{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Record-Keeping and Confidentiality Policy
Introduction
{{org_field_name}} is committed to maintaining accurate, secure, and confidential records in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Health and Social Care Standards, and Care Inspectorate requirements, including the Care Inspectorate guidance 'Adult care services: Guidance on records you must keep and notifications you must make' (March 2025). Proper record-keeping supports safe, effective, and person-centred care; regulatory compliance; and the safety and wellbeing of people experiencing care and our staff.
Purpose of This Policy
The purpose of this policy is to outline the principles and procedures related to record-keeping and confidentiality within our home care agency. It ensures that all records are created, maintained, and disposed of appropriately while safeguarding sensitive information against unauthorised access, loss, or misuse.
Principles of Record-Keeping
We adhere to the following principles to ensure high-quality record management:
- All records must be accurate, clear, and up to date, reflecting the care provided.
- Information recorded must be relevant, factual, and free from subjective opinions or bias.
- Records should be legible, signed, and dated by the person making the entry.
- Records must be maintained in a way that ensures accountability, traceability, and adherence to regulatory requirements.
Types of Records Maintained
{{org_field_name}} maintains various types of records, including but not limited to:
- Service user records (care plans, risk assessments, health records, incident reports, and daily care logs).
- Staff records (training records, employment contracts, Disclosure Scotland / PVG scheme membership and checks (as applicable), supervision notes, and disciplinary records).
- Organisational records (policies and procedures, accident logs, financial records, and complaint records).
Care Inspectorate Required Records and Notifications (Adult Services)
We maintain the records required for our service type and submit statutory notifications in line with the Care Inspectorate guidance 'Adult care services: Guidance on records you must keep and notifications you must make' (March 2025). This includes keeping clear records of key events (for example, protection concerns, adverse events, missed/late visits where applicable, recruitment checks, supervision/training, and disciplinary outcomes) and making notifications to the Care Inspectorate within required timescales using the digital portal/eForms. Failure to keep required records and submit required notifications may place the service in breach of registration requirements. When completing Care Inspectorate notifications, we will refer to people using the service and staff by initials only unless the guidance states otherwise.
Confidentiality and Data Protection
All records are handled with the highest level of confidentiality. Personal and sensitive data will only be accessed by authorised personnel who have a legitimate reason for viewing it. We comply with the principles of data protection by:
- Ensuring that personal data is processed lawfully, fairly, and transparently.
- Limiting access to records based on job role and necessity.
- Keeping records secure both physically (locked cabinets, restricted office access) and electronically (password protection, encryption, and access logs).
- Not sharing personal information with third parties without consent unless required by law.
Record Storage and Security Measures
To ensure the security and integrity of records:
- Paper-based records are stored in locked filing cabinets in restricted-access areas.
- Digital records are stored on encrypted systems with multi-factor authentication.
- Staff are trained on secure data handling practices, including how to prevent data breaches and handle sensitive information.
- All access to electronic records is logged and monitored to prevent unauthorised use.
Retention and Disposal of Records
Records are retained for the required period as specified by legal and regulatory requirements. We follow strict procedures for the secure disposal of records:
- Paper records are shredded or securely disposed of when no longer needed.
- Electronic records are permanently deleted following GDPR-compliant procedures.
- Any disposal of records is documented to ensure compliance and traceability.
Managing Risks Related to Record-Keeping and Confidentiality
{{org_field_name}} recognises that improper handling of records and breaches of confidentiality pose risks to individuals and the organisation. To manage these risks effectively:
- We conduct regular audits to ensure compliance with record-keeping and confidentiality policies.
- Staff undergo continuous training in data protection, confidentiality, and secure record management.
- We have a clear incident response plan for personal data breaches, including assessing risk, containing the breach, documenting the incident and decision-making, and notifying the ICO within 72 hours of becoming aware of a notifiable breach (where feasible), as well as notifying affected individuals without undue delay where required.
- Confidentiality agreements are signed by all employees and contractors handling sensitive data.
Access to Records
Service users (or their authorised representative) have the right to access their personal data, including care records, by making a Subject Access Request (SAR). Requests do not need to be made in writing. We will verify identity and (where relevant) the authority of any representative (for example, welfare power of attorney/guardianship) before releasing information. We will respond without undue delay and within one month of receipt; where a request is complex or requests are numerous, we may extend by up to a further two months and will tell the requester within the first month if an extension applies. If any information is withheld, we will document the legal basis and explain the reason(s) to the requester.
Staff Responsibilities
All staff members are responsible for ensuring compliance with this policy. Failure to adhere to record-keeping and confidentiality standards may result in disciplinary action. Key responsibilities include:
- Recording accurate and timely information.
- Maintaining the confidentiality of service user and organisational records.
- Reporting any suspected breaches of confidentiality immediately.
- Attending training and updates on data protection and confidentiality procedures.
Review and Updates
This policy will be reviewed annually or sooner if required to reflect changes in legislation, best practices, or operational requirements. Any updates will be communicated to all staff, and training will be provided as necessary.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.