{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Accessing Staff Data – UK GDPR, Data Protection and Confidentiality Policy

1. Purpose

The purpose of this policy is to ensure that {{org_field_name}} manages staff personal data lawfully, fairly, transparently and securely in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Data (Use and Access) Act 2025 where in force, and all applicable Scottish social care regulatory requirements. This policy applies to how staff data is collected, accessed, used, shared, stored, retained and securely destroyed. It supports safe recruitment, workforce regulation, effective care governance, confidentiality, accountability and the protection of staff rights.

Our commitments include:

2. Scope

This policy applies to all staff personal data processed by {{org_field_name}}, including data relating to:

This policy applies to staff data held in paper files, electronic files, emails, HR systems, payroll systems, rostering systems, training systems, supervision records, messaging systems, mobile devices, cloud storage, archived records and backup systems.

3. Legal and Regulatory Framework

This policy aligns with the following legislation, regulatory requirements, standards and guidance, where applicable:

The Freedom of Information (Scotland) Act 2002 applies only where {{org_field_name}} is a Scottish public authority or is otherwise legally subject to freedom of information obligations. Where the Act does not apply directly, {{org_field_name}} will still cooperate with lawful information requests from commissioners, regulators and statutory bodies.

4. Lawful Processing of Staff Data

{{org_field_name}} will only process staff personal data where there is a lawful basis under Article 6 of the UK GDPR. The lawful basis will depend on the purpose of processing and may include:

Where {{org_field_name}} processes special category data, such as health information, disability information, sickness records, occupational health information, trade union information, biometric data, racial or ethnic origin, religious or philosophical belief, or sexual orientation, it will identify both a lawful basis under Article 6 and a separate condition under Article 9 of the UK GDPR. This may include employment, social security and social protection law obligations; occupational medicine; assessment of working capacity; health and safety obligations; equality monitoring; safeguarding; legal claims; or explicit consent where appropriate.

Where {{org_field_name}} processes criminal offence data, including PVG, disclosure, barring, conviction or fitness-to-practise information, it will do so only where authorised by law and where necessary for safe recruitment, ongoing suitability checks, safeguarding, regulatory compliance, employment decisions or protection of people receiving care.

4.1 Staff Privacy Notice and Transparency

{{org_field_name}} will provide staff, workers, applicants, volunteers and contractors with clear privacy information explaining how their personal data is collected, used, shared, retained and protected. This information will normally be provided through a staff privacy notice at recruitment, induction and whenever there is a significant change to how staff data is processed.

The staff privacy notice will include:

5. Categories of Staff Data Collected

{{org_field_name}} may collect and process the following categories of staff data where necessary and proportionate:

{{org_field_name}} will not collect more staff data than is necessary for the specified purpose and will keep staff data accurate and up to date.

5.1 PVG, Disclosure Scotland and SSSC Registration Data

For regulated roles with children, protected adults, or both, {{org_field_name}} will ensure that the individual has appropriate PVG scheme membership before carrying out that regulated role. PVG and disclosure information will only be accessed by authorised staff, used for safe recruitment, suitability, safeguarding and regulatory compliance purposes, and retained only for as long as necessary.

{{org_field_name}} will record the outcome of PVG and disclosure checks, the date checked, the role type, the decision made, any risk assessment completed, and any restrictions or conditions required. Full disclosure certificates or detailed vetting information will not be copied or retained unless there is a lawful, necessary and proportionate reason to do so.

Where a role requires SSSC registration, {{org_field_name}} will check and record registration status, conditions, renewal requirements and any relevant fitness-to-practise restrictions. Any concerns about a worker’s fitness to practise will be handled in line with the SSSC Codes of Practice, safeguarding procedures, disciplinary procedures and regulatory reporting duties.

6. Data Access and Authorisation

Access to staff data is strictly controlled and based on the principles of confidentiality, least privilege, need-to-know access, role-based access and accountability.

Staff data may only be accessed where access is necessary for a legitimate and authorised purpose. Access must be proportionate to the role and limited to the minimum information required.

Authorised access may include:

Staff must not access their own HR record, another worker’s record, or any colleague’s personal data through care, HR, rota, payroll or IT systems unless expressly authorised to do so. Unauthorised access, browsing, sharing, downloading, photographing, copying or disclosure of staff data may be treated as misconduct or gross misconduct.

{{org_field_name}} will maintain access permissions, review them regularly, remove access promptly when roles change or employment ends, and investigate any suspected unauthorised access.

6.1 Data Sharing, External Providers and Data Processing Agreements

{{org_field_name}} will only share staff personal data where there is a lawful basis, a defined purpose and a need to share the information. Data sharing must be proportionate, relevant, accurate and limited to the minimum information necessary.

