{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}

---

Confidentiality and Data Protection (GDPR)-Service User Policy

1. Purpose

The purpose of this policy is to ensure that {{org_field_name}} complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Care Inspectorate Wales (CIW) regulations when handling service user information. This policy outlines our approach to confidentiality, data security, and compliance with legal obligations while ensuring that all personal data is processed fairly, lawfully, and transparently.

Protecting the confidentiality of service users is fundamental to maintaining trust, ensuring dignity, and safeguarding personal rights. This policy applies to all staff, volunteers, contractors, and third parties who handle service user data in any capacity.

2. Scope

This policy applies to:

• All personal and sensitive data collected, stored, and processed by {{org_field_name}}.
• All staff members, volunteers, and external contractors handling service user information.
• Electronic, paper-based, and verbal data exchanges related to service users.

It covers:

• Confidentiality principles and legal compliance.
• Data collection, storage, and processing.
• Data sharing and access control.
• Service user rights under GDPR.
• Data breach procedures.

3. Legal and Regulatory Compliance

{{org_field_name}} is committed to complying with:

• UK General Data Protection Regulation (UK GDPR) – Ensures personal data is processed fairly, transparently, and securely.
• Data Protection Act 2018 – Regulates the processing of personal information in the UK.
• Regulation and Inspection of Social Care (Wales) Act 2016 – Sets out the responsibility of care providers in protecting service user information【32】.
• Health and Social Care (Quality and Engagement) (Wales) Act 2020 – Promotes transparency and accountability in social care.

4. Principles of Confidentiality and Data Protection

All data processing activities at {{org_field_name}} adhere to the following key principles:

4.1 Lawfulness, Fairness, and Transparency

• Service users must be informed about how their data is collected, used, and stored.
• Written consent must be obtained before collecting or sharing personal information.
• Privacy notices will be provided in accessible formats, explaining data processing activities.

4.2 Purpose Limitation

• Personal data will only be collected for specific, explicit, and legitimate purposes related to care provision.
• Information will not be used for purposes unrelated to care delivery, such as marketing.

4.3 Data Minimisation

• Only the minimum necessary data will be collected to fulfil care needs.
• Staff must not collect excessive or irrelevant information about service users.

4.4 Accuracy

• Service user records must be accurate and kept up to date.
• Any inaccuracies should be corrected as soon as they are identified.

4.5 Storage Limitation

• Personal data will be retained only for as long as necessary for care provision and regulatory compliance.
• Records will be securely deleted or anonymised when no longer needed.

4.6 Integrity and Confidentiality

• Personal data will be stored securely, using encryption and access controls.
• Staff must follow confidentiality agreements and secure communication protocols.

5. Data Collection, Storage, and Processing

5.1 Data Collection

• Personal data is collected during initial assessments, care planning, and ongoing service provision.
• Data collected includes:
  • Basic identification details (e.g., name, address, date of birth).
  • Health and medical history relevant to care provision.
  • Emergency contact and next of kin details.
  • Care preferences and risk assessments.

5.2 Data Storage and Security

• Electronic records are stored securely using encrypted care management systems.
• Paper records are kept in locked cabinets with restricted staff access.
• Staff must use password-protected devices when accessing personal data.
• Unauthorised access or data sharing is strictly prohibited.

5.3 Data Processing

• Personal data is processed to deliver safe and effective care.
• Data is only accessed by authorised staff members who require it for their role.
• Processing activities are monitored for compliance with GDPR and CIW regulations【35】.

6. Data Sharing and Access Control

6.1 Who Can Access Service User Data?

• Only authorised employees who require access to perform their duties.
• Care professionals involved in service user support, such as GPs or social workers.
• Regulatory bodies (CIW, local authorities) if required by law.

6.2 Sharing Data with Third Parties

• Data will only be shared when necessary for care provision, safeguarding, or legal compliance.
• Service user consent must be obtained before sharing non-essential information.
• A formal Data Processing Agreement is required before engaging third-party providers.

6.3 Service User Access to Their Own Data

• Service users have the right to request access to their personal information.
• Requests will be processed within one month, in line with GDPR guidelines.
• Service users can request corrections, deletions, or restrictions on data processing.

7. Data Breach Procedures

7.1 Identifying a Data Breach

A data breach includes:

• Unauthorised access or disclosure of personal data.
• Loss or theft of records or devices containing personal data.
• Cybersecurity breaches affecting data security.

7.2 Reporting and Responding to a Data Breach

• All breaches must be reported immediately to the Data Protection Officer: {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}.
• A breach assessment will be conducted to determine the level of risk.
• Serious breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours.

7.3 Actions to Mitigate Risk

• Contain and investigate the breach to prevent further data loss.
• Notify affected individuals if there is a high risk to their rights and freedoms.
• Implement corrective measures to prevent recurrence.

8. Staff Responsibilities and Training

8.1 Staff Responsibilities

• All staff must follow data protection policies and maintain service user confidentiality.
• Personal data should only be accessed when necessary for service delivery.
• Any suspected data breaches must be reported immediately.

8.2 Mandatory Data Protection Training

• All employees must complete GDPR and confidentiality training during induction.
• Refresher training is conducted annually.
• Training covers:
  • GDPR compliance and legal responsibilities.
  • Secure data handling and storage.
  • Identifying and responding to data breaches.

9. Monitoring and Compliance

• The Data Protection Officer conducts regular audits to ensure GDPR compliance.
• CIW inspections will assess data protection practices as part of regulatory checks【35】.
• Service user feedback is used to monitor data protection effectiveness.

10. Related Policies

This policy should be read in conjunction with:

• Whistleblowing (Speaking Up) Policy (DCW29)
• Staff Conduct and Code of Ethics Policy (DCW28)
• Safeguarding Adults from Abuse and Improper Treatment Policy (DCW13)【34】
• Complaints Handling Policy (DCW14)

11. Policy Review

This policy will be reviewed annually or sooner if required by legislative changes, CIW guidance, or operational needs. Staff will be informed of any updates, and additional training will be provided as necessary.

---

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.