{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Accessing Data of People Receiving Care – GDPR Compliance Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} fully complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Care Inspectorate Scotland regulations when accessing, storing, processing, and sharing data related to people receiving care. This policy ensures that individuals’ personal data is handled securely, lawfully, and in a manner that upholds their rights to privacy and confidentiality.
This policy ensures that:
- People receiving care have full transparency on how their personal data is used.
- Staff follow clear and legally compliant data-handling procedures.
- The rights of individuals under UK GDPR and data protection laws are upheld.
- Data security measures prevent unauthorised access, breaches, or misuse.
- A structured approach to accessing and sharing data is in place, ensuring ethical and professional data handling.
2. Scope
This policy applies to:
- All employees, including care workers, supervisors, and management, who access or handle personal data.
- Agency and temporary staff, ensuring they follow the same GDPR-compliant procedures as permanent staff.
- Third parties, including external professionals and service providers, who process data on behalf of {{org_field_name}}.
- People receiving care and their families, ensuring they are aware of their rights regarding data access and security.
3. Legal and Regulatory Framework
This policy aligns with:
- UK General Data Protection Regulation (UK GDPR) – Governing the processing of personal and sensitive data.
- Data Protection Act 2018 – Providing additional UK-specific data protection laws.
- The Care Inspectorate’s Quality Framework – Setting expectations for data protection in care services.
- Health and Social Care Standards (Scotland) 2018 – Ensuring dignity, choice, and transparency in data handling.
- Scottish Social Services Council (SSSC) Codes of Practice – Establishing professional responsibilities in data confidentiality.
- Freedom of Information (Scotland) Act 2002 – Governing public sector data requests.
- The Public Services Reform (Scotland) Act 2010 – Outlining Care Inspectorate responsibilities in data protection.
4. Principles of GDPR in Handling Care Data
{{org_field_name}} follows the seven key principles of UK GDPR to ensure ethical and legal data processing:
4.1 Lawfulness, Fairness, and Transparency
- Personal data must be processed lawfully, fairly, and transparently.
- Individuals must be informed why their data is being collected and how it will be used.
- Privacy notices are provided to individuals outlining their data rights.
4.2 Purpose Limitation
- Data must only be collected for specified, explicit, and legitimate purposes.
- Personal data cannot be used for unrelated purposes without consent.
4.3 Data Minimisation
- Only the minimum necessary personal data should be collected and processed.
- Staff must not access data unless it is essential for delivering care.
4.4 Accuracy
- Personal data must be accurate, kept up to date, and corrected when necessary.
- People receiving care have the right to request corrections to their records.
4.5 Storage Limitation
- Personal data must be kept only for as long as necessary.
- Retention schedules ensure that outdated data is securely deleted or archived.
4.6 Integrity and Confidentiality (Security)
- Data must be kept secure and protected from unauthorised access, loss, or breaches.
- Staff must follow strict data security policies, including encryption and access controls.
4.7 Accountability
- {{org_field_name}} must be able to demonstrate compliance with UK GDPR.
- A Data Protection Officer (DPO) is responsible for overseeing GDPR compliance.
5. Handling and Accessing Personal Data
5.1 Collecting and Storing Personal Data
- Data collected includes personal identifiers (name, DOB, address), health records, and care plans.
- Information is stored securely in electronic care systems with controlled access.
- Paper records are kept in locked filing cabinets with access restrictions.
5.2 Accessing Personal Data
Only authorised staff can access personal data, and only when required for care provision. Access levels are defined as follows:
- Care staff – Access to care plans, risk assessments, and medical records as needed.
- Supervisors and managers – Access to care documentation, incident reports, and safeguarding records.
- Data Protection Officer (DPO) – {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} – Oversees access permissions and compliance monitoring.
- External professionals (e.g., GPs, social workers) – Access granted on a need-to-know basis, with appropriate consent.
5.3 Sharing and Disclosing Data
Personal data should only be shared when:
- The individual has given explicit consent.
- It is required for legal or safeguarding purposes.
- It is shared with authorised health professionals to ensure continuity of care.
- Data is anonymised where possible to protect privacy.
6. Rights of People Receiving Care under GDPR
Individuals have the right to:
- Access their personal data (Subject Access Request – SAR).
- Request corrections to inaccurate or incomplete data.
- Withdraw consent for data processing (where applicable).
- Request deletion of data that is no longer required.
- Restrict data processing in certain circumstances.
- Object to data being processed for specific reasons.
Requests for data access must be responded to within one month, free of charge, unless the request is deemed excessive.
7. Data Security Measures
To protect personal data, {{org_field_name}} enforces:
- Encrypted digital records and secure access to care management systems.
- Password-protected staff accounts with role-based access.
- Confidentiality agreements signed by all employees handling sensitive data.
- Regular security audits to prevent unauthorised access.
- Strict policies for mobile devices and remote working, including VPN access.
8. Reporting Data Breaches
Any suspected data breach must be reported immediately to the Data Protection Officer (DPO). Steps include:
- Identify the breach and assess the level of risk.
- Contain and mitigate potential damage (e.g., revoke access, notify affected individuals).
- Report the breach to the Information Commissioner’s Office (ICO) within 72 hours (if required by law).
- Conduct an internal review to prevent recurrence.
9. Staff Training and Compliance
To maintain GDPR compliance, all staff must:
- Complete mandatory GDPR and data protection training.
- Understand their responsibilities in handling personal data.
- Follow confidentiality and security procedures at all times.
- Report any suspected data breaches or concerns immediately.
10. Monitoring and Audit Processes
To ensure GDPR compliance, {{org_field_name}} will:
- Conduct regular GDPR audits on data access and security measures.
- Review and update data protection policies annually.
- Seek feedback from people receiving care about how their data is managed.
- Work with external data protection specialists where necessary.
11. Related Policies
This policy should be read alongside:
- Data Protection and Confidentiality Policy
- Safeguarding and Protection Policy
- Whistleblowing Policy
- Incident Reporting Policy
- Training and Continuing Professional Development Policy
12. Policy Review
This policy will be reviewed annually or sooner if there are changes in legislation, best practices, or organisational needs. Any amendments will be communicated to all staff and relevant stakeholders.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.