{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Caldicott Principles, Confidentiality and Service User Information Policy

1. Purpose

The purpose of this policy is to ensure that {{org_field_name}} lawfully, fairly, securely and transparently manages confidential service user information in accordance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, Data (Use and Access) Act 2025, the common law duty of confidentiality, the Human Rights Act 1998, the Mental Capacity Act 2005, the Care Act 2014, the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, the Care Quality Commission (Registration) Regulations 2009, CQC guidance, and the current eight Caldicott Principles.

This policy applies to all confidential information about people using the service, whether described as service user information, care records, health information, social care information, personal data, special category data, or confidential patient or service user information. The policy supports safe, person-centred care by ensuring that information is protected when it should be protected and shared when there is a lawful and necessary reason to share it, including for safeguarding, continuity of care, serious risk, public interest, legal obligation, or CQC regulatory requirements.

2. Scope

This policy applies to all staff, volunteers, contractors, agency workers, and external service providers who have access to confidential service user information, personal data, special category data, care records, staff records, and information required for the safe management of the regulated activity within {{org_field_name}}. It governs:

3. Legal and Regulatory Compliance

3.1 CQC Regulations and Health and Social Care Act Requirements

{{org_field_name}} will comply with the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and the Care Quality Commission (Registration) Regulations 2009. This policy particularly supports compliance with the following CQC requirements:

3.2 Data Protection Legislation

4. Understanding the Caldicott Principles

The Caldicott Principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations or individuals. {{org_field_name}} follows the current eight Caldicott Principles and applies them to identifiable service user information, including health information, social care information, care records and other information that people would reasonably expect to be kept private.

4.1 Principle 1: Justify the purpose for using confidential information

Every instance of patient information use must be justified. Staff must:

Every proposed use or disclosure of confidential service user information must have a clearly identified purpose and must be necessary, lawful and proportionate. Staff must record the reason for access or disclosure where the reason is not already clear from the person’s care and support plan, safeguarding record, risk assessment or legal requirement.

4.2 Principle 2: Use confidential information only when it is necessary

Wherever possible, anonymised or pseudonymised data should be used instead of personally identifiable information. Staff must:

4.3 Principle 3: Use the minimum necessary confidential information

Staff must:

4.4 Principle 4: Access to confidential information should be on a strict need-to-know basis

4.5 Principle 5: Everyone with access to confidential information should be aware of their responsibilities

4.6 Principle 6: Understand and Comply with the Law

4.7 Principle 7: The Duty to Share Information Can Be as Important as the Duty to Protect Confidentiality

Staff must never delay urgent safeguarding or emergency information sharing because consent has not been obtained, where there is a lawful basis to share and delay may place the person or another person at risk of harm. The reason for sharing without consent must be recorded, including what was shared, with whom, when, by whom, and why it was necessary and proportionate.

4.8 Principle 8: Inform people about how their confidential information is used

{{org_field_name}} will ensure that people using the service, and where appropriate their representatives, are provided with clear, accessible and transparent information about how their confidential information is collected, used, stored, shared and protected. This will normally be done through the organisation’s privacy notice, service user guide, care planning process and direct discussions with the person.

Information must be provided in a way the person can understand, taking account of disability, communication needs, language, literacy, mental capacity, sensory impairment, learning disability, autism or other needs. Staff must record where information has been provided in an alternative format or where a representative, advocate, attorney, deputy or best interests decision-maker has been involved.

4.9 Caldicott Guardian or nominated confidentiality lead

Where {{org_field_name}} is required to appoint, or chooses to appoint, a Caldicott Guardian, the Caldicott Guardian will provide senior advice and oversight on the use and sharing of confidential service user information. Where a Caldicott Guardian is not appointed, {{org_field_name}} will identify a senior nominated confidentiality lead who will work with the Registered Manager, Data Protection Lead and safeguarding lead to support lawful, ethical and proportionate information sharing.

The Caldicott Guardian or nominated confidentiality lead will be involved in complex decisions about information sharing, particularly where there is a conflict between confidentiality, consent, safeguarding, public interest, serious risk, legal duties or the person’s expressed wishes. Decisions and advice must be documented.

5. Managing Service User Information Safely and Lawfully

5.1 Secure Data Collection and Storage

All records must be accurate, complete, legible, dated, timed where relevant, attributable to the person making the entry, and updated as soon as practicable after the event or decision being recorded. Records must clearly show the care and support provided, decisions made, risks identified, actions taken, reviews completed, information shared and the rationale for significant decisions.

