{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Data Protection and GDPR Compliance Policy
1. Purpose and Aims
At our Home Care business, we are committed to protecting the privacy and personal information of our service users, their families, and our staff. We understand that to meet the standards set by the Care Inspectorate Scotland, we must demonstrate robust data protection practices in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines the measures we take to ensure the confidentiality, integrity, and lawful processing of all personal data. It provides clear instructions to our staff on how to handle information responsibly and demonstrates to relevant regulators and stakeholders, including the Care Inspectorate and the Information Commissioner’s Office (ICO), our ongoing commitment to best practice in data protection.
2. Scope
This policy applies to all personal data processed by our organisation, whether relating to service users, employees, contractors, suppliers, or any other individual. It covers data held and processed in any form, whether electronic, paper, or other storage media, and applies to all staff members, including permanent, temporary, agency, and volunteer roles.
3. Regulatory Context
- UK General Data Protection Regulation (UK GDPR): Governs how personal data must be collected, processed, and stored, ensuring transparency and fairness in data usage.
- Data Protection Act 2018: Supplements and tailors the UK GDPR, containing provisions particular to the UK context.
- Data (Use and Access) Act 2025 (DUAA): Makes targeted amendments to the UK GDPR, DPA 2018 and PECR, including clarifying subject access handling (including a ‘stop the clock’ approach where further information is required) and introducing clearer expectations for handling data protection complaints.
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR): Applies to electronic marketing and the use of cookies and similar technologies.
- Care Inspectorate Scotland: Requires regulated care services to maintain robust privacy and data security measures in accordance with its Health and Social Care Standards.
- Care Quality Commission (CQC) (for cross-border considerations): Relevant only where the organisation also delivers regulated activities in England. Where applicable, we will follow CQC expectations alongside Scottish requirements.
- Public Services Reform (Scotland) Act 2010 and The Social Care and Social Work Improvement Scotland (Requirements for Care Services) Regulations 2011 (SSI 2011/210): Set requirements for how care services are provided and how records/plans are maintained.
- Care Inspectorate: ‘Records that registered care services must keep’ and notification/reporting guidance (as applicable to the service type).
By complying with these regulations, we protect the rights and freedoms of individuals whose data we process and uphold the trust they place in us.
4. Definitions
- Personal Data: Any information relating to an identified or identifiable living individual (e.g., name, address, date of birth, phone number, email address, online identifiers).
- Special Category Data (UK GDPR Article 9): Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data (where used to uniquely identify someone), data concerning health, or data concerning a person’s sex life or sexual orientation.
- Criminal Offence Data (UK GDPR Article 10): Personal data relating to criminal convictions and offences or related security measures (e.g., PVG/disclosure outcomes where applicable).
- Processing: Any operation performed on personal data (e.g., collecting, recording, organising, storing, accessing, sharing, amending, restricting, deleting, destroying).
- Data Subject: The individual whose personal data is processed (e.g., service users, family members where relevant, staff, applicants).
- Data Controller: The organisation (our Home Care business) that decides why and how personal data is processed.
- Data Processor: A person or organisation that processes personal data on behalf of the Data Controller (e.g., payroll provider, care management software provider).
- Personal Data Breach: A security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
5. Principles of Data Protection
We adhere to the fundamental principles laid out in the UK GDPR:
- Lawfulness, Fairness, and Transparency: We only process data where we have a lawful basis (e.g., consent, contractual necessity, legal obligation) and clearly communicate this to individuals.
- Purpose Limitation: We collect data for specific, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
- Data Minimisation: We only collect the personal data that is relevant, adequate, and limited to what is necessary for the provision of care or running of our business.
- Accuracy: We keep personal data accurate and up to date. Inaccuracies are rectified or deleted promptly.
- Storage Limitation: We retain personal data only as long as necessary, in line with legal or regulatory requirements.
- Integrity and Confidentiality: We process data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
- Accountability: We take responsibility for and can demonstrate compliance with all of the above principles.
6. Data Protection Process
We manage data protection through a systematic approach that follows the cycle of identification, assessment, implementation, documentation, and review. We align this with our broader governance framework, ensuring that data protection remains a core component of our organisational processes.
- Identifying Data Protection Requirements
  - We monitor changes in legislation and best practice to ensure our processes remain compliant.
  - We identify high-risk data types (e.g., health, financial, or special category data) and take extra measures to protect them, ensuring we only process such data where necessary and lawful.