Where an external organisation processes staff data on behalf of {{org_field_name}}, such as payroll, HR software, rostering, training, occupational health, pension, cloud storage or IT support providers, {{org_field_name}} will ensure that a written contract or data processing agreement is in place. This must require the processor to process data only on documented instructions, keep data secure, support staff rights, assist with breaches, use approved sub-processors only where permitted, and return or securely delete data at the end of the contract.

Where staff data is shared with another controller, such as HMRC, Disclosure Scotland, the SSSC, the Care Inspectorate, pension providers, insurers, occupational health clinicians, legal advisers, police or safeguarding authorities, the sharing must be documented and justified.

Staff data must not be transferred outside the UK unless appropriate safeguards are in place and the transfer complies with UK data protection law.

7. Data Storage and Security Measures

7.1 Physical Security

7.2 Digital Security

8. Data Retention and Disposal

8.1 Data Retention Periods

{{org_field_name}} will retain staff data only for as long as necessary for the purpose for which it was collected, including employment, payroll, tax, pension, regulatory, safeguarding, insurance, legal, audit and service-continuity purposes. Retention periods will be recorded in the organisation’s retention schedule and reviewed regularly.

Unless a longer or shorter period is justified and documented, the following retention periods will normally apply:

Records must not be destroyed where they are subject to a live complaint, investigation, safeguarding concern, legal claim, regulatory enquiry, subject access request or instruction to preserve evidence.

8.2 Secure Data Disposal

A record of confidential destruction will be kept where staff records are securely destroyed, including the type of record destroyed, date of destruction, method of destruction and person authorising destruction.

9. Staff Rights Under GDPR

All staff have the following rights regarding their personal data:

Staff may exercise their data rights verbally or in writing by contacting {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}, Data Protection Officer, using the contact details in this policy. {{org_field_name}} will verify the identity of the requester where necessary and will normally respond without undue delay and within one month. This period may be extended by up to two further months where a request is complex or where multiple requests have been received, and the staff member will be informed of the reason for any extension.

Staff also have the right to raise a data protection complaint with {{org_field_name}}. Complaints may relate to how staff data has been collected, used, accessed, shared, retained, deleted or otherwise handled. {{org_field_name}} will acknowledge, investigate and respond to data protection complaints within a reasonable timescale and will explain any action taken. Staff may also complain to the Information Commissioner’s Office.

10. Data Breaches and Incident Response

10.1 Reporting a Data Breach

All suspected data breaches must be reported immediately to the Data Protection Officer (DPO). Examples of breaches include:

Contact:

Email: {{org_field_data_protection_officer_email}}

Phone: {{org_field_data_protection_officer_phone}}

10.2 Incident Management

The Data Protection Officer or appointed data protection lead will record and investigate all suspected or confirmed personal data breaches. The investigation will assess:

Where a breach is likely to result in a risk to individuals’ rights and freedoms, {{org_field_name}} will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to affected individuals, {{org_field_name}} will inform those individuals without undue delay.

All breaches, including those not reported to the ICO, will be recorded in the organisation’s breach log, together with the reasons for any reporting decision, containment action, lessons learned and follow-up actions.

11. Staff Responsibilities

All staff at {{org_field_name}} must:

Failure to comply with data protection policies may result in disciplinary action.

12. Monitoring and Continuous Improvement

To ensure ongoing compliance, {{org_field_name}} will:

12.1 Staff Monitoring and System Access Logs

{{org_field_name}} may monitor use of work systems, emails, devices, electronic care systems, rota systems, access logs and communication systems where this is lawful, necessary and proportionate. Monitoring may be used for information security, safeguarding, service continuity, audit, prevention and detection of misconduct, investigation of complaints, regulatory compliance and protection of people receiving care.

Staff will be informed about routine monitoring through the staff privacy notice, IT policy, electronic communications policy or other relevant policy. Covert monitoring will only be used in exceptional circumstances, where lawful, authorised at senior level, time-limited, proportionate and necessary to investigate suspected serious misconduct, safeguarding risk, criminal activity or serious breach of policy.

Monitoring information will only be accessed by authorised persons and will not be used in a way that is excessive, unfair or incompatible with the purpose for which it was collected.

13. Related Policies

This policy should be read alongside:

14. Policy Review

This policy will be reviewed at least annually or sooner where required because of changes in legislation, ICO guidance, Care Inspectorate guidance, SSSC requirements, Disclosure Scotland requirements, contractual arrangements, technology, working practices, audit findings, complaints, data breaches or regulatory feedback.

The review will check whether this policy remains accurate, effective and aligned with current law and practice in Scotland.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.
