{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (UK GDPR) – Staff Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} protects confidential, personal and special category information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Regulation and Inspection of Social Care (Wales) Act 2016, the Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended, and current Care Inspectorate Wales (CIW) requirements.
This policy sets out the standards expected of all staff when accessing, recording, using, storing, sharing, disclosing, transferring, retaining or disposing of personal information relating to individuals who use the service, their representatives, relatives, visitors, staff, volunteers, agency workers and other people connected with the service.
{{org_field_name}} recognises that care home services process highly sensitive information, including health and social care information. This information must be handled lawfully, fairly, transparently, securely and only where there is a legitimate care, employment, safeguarding, regulatory, contractual or legal reason to do so.
This policy supports compliance with:
- The UK General Data Protection Regulation (UK GDPR).
- The Data Protection Act 2018.
- The Regulation and Inspection of Social Care (Wales) Act 2016.
- The Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended.
- Welsh Government statutory guidance for service providers and responsible individuals, Version 3, March 2024.
- Care Inspectorate Wales registration, inspection, notification and enforcement expectations.
- The Social Services and Well-being (Wales) Act 2014, including safeguarding duties.
- The Mental Capacity Act 2005, where information-sharing or decision-making involves a person who may lack capacity.
- The Equality Act 2010, including the need to provide information in accessible formats where required.
- The Caldicott Principles, where confidential health and social care information is used or shared.
- Social Care Wales codes of professional practice and employer expectations.
Staff must understand that confidentiality is not optional. Personal information must only be accessed, used or shared where there is a lawful, necessary and proportionate reason to do so.
2. Scope
This policy applies to:
- All employees of {{org_field_name}}, including permanent, temporary, part-time and full-time staff.
- Agency workers, bank staff, students, apprentices, contractors and volunteers.
- The Registered Manager, Responsible Individual, senior managers, directors and nominated data protection leads.
- Any person who has access to confidential or personal information through their work with or for {{org_field_name}}.
- Third-party organisations that process personal data on behalf of {{org_field_name}}, including electronic care planning providers, payroll providers, IT support providers, HR systems, training providers and professional advisers.
This policy applies to all formats of information, including:
- Paper records.
- Electronic care records.
- Staff files and HR records.
- Emails, letters, reports, photographs and scanned documents.
- Medication records, care plans, risk assessments, daily notes and incident records.
- CCTV, door-entry, call-bell, monitoring or assistive technology records where used.
- Information held on laptops, tablets, mobile phones, removable media, cloud systems or shared drives.
- Verbal discussions and telephone conversations.
This policy covers information relating to:
- Individuals receiving care and support.
- Representatives, attorneys, deputies, relatives, advocates and visitors.
- Staff, volunteers, agency workers and applicants.
- Safeguarding referrals, complaints, incidents, accidents, investigations and regulatory notifications.
- Health, social care, financial, equality, employment and safeguarding information.
Staff must follow this policy whether they are working on the premises, working remotely, attending meetings, using electronic systems, speaking with professionals, or communicating with families, representatives or external agencies.
3. Principles of Data Protection and Confidentiality
3.1 Data Protection Principles
{{org_field_name}} will comply with the UK GDPR data protection principles. All personal data must be:
- Processed lawfully, fairly and transparently – individuals must be told how their information is used through clear privacy information, unless an exemption applies.
- Collected for specified, explicit and legitimate purposes – information must only be used for the purpose for which it was collected, unless there is a lawful reason to use it for another compatible purpose.
- Adequate, relevant and limited to what is necessary – staff must only record, access or share the minimum information required.
- Accurate and kept up to date – factual records must be accurate, and inaccurate information must be corrected where appropriate.
- Kept for no longer than necessary – records must be retained in line with {{org_field_name}}’s retention schedule and securely destroyed when no longer required.
- Processed securely – records must be protected against unauthorised access, loss, destruction, damage or disclosure.
- Accountable – {{org_field_name}} must be able to demonstrate compliance through policies, training, audits, breach logs, privacy notices, data-sharing records and governance arrangements.