Records must be stored securely whether they are paper-based, electronic, verbal, photographic, audio, video, email-based, text-based or held in a care management system. Staff must not store service user information on personal devices, personal email accounts, unapproved cloud storage, messaging applications or removable media unless this has been expressly authorised, risk assessed and protected by appropriate security controls.

Where digital systems are used, access must be controlled by individual user accounts, strong passwords or multi-factor authentication where available, role-based permissions, audit trails, back-up arrangements and prompt removal of access when staff leave or change role.

5.2 Records required by CQC Regulation 17

{{org_field_name}} will maintain securely the following records required for the safe and effective management of the regulated activity:

Records must be available to authorised staff when needed for safe care and must be made available to CQC or other lawful authorities where required.

5.3 Retention, archiving and secure disposal

{{org_field_name}} will retain service user, staff and management records only for as long as there is a lawful reason to do so, taking account of legal, regulatory, contractual, safeguarding, insurance, commissioning and limitation requirements. Retention periods will be set out in the organisation’s retention schedule.

When records reach the end of their retention period, they must be reviewed and securely destroyed, deleted, anonymised or archived in accordance with the retention schedule. Secure disposal must be recorded where appropriate. Paper records must be shredded or disposed of through an approved confidential waste process. Electronic records must be deleted securely and in a way that prevents unauthorised recovery where practicable.

5.4 Information sharing procedures

Information will be shared only where there is a lawful basis, a clear purpose and a need to share. Information sharing must be necessary, proportionate, relevant, adequate, accurate, timely and secure. Staff must consider the Caldicott Principles, UK GDPR, Data Protection Act 2018, common law confidentiality, safeguarding duties, Mental Capacity Act 2005, Care Act 2014, contractual requirements and CQC requirements before sharing confidential service user information.

Information may be shared with health professionals, local authorities, commissioners, safeguarding teams, emergency services, advocates, attorneys, deputies, family members, representatives, CQC, the ICO, police or other agencies where this is lawful and necessary for care, safeguarding, risk management, legal compliance, regulatory oversight, public interest or protection from harm.

Where information is shared, staff must record what was shared, with whom, when, by whom, the method of sharing, the reason for sharing, the lawful basis where required, whether consent was obtained or why it was not required, and any follow-up action.

Where routine or repeated information sharing takes place with another organisation, {{org_field_name}} will use an information sharing agreement, data processing agreement or contract where appropriate. These agreements must describe the purpose of sharing, types of information shared, lawful basis, responsibilities, security arrangements, retention, breach reporting and contact points.

Staff must use approved secure communication methods. Confidential information must not be sent by unencrypted personal email, personal messaging accounts or insecure channels. Where information is sent by email, staff must check the recipient, use secure email where available, include only the minimum necessary information, and follow organisational procedures for encryption or password protection where required.

5.5 Consent, lawful basis and mental capacity

Consent is important, but it is not the only lawful basis for using or sharing personal information. {{org_field_name}} will identify and record the appropriate lawful basis under UK GDPR Article 6 and, where special category data is used, the relevant Article 9 condition and Data Protection Act 2018 Schedule 1 condition where required.

Where consent is used, it must be freely given, specific, informed and unambiguous. Explicit consent must be obtained where this is legally required. The person must be told what information will be shared, who it will be shared with, why it is being shared, and that consent can be withdrawn. Consent decisions must be recorded and reviewed where circumstances change.

Where consent is not the appropriate lawful basis, information may still be used or shared where there is another lawful basis, including where sharing is necessary for the provision of care and support, safeguarding, prevention of harm, vital interests, legal obligation, public interest, regulatory requirement, contract management, legitimate interests where applicable, or another lawful condition under data protection legislation.

A person’s refusal to consent should normally be respected unless there is a lawful reason to override it, such as serious risk of harm, safeguarding concerns, legal requirement, vital interests, public interest, or risk to others. The decision to share without consent must be authorised by an appropriate manager unless urgent circumstances require immediate action. The reason must be clearly recorded.

Where there is doubt about a person’s capacity to make a specific decision about information sharing, staff must assess capacity in accordance with the Mental Capacity Act 2005. Capacity must be assumed unless there is evidence otherwise, and people must be supported to make their own decision wherever possible. If the person lacks capacity, any decision must be made in their best interests, must be the least restrictive option, and must involve relevant representatives where appropriate.

