{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Accessing Data of People Receiving Care – GDPR Compliance Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} processes personal data and special category data about people receiving care lawfully, fairly, transparently and securely. This policy supports compliance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Data (Use and Access) Act 2025 insofar as its provisions are in force, and applicable Scottish social care legislation and regulatory requirements, including the Public Services Reform (Scotland) Act 2010, the Social Care and Social Work Improvement Scotland (Requirements for Care Services) Regulations 2011, the Health and Social Care Standards, Care Inspectorate guidance, and the Scottish Social Services Council Codes of Practice.
This policy ensures that:
- People receiving care have full transparency on how their personal data is used.
- Staff follow clear and legally compliant data-handling procedures.
- The rights of individuals under UK GDPR and data protection laws are upheld.
- Data security measures prevent unauthorised access, breaches, or misuse.
- A structured approach to accessing and sharing data is in place, ensuring ethical and professional data handling.
2. Scope
This policy applies to:
- All employees, including care workers, supervisors, and management, who access or handle personal data.
- Agency and temporary staff, ensuring they follow the same GDPR-compliant procedures as permanent staff.
- Third parties, including external professionals and service providers, who process data on behalf of {{org_field_name}}.
- People receiving care and their families, ensuring they are aware of their rights regarding data access and security.
3. Legal and Regulatory Framework
This policy should be read and applied in accordance with the following legislation, standards and guidance, as amended or replaced from time to time:
- UK General Data Protection Regulation (UK GDPR) – governing the lawful, fair, transparent and secure processing of personal data.
- Data Protection Act 2018 – providing UK-specific data protection rules, including rules for special category data and safeguarding processing.
- Data (Use and Access) Act 2025 – amending aspects of UK data protection law, including subject access, complaints, automated decision-making, recognised legitimate interests and international transfers, as relevant when provisions come into force.
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) – where the service uses electronic marketing, website cookies or similar technologies.
- Human Rights Act 1998 – including respect for private and family life.
- Public Services Reform (Scotland) Act 2010 – establishing the Scottish care-service regulatory framework operated by the Care Inspectorate.
- Social Care and Social Work Improvement Scotland (Requirements for Care Services) Regulations 2011 – including requirements relating to the welfare of people using services and personal planning.
- Adults with Incapacity (Scotland) Act 2000 – where information relates to adults who lack capacity and decisions involve guardians, attorneys, interveners or other authorised persons.
- Adult Support and Protection (Scotland) Act 2007 – where information must be shared or recorded for adult protection purposes.
- Health and Social Care Standards: My support, my life – including dignity, privacy, involvement, choice, safety and wellbeing.
- Care Inspectorate quality frameworks, records guidance and notification guidance for adult services – including requirements to keep accurate records and submit required notifications.
- Scottish Social Services Council Codes of Practice for Social Service Workers and Employers 2024 – including duties to respect confidential information, maintain accurate records, protect rights and uphold public trust.
Freedom of Information: The Freedom of Information (Scotland) Act 2002 applies to Scottish public authorities. It will only apply to {{org_field_name}} where the organisation is legally subject to it or is responding to information requests on behalf of a public authority under contractual arrangements. It does not replace UK GDPR rights of access to personal data.
4. Principles of GDPR in Handling Care Data
{{org_field_name}} follows the seven key principles of UK GDPR to ensure ethical and legal data processing:
4.1 Lawfulness, Fairness, and Transparency
- Personal data must be processed lawfully, fairly, and transparently.
- Individuals must be informed why their data is being collected and how it will be used.
- Privacy notices are provided to individuals outlining their data rights.
{{org_field_name}} will identify and document the lawful basis for each type of processing before personal data is processed. Depending on the purpose, lawful bases may include contract, legal obligation, vital interests, public task or legitimate interests. Consent will only be used as the lawful basis where it is appropriate, freely given, specific, informed and capable of being withdrawn. Consent for receiving care, consent to share information, and consent as a UK GDPR lawful basis are separate matters and must not be confused.
4.2 Purpose Limitation
- Data must only be collected for specified, explicit, and legitimate purposes.
- Personal data must not be further processed for a purpose that is incompatible with the purpose for which it was collected, unless a separate lawful basis applies or the person has given consent to the new use.
4.3 Data Minimisation
- Only the minimum necessary personal data should be collected and processed.
- Staff must not access personal data unless it is necessary for the care, management or compliance task they are carrying out in their role.
4.4 Accuracy
- Personal data must be accurate, up-to-date, and corrected when necessary.
- People receiving care have the right to request corrections to their records.
4.5 Storage Limitation
- Personal data must be kept only for as long as necessary.
- Retention schedules ensure that outdated data is securely deleted or archived.
4.6 Integrity and Confidentiality (Security)
- Data must be kept secure and protected from unauthorised access, loss, or breaches.