Staff must not access, browse, discuss, copy, photograph, download, share or disclose personal information unless it is necessary for their role and there is a lawful reason to do so.
3.2 Types of Information Covered by This Policy
For the purposes of this policy:
Personal data means any information that identifies, or could identify, a living person. This includes names, addresses, dates of birth, contact details, photographs, identification numbers, care records, employment records and opinions about a person.
Special category data is more sensitive personal data and requires additional protection. In a care home setting, this may include information about:
- Physical or mental health.
- Disability.
- Care and support needs.
- Medication and treatment.
- Race or ethnic origin.
- Religious or philosophical beliefs.
- Sex life or sexual orientation.
- Biometric data, where used for identification.
- Safeguarding concerns and related risk information.
Criminal offence data includes information about criminal convictions, offences, allegations, DBS checks, police involvement or safeguarding matters involving possible criminal conduct.
Because {{org_field_name}} provides care and support, staff must assume that most service user information is confidential and may include special category health or social care information. Special category data must only be processed where there is both a lawful basis under Article 6 of the UK GDPR and a special category condition under Article 9 of the UK GDPR.
3.3 Lawful Basis for Processing Information
{{org_field_name}} will identify and document the lawful basis for processing personal data. Depending on the circumstances, this may include:
- Processing necessary for the performance of a contract, such as employment contracts or service agreements.
- Processing necessary to comply with a legal obligation, such as regulatory, employment, health and safety, safeguarding or tax requirements.
- Processing necessary to protect vital interests, such as in a medical emergency.
- Processing necessary for legitimate interests, where this is appropriate and does not override the rights and freedoms of the individual.
- Consent, where consent is the correct lawful basis and the person has a genuine choice.
For special category health and social care information, {{org_field_name}} will also identify an Article 9 condition. This may include processing necessary for the provision of health or social care, management of health or social care systems and services, employment obligations, safeguarding, public interest, legal claims, or vital interests, depending on the circumstances.
Consent must not be used as the default lawful basis for care records where another lawful basis is more appropriate. Where consent is used, it must be freely given, specific, informed and capable of being withdrawn.
Staff must seek advice from the Data Protection Officer, Registered Manager or senior manager before relying on consent, sharing unusual or sensitive information, or using information for a new purpose.
3.4 Confidentiality of Service User Information
All staff must maintain the confidentiality of individuals who use the service. Staff must:
- Only access service user records where access is necessary for their role.
- Never access records out of curiosity or for personal reasons.
- Only discuss confidential information in private and where there is a legitimate work-related reason.
- Check the identity and authority of any person requesting information before information is disclosed.
- Share only the minimum information necessary for the purpose.
- Record significant disclosures of information, including what was shared, with whom, when, why and under what authority.
- Follow safeguarding procedures where information indicates a risk of abuse, neglect, harm or improper treatment.
- Respect the individual’s privacy, dignity, rights and confidentiality.
- Use secure systems and approved communication methods only.
- Never post, discuss or disclose information about individuals on social media or messaging apps.
Confidentiality does not prevent staff from sharing information where there is a lawful and necessary reason, such as safeguarding, medical emergency, regulatory inspection, serious risk, court order, police request with lawful authority, or another legal requirement.
Where there is uncertainty about whether information should be shared, staff must seek advice from the Registered Manager, Data Protection Officer or senior manager. Staff must not delay urgent safeguarding or emergency action because of uncertainty about confidentiality.
3.5 Staff Confidentiality and Employment Records
Staff personal data is protected under the UK GDPR, the Data Protection Act 2018 and employment law. Staff records may include:
- Application forms and recruitment records.
- References and interview notes.
- Right to work checks.
- DBS information and risk assessments.
- Contracts, payroll, pension and tax information.
- Supervision, appraisal, training and competency records.
- Disciplinary, grievance and performance records.
- Sickness absence, occupational health and health-related information.
- Accident, incident, safeguarding or whistleblowing records involving staff.
- Professional registration and Social Care Wales registration information, where applicable.
