{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality, Information Sharing and Data Protection (UK GDPR) – Service User Privacy Notice and Policy
1. Introduction
At {{org_field_name}}, we respect every service user’s right to privacy, dignity, confidentiality and safe care. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the common law duty of confidentiality, the Human Rights Act 1998, the Health and Social Care Act 2008, and the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. This includes our duties to treat people with dignity and respect, to protect privacy, to maintain secure, accurate and contemporaneous records, to respond properly to complaints, and to share relevant information lawfully where this is necessary for safe care, safeguarding or legal purposes. We also work in line with the Caldicott Principles and, where applicable, the Accessible Information Standard.
2. Purpose
The purpose of this policy is to:
- explain how we collect, use, store, retain and dispose of personal data and confidential information relating to service users;
- explain when information may be shared for care, safeguarding, legal or regulatory reasons;
- tell service users, relatives, representatives and advocates about their privacy rights and how to exercise them;
- explain how complaints about confidentiality or data protection will be handled;
- support compliance with UK GDPR, the Data Protection Act 2018, the common law duty of confidentiality, Care Quality Commission (CQC) requirements, and records management requirements applicable to adult social care; and
- ensure that information is provided in a way that is accessible and easy to understand.
3. Scope
This policy applies to all personal data and confidential information processed by {{org_field_name}} in relation to service users, prospective service users, former service users, and where relevant their family members, next of kin, advocates, attorneys, deputies and representatives. It applies to information held in paper records, electronic systems, emails, text messages, care planning systems, incident logs, CCTV or door-entry systems where used, and any other format in which service user information is recorded. It covers personal data, special category data, and where relevant criminal offence or safeguarding information.
4. Data Collection
We collect and record only the information that is necessary, relevant and proportionate for the provision, management, quality assurance and safety of supported living services. This may include:
- personal identifiers, such as name, date of birth, NHS number where relevant, address, contact details and proof of identity;
- health and care information, such as assessments, care and support plans, risk assessments, medication information, daily notes, incident records, appointments, outcomes and correspondence with health or social care professionals;
- mental capacity, consent and best-interests information, including records of decisions, representatives, attorneys, deputies or advocates;
- safeguarding information, including concerns, referrals, investigations and protective actions;
- information about communication, accessibility, equality, cultural, religious or dietary needs where relevant to safe and person-centred care;
- contact details for family members, next of kin, emergency contacts and professionals involved in the service user’s care;
- financial and contractual information required for charging, billing or managing the service agreement; and
- complaint, compliment, feedback and quality-monitoring records.
We usually obtain information directly from the service user or their representative. We may also receive information from local authorities, commissioners, GPs, hospitals, community health teams, pharmacies, emergency services, advocates, family members, or other agencies involved in the person’s care or safety.
5. Lawful Basis for Processing
Because we provide supported living and related care services, we must identify both:
- a lawful basis under Article 6 UK GDPR; and
- an additional condition under Article 9 UK GDPR where we process special category data, including health and care information.
Depending on the purpose, our Article 6 lawful bases may include:
- performance of a contract, where processing is necessary to deliver agreed services or manage the service arrangement;
- legal obligation, where we must comply with health and social care law, safeguarding duties, CQC requirements, records management duties, or other legal obligations;
- vital interests, where processing is necessary to protect life or prevent serious harm in an emergency;
- legitimate interests, where processing is necessary for safe service delivery, governance, quality assurance, security or prevention of misuse, and those interests are not overridden by the rights of the individual; and
- consent, but only where consent is genuinely optional and can be freely withdrawn, such as for a photograph, testimonial, or another non-essential use.
Where we process health, care or other special category data, our Article 9 conditions may include:
- Article 9(2)(h): processing necessary for health or social care purposes, including the management of health or social care systems and services;
- Article 9(2)(c): processing necessary to protect someone’s vital interests where they are physically or legally incapable of giving consent;
- Article 9(2)(g): processing necessary for reasons of substantial public interest, for example safeguarding or prevention and detection of unlawful acts, where applicable under the Data Protection Act 2018; and
- Article 9(2)(a): explicit consent, where we rely on consent for a specific optional purpose.
We do not rely on consent for routine care records, safeguarding, incident recording, complaints handling, legal compliance or core service delivery where another lawful basis is more appropriate.
6. Use of Personal Data
We use personal data and confidential information to:
- assess needs and plan, deliver, review and improve person-centred care and support;
- maintain accurate care, medication, risk, incident and safeguarding records;
- communicate with service users in ways they can understand and access, and record their communication needs and preferences;
- work with families, representatives, advocates and professionals involved in care where appropriate and lawful;
- protect service users and others from abuse, neglect, avoidable harm or serious risk;
- investigate complaints, incidents, accidents and concerns;
- meet legal, contractual, insurance, safeguarding, commissioning and regulatory requirements, including those of the CQC; and
- monitor, audit and improve the quality, safety and governance of our services.