- Staff must follow strict data security policies, including encryption and access controls.
4.7 Accountability
{{org_field_name}} must be able to demonstrate compliance with UK GDPR.
{{org_field_name}} will appoint a Data Protection Officer where this is legally required. Where a formal Data Protection Officer is not legally required, the organisation will appoint a named Data Protection Lead with responsibility for day-to-day data protection compliance, advice, monitoring, training, breach coordination and liaison with the Information Commissioner’s Office where necessary.
4.8 Special Category Data
Information about a person’s physical or mental health, care needs, medication, disability, support arrangements, safeguarding concerns, religious or cultural needs, and other sensitive matters may be special category data under UK GDPR. Where {{org_field_name}} processes special category data, it will identify both:
- a lawful basis under Article 6 UK GDPR; and
- a special category condition under Article 9 UK GDPR.
For direct care and support, the relevant Article 9 condition may include processing necessary for the provision of health or social care, subject to appropriate confidentiality safeguards. Where safeguarding, adult protection, legal claims, vital interests or substantial public interest conditions apply, the organisation will record the relevant condition and any additional safeguards required by the Data Protection Act 2018. Where required, {{org_field_name}} will maintain an Appropriate Policy Document explaining how special category data is protected, retained and deleted.
5. Handling and Accessing Personal Data
5.1 Collecting and Storing Personal Data
{{org_field_name}} will only collect personal data that is necessary, relevant and proportionate for the purpose of assessing, planning, delivering, reviewing and evidencing safe care and support. This may include:
- name, date of birth, address, contact details and emergency contacts;
- personal plans, care plans, risk assessments, reviews and daily care records;
- health information, medication information, allergies, mobility needs, nutrition and hydration needs, communication needs and support preferences;
- information about representatives, guardians, attorneys, advocates, carers, relatives and professionals involved in the person’s care;
- consent records, information-sharing records and records of decisions made in the person’s best interests or under legal authority;
- incident, accident, complaint, safeguarding, adult protection and notification records;
- records relating to money, property or financial transactions where staff support the person with these matters;
- equality, diversity, cultural, religious or language information where this is needed to provide person-centred support;
- records required by the Care Inspectorate, commissioners, regulators or other lawful authorities.
Electronic records will be stored in secure systems with role-based access controls. Paper records will be stored securely and only accessed by authorised staff who need the information to perform their role.
5.2 Accessing Personal Data
Personal data must only be accessed by authorised staff for a legitimate work-related purpose. Staff must not access records because of curiosity, personal interest, family connection, friendship, dispute or any other non-work reason. Access will be based on role, responsibility and need to know.
- Care and support staff may access the person’s personal plan, daily care notes, risk assessments, medication information and other information necessary to provide safe care during their duties.
- Supervisors and managers may access care records, staffing records, incident records, complaints, safeguarding records and audit information where needed to manage and improve the service.
- The Data Protection Officer or Data Protection Lead may access information required to monitor compliance, investigate breaches, respond to rights requests, complete audits and provide advice.
- External professionals may receive information only where there is a lawful basis, a legitimate care, safeguarding or legal purpose, and the disclosure is necessary and proportionate.
Access permissions will be reviewed regularly, including when staff change role, leave employment, move service area or no longer require access.
5.3 Sharing and Disclosing Data
{{org_field_name}} will share personal data only where there is a lawful basis and the sharing is necessary, proportionate and in the person’s interests or otherwise legally justified. Information may be shared:
- with the person receiving care and, where appropriate, their authorised representative, guardian, attorney, advocate or carer;
- with health and social care professionals involved in assessing, planning, delivering or reviewing the person’s care;
- with commissioners, local authorities, NHS services, the Care Inspectorate, SSSC, Police Scotland, adult protection services or other lawful authorities where required or justified;
- where necessary to prevent or respond to harm, abuse, neglect, exploitation, serious risk or medical emergency;
- where required by law, contract, court order, regulatory requirement or safeguarding duty.
The person’s wishes and choices about information sharing will be respected wherever possible. However, information may be shared without consent where this is necessary for safeguarding, adult protection, vital interests, legal obligations, regulatory requirements or the provision of safe care. Staff must record what information was shared, with whom, when, why, the lawful basis relied upon, and any decision not to inform the person.
5.4 Confidentiality and Professional Duties
All staff must treat information about people receiving care as confidential. Staff must follow this policy, the organisation’s confidentiality procedures, their contract of employment, and the SSSC Codes of Practice. Staff must not discuss personal information in public places, on social media, with unauthorised colleagues, with family or friends, or with any person who does not have a legitimate need to know. Staff must explain confidentiality arrangements to people receiving care and carers in a way they can understand, including when information may need to be shared to keep people safe or meet legal duties.