Access to staff records is restricted to authorised personnel only, such as the Registered Manager, Responsible Individual, HR, payroll, senior managers or external professional advisers where necessary.
Staff health information is confidential and must only be accessed or shared where there is a lawful and necessary reason, such as occupational health support, fitness to work, reasonable adjustments, health and safety, safeguarding, employment law obligations or regulatory requirements.
Staff must not access or discuss another staff member’s personal information unless this is required for their role.
3.6 Lawful Sharing of Information
{{org_field_name}} will share personal information only where there is a lawful, necessary and proportionate reason to do so.
Information may be shared with:
- Health professionals, including GPs, nurses, pharmacists, dentists, opticians, mental health services and emergency services.
- Local authorities, safeguarding teams and social workers.
- Care commissioners and placing authorities.
- CIW, where required for inspection, notification, registration, enforcement or regulatory purposes.
- Social Care Wales or professional regulators, where required.
- The police or courts, where there is lawful authority or a legal obligation.
- Advocates, attorneys, deputies, representatives or family members, where they have authority or it is appropriate and lawful to share.
- Third-party processors acting under contract, such as electronic care planning, payroll, IT, HR or archive providers.
Before sharing information, staff must consider:
- What information is being requested.
- Who is requesting it.
- Whether the requester has lawful authority or a legitimate need to know.
- Whether the individual has capacity and whether their wishes are known.
- Whether the sharing is necessary, proportionate and in the individual’s interests.
- Whether sharing is required for safeguarding, public protection, medical emergency or legal compliance.
- Whether the minimum necessary information can be shared.
Where information is shared routinely with another organisation, {{org_field_name}} will ensure that appropriate data-sharing arrangements, contracts or processor agreements are in place.
All non-routine disclosures must be recorded, including the date, recipient, reason for sharing, information shared, lawful basis where known, and the staff member authorising or making the disclosure.
3.7 Individual Rights
Individuals have rights under the UK GDPR. These include:
- The right to be informed about how their personal information is used.
- The right of access to their personal information.
- The right to rectification of inaccurate or incomplete information.
- The right to erasure, where this applies.
- The right to restrict processing, where this applies.
- The right to data portability, where this applies.
- The right to object to processing, where this applies.
- Rights in relation to automated decision-making and profiling, where applicable.
Any request from an individual, representative, attorney, deputy, staff member or other person to access, correct, restrict, delete or object to the use of personal information must be forwarded to the Data Protection Officer or Registered Manager immediately.
Subject Access Requests may be made verbally or in writing. Staff must not ignore a request because it does not mention “Subject Access Request” or “UK GDPR”.
{{org_field_name}} will usually respond to individual rights requests within one calendar month, unless an extension or exemption applies. Where a request involves health or social care information, safeguarding information, third-party information, legal privilege, serious harm concerns or capacity issues, advice must be taken before disclosure.
Staff must not disclose records directly to a requester unless authorised to do so.
3.8 Privacy Information and Accessible Communication
{{org_field_name}} will provide clear privacy information explaining how personal information is collected, used, stored, shared and retained.
Privacy information will be made available to individuals using the service, representatives, staff, applicants and other relevant people. It will be written in clear language and made available in accessible formats where required.
Where an individual has communication needs, cognitive impairment, sensory impairment, limited literacy, language needs or requires support to understand information, staff must take reasonable steps to support understanding. This may include large print, easy read, verbal explanation, translation, interpretation, advocacy, communication aids or support from an appropriate representative.
Privacy information must be reviewed regularly and whenever there is a significant change in how personal information is used.
3.9 Secure Storage, Access and Disposal of Records
{{org_field_name}} will maintain appropriate technical and organisational measures to protect personal information.
Staff must follow these requirements:
- Paper records must be stored securely when not in use.
- Confidential records must not be left unattended in communal areas, vehicles, staff rooms or public spaces.
- Filing cabinets, offices and archive areas must be locked where confidential records are stored.
- Electronic systems must only be accessed using authorised individual logins.
- Passwords must not be shared, written down in insecure places or reused across work and personal systems.
