{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Confidentiality, Information Governance and Data Protection (UK GDPR)-Staff Policy

1. Purpose

The purpose of this policy is to ensure that all staff at {{org_field_name}} understand and comply with their responsibilities for confidentiality, information governance and data protection when handling information about the people we support, staff, relatives, representatives, professionals, visitors, contractors and other stakeholders.

{{org_field_name}} will process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 where in force, the Human Rights Act 1998, the common law duty of confidentiality, the Care Act 2014, the Mental Capacity Act 2005, and applicable CQC requirements under the Health and Social Care Act 2008 and the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.

This policy supports safe, lawful and person-centred supported living services by ensuring that confidential information is only accessed, used, shared, stored, retained and disposed of where there is a lawful and legitimate reason to do so. It also supports compliance with CQC expectations that providers maintain accurate, complete, secure and up-to-date records and have effective governance systems to assess, monitor and improve service quality and safety.

2. Scope

This policy applies to all staff, including permanent staff, temporary staff, agency workers, bank staff, contractors, volunteers, students, directors, managers and any person acting on behalf of {{org_field_name}} who may access, use or share personal, confidential or sensitive information.

This policy applies to all formats of information, including paper records, electronic care records, staff files, emails, text messages, photographs, audio or video recordings, CCTV where used, medicines records, financial records, incident records, safeguarding records, rotas, supervision records, audits and information shared verbally.

This policy applies when staff are working in supported living settings, people’s own homes, offices, community settings, vehicles, remotely, or when using mobile phones, laptops, tablets, electronic care planning systems or any other digital system approved by {{org_field_name}}.

3. Related Policies

4. Legal and Regulatory Framework

{{org_field_name}} will comply with the following legal and regulatory requirements, as applicable to the service:

For CQC-regulated supported living services, this policy particularly supports compliance with Regulation 9, Regulation 10, Regulation 12, Regulation 13, Regulation 16, Regulation 17 and Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, where relevant to the information being processed.

5. Policy Statement

{{org_field_name}} is committed to protecting the confidentiality, privacy, dignity, rights and safety of the people we support and everyone whose information we process. Personal data and confidential information will be processed lawfully, fairly, transparently and securely, and only where there is a clear and legitimate reason connected with the delivery, management, quality assurance or legal administration of the service.

Staff must treat all information about the people we support as confidential. This includes information about a person’s care, support, health, medication, finances, relationships, risks, capacity, safeguarding concerns, complaints, preferences, routines, family circumstances and any other private matter learned during the course of work.

Confidentiality does not prevent appropriate information sharing where this is necessary and lawful, including where information is needed to provide safe care and support, protect a person or others from abuse or harm, comply with a legal duty, support safeguarding, respond to emergencies, assist regulators or commissioners, or meet contractual or statutory obligations.

6. Data Protection Principles

When processing personal data, {{org_field_name}} will comply with the UK GDPR principles:

7. Types of Information Covered

This policy covers personal data, special category data, confidential information and, where relevant, criminal offence data.

Personal data means any information relating to an identified or identifiable living person. In supported living this may include names, addresses, dates of birth, contact details, photographs, care records, support plans, risk assessments, daily notes, incident reports, medicines records, financial records, staff records and communication records.

Special category data requires additional protection. This may include information about a person’s health, disability, mental health, race or ethnic origin, religion or belief, sex life, sexual orientation, biometric data used for identification, or trade union membership.

Criminal offence data includes information about criminal convictions, offences, allegations, safeguarding-related police information or relevant risk information. This must only be processed where lawful, necessary and authorised.

Confidential information includes information shared in circumstances where the person would reasonably expect it to be kept private, including information about care, support, health, finances, family matters, relationships, safeguarding, complaints and personal circumstances.

8. Lawful Basis for Processing

{{org_field_name}} will identify and document an appropriate lawful basis before processing personal data. Depending on the circumstances, this may include:

Consent will not be used as the default lawful basis for care and support records where another lawful basis is more appropriate. Where consent is used, it must be freely given, specific, informed and unambiguous, and the person must be able to withdraw consent.

Where special category data is processed, {{org_field_name}} will also identify an appropriate UK GDPR Article 9 condition and, where required, a condition under the Data Protection Act 2018. This may include processing necessary for the provision of health or social care, safeguarding, employment obligations, substantial public interest, legal claims or explicit consent, depending on the circumstances.

Staff must not assume that consent is always required before sharing information. Staff must seek advice from the Registered Manager or Data Protection Lead where they are unsure about the lawful basis for using or sharing information.

