{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (GDPR) - Staff Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} complies with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and Care Inspectorate Wales (CIW) requirements regarding confidentiality, data protection, and information security. This policy sets out clear expectations for all staff on handling personal and sensitive data in a lawful, secure, and ethical manner to protect service users, staff, and the organisation.
This policy aligns with:
- The Data Protection Act 2018, which enforces GDPR requirements in the UK.
- The General Data Protection Regulation (UK GDPR), which governs the lawful processing of personal data.
- The Regulation and Inspection of Social Care (Wales) Act 2016, which requires care providers to handle information safely.
- CIW regulations, which expect high standards of confidentiality, record-keeping, and data security.
- The Caldicott Principles, which provide best practice guidelines for sharing confidential information in health and social care.
2. Scope
This policy applies to:
- All staff members, including permanent, agency, and volunteer staff.
- Service users and their families, ensuring their data is protected.
- Third-party service providers, including contractors and external agencies handling data on behalf of {{org_field_name}}.
- Electronic and paper records, covering storage, access, sharing, and disposal of data.
The policy covers:
- Data protection principles under GDPR.
- Handling and sharing confidential information securely.
- Service user and staff rights regarding personal data.
- Data breaches and reporting procedures.
- Staff responsibilities for compliance.
3. Principles of Data Protection and Confidentiality
3.1. Adhering to GDPR’s Data Protection Principles
All personal data handled by {{org_field_name}} must comply with the seven key GDPR principles:
- Lawfulness, fairness, and transparency – Data must be collected and processed fairly, with full disclosure to the individual.
- Purpose limitation – Data is used only for the specified and legitimate purposes.
- Data minimisation – Only necessary data is collected and processed.
- Accuracy – Personal data must be accurate and kept up to date.
- Storage limitation – Data is retained for only as long as necessary.
- Integrity and confidentiality – Data must be protected from unauthorised access, loss, or damage.
- Accountability – {{org_field_name}} is responsible for ensuring compliance with GDPR.
Staff are legally and professionally required to follow these principles at all times.
3.2. Maintaining Confidentiality of Service User Information
All staff must:
- Respect service user confidentiality at all times.
- Only access service user records if required for work purposes.
- Not disclose personal information to unauthorised individuals.
- Use secure systems for storing and handling records (e.g., electronic care planning systems).
- Discuss confidential matters privately, ensuring conversations cannot be overheard.
Any sharing of personal data must be justified and documented, following GDPR’s lawful processing rules.
3.3. Staff Confidentiality and Employment Records
Staff personal data is also protected under GDPR and employment law. This includes:
- Payroll information, employment contracts, disciplinary records, and appraisals.
- Health information, including occupational health reports.
- Background checks, including DBS records.
Only authorised personnel (e.g., HR, senior management) have access to staff records, which are stored securely.
3.4. Lawful Sharing of Information
There are instances where {{org_field_name}} may be legally required to share personal data, such as:
- Safeguarding concerns – Sharing information with social services, police, or safeguarding boards.
- Regulatory compliance – Providing CIW with required records during inspections.
- Medical emergencies – Sharing relevant health data with NHS professionals.
Before sharing, staff must:
- Ensure the request is legitimate and follows GDPR’s lawful bases for processing.
- Only share the minimum necessary information.
- Record the disclosure, including who accessed the data and why.
3.5. Secure Storage, Access, and Disposal of Records
To ensure data security, all records must be handled properly:
- Paper records must be locked away when not in use.
- Electronic records must be password-protected and only accessed by authorised personnel.
- Emails containing personal data must be encrypted where possible.
- Data backups are conducted regularly to prevent data loss.
- Retention schedules must be followed, with records securely disposed of when no longer needed.
Paper documents are shredded before disposal, and electronic data is permanently deleted using secure methods.
3.6. Managing Data Breaches and Reporting
A data breach includes:
- Loss or theft of personal data, such as lost paperwork or stolen laptops.
- Unauthorised access, such as a staff member viewing records without permission.
- Accidental disclosure, such as emailing sensitive data to the wrong person.
If a data breach occurs:
- Staff must report it immediately to the Data Protection Officer (DPO): {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}.
- The DPO investigates and assesses the breach’s impact.
- If required, the breach is reported to the Information Commissioner’s Office (ICO) within 72 hours.
- Affected individuals are informed, where necessary.
- Corrective actions are implemented, preventing future incidents.
3.7. Staff Responsibilities and Training
All staff are responsible for protecting personal data and must:
- Complete mandatory GDPR and confidentiality training.
- Follow correct procedures when handling personal information.
- Report concerns about improper data handling or security breaches.
- Use work devices responsibly, avoiding unauthorised use of personal data.
Managers conduct regular audits and refresher training to reinforce compliance.
4. Managing Data Protection Efficiently
4.1. Leadership and Accountability
- The Data Protection Officer (DPO) oversees GDPR compliance and investigates breaches.
- The Registered Manager ensures staff follow confidentiality protocols in day-to-day operations.
- Supervisors and team leaders monitor how data is handled on the frontline.
4.2. Staff Training and Awareness
- All staff complete GDPR and confidentiality training during induction.
- Annual refresher courses ensure knowledge is up to date.
- Role-specific training is provided for managers and data handlers.
- Confidentiality posters and guidance materials reinforce best practices.
4.3. Monitoring and Continuous Improvement
- Regular audits assess compliance with GDPR and confidentiality policies.
- Feedback from service users and staff helps improve data protection processes.
- Incident trend analysis identifies risks and areas for improvement.
- Annual policy reviews ensure alignment with regulatory updates.
5. Related Policies
This policy is supported by:
- CHW04 – Good Governance Policy
- CHW11 – Safe Care and Treatment Policy
- CHW13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CHW16 – Health and Safety at Work Policy
- CHW18 – Risk Management and Assessment Policy
- CHW24 – Management of Accidents, Incidents, and Near Misses Policy
6. Policy Review
This policy is reviewed annually, or sooner if there are changes in legislation, CIW guidance, or cybersecurity threats. Updates are communicated to all staff, and additional training is provided as necessary.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.