- Multi-factor authentication must be used where available.
- Staff must log out or lock screens when leaving devices unattended.
- Access to electronic care records and staff records must be role-based and reviewed regularly.
- Personal devices must not be used to store, photograph or transmit service user or staff information unless expressly authorised by management and protected by approved security controls.
- Confidential emails must be checked carefully before sending, including recipient, attachment and content.
- Personal or sensitive information must be encrypted or otherwise protected where appropriate.
- Removable media must not be used unless authorised and encrypted.
- Records must not be removed from the service unless authorised and necessary.
- Confidential waste must be disposed of securely using shredding or an approved confidential waste process.
- Electronic records must be securely deleted or archived in line with the retention schedule.
- Backups must be maintained and tested to reduce the risk of data loss.
Staff must immediately report lost records, misdirected emails, unauthorised access, cyber incidents, ransomware, phishing, lost devices or any suspected breach.
3.10 Record Retention
Records must be kept for no longer than necessary, but long enough to meet legal, regulatory, safeguarding, employment, insurance, contractual and operational requirements.
{{org_field_name}} will maintain a record retention schedule that identifies:
- The type of record.
- The retention period.
- The reason for the retention period.
- The person or role responsible for retention and disposal.
- The method of secure destruction or archiving.
Records must not be destroyed where they may be required for:
- An ongoing complaint, safeguarding enquiry, investigation or litigation.
- A CIW inspection, enforcement matter or notification.
- Police, court, coroner, commissioner or local authority enquiries.
- Insurance, employment or regulatory proceedings.
- A Subject Access Request or other individual rights request that has been received.
Any destruction of confidential records must be authorised and recorded.
3.11 Managing Personal Data Breaches and Security Incidents
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples include:
- Sending personal information to the wrong person.
- Losing care records, staff files, medication records or incident records.
- Unauthorised access to electronic care records.
- A staff member accessing records without a work-related reason.
- Theft or loss of a laptop, tablet, phone, USB device or paper file.
- Cyber attack, ransomware, malware or phishing.
- Accidental deletion or alteration of records.
- Discussing confidential information where it can be overheard.
- Disclosing information to a family member, representative or professional without proper authority.
- Failing to use blind copy (BCC) when sending group emails containing personal information, so that every recipient can see the other recipients’ addresses.
All staff must report actual or suspected breaches immediately to:
Data Protection Officer: {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}
Registered Manager: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Staff must not attempt to conceal a breach or delay reporting. Immediate reporting is essential because some breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of {{org_field_name}} becoming aware of the breach.
The Data Protection Officer, Registered Manager or authorised senior manager will:
- Contain the breach and reduce further risk.
- Record the breach in the data breach log.
- Assess what information is involved.
- Assess who is affected.
- Assess the likely risk to individuals’ rights and freedoms.
- Decide whether the breach is reportable to the ICO.
- Decide whether affected individuals must be informed.
- Decide whether the incident must also be notified to CIW, commissioners, safeguarding bodies, police, insurers or other relevant agencies.
- Record the decision-making process, including where a decision is made not to report.
- Identify lessons learned and corrective actions.
Where the breach is likely to result in a high risk to individuals, affected individuals will be informed without undue delay unless an exemption applies.
Where the incident is also a notifiable event to CIW, the Responsible Individual or Registered Manager will ensure that CIW is notified through CIW Online in line with CIW requirements.
Breaches, near misses and information security incidents will be reviewed as part of governance, audit and quality assurance arrangements.
3.12 Staff Responsibilities and Training
All staff are responsible for protecting personal and confidential information.
Staff must:
- Read, understand and follow this policy.
- Complete confidentiality, data protection and information security training during induction.
- Complete refresher training at least annually or sooner where required.
- Follow the confidentiality and data protection requirements of their role.
- Only access records where there is a legitimate work-related reason.
- Keep accurate, respectful, factual and contemporaneous records.
- Challenge and report unsafe, unlawful or inappropriate information handling.
- Report actual or suspected data breaches immediately.
- Cooperate with audits, investigations and requests for information.