9. Handling Personal Data

9.1 Collection of Data

Personal data must only be collected where it is necessary, proportionate and connected to a lawful purpose. Staff must only collect information that is required to provide safe and effective care and support, meet legal or contractual duties, manage employment, protect people from harm, evidence service quality, or administer the service.

People must be told, in a clear and accessible way, why their information is being collected, how it will be used, who it may be shared with, how long it will be kept, and what rights they have. This will normally be provided through a privacy notice and, where appropriate, through verbal explanation, easy-read information, translated information or support from a representative.

Where a person lacks capacity to understand a specific information decision, staff must follow the Mental Capacity Act 2005 and act in the person’s best interests. Information must still be handled lawfully, confidentially and in the least restrictive way.

9.2 Storing and Securing Data

All records must be stored securely and protected from unauthorised access, loss, damage or inappropriate disclosure.

Paper records containing personal or confidential information must be kept in locked cabinets, locked rooms or secure storage when not in use. They must not be left unattended in communal areas, vehicles, people’s homes, reception areas, staff rooms or other locations where unauthorised people may see them.

Electronic records must only be stored on systems approved by {{org_field_name}}. Staff must use secure passwords, multi-factor authentication where required, role-based access, secure networks and approved devices. Passwords must not be shared or written down where they can be accessed by others.

Staff must not store confidential information on personal phones, personal laptops, personal email accounts, USB sticks, messaging apps or cloud storage unless this has been expressly authorised by {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} or the Registered Manager and appropriate security controls are in place.

Staff must log out of electronic systems when not in use and must ensure screens cannot be viewed by unauthorised people. Printed information must be collected promptly from printers and disposed of securely when no longer required.

9.3 Digital Records, Mobile Working and Remote Access

Where {{org_field_name}} uses digital care planning, electronic medicines records, rostering systems, HR systems or other digital platforms, staff must use these systems in accordance with their role, training and access permissions.

Staff must ensure that digital records are accurate, factual, timely, complete and written respectfully. Records must clearly show the care and support provided, any changes in need or risk, actions taken, decisions made, and any follow-up required.

Remote access to systems must only take place using authorised devices, approved systems and secure connections. Staff must take extra care when working in public places, shared accommodation, people’s homes or vehicles to prevent information being seen or overheard by others.

Staff must not take photographs, videos or audio recordings of people we support, staff or confidential documents unless this is necessary, lawful, authorised and in line with {{org_field_name}} policy.

9.4 Access to Data

Access to personal data will be granted on a need-to-know basis and according to the person’s role. Staff must only access records where this is necessary for their work. Accessing records out of curiosity, for personal reasons, or without a legitimate work-related reason is prohibited and may result in disciplinary action.

Managers must ensure that staff access rights are appropriate, reviewed regularly and removed promptly when a staff member changes role, leaves employment or no longer requires access.

Where electronic systems allow audit trails, access may be monitored to detect inappropriate access, misuse, errors or security risks.

Staff must not disclose information to relatives, friends, neighbours, other people receiving support, visitors, landlords, contractors or professionals unless there is a lawful basis and the disclosure is necessary and appropriate.

9.5 Sharing Information

Information must only be shared where there is a lawful basis, a legitimate reason and the sharing is necessary and proportionate. Information sharing may be appropriate for the delivery of care and support, health appointments, medication management, safeguarding, mental capacity assessments, emergencies, complaints, audits, commissioning, regulatory requirements, legal claims, employment matters or protection of the person or others.

Before sharing information, staff must consider:

Information must be shared securely. Emails containing confidential information must be sent only to verified recipients and encrypted or password-protected where appropriate. Staff must check email addresses, postal addresses and telephone numbers before sending or discussing confidential information.

Where information is shared regularly with another organisation, such as commissioners, local authorities, healthcare professionals, payroll providers, electronic care record providers or external HR advisers, {{org_field_name}} will ensure appropriate contracts, data processing agreements or information sharing arrangements are in place.

9.6 Safeguarding, Public Interest and Confidentiality

Confidentiality must never be used as a reason to ignore or conceal abuse, neglect, exploitation, unsafe care, criminal activity or serious risk. Where staff have concerns that a person is experiencing or at risk of abuse or neglect, they must follow the Safeguarding Adults from Abuse and Improper Treatment Policy and report concerns immediately.

Information may be shared without consent where this is necessary and lawful to protect the person or another person from harm, prevent or detect crime, comply with a legal duty, support a safeguarding enquiry, respond to an emergency or act in the substantial public interest.