7. Data Sharing
We share personal data only where this is necessary, lawful and proportionate. Information may be shared, on a need-to-know basis, with:
- GPs, hospitals, pharmacies, community teams and other health or social care professionals involved in the person’s care;
- local authorities, commissioners, integrated care system partners, safeguarding teams or other bodies involved in assessment, funding, review or protection of the service user;
- emergency services where urgent action is required to protect life, health or safety;
- regulators, inspectors, coroners, courts, police or other public authorities where disclosure is required or authorised by law;
- advocates, attorneys, deputies, representatives or family members where the person has agreed, where it is within the representative’s lawful authority, or where sharing is otherwise lawful and appropriate; and
- approved third-party service providers, such as IT system providers, record storage providers, payroll, legal, audit or insurance providers, under written confidentiality and data processing arrangements where required.
Where possible and appropriate, we will explain to the service user how their information will be shared. However, consent is not always required where there is another lawful basis to share, for example for direct care, safeguarding, legal obligation, prevention of serious harm, or regulatory purposes. We will share the minimum necessary information and record the reason for significant disclosures.
7.1. Confidentiality and Information Sharing
All staff, agency workers, contractors and volunteers must keep service user information confidential and only access or share it where they have a legitimate work-related need and a lawful basis for doing so. Confidential information will normally be shared with the service user’s knowledge and in line with their wishes where possible. However, information may be shared without consent where this is necessary for direct care, safeguarding, prevention of serious harm, legal proceedings, crime prevention or detection, regulatory action, court orders, coronial processes, or other lawful reasons. Where a service user lacks capacity to make a relevant decision, information sharing will be considered in line with the Mental Capacity Act 2005 and the person’s best interests. Decisions to share confidential information must be proportionate, necessary, recorded and limited to the minimum information required.
8. Data Security
We use appropriate technical and organisational measures to protect personal data and confidential information from unauthorised access, alteration, loss, misuse or destruction. These measures include, where appropriate:
- role-based access controls and confidentiality agreements;
- secure passwords, multi-factor authentication and user account management;
- secure email, encrypted devices and approved digital systems;
- locked cabinets and secure storage for paper records;
- audit trails and monitoring of access to electronic records;
- secure transfer, archiving and disposal of records;
- information governance, confidentiality and safeguarding training for staff; and
- procedures for identifying, reporting, investigating and learning from information security incidents and breaches.
Records must be accurate, complete, up to date, securely maintained and available to authorised staff who need them for lawful care or governance purposes.
8.1. International Transfers and Use of Third-Party Systems
Where we use third-party digital systems or service providers to store or process personal data on our behalf, we will ensure that appropriate contractual and security measures are in place. If personal data is transferred outside the UK, we will only do so where this is lawful and where appropriate safeguards are in place under data protection law. Information about relevant recipients and any international transfers will be provided in our privacy information.
9. Data Retention
We keep personal data and care records in line with our Records Retention Schedule and applicable legal, regulatory and professional requirements. Our retention periods are based on the Records Management Code of Practice 2021 and other relevant legal requirements. Retention periods vary depending on the type of record, the nature of the service provided, any safeguarding concerns, complaints, claims, investigations, inquests, public inquiry holds, or other legal reasons why records must be kept for longer. At the end of the retention period, records will be securely deleted, destroyed or anonymised in accordance with our records management procedures. Service users may request further information about the retention period that applies to a particular type of record.
10. Rights of Service Users
Service users have the following rights in relation to their personal data, subject to any lawful exemptions or restrictions:
- the right to be informed about how their personal data is used;
- the right of access to their personal data, usually by making a subject access request;
- the right to ask for inaccurate or incomplete information to be corrected;
- the right to request erasure in certain circumstances;
- the right to request restriction of processing in certain circumstances;
- the right to object to processing where the lawful basis allows this;
- the right to data portability where this applies;
- the right to withdraw consent at any time where we rely on consent;
- the right to complain to the Information Commissioner’s Office (ICO); and
- the right not to be subject to a decision based solely on automated processing where this applies.
Some rights are not absolute and may be limited where we must keep records for legal, safeguarding, health or social care, regulatory or public interest reasons. Requests should normally be responded to within one calendar month, although this can be extended where the law permits. To exercise any of these rights, service users or their representatives should contact:
{{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}
Email: {{org_field_data_protection_officer_email}}
Phone: {{org_field_data_protection_officer_phone}}
If you remain unhappy with how we have handled your information, you may raise a concern with the Information Commissioner’s Office.
10.1. Requests Made by Representatives, Attorneys, Deputies and Personal Representatives
Where a request is made on behalf of a service user, we may need evidence that the person making the request has the authority to do so, for example as an attorney, deputy, litigation friend, parental responsibility holder where relevant, or another authorised representative. Where a service user lacks capacity to make a particular decision, we will consider requests and disclosures in line with the Mental Capacity Act 2005 and the person’s best interests. Requests for access to records of deceased persons will be considered in line with the Access to Health Records Act 1990 where applicable.
11. Data Breaches
In the event of an actual or suspected personal data breach, we will act promptly to contain the incident, assess the risk, take appropriate remedial action, and keep a record of the breach and our response. Where required by law, we will report the breach to the Information Commissioner’s Office within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform affected individuals without undue delay, unless a lawful exemption applies. We will also review the incident to identify lessons learned and reduce the risk of recurrence.
12. Policy Review
This policy will be reviewed at least annually and sooner if there is a change in legislation, CQC requirements, ICO guidance, organisational practice, digital systems, or following any significant confidentiality, information governance or data breach incident. The current version will be made available to service users in accessible formats on request.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.