{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (GDPR) – Staff Policy
1. Purpose
The purpose of this policy is to ensure that all staff members at {{org_field_name}} understand their responsibilities in maintaining confidentiality and complying with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy ensures that:
- Personal data of the people we support, staff, and stakeholders is handled securely and lawfully.
- Staff understand their legal and ethical duties concerning confidentiality and data protection.
- Our care home remains compliant with CQC regulations, including Regulation 17 (Good Governance), and the Data Protection Act 2018.
- Robust systems are in place to prevent data breaches and safeguard confidential information.
2. Scope
This policy applies to:
- All staff members (permanent, temporary, agency, and volunteers) handling personal data.
- Personal and sensitive data of the people we support, their families, staff members, and external stakeholders.
- Any data held in physical and digital formats, including paper records, emails, databases, and IT systems.
3. Principles of Confidentiality and Data Protection
3.1 Lawful, Fair, and Transparent Processing
- All personal data must be processed lawfully, fairly, and in a transparent manner.
- Individuals must be informed about how their data is used, including through privacy notices.
3.2 Purpose Limitation
- Data should only be collected for specified, explicit, and legitimate purposes.
- Staff must not use personal data for any purpose beyond their professional duties.
3.3 Data Minimisation
- Only necessary data should be collected and retained.
- Staff must not collect excessive or irrelevant personal information.
3.4 Accuracy
- Personal data must be kept accurate and up to date.
- Individuals have the right to request corrections to inaccurate information.
3.5 Storage Limitation
- Personal data must not be kept for longer than necessary.
- Retention periods are defined based on legal and operational requirements.
3.6 Integrity and Confidentiality (Security)
- Data must be stored securely to prevent unauthorised access, loss, or breaches.
- Staff must follow secure handling, storage, and disposal procedures.
3.7 Accountability
- {{org_field_name}} is responsible for demonstrating GDPR compliance.
- The Data Protection Officer (DPO) – {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} oversees compliance and data protection policies.
4. Staff Responsibilities in Data Protection
4.1 Handling Personal Data Securely
- Staff must only access, use, and share data as necessary for their role.
- Staff must not share confidential information unless the individual has consented or another lawful basis applies (see section 5), and must record what was shared, with whom, and why.
- Personal data should be kept secure at all times (e.g., locked cabinets, password-protected systems).
4.2 IT and Digital Security
- Staff must use strong, unique passwords, must never share their login credentials or use another person's account, and must use two-factor authentication wherever it is provided.
- Personal and confidential information must not be shared via unsecured channels (e.g., personal emails, social media, or unauthorised USB devices).
- Staff must log out of systems and lock screens when leaving their workstation.
4.3 Secure Disposal of Data
- Physical documents must be shredded or securely disposed of when no longer required.
- Digital files must be deleted or archived securely in line with data retention policies.
4.4 Confidential Conversations
- Staff must only discuss confidential matters in private areas.
- Conversations about the people we support must not be held in public areas (e.g., reception, hallways).
4.5 Reporting Data Breaches
- Any suspected or actual personal data breach (for example, a lost or stolen device or file, records sent to the wrong recipient, or unauthorised access to a care record) must be reported immediately to the Data Protection Officer (DPO) – {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}. Staff must not wait to confirm a breach before reporting it.
- The breach response plan will then be followed, including containment, investigation, mitigation, and, where the breach is likely to pose a risk to individuals, notification to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Affected individuals are informed without undue delay where the risk to them is high.
5. Information Sharing and Consent
5.1 Sharing Data with External Parties
- Personal data can only be shared if there is a lawful basis, such as:
  - Consent from the individual, or from a representative who has the legal authority to act for them.
  - Legal obligation (e.g., safeguarding concerns).
  - Vital interests (to protect life or prevent serious harm).
  - Legitimate interest (where necessary for service delivery).
- Information about a person's health or care is special category data. Sharing it requires an additional condition under Article 9 (for example, that the processing is necessary for the provision of health or social care) as well as a lawful basis.
- Before sharing, staff must confirm the recipient's identity and use a secure channel (e.g., an approved secure email service, not personal email or messaging apps).
5.2 Obtaining Consent for Data Use
- Consent must be freely given, specific, informed, and unambiguous.
- Individuals can withdraw consent at any time, and their request must be respected.
5.3 Confidentiality in Safeguarding Situations
- In safeguarding cases, data may be shared without consent if it is necessary to prevent harm.
- Staff must follow the Safeguarding Adults from Abuse and Improper Treatment Policy (CH13).
6. Training and Compliance
6.1 Staff Training on GDPR and Confidentiality
- All staff must complete mandatory GDPR training upon induction and annually thereafter.
- Training includes:
- Recognising and handling personal data correctly.
- Understanding the legal basis for processing data.
- Preventing and responding to data breaches.
6.2 Monitoring and Audits
- Regular audits of data protection practices are conducted.
- Staff non-compliance may lead to disciplinary action under the Staff Conduct and Code of Ethics Policy (CH28).
7. Data Subject Rights
Under GDPR, individuals have rights over their data, including:
- Right to be informed – knowing how their data is used.
- Right of access – requesting copies of their data.
- Right to rectification – correcting inaccurate data.
- Right to erasure (“Right to be forgotten”) – requesting deletion of personal data.
- Right to restrict processing – limiting how data is used.
- Right to data portability – transferring data to another provider.
- Right to object – challenging data processing in certain cases.
- Rights in relation to automated decision-making – ensuring human intervention in significant decisions.
A request to exercise any of these rights, including a request for access to personal data, may be made verbally or in writing to any member of staff and must be passed without delay to {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}. The requester's identity must be verified before any data is released. A response must be provided within one month of receipt; this may be extended by up to two further months for a complex request, provided the requester is told of the extension and the reason for it within the first month.
8. Related Policies
This policy should be read alongside:
- Safeguarding Adults from Abuse and Improper Treatment Policy (CH13).
- Good Governance Policy (CH04).
- IT and Digital Security Policy.
- Staff Conduct and Code of Ethics Policy (CH28).
9. Policy Review
This policy is reviewed annually or sooner if:
- Legislative changes occur.
- CQC guidance is updated.
- New risks or incidents highlight the need for revision.
This Confidentiality and Data Protection (GDPR) – Staff Policy ensures that staff understand their legal obligations, personal data is protected, and our care home remains compliant with GDPR and CQC requirements.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.