Where possible and safe, the person should be informed about what information is being shared and why. If informing the person would increase risk, prejudice an investigation or place another person at risk, staff must seek advice from the Registered Manager, Safeguarding Lead or Data Protection Lead.

9.7 Personal Data Breaches and Security Incidents

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include sending information to the wrong person, losing paperwork, losing a device, unauthorised access to a care record, discussing confidential information where others can hear, cyber incidents, ransomware, phishing, or failing to secure records.

All actual or suspected personal data breaches must be reported immediately to {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}, the Registered Manager or the nominated senior person on duty. Staff must not delay reporting because they are unsure whether an incident is reportable.

The manager or Data Protection Lead will ensure that the incident is contained, investigated, risk assessed, recorded and escalated. The assessment must consider the nature of the data, the people affected, the likely consequences, the level of risk, whether the ICO must be notified, whether affected individuals must be informed, and what action is needed to prevent recurrence.

Where a breach is likely to result in a risk to people’s rights and freedoms, {{org_field_name}} will report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to people’s rights and freedoms, affected individuals will be informed without undue delay unless a lawful exemption applies.

All breaches, including breaches not reported to the ICO, must be recorded in the data breach log with actions taken, decisions made, reasons for decisions and lessons learned.

9.8 Retention and Disposal of Data

Personal data must be retained only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law, contract, safeguarding requirements, insurance requirements, employment law, regulatory expectations or legitimate business need.

{{org_field_name}} will maintain a records retention schedule covering care and support records, staff records, recruitment records, training records, supervision records, medication records, financial records, complaints, safeguarding records, incidents, audits, governance records and business records.

Records must not be destroyed if they are required for an active complaint, safeguarding enquiry, investigation, legal claim, audit, CQC inspection, commissioner review, police enquiry or employment matter.

Paper records must be disposed of by confidential shredding or secure disposal. Electronic records must be permanently deleted or securely archived in accordance with the retention schedule and system capability. Disposal must be recorded where required.

Staff must not dispose of confidential waste in domestic bins, public bins, ordinary office waste or recycling containers.

9.9 Accuracy, Record Keeping and CQC Evidence

Records must be accurate, complete, clear, factual, respectful, up to date and created as soon as possible after the event or support provided. Staff must not falsify records, pre-complete records, retrospectively amend records without making this clear, omit relevant information, or use disrespectful language.

Records must support safe and person-centred care. They must evidence the person’s needs, preferences, risks, choices, consent or best interest decisions, communication needs, support provided, incidents, outcomes, professional advice, medicines support, safeguarding actions and any changes in presentation or risk.

Where an error is identified, it must be corrected in a way that preserves the original entry where required and clearly records who made the correction, when and why. Staff must inform a manager where an error may affect care, safety, safeguarding, medication, legal compliance or CQC evidence.

Records may be reviewed by managers, auditors, commissioners, safeguarding authorities and CQC where lawful and necessary. Staff must cooperate with lawful requests for records and must not obstruct access to records required for regulatory purposes.

10. Rights of Individuals

People whose personal data is processed by {{org_field_name}} have rights under data protection law. These may include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights relating to automated decision-making, where applicable.

Requests from people we support, staff, relatives, representatives or others to access, correct, delete or restrict information must be passed immediately to the Registered Manager or Data Protection Lead. Staff must not ignore, refuse or respond to such requests without advice.

Subject access requests must be handled within the legal timescales. Before information is disclosed, {{org_field_name}} must verify the identity and authority of the requester and consider whether information about third parties, safeguarding, confidential references, legal privilege or other exemptions apply.

People we support must be supported to understand their data protection rights in a way that meets their communication needs. This may include easy-read information, advocacy, interpretation, involvement of representatives or additional time and support.

11. Privacy Notices and Transparency

{{org_field_name}} will provide clear privacy information explaining how personal data is collected, used, shared, retained and protected. Privacy information will be provided to people we support, staff and other relevant individuals.

Privacy notices must be accessible and easy to understand. Where necessary, information should be made available in alternative formats such as large print, easy-read, translated versions or verbal explanations.

Privacy notices must be reviewed regularly and updated when there are significant changes to how {{org_field_name}} processes personal data.

12. Data Protection Complaints

{{org_field_name}} will have a clear process for receiving, investigating and responding to complaints about how personal data has been handled. Data protection complaints may include concerns about access to records, inaccurate information, inappropriate sharing, breach of confidentiality, failure to respond to rights requests, excessive data collection, or concerns about security.

All data protection complaints must be acknowledged, recorded, investigated and responded to in line with {{org_field_name}}’s complaints procedure and data protection requirements. The response must explain the outcome, any action taken, and the person’s right to raise concerns with the ICO where appropriate.