- Assessing Data Handling Processes
  - We regularly conduct Data Protection Impact Assessments (DPIAs) for new or significantly changed services to evaluate potential risks.
  - These assessments help us understand the data flow within our organisation, identifying areas where data could be vulnerable to breaches or misuse.
- Development of Data Protection Measures
  - Access Controls: We adopt role-based access, granting staff the minimum level of access necessary to perform their duties.
  - Encryption and Secure Storage: We encrypt digital records, store physical files in locked cabinets, and implement secure backup systems to guard against data loss.
  - Privacy by Design: When introducing new systems or processes, we consider data protection at the outset to embed privacy measures in each stage of development.
- Documentation and Communication
  - We maintain an up-to-date Data Protection Policy, Privacy Notices, and Data Retention Schedules, ensuring staff and service users have a clear understanding of our practices.
  - Key information about data handling is included in service user agreements, staff contracts, and relevant organisational handbooks to promote transparency.
  - We document our legal basis for processing data and inform service users of their rights, including how they can exercise these rights.
- Implementation and Staff Guidance
  - Staff Training: We provide comprehensive induction training on data protection, with mandatory refresher courses at regular intervals. Training covers practical steps for maintaining confidentiality (e.g., proper handling of paperwork, cautious email/IT usage).
  - Safe Sharing of Data: If we need to share information with third parties (e.g., health professionals, emergency services), we do so only with consent or another lawful basis, ensuring appropriate agreements are in place to protect that information.
  - Breaches and Near Misses: Staff are instructed to report any suspected or actual data breach to the Registered Manager or Data Protection Officer (if designated) immediately. Prompt reporting aids quick containment and remediation.
- Monitoring and Review
  - We conduct periodic audits of our data processing activities to ensure ongoing compliance with the UK GDPR and Care Inspectorate Scotland standards.
  - The Registered Manager and senior leadership analyse audit results, address identified gaps, and update policies or procedures as needed.
  - We engage in continuous improvement, seeking feedback from staff, service users, and external partners on data handling practices.
7. Lawful Bases for Processing
We only process personal data where we have a lawful basis under Article 6 UK GDPR and, where we process special category data (such as health and care information), we also identify a separate condition under Article 9 UK GDPR.
7.1 Article 6 UK GDPR lawful bases (personal data)
We process personal data under one or more of the following lawful bases, depending on the purpose:
- Consent: Where an individual has given clear permission for us to process their data for a specific purpose (not normally relied on for core care delivery where there is an imbalance of power or where care must continue regardless).
- Contract: Where processing is necessary to enter into or perform a contract with the individual (e.g., service agreements, employment contracts).
- Legal obligation: Where we must process data to meet statutory or regulatory requirements.
- Vital interests: In emergency situations, where processing is necessary to protect someone’s life.
- Legitimate interests: Where processing is necessary for our organisational needs, provided those interests are not overridden by the individual’s rights and freedoms (and we document our assessment where appropriate).
7.2 Special category data and criminal offence data (additional safeguards)
Because we routinely handle special category data (including health data) in the delivery and management of care, we identify and document an Article 9 condition before processing begins (in addition to the Article 6 lawful basis).
Where we process criminal offence data (for example where disclosure/PVG information is relevant to recruitment and safer staffing), we ensure we have the required UK legal basis and safeguards in place.
7.3 Schedule 1 (DPA 2018) and Appropriate Policy Document (APD)
Where we rely on a Data Protection Act 2018 Schedule 1 condition for processing special category or criminal offence data, we will maintain an Appropriate Policy Document (APD) and supporting records (including retention and erasure policies) where required, and keep these under review.
8. Service User and Staff Rights
Under the UK GDPR, individuals have the right to:
- Be Informed: About how we process their data and why.
- Access: A copy of their personal data (Subject Access Request).
- Rectification: Of inaccuracies in their data.
- Erasure (“Right to be Forgotten”): Where continued processing is not justified.
- Restrict Processing: Under certain circumstances (e.g., pending correction of data).
- Data Portability: Receive personal data in a structured, commonly used, and machine-readable format.
- Object: To processing based on legitimate interests or for direct marketing.
- Not Be Subject to Automated Decision-Making: Without meaningful human intervention.
We inform service users and staff of these rights in our Privacy Notices and respond to any request promptly and in accordance with statutory timescales.
