only share personal data with third parties when:
- There is explicit consent from the person we support.
- It is required by law, such as reporting safeguarding concerns to local authorities.
- A legitimate healthcare need exists, such as sharing care plans with GPs or hospitals.
Before sharing data, we:
- Verify the identity and authorisation of the requesting organisation.
- Ensure data transfer follows encryption and secure email protocols.
- Record who accessed or shared the data and why.
5.5 Data Breaches and Incident Reporting
A data breach occurs when personal data is lost, accessed without authorisation, disclosed unlawfully, or compromised in any way.
If a data breach occurs:
- Staff must report it immediately to the Registered Manager.
- An internal investigation will be conducted to determine the cause and extent of the breach.
- If the breach poses a high risk to individuals, the Information Commissioner’s Office (ICO) will be notified within 72 hours.
- The affected individual will be informed, outlining the nature of the breach and any protective measures taken.
All data breaches should be reported to:
- Registered Manager: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
- Email: {{org_field_registered_manager_email}}
- Phone: {{org_field_registered_manager_phone}}
Failure to report a data breach may result in disciplinary action.
5.6 Staff Training and Responsibilities
All staff must complete mandatory GDPR and confidentiality training covering:
- Principles of data protection and confidentiality.
- Secure handling and storage of data.
- Recognising and reporting data breaches.
- How to respond to data access requests.
Managers are responsible for monitoring compliance, conducting regular confidentiality audits, and ensuring staff follow best practices.
5.7 Data Retention and Disposal
Personal data must only be kept for as long as necessary and legally required.
- Care records are retained for 8 years after the person we support leaves the service.
- Safeguarding records are retained for at least 10 years.
- Financial records are retained for 6 years.
When no longer needed, data is securely disposed of by shredding physical documents and permanently deleting electronic records.
6. Compliance with CQC Standards
This policy ensures compliance with:
- Regulation 17 – Good Governance, ensuring data security and confidentiality.
- Regulation 10 – Dignity and Respect, protecting individuals’ privacy.
- UK GDPR and Data Protection Act 2018, ensuring lawful processing of data.
- Regulation 13 – Safeguarding, ensuring confidentiality in safeguarding concerns.
7. Monitoring and Review
This policy is reviewed annually, or sooner if:
- GDPR laws or CQC regulations change.
- A serious data breach highlights the need for policy updates.
- Staff, people we support, or external audits identify improvements.
The Registered Manager is responsible for monitoring compliance and ensuring continuous improvement in data protection.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.