6. Rights of People Receiving Care under Data Protection Law
People receiving care have rights under data protection law. These include:
- the right to be informed about how their personal data is used;
- the right of access to their personal data, commonly known as a Subject Access Request;
- the right to rectification of inaccurate or incomplete data;
- the right to erasure, where this applies;
- the right to restrict processing in certain circumstances;
- the right to object to processing in certain circumstances;
- the right to data portability, where this applies;
- rights relating to automated decision-making and profiling, where applicable;
- the right to withdraw consent where consent is the lawful basis for processing.
Requests must be passed immediately to the Data Protection Officer or Data Protection Lead. {{org_field_name}} will verify the identity and authority of the requester before disclosing information. Subject Access Requests will normally be responded to within one month. Where a request is complex or where multiple requests have been made, the response period may be extended where permitted by law. Where further information is reasonably required from the requester to clarify the request, the response time may be paused until the information is received, in line with current data protection law.
Information will usually be provided free of charge. A reasonable fee may only be charged, or a request refused, where the law permits this, for example where a request is manifestly unfounded or excessive. Any refusal or partial refusal must be documented and explained to the requester, including their right to complain to the Information Commissioner’s Office.
6.1 Requests from Relatives, Carers, Attorneys, Guardians and Representatives
Relatives, carers and friends do not have an automatic right to access a person’s care records. Information may be shared with them where the person has consented, where they have legal authority, where sharing is necessary for the person’s care and support, or where another lawful basis applies.
Where a request is made by an attorney, guardian, intervener, advocate or other representative, staff must check the scope of that person’s authority before sharing information. Where the person receiving care has capacity, their wishes must be sought and respected wherever possible. Where the person lacks capacity, information sharing must be necessary, proportionate and in line with the Adults with Incapacity (Scotland) Act 2000 and any relevant legal authority.
6.2 Data Protection Complaints
People receiving care, their representatives, staff and others may raise a data protection complaint if they are concerned about how their personal data has been collected, used, shared, stored, retained or deleted. {{org_field_name}} will provide a clear route for making data protection complaints, including an electronic method of complaint where required.
Data protection complaints will be acknowledged, investigated and responded to without undue delay. The response will explain the outcome of the complaint, any action taken, and the person’s right to complain to the Information Commissioner’s Office if they remain dissatisfied. Data protection complaints will be recorded and reviewed as part of the organisation’s governance and quality assurance processes.
7. Data Security Measures
{{org_field_name}} will apply appropriate technical and organisational measures to protect personal data and special category data. These measures will include, where applicable:
- role-based access to electronic care systems;
- strong passwords and multi-factor authentication where available;
- secure storage of paper records in locked cabinets or locked bags when transported;
- encryption or equivalent protection for laptops, tablets, mobile phones and portable media;
- secure email or approved secure messaging when sharing confidential information;
- audit logs and access monitoring for electronic systems, recording who accessed which record and when, with logs retained and reviewed so that access without a legitimate care or work-related reason can be identified and acted upon;
- prompt removal of access when staff leave or change role;
- clear-desk and clear-screen arrangements;
- secure disposal of confidential waste by shredding or approved confidential-waste disposal;
- prohibition on storing care records on personal phones, personal email accounts, personal cloud storage or unauthorised devices;
- procedures for remote working, lone working and use of mobile devices in the community;
- regular review of suppliers, processors and electronic care-planning systems;
- cyber security controls, including anti-malware protection, timely installation of security updates, regularly tested back-ups and incident response arrangements.
Staff must ensure that care records are not left visible or accessible to unauthorised people in a person’s home, vehicle, office, public place or electronic device.
8. Reporting Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include sending information to the wrong person, losing paper records, unauthorised access to electronic records, cyber incidents, stolen devices, verbal disclosure to the wrong person, or failure to secure records in a person’s home or staff vehicle.
All suspected or actual data breaches must be reported immediately to the Data Protection Officer or Data Protection Lead. Staff must not delay reporting while trying to investigate the matter themselves.
The Data Protection Officer or Data Protection Lead will:
- identify what happened, when it happened, what data was involved and who was affected;
- contain the breach and reduce the risk of further harm;
- assess the likely risk to the rights and freedoms of affected individuals;
- decide whether the breach must be reported to the Information Commissioner’s Office, which must be done without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals;
- decide whether affected individuals must be informed without undue delay because the breach is likely to result in a high risk to them;
- notify the Care Inspectorate, commissioners, local authority, NHS partner, Police Scotland, adult protection services or other bodies where required by law, contract, regulation or safeguarding duties;
- record the breach, decision-making, action taken and lessons learned, whether or not the breach is reported externally.
All breaches and near misses will be reviewed to identify learning, improve systems and reduce recurrence.