We respond to Subject Access Requests (SARs) within the statutory timescales. Where we require additional information to verify identity and/or to clarify what is requested, we will request this promptly. In line with current UK law, we may pause the response time while we are awaiting the additional information, and the response time will resume once the information is received. We will undertake reasonable and proportionate searches for personal data when responding.
Individuals can raise concerns or complaints about how we use their information. We will provide a clear route to do so (including an electronic option where appropriate), investigate promptly, and inform the individual of the outcome and any actions taken. Individuals also have the right to complain to the Information Commissioner’s Office (ICO).
9. Data Retention and Disposal
- We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected or to comply with legal obligations.
- Clear retention schedules dictate how long various categories of data (e.g., service user records, staff files) are kept.
- Once the retention period expires, data is securely disposed of or anonymised, ensuring it can no longer identify individuals.
Our retention schedules specifically cover the categories of records we are required to hold as a regulated care service (including care records and other operational records), and are aligned to Care Inspectorate requirements on records services must keep and related notification/reporting expectations. We can evidence retention periods and secure disposal decisions on request.
10. Data Security Measures
- Physical Security:
  - Lockable storage for paper records.
  - Restricted access to offices or archives, monitored by staff oversight or security systems.
- IT Security:
  - Use of secure passwords and unique logins for each staff member.
  - Firewalls, anti-virus software, and automated system updates.
  - Encrypted data transfers and backup processes.
  - Role-based access to software systems, limiting data availability to those who need it.
- Portable Devices:
  - Strict rules on using personal mobile phones, laptops, or tablets for work-related tasks.
  - Encryption of all devices that handle personal data.
  - Prohibitions on storing sensitive data on unencrypted USB sticks or cloud services outside our approved providers.
11. Data Breach Management
- Immediate Reporting: Staff are required to report suspected or actual data breaches immediately to the Registered Manager or designated Data Protection Officer.
- Investigation and Containment: An internal team investigates the cause and scope of the breach. We take swift action to prevent further unauthorised access, using measures such as shutting down systems or changing passwords.
- Notification: Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours. Where the breach is likely to result in a high risk to individuals, we will also inform affected individuals without undue delay.
- Corrective Measures: After the breach is contained, we evaluate our processes and implement additional safeguards to prevent recurrence.
12. Staff Training and Responsibilities
All staff receive mandatory training on data protection, both at induction and regularly thereafter. This includes:
- Understanding the principles of data protection and confidentiality.
- Practical steps for data handling (e.g., secure filing, password management).
- Recognising potential breaches and reporting them promptly.
- Respecting service users’ rights, including the right to privacy and the confidentiality of personal information.
Staff are held accountable for any breaches resulting from their negligence or misconduct. Repeated or serious failures to follow data protection protocols may result in disciplinary action.
13. Working with Third Parties
We may share personal data with third-party service providers (e.g., payroll companies, IT support, external healthcare professionals) in order to deliver safe and effective care or manage the business efficiently. We:
- Conduct due diligence on all third parties to ensure they uphold data protection standards.
- Use data-sharing agreements or contractual clauses to clarify each party’s responsibilities and ensure compliance with the UK GDPR.
- Only share data relevant to the defined purpose, and limit the scope of access accordingly.
14. Quality Assurance and Continuous Improvement
- Auditing: We regularly audit our data handling processes to check compliance, identifying any areas where we can strengthen security or clarity.
- Feedback Loop: We encourage staff, service users, and other stakeholders to provide feedback on our data protection practices.
- Policy Review: We review this Data Protection Policy and related procedures at least annually, or when new legislation or guidance requires updates.
15. Implementation and Review of This Policy
This policy takes immediate effect once approved by the senior management team. All staff must familiarise themselves with its contents and integrate these practices into their daily work. Should any aspect of this policy require amendment (due to changes in law, guidance, or the structure of our services), we will promptly communicate these changes to all staff, ensure they receive adequate training, and record the revisions in our policy documentation system.
16. References
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Care Inspectorate Scotland: Health and Social Care Standards
- Information Commissioner’s Office (ICO) Guidance
- Data (Use and Access) Act 2025 (DUAA)
- PECR 2003
- SSI 2011/210
Policy Statement
By adhering to this Data Protection and GDPR Compliance Policy, our Home Care business demonstrates its unwavering commitment to safeguarding personal information and respecting individuals’ rights. Through well-defined procedures, comprehensive staff training, and continuous monitoring, we ensure the confidentiality, integrity, and lawful handling of all data in accordance with Care Inspectorate Scotland regulations and best practice standards.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.