Staff must check whether there is a valid and applicable Lasting Power of Attorney, Court of Protection deputy, advance decision, advocate, litigation friend or other legally recognised representative before sharing information with someone acting on the person’s behalf.

5.6 Privacy notices and transparency

{{org_field_name}} will provide a clear and accessible privacy notice explaining what personal information is collected, why it is used, the lawful basis for processing, who it may be shared with, how long it is kept, how it is protected, the person’s rights, how to complain, and how to contact the Data Protection Lead or Data Protection Officer where appointed.

The privacy notice must be made available to service users, representatives and staff. It must be reviewed at least annually or sooner if there are significant changes in how information is used. Where a person has communication needs, the privacy notice must be provided in an accessible format, such as easy read, large print, translated information, verbal explanation, pictorial format or other reasonable adjustment.

5.7 Data subject rights and subject access requests

People using the service, staff and other individuals have rights under UK data protection law. These include the right to be informed, right of access, right to rectification, right to erasure where applicable, right to restrict processing, right to data portability where applicable, right to object, and rights relating to automated decision-making where applicable.

Requests for access to personal information must be treated as subject access requests and forwarded immediately to the Data Protection Lead or Data Protection Officer where appointed. {{org_field_name}} will verify the requester’s identity and authority to act, respond within the statutory timescale, and only withhold or redact information where a lawful exemption applies, including protection of third-party information, safeguarding, legal privilege, serious harm or other applicable restrictions.

Requests from relatives, advocates, attorneys, deputies, commissioners, police, local authorities, health professionals or other third parties must be checked carefully. Information must not be disclosed simply because the person asking is involved in the person’s life. The organisation must confirm the lawful basis, authority and necessity for disclosure.

5.8 Handling personal data breaches and confidentiality incidents

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes lost records, emails sent to the wrong person, unauthorised access to care records, cyber incidents, verbal disclosure to the wrong person, missing paper files, lost devices, ransomware, inappropriate staff access, or failure to keep information secure.

All suspected or actual breaches must be reported immediately to the Registered Manager and Data Protection Lead or Data Protection Officer where appointed. Staff must not attempt to conceal a breach or delay reporting. The breach must be recorded on the data breach log, including the date and time identified, the nature of the breach, people affected, information involved, immediate containment action, risk assessment, notifications made, outcome and lessons learned.

The Data Protection Lead or Data Protection Officer where appointed will assess whether the breach is likely to result in a risk to individuals’ rights and freedoms. Where required, {{org_field_name}} will report the breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If reporting is delayed beyond 72 hours, the reason for the delay must be recorded and provided to the ICO where required.

Where the breach is likely to result in a high risk to the rights and freedoms of the affected person or people, {{org_field_name}} will inform those individuals without undue delay. The communication will describe the nature of the breach, likely consequences, action taken or proposed, steps the person can take to protect themselves, and who to contact for further information.

Where a data breach is also a safeguarding concern, incident, complaint, cyber security incident, notifiable safety incident or CQC-notifiable event, the Registered Manager will ensure that the relevant safeguarding, incident reporting, duty of candour, CQC notification, commissioner notification and business continuity procedures are followed.

Following any breach, {{org_field_name}} will complete a lessons learned review and take action to reduce recurrence. This may include staff supervision, retraining, disciplinary action, changes to access permissions, system changes, policy updates, additional audits, improved contracts or improved physical security.

5.9 Data protection complaints

{{org_field_name}} will maintain a clear data protection complaints process in accordance with UK data protection law, including the Data (Use and Access) Act 2025. A data protection complaint may include a concern about access to records, accuracy of records, confidentiality, information sharing, privacy notices, data breaches, failure to respond to a rights request, or how personal information has been used.

Data protection complaints must be acknowledged, recorded, investigated and responded to without undue delay. The response must explain the outcome, any action taken, and the person’s right to complain to the Information Commissioner’s Office if they remain dissatisfied. Complaints must be reviewed for learning and improvement and cross-referenced with the Complaints Policy, Duty of Candour Policy, Safeguarding Policy and Incident Reporting Policy where relevant.

