{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (GDPR) Policy
1. Introduction
At {{org_field_name}}, we are committed to safeguarding the privacy and personal data of our service users. This policy outlines our approach to managing personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We aim to handle all personal data lawfully, fairly, and transparently, ensuring the rights and freedoms of our service users are respected.
2. Purpose
The purpose of this policy is to:
- Define the types of personal data we collect and process.
- Explain how we use, store, and protect personal data.
- Inform service users of their rights regarding their personal data.
- Ensure compliance with applicable data protection legislation.
3. Scope
This policy applies to all personal data processed by {{org_field_name}} concerning our service users, including data collected, stored, and shared in any format. It covers all employees, contractors, and partners involved in the processing of personal data.
4. Data Collection
We collect personal data necessary for providing domiciliary care services, which may include:
- Personal Identification Information: Name, date of birth, address, telephone number, and email address.
- Health Information: Medical history, medication details, care plans, and records of care provided.
- Next of Kin and Emergency Contact Details: Names and contact information of designated individuals.
- Financial Information: Billing details and payment information.
We collect this information through various means, including service user assessments, care plans, and communications with healthcare professionals and family members.
5. Lawful Basis for Processing
Our processing of personal data is based on the following lawful grounds:
- Consent: Where explicit consent has been obtained from the service user or their legal representative.
- Contractual Necessity: To fulfil our obligations under the care service agreement.
- Legal Obligation: To comply with applicable laws and regulations governing health and social care.
- Vital Interests: To protect the life or health of the service user in emergency situations.
- Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided these interests are not overridden by the service user’s rights.
6. Use of Personal Data
We use personal data to:
- Develop and implement personalised care plans.
- Communicate effectively with service users, their families, and healthcare professionals.
- Manage and deliver care services safely and effectively.
- Maintain accurate records for legal, regulatory, and quality assurance purposes.
- Process billing and financial transactions.
7. Data Sharing
We may share personal data with:
- Healthcare professionals involved in the service user’s care.
- Regulatory bodies, as required by law.
- Emergency services, when necessary to protect the service user’s vital interests.
- Third-party service providers who support our operations, under strict confidentiality agreements.
We ensure that any third parties with whom we share personal data are compliant with data protection laws and uphold the same standards of confidentiality and security.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or damage. These measures include:
- Access Controls: Restricting access to personal data to authorised personnel only.
- Data Encryption: Using encryption technologies to protect data during storage and transmission.
- Regular Audits: Conducting periodic audits to assess data security practices and compliance.
- Training: Providing regular training to staff on data protection and confidentiality protocols.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with legal and regulatory requirements. Upon the conclusion of the retention period, we securely dispose of or anonymise personal data.
10. Rights of Service Users
Service users have the following rights regarding their personal data:
- Right to Access: To obtain a copy of their personal data and information about how it is processed.
- Right to Rectification: To request correction of inaccurate or incomplete data.
- Right to Erasure: To request deletion of personal data, subject to certain conditions.
- Right to Restrict Processing: To request a limitation on the processing of their data.
- Right to Data Portability: To receive their data in a structured, commonly used format and transfer it to another controller.
- Right to Object: To object to the processing of their data based on legitimate interests.
To exercise these rights, service users or their representatives should contact the Data Protection Officer:
{{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}
Email: {{org_field_data_protection_officer_email}}
Phone: {{org_field_data_protection_officer_phone}}
11. Data Breaches
In the event of a personal data breach, we will promptly assess the risk to service users’ rights and freedoms and, if necessary, report the breach to the Information Commissioner’s Office (ICO) within 72 hours. Affected individuals will be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
12. Policy Review
We regularly review and update this policy to reflect changes in legislation, best practices, and our operational procedures.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.