8.1 Care Inspectorate Notifications and Data Protection
Where an incident involves both a notifiable care-service event and personal data, staff must follow both the Care Inspectorate notification procedure and this data breach procedure. Data protection law must not be used as a reason to delay or prevent a required safeguarding, adult protection, regulatory or contractual notification. Information included in notifications must be accurate, relevant, proportionate and consistent with the organisation’s records.
8.2 Data Protection Impact Assessments
{{org_field_name}} will complete a Data Protection Impact Assessment before introducing any new processing, technology, system or data-sharing arrangement that is likely to result in a high risk to individuals. This includes new electronic care-planning systems, remote monitoring systems, large-scale processing of special category data, new data-sharing arrangements, use of artificial intelligence or automated decision-making, and any system that significantly changes how care records are accessed or shared. DPIAs will identify risks, safeguards, responsibilities and actions required before implementation.
9. Staff Training and Compliance
All staff, including agency and temporary staff, must complete data protection and confidentiality training during induction and at regular intervals thereafter. Training will cover:
- UK GDPR, the Data Protection Act 2018 and this policy;
- confidentiality and professional responsibilities under the SSSC Codes of Practice;
- recognising and protecting special category data;
- lawful access to care records and role-based access controls;
- secure use of electronic care systems, mobile devices and paper records;
- Subject Access Requests and requests from relatives or representatives;
- information sharing for care, safeguarding, adult protection and emergencies;
- recognising and reporting data breaches and cyber incidents;
- phishing, password security and safe communication.
Failure to follow this policy may result in disciplinary action, referral to the SSSC where appropriate, reporting to regulators or authorities, and/or legal action.
10. Monitoring, Audit and Quality Assurance
{{org_field_name}} will monitor compliance with this policy through governance and quality assurance arrangements. This will include:
- regular audits of care-record access and role-based permissions;
- checks of paper-record storage, transport and disposal;
- review of Subject Access Requests, data protection complaints, breaches and near misses;
- review of data-sharing arrangements and processor contracts;
- review of privacy notices and consent/information-sharing forms;
- review of retention and disposal schedules;
- completion and review of Data Protection Impact Assessments where required;
- feedback from people receiving care and representatives about how information is used and explained;
- action plans where audits identify improvement needs.
Findings from audits and incidents will be used to improve training, systems, supervision and practice.
10.1 Retention and Secure Disposal
{{org_field_name}} will maintain a records retention schedule setting out how long different categories of records are kept, the legal or regulatory reason for retention, and how records will be securely destroyed or archived. Retention periods will take account of care-service regulation, contractual requirements, safeguarding needs, insurance requirements, limitation periods, professional guidance and data protection principles.
Records must not be destroyed where they are required for an ongoing complaint, investigation, safeguarding matter, adult protection inquiry, legal claim, regulatory inspection, Subject Access Request or other lawful purpose. When records reach the end of their retention period, they will be securely destroyed in a way that protects confidentiality. The decision to destroy care records must be authorised and recorded.
10.2 Data Processors and Third-Party Systems
Where {{org_field_name}} uses third-party organisations to process personal data on its behalf, including electronic care-planning systems, payroll providers, IT support, cloud storage, training systems or confidential waste providers, a written contract or data processing agreement must be in place. The agreement must set out the processor’s responsibilities, confidentiality requirements, security measures, breach reporting duties, sub-processor controls, audit rights, retention and deletion arrangements, and instructions for processing.
{{org_field_name}} will carry out appropriate due diligence before using systems or suppliers that process personal data and will review supplier compliance periodically.
10.3 International Transfers
Personal data must not be transferred outside the UK unless there is a lawful transfer mechanism and appropriate safeguards are in place. Before using any system, supplier or cloud service that stores or accesses personal data outside the UK, {{org_field_name}} will check the transfer arrangements, document the safeguards relied upon, and ensure the transfer complies with UK data protection law.
10.4 Automated Decision-Making and Artificial Intelligence
{{org_field_name}} will not make decisions about a person’s care, support, access to services, risk level or safeguarding response based solely on automated processing unless this is lawful, necessary and subject to appropriate safeguards. Where automated decision-making or artificial intelligence tools are used, the organisation will ensure transparency, human oversight, the ability to challenge decisions, and compliance with data protection law. A Data Protection Impact Assessment must be completed before introducing such tools where they may create a high risk to individuals.
11. Related Policies
This policy should be read alongside:
- Data Protection and Confidentiality Policy
- Safeguarding and Protection Policy
- Whistleblowing Policy
- Incident Reporting Policy
- Training and Continuing Professional Development Policy
12. Policy Review
This policy will be reviewed at least annually and sooner where there are changes in legislation, ICO guidance, Care Inspectorate guidance, SSSC Codes of Practice, contractual requirements, technology, systems, data-sharing arrangements, organisational structure or identified learning from incidents, complaints, audits or inspections. Any amendments will be communicated to staff and relevant stakeholders, and staff will receive additional training where required.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.