Staff must immediately pass any data protection complaint to the Registered Manager or Data Protection Lead.

13. Data Protection Impact Assessments

{{org_field_name}} will complete a Data Protection Impact Assessment where processing is likely to result in a high risk to the rights and freedoms of individuals. This may include introducing new digital care record systems, electronic medicines systems, monitoring technologies, CCTV, large-scale processing, new data sharing arrangements, new apps, remote monitoring, artificial intelligence tools or other technologies that affect people we support or staff.

A Data Protection Impact Assessment will consider the purpose of the processing, necessity and proportionality, risks to individuals, security measures, confidentiality, access controls, retention, transparency, and actions needed to reduce risk.

Staff must not introduce new systems, apps, forms, devices, recording methods or data sharing arrangements without approval from the Registered Manager and Data Protection Lead.

14. Staff Responsibilities

All staff must:

Managers must:

The Data Protection Lead or Data Protection Officer, where appointed, will:

Where {{org_field_name}} is not legally required to appoint a formal Data Protection Officer, it will still nominate a senior person as Data Protection Lead with responsibility for overseeing data protection compliance.

15. Confidentiality Agreement and Professional Conduct

All staff must sign a confidentiality agreement as part of induction and must comply with confidentiality requirements throughout their employment or engagement with {{org_field_name}}. Confidentiality obligations continue after a staff member leaves the organisation.

Breaches of confidentiality may result in disciplinary action, dismissal, referral to professional bodies, referral to the Disclosure and Barring Service where relevant, reporting to the ICO, safeguarding action, legal action or criminal investigation, depending on the seriousness of the breach.

Staff must not use information obtained through work for personal advantage, curiosity, gossip, social media, personal relationships, financial gain or any purpose unrelated to their role.

16. Confidentiality in Supported Living Settings

Supported living services are usually delivered in a person’s own home. Staff must respect the person’s home, privacy, dignity, relationships and right to private and family life.

Staff must not discuss one person’s information with another person receiving support, other tenants, neighbours, visitors, landlords or family members unless there is a lawful and necessary reason to do so.

Where staff support more than one person in shared accommodation, records, medicines information, financial information and personal documents must be kept separate and secure for each person.

Staff must take care when completing records in shared areas to prevent other people from seeing or hearing confidential information. Handover discussions must take place discreetly and only with staff who need the information.

Information about tenancy matters, housing-related support, care and support, finances, health, safeguarding and family matters must only be shared with landlords, housing providers, appointees, deputies, attorneys, relatives or advocates where there is a lawful basis and the sharing is necessary and appropriate.

17. Training and Competency

All staff will receive confidentiality, information governance and data protection training during induction and refresher training at intervals set by {{org_field_name}}. Training will include confidentiality, UK GDPR principles, lawful basis, special category data, secure records, breach reporting, information sharing, safeguarding, supported living confidentiality risks and use of electronic systems.

Managers will ensure staff are competent to use care record systems, medicines systems, email, mobile devices and other information systems before being given access.

Additional training or supervision will be provided where audits, incidents, complaints or breaches identify concerns about staff practice.

18. CQC Compliance

This policy supports compliance with CQC requirements and the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, including:

{{org_field_name}} will ensure that records and information governance arrangements provide evidence of safe, effective, caring, responsive and well-led care and support.

19. Access to Records by CQC, Commissioners and Other Authorities

{{org_field_name}} will cooperate with lawful requests for information from CQC, commissioners, safeguarding authorities, local authorities, NHS bodies, police, courts, coroners and other authorised bodies.

Before information is shared, staff must verify the identity and authority of the person or organisation requesting the information, unless this is already known or the request is part of an established process.

Information shared with external authorities must be relevant, necessary, proportionate and securely transferred. A record must be kept of what was shared, with whom, when, why and by whom, unless this is already captured through an approved system.

Staff must immediately inform the Registered Manager of any request from CQC, commissioners, police, safeguarding authorities, legal representatives or courts.

20. Policy Review

This policy will be reviewed at least annually or sooner where there are changes in legislation, ICO guidance, CQC requirements, contractual requirements, technology, systems, organisational structure, serious incidents, data breaches, complaints, safeguarding concerns, audits or lessons learned.

The review will consider whether the policy remains effective, accessible, legally compliant and reflective of current practice in supported living services in England.

The Registered Manager and Data Protection Lead will ensure that staff are informed of significant changes and receive additional training where required.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on:
{{last_update_date}}
Next Review Date:
{{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.

Leave a Reply

Your email address will not be published. Required fields are marked *