{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Accessing Data of People Receiving Care – GDPR Compliance Policy

1. Purpose

The purpose of this policy is to ensure that {{org_field_name}} processes personal data and special category data about people receiving care lawfully, fairly, transparently and securely. This policy supports compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 insofar as its provisions are in force, and applicable Scottish social care legislation and regulatory requirements, including the Public Services Reform (Scotland) Act 2010, the Social Care and Social Work Improvement Scotland (Requirements for Care Services) Regulations 2011, the Health and Social Care Standards, Care Inspectorate guidance, and the Scottish Social Services Council (SSSC) Codes of Practice.

This policy ensures that:

2. Scope

This policy applies to:

3. Legal and Regulatory Framework

This policy should be read and applied in accordance with the following legislation, standards and guidance, as amended or replaced from time to time:

Freedom of Information: The Freedom of Information (Scotland) Act 2002 applies to Scottish public authorities. It will only apply to {{org_field_name}} where the organisation is legally subject to it or is responding to information requests on behalf of a public authority under contractual arrangements. It does not replace UK GDPR rights of access to personal data.

4. Principles of GDPR in Handling Care Data

{{org_field_name}} follows the seven key principles of UK GDPR to ensure ethical and legal data processing:

4.1 Lawfulness, Fairness, and Transparency

{{org_field_name}} will identify and document the lawful basis for each type of processing before personal data is processed. Depending on the purpose, lawful bases may include contract, legal obligation, vital interests, public task or legitimate interests. Consent will only be used as the lawful basis where it is appropriate, freely given, specific, informed and capable of being withdrawn. Consent for receiving care, consent to share information, and consent as a UK GDPR lawful basis are separate matters and must not be confused.

4.2 Purpose Limitation

4.3 Data Minimisation

4.4 Accuracy

4.5 Storage Limitation

4.6 Integrity and Confidentiality (Security)

4.7 Accountability

{{org_field_name}} must be able to demonstrate compliance with UK GDPR.

{{org_field_name}} will appoint a Data Protection Officer where this is legally required. Where a formal Data Protection Officer is not legally required, the organisation will appoint a named Data Protection Lead with responsibility for day-to-day data protection compliance, advice, monitoring, training, breach coordination and liaison with the Information Commissioner’s Office (ICO) where necessary.

4.8 Special Category Data

Information about a person’s physical or mental health, care needs, medication, disability, support arrangements, safeguarding concerns, religious or cultural needs, and other sensitive matters may be special category data under UK GDPR. Where {{org_field_name}} processes special category data, it will identify both:

For direct care and support, the relevant Article 9 condition may include processing necessary for the provision of health or social care, subject to appropriate confidentiality safeguards. Where safeguarding, adult protection, legal claims, vital interests or substantial public interest conditions apply, the organisation will record the relevant condition and any additional safeguards required by the Data Protection Act 2018. Where required, {{org_field_name}} will maintain an Appropriate Policy Document explaining how special category data is protected, retained and deleted.

5. Handling and Accessing Personal Data

5.1 Collecting and Storing Personal Data

{{org_field_name}} will only collect personal data that is necessary, relevant and proportionate for the purpose of assessing, planning, delivering, reviewing and evidencing safe care and support. This may include:

Electronic records will be stored in secure systems with role-based access controls. Paper records will be stored securely and only accessed by authorised staff who need the information to perform their role.

5.2 Accessing Personal Data

Personal data must only be accessed by authorised staff for a legitimate work-related purpose. Staff must not access records because of curiosity, personal interest, family connection, friendship, dispute or any other non-work reason. Access will be based on role, responsibility and need to know.

Access permissions will be reviewed regularly, including when staff change role, leave employment, move service area or no longer require access.

5.3 Sharing and Disclosing Data

{{org_field_name}} will share personal data only where there is a lawful basis and the sharing is necessary, proportionate and in the person’s interests or otherwise legally justified. Information may be shared:

The person’s wishes and choices about information sharing will be respected wherever possible. However, information may be shared without consent where this is necessary for safeguarding, adult protection, vital interests, legal obligations, regulatory requirements or the provision of safe care. Staff must record what information was shared, with whom, when, why, the lawful basis relied upon, and any decision not to inform the person.