- Follow Social Care Wales codes of professional practice where applicable.
- Maintain confidentiality after their employment or engagement with {{org_field_name}} ends.
Managers must ensure that staff understand this policy, have access to current procedures, and are supported through supervision, team meetings, competency checks and training.
Failure to follow this policy may result in disciplinary action and may also lead to referral to Social Care Wales, another professional regulator, the Disclosure and Barring Service, the ICO, CIW, the police or another relevant authority where appropriate.
4. Data Protection Impact Assessments
{{org_field_name}} will complete a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to individuals.
A DPIA must be considered before introducing or significantly changing:
- Electronic care planning systems.
- CCTV, monitoring, surveillance or sensor technology.
- Call monitoring, access control or visitor management systems.
- Artificial intelligence or automated decision-making tools.
- Large-scale processing of health, care, safeguarding or staff information.
- New systems involving special category data.
- New data sharing arrangements.
- New remote access, cloud storage or mobile working arrangements.
- Any processing involving vulnerable individuals where there may be a high risk.
A DPIA will identify the purpose of the processing, the lawful basis, the necessity and proportionality of the processing, the risks to individuals, and the measures used to reduce those risks.
Where a DPIA identifies a high risk that cannot be reduced, {{org_field_name}} will seek advice from the Data Protection Officer and, where required, consult the ICO before the processing begins.
5. Data Processors and Third-Party Systems
Where {{org_field_name}} uses another organisation to process personal data on its behalf, the organisation must be subject to appropriate due diligence and a written contract or data processing agreement.
This may include providers of:
- Electronic care planning systems.
- Medication management systems.
- Payroll and pension services.
- HR and recruitment systems.
- Training platforms.
- IT support, cloud storage and backup services.
- CCTV or access control systems.
- Accountancy, legal, insurance or professional advisory services.
- Archive storage or confidential waste disposal.
Before using a processor, {{org_field_name}} will consider whether the processor provides sufficient guarantees about confidentiality, security, staff training, access controls, breach reporting, data location, subcontracting, deletion or return of data, and audit rights.
Processors must be required to report data breaches or suspected breaches to {{org_field_name}} without undue delay.
Staff must not upload, transfer or enter personal information into any third-party system unless the system has been approved by {{org_field_name}}.
6. Photographs, CCTV and Monitoring Technology
Photographs, CCTV images, audio recordings, video recordings and monitoring data may be personal data and must be handled in accordance with this policy.
Staff must not take photographs, videos or recordings of individuals using personal devices. Any photograph, recording or image taken for care, identification, activity, evidence, medication, wound care, accident, safeguarding or promotional purposes must be authorised, necessary, proportionate and recorded.
Where CCTV or monitoring technology is used, {{org_field_name}} will ensure that:
- There is a clear and lawful purpose.
- A DPIA is completed where required.
- Individuals, representatives, visitors and staff are informed.
- Signage is displayed where appropriate.
- Access to footage or recordings is restricted.
- Footage is retained only for the approved retention period unless needed for an incident, safeguarding, complaint, investigation or legal reason.
- Covert recording is not used unless there is exceptional lawful justification and senior authorisation.
Monitoring technology must not be used in a way that unnecessarily compromises privacy, dignity, autonomy or confidentiality.
7. Mental Capacity, Representatives and Best Interests
Where an individual may lack capacity to make a specific decision about information sharing, staff must follow the Mental Capacity Act 2005 and any relevant best interests process.
Staff must check whether any person requesting information has lawful authority to act for the individual, such as:
- Lasting Power of Attorney for Health and Welfare.
- Lasting Power of Attorney for Property and Financial Affairs.
- Court-appointed deputyship.
- Appointeeship, where relevant to financial matters.
- Written consent from the individual.
- Other legal authority.
A family relationship alone does not automatically give a person the right to access all personal information.
Where information is shared in the individual’s best interests, staff must ensure that the decision is necessary, proportionate, properly recorded and limited to the information required.