5.10 Data Protection Impact Assessments

{{org_field_name}} will complete a Data Protection Impact Assessment where a proposed activity is likely to result in a high risk to individuals’ rights and freedoms. This includes introducing new digital care record systems, remote monitoring, surveillance or CCTV, large-scale processing, new information sharing arrangements, new technology, automated decision-making, or processing involving vulnerable adults where the risks are increased.

The assessment will identify the purpose of processing, lawful basis, necessity, proportionality, risks to individuals, measures to reduce risk, consultation required and approval arrangements. High-risk processing must not begin until risks have been assessed and appropriate safeguards are in place.

5.11 Photographs, video, CCTV and digital communications

Photographs, video recordings, audio recordings and CCTV images are personal data and may be special category data where they reveal health, disability or care needs. They must only be taken, stored or shared where there is a lawful basis, clear purpose and appropriate safeguards. Consent must be obtained where required, particularly for promotional, website, social media or non-care purposes.

Staff must not use personal phones, personal cameras, personal social media accounts or personal messaging applications to record, store or share service user information unless expressly authorised in an emergency or in line with an approved organisational procedure. Any emergency use must be reported to a manager and the information transferred to the approved system and deleted from the personal device as soon as safely possible.

6. Training and Staff Responsibilities

6.1 Training Requirements

All staff, volunteers, agency workers and relevant contractors must complete confidentiality, Caldicott Principles, record keeping, information sharing, cyber security awareness and data protection training during induction and at least annually thereafter. Training must be appropriate to the person’s role and the level of access they have to service user, staff or organisational information.

Training will include UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025, the eight Caldicott Principles, common law confidentiality, safeguarding information sharing, Mental Capacity Act 2005, subject access requests, breach reporting, secure communication, accurate record keeping, CQC Regulation 17 and the organisation’s internal reporting procedures.

Staff supporting people with learning disability and autistic people must receive learning disability and autism training appropriate to their role where required by the Health and Social Care Act 2008 requirements and current code of practice. Training must support staff to provide information in accessible formats and to understand communication, consent, capacity and reasonable adjustments.

6.2 Confidentiality agreements and access controls

All staff, volunteers, agency workers and relevant contractors must agree to comply with confidentiality, data protection and information governance requirements before being given access to confidential information. Access to systems and records will be granted only where required for the person’s role. Access must be removed promptly when a person leaves, changes role or no longer requires access.

6.3 Monitoring, audit and compliance

The Registered Manager, Data Protection Lead or Data Protection Officer where appointed, and senior management team will monitor compliance with this policy through regular audits and governance checks. These will include care record audits, access permission reviews, breach log reviews, subject access request monitoring, privacy notice reviews, staff training compliance, information sharing checks, retention checks and review of complaints involving information governance.

Audit findings will be recorded, analysed and used to improve practice. Actions will be allocated to named persons with timescales and reviewed until completed. Where audits identify poor record keeping, inappropriate access, insecure sharing, repeated breaches or failure to follow procedure, the organisation will take prompt corrective action, including supervision, retraining, disciplinary action, system changes or escalation to external bodies where required.

Governance findings will be reported through the organisation’s quality assurance process and used to demonstrate compliance with CQC Regulation 17.

6.4 Staff responsibilities

All staff are responsible for protecting confidential information and for sharing information lawfully when required. Staff must:

6.5 Registered Manager and senior management responsibilities

The Registered Manager is responsible for ensuring that this policy is implemented in day-to-day practice. This includes ensuring that staff are trained, records are accurate and secure, breaches are reported and investigated, audits are completed, information sharing is lawful, CQC requirements are met, and learning from incidents, complaints and audits is embedded into service improvement.

Senior management must ensure that appropriate resources, systems, contracts, security arrangements and governance processes are in place to support compliance with UK data protection law, the Caldicott Principles and CQC requirements.

7. Related Policies

This policy should be read in conjunction with:

8. Policy Review

This policy will be reviewed at least annually or sooner where there are changes in legislation, CQC guidance, ICO guidance, National Data Guardian guidance, safeguarding requirements, commissioning requirements, organisational structure, digital systems, information sharing arrangements, or following a significant data breach, complaint, safeguarding concern, CQC inspection finding or governance audit finding.

The review will consider whether the policy remains effective, whether staff understand and follow it, whether records and information sharing are safe and lawful, whether privacy information remains accurate, and whether lessons learned from breaches, complaints, audits and feedback have been implemented.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on:
{{last_update_date}}
Next Review Date:
{{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.

Leave a Reply

Your email address will not be published. Required fields are marked *