{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (GDPR) – Service User Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} processes personal data lawfully, fairly, securely and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Regulation and Inspection of Social Care (Wales) Act 2016, the Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended, and relevant Care Inspectorate Wales (CIW) requirements and guidance.
This policy sets out how {{org_field_name}} will protect the confidentiality, integrity, availability and appropriate use of personal data and special category data relating to service users, their families, representatives, staff and others. It also explains how the service will maintain accurate and secure records, support individuals to access information about themselves, share information lawfully for care, safeguarding and regulatory purposes, and respond appropriately to data protection incidents and breaches.
The policy supports a rights-based, person-centred approach and must be read alongside the service’s safeguarding, record keeping, complaints, consent/mental capacity, duty of candour, staff conduct and information governance arrangements.
2. Scope
This policy applies to all employees, agency staff, bank staff, contractors, students, volunteers, visiting professionals, the registered manager, the responsible individual, and any other person working at or on behalf of {{org_field_name}} who may access personal data.
It applies to all personal data and special category data processed by the service in any format, including paper records, electronic records, care planning systems, emails, text messages, handwritten notes, CCTV or other surveillance images, photographs, audio recordings, portable devices, archived files and verbal disclosures.
It also applies to third-party organisations acting as data processors or joint working partners where they process data on behalf of, or with, {{org_field_name}}.
3. Principles of Data Protection and Confidentiality
{{org_field_name}} will process personal data in line with the following principles:
Lawfulness, fairness and transparency: Personal data will only be processed where there is a valid lawful basis under Article 6 UK GDPR and, where special category data is involved, an additional condition under Article 9 UK GDPR and Schedule 1 to the Data Protection Act 2018. Individuals will be given clear privacy information explaining how their information is used.
Purpose limitation: Personal data will be collected for specified, explicit and legitimate purposes connected with care and support, safeguarding, employment, health and safety, complaints handling, service management, legal duties and regulatory compliance, and will not be used in a way that is incompatible with those purposes.
Data minimisation: Only information that is adequate, relevant and limited to what is necessary will be collected, accessed, used, shared and retained.
Accuracy: Records must be accurate, complete, contemporaneous where appropriate, and kept up to date. Errors will be corrected promptly and, where needed, a clear audit trail maintained.
Storage limitation: Records will be retained only for as long as necessary and in line with legal, regulatory and operational retention requirements.
Integrity and confidentiality: Appropriate technical and organisational measures will be used to protect personal data against unauthorised or unlawful access, disclosure, alteration, loss, destruction or damage.
Accountability: {{org_field_name}} will be able to demonstrate compliance through policies, training, audits, retention schedules, breach records, access controls, contracts with processors, privacy notices, and documented decision-making.
Confidentiality in practice: Information about service users will only be discussed with those who have a legitimate need to know in order to provide care, protect safety, meet safeguarding duties, comply with the law, or fulfil regulatory obligations.
4. Managing Personal and Sensitive Data
4.1 Collection of Data
Data is collected directly from service users, their families, healthcare professionals, and regulatory bodies. This includes personal details, medical history, care preferences, and other relevant information necessary for providing high-quality care. Individuals must be informed, through an accessible privacy notice and related information, how their data will be processed. {{org_field_name}} will identify and document the appropriate lawful basis for processing under Article 6 UK GDPR and, where special category data is processed, the relevant Article 9 condition. Explicit consent will only be relied upon where consent is genuinely the appropriate lawful basis and can be freely given, specific, informed and capable of being withdrawn. In many care home contexts, information will instead be processed because it is necessary for the provision of health or social care, compliance with a legal obligation, safeguarding, vital interests, public task, or other lawful grounds permitted by law. Information must only be collected when necessary for the provision of care, safeguarding, legal compliance, or regulatory reporting.
Where information is collected from a representative, family member, healthcare professional, local authority, health board or other agency, staff must record the source of the information and any relevant lawful authority for receiving it.
4.2 Storage and Security of Data
All service user data must be stored securely to prevent unauthorised access, loss, or misuse:
- Electronic records must be kept in password-protected systems with role-based access to ensure only authorised individuals can retrieve or modify data.
- Paper records must be stored in locked filing cabinets within secure areas, with controlled access granted to designated personnel.
- Restricted access: Staff members should only access the information necessary for performing their job roles, following the principle of least privilege.
- Regular security audits will be conducted to identify vulnerabilities and implement necessary improvements to data protection measures.
In addition, {{org_field_name}} will ensure that:
- confidential information on laptops, tablets, mobile phones and removable media is encrypted where appropriate and protected against unauthorised access;
- passwords and access credentials are not shared and are changed in line with organisational requirements;
- screens are locked when unattended and paper records are not left visible in communal or unsecured areas;
- access to electronic records is role-based and, where systems allow, auditable;
- disposal of paper and electronic records is confidential and secure;
- records remain secure if the service closes, changes ownership, relocates, or changes electronic systems.