5.4 Confidentiality and Professional Duties

All staff must treat information about people receiving care as confidential. Staff must follow this policy, the organisation’s confidentiality procedures, their contract of employment, and the SSSC Codes of Practice. Staff must not discuss personal information in public places, on social media, with unauthorised colleagues, with family or friends, or with any person who does not have a legitimate need to know. Staff must explain confidentiality arrangements to people receiving care and carers in a way they can understand, including when information may need to be shared to keep people safe or meet legal duties.

6. Rights of People Receiving Care under Data Protection Law

People receiving care have rights under data protection law. These include:

Requests must be passed immediately to the Data Protection Officer or Data Protection Lead. {{org_field_name}} will verify the identity and authority of the requester before disclosing information. Subject Access Requests will normally be responded to within one month. Where a request is complex or where multiple requests have been made, the response period may be extended where permitted by law. Where further information is reasonably required from the requester to clarify the request, the response time may be paused until the information is received, in line with current data protection law.

Information will usually be provided free of charge. A reasonable fee may only be charged, or a request refused, where the law permits this, for example where a request is manifestly unfounded or excessive. Any refusal or partial refusal must be documented and explained to the requester, including their right to complain to the Information Commissioner’s Office.

6.1 Requests from Relatives, Carers, Attorneys, Guardians and Representatives

Relatives, carers and friends do not have an automatic right to access a person’s care records. Information may be shared with them where the person has consented, where they have legal authority, where sharing is necessary for the person’s care and support, or where another lawful basis applies.

Where a request is made by an attorney, guardian, intervener, advocate or other representative, staff must check the scope of that person’s authority before sharing information. Where the person receiving care has capacity, their wishes must be sought and respected wherever possible. Where the person lacks capacity, information sharing must be necessary, proportionate and in line with the Adults with Incapacity (Scotland) Act 2000 and any relevant legal authority.

6.2 Data Protection Complaints

People receiving care, their representatives, staff and others may raise a data protection complaint if they are concerned about how their personal data has been collected, used, shared, stored, retained or deleted. {{org_field_name}} will provide a clear route for making data protection complaints, including an electronic method of complaint where required.

Data protection complaints will be acknowledged, investigated and responded to without undue delay. The response will explain the outcome of the complaint, any action taken, and the person’s right to complain to the Information Commissioner’s Office if they remain dissatisfied. Data protection complaints will be recorded and reviewed as part of the organisation’s governance and quality assurance processes.

7. Data Security Measures

{{org_field_name}} will apply appropriate technical and organisational measures to protect personal data and special category data. These measures will include, where applicable:

Staff must ensure that care records are not left visible or accessible to unauthorised people in a person’s home, vehicle, office, public place or electronic device.

8. Reporting Personal Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include sending information to the wrong person, losing paper records, unauthorised access to electronic records, cyber incidents, stolen devices, verbal disclosure to the wrong person, or failure to secure records in a person’s home or staff vehicle.

All suspected or actual data breaches must be reported immediately to the Data Protection Officer or Data Protection Lead. Staff must not delay reporting while trying to investigate the matter themselves.

The Data Protection Officer or Data Protection Lead will:

  1. identify what happened, when it happened, what data was involved and who was affected;
  2. contain the breach and reduce the risk of further harm;
  3. assess the likely risk to the rights and freedoms of affected individuals;
  4. decide whether the breach must be reported to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of it;
  5. decide whether affected individuals must be informed without undue delay because the breach is likely to result in a high risk to them;
  6. notify the Care Inspectorate, commissioners, local authority, NHS partner, Police Scotland, adult protection services or other bodies where required by law, contract, regulation or safeguarding duties;
  7. record the breach, decision-making, action taken and lessons learned, whether or not the breach is reported externally.