8. Managing Data Protection Effectively
8.1 Leadership and Accountability
The service provider, Responsible Individual, Registered Manager and Data Protection Officer are responsible for ensuring that effective confidentiality, data protection and information governance arrangements are in place.
The Data Protection Officer or nominated data protection lead will:
- Advise on data protection compliance.
- Support breach assessment and reporting.
- Support responses to Subject Access Requests and individual rights requests.
- Advise on DPIAs.
- Maintain or oversee data protection records, breach logs and audit evidence.
- Support staff training and awareness.
- Monitor compliance with this policy.
The Responsible Individual and Registered Manager will ensure that:
- Staff have access to current policies and procedures.
- Staff understand confidentiality and data protection expectations.
- Information governance risks are included in quality assurance and governance systems.
- Incidents, complaints, breaches and audit findings are reviewed.
- CIW is notified of relevant incidents through CIW Online where required.
- Improvements are implemented and monitored.
8.2 Staff Training and Awareness
All staff must receive confidentiality, data protection and information security training during induction and refresher training at least annually.
Training will cover:
- Confidentiality in health and social care.
- UK GDPR principles.
- Special category data.
- Lawful access and lawful sharing.
- Safeguarding and information sharing.
- Subject Access Requests and individual rights.
- Secure record keeping.
- Email, phone and verbal confidentiality.
- Data breach identification and reporting.
- Cyber security, phishing and safe use of systems.
- Social media and personal device restrictions.
- Staff responsibilities under this policy.
Additional training will be provided to staff with higher levels of access to records, management responsibilities, system administration duties, HR responsibilities or responsibility for responding to information rights requests.
Training completion will be recorded and monitored.
8.3 Monitoring, Audit and Continuous Improvement
{{org_field_name}} will monitor compliance with this policy through governance and quality assurance systems.
This may include:
- Audits of care records and staff records.
- Access permission reviews.
- Checks of staff training completion.
- Review of breach logs and near misses.
- Review of Subject Access Requests and response times.
- Review of complaints involving confidentiality or records.
- Review of data sharing arrangements.
- Review of processor contracts.
- Review of retention and secure disposal.
- Cyber security checks and phishing awareness.
- Lessons learned from incidents, inspections, complaints and safeguarding matters.
Findings will be used to improve systems, training, policies and practice. Significant findings will be reported to the Registered Manager, Responsible Individual and senior management as appropriate.
9. Related Policies
This policy should be read alongside:
- CHW04 – Good Governance Policy.
- CHW11 – Safe Care and Treatment Policy.
- CHW13 – Safeguarding Adults from Abuse and Improper Treatment Policy.
- CHW16 – Health and Safety at Work Policy.
- CHW18 – Risk Management and Assessment Policy.
- CHW24 – Management of Accidents, Incidents, and Near Misses Policy.
- Complaints Policy.
- Whistleblowing Policy.
- Duty of Candour Policy.
- Record Keeping Policy.
- Access to Records / Subject Access Request Procedure.
- Information Security / Cyber Security Policy.
- Data Retention and Disposal Schedule.
- CCTV / Surveillance Policy, where applicable.
- Social Media and Acceptable Use Policy.
- Staff Disciplinary Policy.
- Mental Capacity Act and Deprivation of Liberty Safeguards Policy.
- Safeguarding Children Policy, where the service accommodates or supports children.
10. Policy Review
This policy will be reviewed at least annually, or sooner where there are changes in legislation, Welsh Government guidance, CIW requirements, ICO guidance, service delivery, technology, cyber security risks, incidents, complaints, safeguarding issues or inspection findings.
The review will consider:
- Changes to UK GDPR, the Data Protection Act 2018 or associated guidance.
- Changes to Welsh care home legislation or CIW requirements.
- Data breaches, near misses and information security incidents.
- Complaints or concerns involving confidentiality or records.
- Audit findings and staff training compliance.
- Changes to electronic care planning, monitoring technology or third-party processors.
- Feedback from individuals, representatives and staff where relevant.
Updated versions of this policy will be communicated to staff. Staff may be required to confirm that they have read and understood the updated policy.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.