Where CCTV or any other surveillance system is used, {{org_field_name}} will ensure that the use is lawful, proportionate, clearly signposted, kept under review, and supported by a Data Protection Impact Assessment (DPIA) where required.
4.3 Sharing and Disclosure of Data
Personal data will only be shared where there is a clear lawful basis, a genuine need to know, and sharing is necessary, proportionate and relevant to the purpose.
Information may be shared for the following purposes:
- provision of safe and effective care and support;
- continuity of care with GPs, pharmacists, district nurses, hospitals, therapists, social workers and other professionals;
- safeguarding children and adults at risk;
- responding to medical emergencies or serious risks to life;
- compliance with legal, regulatory, court or statutory requirements;
- CIW inspection, investigation or notification requirements;
- complaints, claims, insurance and legal proceedings where disclosure is lawful and necessary.
Where special category data is shared, {{org_field_name}} will identify the relevant Article 9 condition, such as the provision of health or social care, substantial public interest, safeguarding, or another lawful condition.
Consent will not be treated as the default basis for sharing care information. Where consent is relied upon, this must be documented. However, information may be shared without consent where the law permits or requires this, including for safeguarding, serious risk, legal obligation, regulatory oversight, prevention or detection of crime, or where sharing is otherwise lawful and necessary.
Only the minimum necessary information will be shared. Staff must verify the identity and authority of the recipient before disclosure and record what was shared, with whom, for what purpose, on what basis, and by whom where appropriate.
Where an individual lacks capacity to make a relevant decision, information sharing decisions must take account of the Mental Capacity Act 2005, any person with legal authority to act on the individual’s behalf, and the individual’s best interests.
Where third-party providers process data on behalf of {{org_field_name}}, a written data processing agreement meeting UK GDPR requirements must be in place.
4.4 Data Breach, Confidentiality Incident and Security Incident Management
A personal data breach includes any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes verbal disclosures, emails sent to the wrong recipient, lost paperwork, inappropriate access to records, missing devices, cyber incidents and failures in record security.
Any member of staff who becomes aware of, suspects, or causes a personal data breach or confidentiality incident must report it immediately to the person responsible for data protection and to the registered manager. Immediate containment steps must be taken where possible.
{{org_field_name}} will:
- record every breach and near miss in a breach log, whether reportable or not;
- assess the nature of the data, number of people affected, likely consequences, vulnerability of the individuals affected, and whether special category data is involved;
- take immediate action to contain, recover and reduce harm;
- decide whether the breach must be reported to the ICO;
- where required, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach;
- notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- consider whether the incident also requires action under safeguarding, duty of candour, complaints, disciplinary, HR, police, insurer, commissioner or CIW procedures;
- complete a post-incident review and implement learning, corrective action and further controls.
Where an incident affects the safety, well-being or lawful care of a service user, {{org_field_name}} will also consider whether it meets any wider notification or safeguarding threshold under Welsh social care requirements or CIW reporting arrangements. CIW requires notifications about certain changes and incidents to be made via CIW Online, and failure to notify required matters may be unlawful.
4.5 Records Retention, Archiving and Secure Disposal
{{org_field_name}} will keep records securely, accurately and in good order and will retain them in accordance with legal and regulatory requirements. In line with the Welsh regulated services requirements:
- records relating to adults will be retained for a minimum of 3 years from the date of the last entry, unless a longer period is required by law, insurance, safeguarding, litigation, contract or another applicable retention requirement;
- records relating to children will be retained for a minimum of 15 years from the date of the last entry, unless they must be returned to the placing authority or retained longer for a lawful reason;
- records must remain secure if the service closes, transfers, relocates or changes provider;
- individuals must be informed that they can access records about themselves, subject to lawful restrictions.
At the end of the retention period, records will be reviewed and securely destroyed or deleted in a way that preserves confidentiality and, where appropriate, an auditable record of destruction will be maintained.
4.6 Subject Access Requests and Requests by Representatives
An individual may request access to their personal data verbally or in writing. {{org_field_name}} will recognise and log all subject access requests promptly.
Before disclosing information, the service will verify the identity of the requester and, where a request is made by a representative, the representative’s authority to act. This may include parental responsibility, a health and welfare lasting power of attorney, deputyship, litigation authority, written consent, or other lawful authority.
Requests will be answered without undue delay and normally within one calendar month, subject to lawful extensions, exemptions, redaction of third-party information, and any necessary clarification. A record of the request, decision-making, information supplied, exemptions relied upon and date of response will be kept.
4.7 Welsh Language, Accessible Information and Communication Needs
{{org_field_name}} will provide privacy information, rights information and support relating to confidentiality and data protection in a format that the individual can understand, taking account of language, communication method, sensory loss, cognition, literacy and capacity.