All breaches and near misses will be reviewed to identify learning, improve systems and reduce recurrence.

8.1 Care Inspectorate Notifications and Data Protection

Where an incident involves both a notifiable care-service event and personal data, staff must follow both the Care Inspectorate notification procedure and this data breach procedure. Data protection law must not be used as a reason to delay or prevent a required safeguarding, adult protection, regulatory or contractual notification. Information included in notifications must be accurate, relevant, proportionate and consistent with the organisation’s records.

8.2 Data Protection Impact Assessments

{{org_field_name}} will complete a Data Protection Impact Assessment (DPIA) before introducing any new processing, technology, system or data-sharing arrangement that is likely to result in a high risk to individuals. This includes new electronic care-planning systems, remote monitoring systems, large-scale processing of special category data, new data-sharing arrangements, use of artificial intelligence or automated decision-making, and any system that significantly changes how care records are accessed or shared. DPIAs will identify risks, safeguards, responsibilities and actions required before implementation.

9. Staff Training and Compliance

All staff, including agency and temporary staff, must complete data protection and confidentiality training during induction and at regular intervals thereafter. Training will cover:

Failure to follow this policy may result in disciplinary action, referral to the SSSC where appropriate, reporting to regulators or authorities, and/or legal action.

10. Monitoring, Audit and Quality Assurance

{{org_field_name}} will monitor compliance with this policy through governance and quality assurance arrangements. This will include:

Findings from audits and incidents will be used to improve training, systems, supervision and practice.

10.1 Retention and Secure Disposal

{{org_field_name}} will maintain a records retention schedule setting out how long different categories of records are kept, the legal or regulatory reason for retention, and how records will be securely destroyed or archived. Retention periods will take account of care-service regulation, contractual requirements, safeguarding needs, insurance requirements, limitation periods, professional guidance and data protection principles.

Records must not be destroyed where they are required for an ongoing complaint, investigation, safeguarding matter, adult protection inquiry, legal claim, regulatory inspection, Subject Access Request or other lawful purpose. When records reach the end of their retention period, they will be securely destroyed in a way that protects confidentiality. The decision to destroy care records must be authorised and recorded.

10.2 Data Processors and Third-Party Systems

Where {{org_field_name}} uses third-party organisations to process personal data on its behalf, including electronic care-planning systems, payroll providers, IT support, cloud storage, training systems or confidential waste providers, a written contract or data processing agreement must be in place. The agreement must set out the processor’s responsibilities, confidentiality requirements, security measures, breach reporting duties, sub-processor controls, audit rights, retention and deletion arrangements, and instructions for processing.

{{org_field_name}} will carry out appropriate due diligence before using systems or suppliers that process personal data and will review supplier compliance periodically.

10.3 International Transfers

Personal data must not be transferred outside the UK unless there is a lawful transfer mechanism and appropriate safeguards are in place. Before using any system, supplier or cloud service that stores or accesses personal data outside the UK, {{org_field_name}} will check the transfer arrangements, document the safeguards relied upon, and ensure the transfer complies with UK data protection law.

10.4 Automated Decision-Making and Artificial Intelligence

{{org_field_name}} will not make decisions about a person’s care, support, access to services, risk level or safeguarding response based solely on automated processing unless this is lawful, necessary and subject to appropriate safeguards. Where automated decision-making or artificial intelligence tools are used, the organisation will ensure transparency, human oversight, the ability to challenge decisions, and compliance with data protection law. A Data Protection Impact Assessment must be completed before introducing such tools where they may create a high risk to individuals.

11. Related Policies

This policy should be read alongside:

12. Policy Review

This policy will be reviewed at least annually and sooner where there are changes in legislation, ICO guidance, Care Inspectorate guidance, SSSC Codes of Practice, contractual requirements, technology, systems, data-sharing arrangements, organisational structure or identified learning from incidents, complaints, audits or inspections. Any amendments will be communicated to staff and relevant stakeholders, and staff will receive additional training where required.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on:
{{last_update_date}}
Next Review Date:
{{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.
