{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Data Protection (GDPR) – Staff Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when handling staff information. It sets out clear guidelines for the confidentiality, security, and lawful processing of employee data, ensuring that personal and sensitive information is managed responsibly and ethically.
This policy ensures compliance with:
- UK GDPR and the Data Protection Act 2018 – Defines legal obligations regarding data processing, security, and individual rights.
- The Regulation and Inspection of Social Care (Wales) Act 2016 – Requires care providers to protect personal data and maintain confidentiality.
- The Employment Rights Act 1996 – Covers staff rights regarding employment records and confidentiality.
- Care Inspectorate Wales (CIW) Regulations – Ensures compliance with data protection and confidentiality requirements for staff and service user records.
2. Scope
This policy applies to:
- All employees, contractors, agency staff, and volunteers at {{org_field_name}}.
- Personal and sensitive staff data, including employment records, health information, disciplinary records, and payroll details.
- Confidentiality obligations regarding service users, colleagues, and company information.
It covers:
- Staff responsibilities in data protection and confidentiality.
- How personal staff data is collected, processed, and stored.
- Access control and data security.
- Staff rights under GDPR.
- Data breaches and reporting procedures.
3. Principles of Confidentiality and Data Protection
{{org_field_name}} follows the six key principles of GDPR, ensuring that personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes.
- Limited to what is necessary (data minimisation).
- Accurate and kept up to date.
- Stored securely and retained only as long as necessary.
- Processed in a way that ensures integrity and confidentiality.
4. Staff Responsibilities
All staff are responsible for ensuring that confidentiality and data security are upheld at all times. This includes:
- Maintaining strict confidentiality when handling sensitive staff, service user, or business-related data.
- Not sharing passwords, access credentials, or confidential documents with unauthorised persons.
- Securely disposing of confidential paperwork (shredding or confidential waste disposal).
- Reporting data breaches immediately to the Data Protection Officer:
📌 Data Protection Officer: {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}.
📌 Email: {{org_field_data_protection_officer_email}}.
5. Collection, Processing, and Storage of Staff Data
5.1 What Personal Data We Collect
{{org_field_name}} collects and processes staff information necessary for employment, payroll, and compliance. This includes:
- Identification details (name, address, date of birth, contact details).
- Employment records (contracts, job applications, performance reviews, disciplinary records).
- Payroll and tax information (salary, pension, National Insurance details).
- Health and safety records (medical conditions affecting work, accident reports).
- Training and professional qualifications.
5.2 How Staff Data is Processed
- Staff personal data is only used for employment purposes (e.g., payroll, compliance, performance management).
- Data is processed in line with employment contracts and GDPR legal requirements.
- Sensitive information (e.g., health data) is only processed with explicit consent, unless required by law.
5.3 How Staff Data is Stored
- Electronic records are stored on secure, password-protected systems.
- Paper records are kept in locked cabinets with restricted access.
- Only authorised personnel (HR, management) have access to confidential staff data.
6. Access Control and Data Security
6.1 Who Has Access to Staff Data?
- HR, payroll, and management teams handling staff records.
- Regulatory bodies (CIW, HMRC, local authorities) when legally required.
- External service providers (e.g., payroll processors) under strict confidentiality agreements.
6.2 Secure Access Procedures
- Staff must not share logins or passwords for data systems.
- Company-issued devices must be used for accessing sensitive information, with two-factor authentication where applicable.
- Staff must lock screens when leaving computers unattended.
7. Staff Rights Under GDPR
Employees have the following rights regarding their personal data:
7.1 Right to Access
- Staff can request access to their personal data by submitting a Subject Access Request (SAR) to the Data Protection Officer.
- Requests will be processed within one month, in line with GDPR requirements.
7.2 Right to Rectification
- If personal data is inaccurate or outdated, staff can request corrections.
7.3 Right to Erasure (Right to Be Forgotten)
- Employees can request the deletion of personal data if there is no legal obligation to retain it (e.g., tax records must be retained for 6 years).
7.4 Right to Restrict Processing
- If a staff member disputes the accuracy of their data, processing can be temporarily restricted while it is verified.
7.5 Right to Data Portability
- Staff can request their data in a portable format if they change employment.
8. Data Breaches and Reporting Procedures
8.1 What Constitutes a Data Breach?
A data breach is any unauthorised access to, loss of, or disclosure of personal data. This includes:
- Lost or stolen devices containing staff records.
- Unauthorised access to HR databases.
- Accidental sharing of confidential emails or files.
8.2 Reporting a Data Breach
- Report the breach immediately to the Data Protection Officer.
- The Data Protection Officer assesses the severity and takes remedial action.
- If the breach poses a significant risk, it must be reported to the ICO (Information Commissioner’s Office) within 72 hours.
9. Staff Training and Awareness
- All employees must complete data protection training during induction.
- Annual refresher training covers:
  - Understanding GDPR principles.
  - Safe handling of personal and service user data.
  - Recognising and reporting data breaches.
- The Registered Manager and HR team ensure staff compliance with data protection policies.
10. Monitoring and Compliance
- The Data Protection Officer conducts regular audits to ensure GDPR compliance.
- Confidentiality agreements are signed by all employees as part of their contract.
- Service user and staff feedback is reviewed to monitor data handling effectiveness.
- CIW will assess data protection practices during regulatory inspections.
11. Related Policies
This policy should be read in conjunction with:
- Confidentiality and Data Protection (GDPR) – Service User Policy (DCW34).
- Whistleblowing (Speaking Up) Policy (DCW29).
- IT and Cybersecurity Policy (DCW40).
- Disciplinary and Grievance Policy (DCW31).
12. Policy Review
This policy will be reviewed annually or sooner if required by legislative changes, CIW regulations, or operational needs.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.