The service will take reasonable steps to meet language needs and will evidence its commitment to actively offering services in Welsh to individuals whose first language is Welsh, in line with Welsh Government expectations for health and social care in Wales.
Where required, information will be provided or explained using accessible formats, including large print, easy read, visual aids, communication tools, advocates, interpreters, sign language support or other aids and equipment.
4.8 CCTV, Photography and Audio/Visual Recording
Where CCTV, surveillance, photographs, audio or video recordings are used, {{org_field_name}} will ensure that their use is lawful, proportionate, necessary, transparent and consistent with the dignity, privacy and safety of individuals.
The purpose of the recording must be clear and documented. Appropriate signage and privacy information will be provided. Access to recordings will be restricted and retention periods defined. A DPIA will be completed where required, particularly where monitoring may create a high risk to privacy.
5. Staff Responsibilities, Confidentiality Standards and Training
All staff, agency workers, volunteers and contractors at {{org_field_name}} have a duty to maintain confidentiality and protect personal data in the course of their work. They must:
- comply with this policy, related procedures, professional codes of practice and all applicable data protection law;
- only access records and information needed to carry out their role;
- keep passwords, devices, keys and records secure;
- ensure records are factual, accurate, timely, respectful and professionally written;
- not disclose confidential information inappropriately, including in public areas, on social media, or to unauthorised persons;
- verify identity and authority before sharing information;
- report actual or suspected breaches, inappropriate disclosures or security weaknesses immediately;
- complete data protection, confidentiality and information security training at induction and refresher training thereafter;
- participate in supervision, competency checks and audits relating to record keeping and confidentiality.
A breach of confidentiality, misuse of records, unauthorised access, or failure to report a data incident may result in disciplinary action and, where appropriate, referral to safeguarding agencies, CIW, the ICO, Social Care Wales, the DBS, police or another professional body.
6. Individuals’ Data Protection Rights
Service users, and where appropriate their authorised representatives, have rights under UK GDPR and the Data Protection Act 2018. These include:
- the right to be informed about how their data is used;
- the right of access to their personal data, subject to lawful exemptions;
- the right to rectification where information is inaccurate or incomplete;
- the right to request erasure in certain circumstances, although this right is not absolute and may not apply where records must be retained for legal, regulatory, safeguarding, public interest, health or social care reasons;
- the right to request restriction of processing in certain circumstances;
- the right to data portability only where the legal conditions for that right are met;
- the right to object to certain types of processing, although this may be limited where processing is necessary for legal obligations, public functions, safeguarding, or provision of health or social care;
- rights in relation to automated decision-making where applicable;
- the right to complain to the ICO if they are dissatisfied with how their personal data has been handled.
Requests may be made verbally or in writing. {{org_field_name}} will respond without undue delay and normally within one calendar month, subject to lawful extensions or exemptions. Proof of identity and authority may be requested before information is disclosed.
Individuals, and where appropriate their authorised representatives, will be informed that they may request access to records and information about themselves, subject to legal requirements and any applicable exemptions.
7. Accountability, Governance and Monitoring
{{org_field_name}} will appoint a named person with lead responsibility for data protection compliance. Where the organisation is legally required to appoint a Data Protection Officer (DPO), or chooses to do so voluntarily, that role will be clearly identified. Where a formal DPO is not required, overall responsibility will remain with the service provider and registered management arrangements.
The service will maintain appropriate governance arrangements, which may include:
- privacy notices;
- data protection and confidentiality training records;
- audit and monitoring of record keeping and access controls;
- a retention and secure disposal schedule;
- a data breach and incident log;
- contracts and data processing agreements with third parties;
- records of subject access requests and other rights requests;
- DPIAs where required;
- review of surveillance/CCTV arrangements where used;
- periodic policy review in response to legal, regulatory or service changes.
8. Related Policies
This policy should be read alongside, as applicable:
- Complaints Policy
- Safeguarding Adults at Risk Policy
- Safeguarding Children Policy
- Record Keeping / Records Management Policy
- Information Sharing Procedure
- Consent and Mental Capacity Policy
- Duty of Candour Policy
- Staff Code of Conduct / Disciplinary Policy
- Whistleblowing Policy
- CCTV / Surveillance Policy
- Cyber Security / IT Acceptable Use Policy
- Data Retention and Secure Disposal Schedule
- Privacy Notice(s)
9. Policy Review
This policy will be reviewed at least annually, and sooner if there are changes to legislation, ICO guidance, CIW requirements, Welsh Government guidance, service delivery arrangements, technology, surveillance arrangements, or lessons learned from complaints, incidents, audits or breaches. Updates will be made to reflect legislative changes, advancements in data protection practices, or identified areas for improvement.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.