{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Caldicott Principles, Confidentiality and Service User Information Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} lawfully, fairly, securely and transparently manages confidential service user information in accordance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, Data (Use and Access) Act 2025, the common law duty of confidentiality, the Human Rights Act 1998, the Mental Capacity Act 2005, the Care Act 2014, the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, the Care Quality Commission (Registration) Regulations 2009, CQC guidance, and the current eight Caldicott Principles.
This policy applies to all confidential information about people using the service, whether described as service user information, care records, health information, social care information, personal data, special category data, or confidential patient or service user information. The policy supports safe, person-centred care by ensuring that information is protected when it should be protected and shared when there is a lawful and necessary reason to share it, including for safeguarding, continuity of care, serious risk, public interest, legal obligation, or CQC regulatory requirements.
2. Scope
This policy applies to all staff, volunteers, contractors, agency workers, and external service providers who have access to confidential service user information, personal data, special category data, care records, staff records, and information required for the safe management of the regulated activity within {{org_field_name}}. It governs:
- Collection, storage, and sharing of patient information
- Compliance with the Caldicott Principles
- Legal and ethical considerations in data handling
- Roles and responsibilities in managing confidential information
- Procedures for handling data breaches
- Training, monitoring, and compliance
- Lawful bases for processing personal data and special category data
- Data subject rights, including subject access requests, rectification, restriction, erasure where applicable, objection, portability where applicable, and rights relating to automated decision-making
- Privacy notices and transparency with service users, representatives and staff
- Data protection complaints and escalation to the ICO
- Records required by CQC Regulation 17, including service user care records, staff records and management records
- Data protection impact assessments, information sharing agreements and processor contracts where required
- Retention, archiving and secure disposal of records
3. Legal and Regulatory Compliance
3.1 CQC Regulations and Health and Social Care Act Requirements
{{org_field_name}} will comply with the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and the Care Quality Commission (Registration) Regulations 2009. This policy particularly supports compliance with the following CQC requirements:
- Regulation 9 – Person-centred care: information must be used and shared appropriately to assess, plan, deliver and review care and support that meets each person’s needs and preferences.
- Regulation 10 – Dignity and respect: people’s privacy, dignity, confidentiality and autonomy must be respected when information is collected, recorded, discussed, stored or shared.
- Regulation 11 – Need for consent: where consent is the lawful basis for a care decision or information sharing decision, consent must be valid, informed and recorded. Where a person lacks capacity, decisions must be made in accordance with the Mental Capacity Act 2005 and best interests requirements.
- Regulation 12 – Safe care and treatment: accurate and accessible information must be available to staff and relevant professionals to support safe care, including information about risks, medicines, allergies, health needs, safeguarding concerns, communication needs and emergency arrangements.
- Regulation 13 – Safeguarding service users from abuse and improper treatment: information must be shared promptly and lawfully where this is necessary to prevent abuse, neglect, exploitation or avoidable harm. Confidentiality must not be used as a reason to delay or prevent necessary safeguarding action.
- Regulation 16 – Receiving and acting on complaints: concerns or complaints about confidentiality, data protection, records or information sharing must be recorded, investigated, responded to and used to improve practice.
- Regulation 17 – Good governance: the provider must maintain securely accurate, complete and contemporaneous records for each service user, staff records and management records, and must operate effective systems to assess, monitor and improve the quality and safety of the service, including information governance and information processing.
- Regulation 18 – Staffing: staff must receive appropriate training, supervision and support to understand confidentiality, information sharing, record keeping, data protection, safeguarding and the Caldicott Principles.
- Regulation 20 – Duty of candour: where a notifiable safety incident involves information handling, records, confidentiality or communication failures, {{org_field_name}} will act openly and honestly, apologise where appropriate, provide a truthful account, and keep a written record of the response.
- Care Quality Commission (Registration) Regulations 2009: notifications to CQC will be made where required, including where an information governance incident is connected to a notifiable event affecting the safety or welfare of people using the service.
3.2 Data Protection Legislation
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018: set out the legal framework for processing personal data and special category data, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.
- Freedom of Information Act 2000: this will apply only where {{org_field_name}} is a public authority for the purposes of the Act or where information is held on behalf of a public authority. Requests for personal information will be managed under UK GDPR and Data Protection Act 2018 subject access arrangements, not as Freedom of Information requests.
- Human Rights Act 1998: Ensures respect for an individual’s private and family life, directly impacting how patient information is managed.
- Data (Use and Access) Act 2025: updates aspects of UK data protection law and requires organisations to maintain an appropriate data protection complaints process. From 19 June 2026, {{org_field_name}} will ensure data protection complaints are acknowledged, investigated and responded to without undue delay, and that people are informed of their right to complain to the ICO.
- Common law duty of confidentiality: confidential service user information will not be disclosed unless the person has given valid consent, there is another lawful basis or legal requirement, disclosure is necessary in the public interest, or disclosure is required to protect the person or others from serious harm.
- Health and Social Care Act 2008, section 20A: recognises CQC functions in relation to the processing of relevant information by registered persons, including patient information and other information generated through health and adult social care.
- Care Act 2014: supports lawful information sharing for adult safeguarding enquiries, safeguarding adults boards, care and support functions, assessment, review and protection from abuse or neglect.
- Mental Capacity Act 2005: applies where a person may lack capacity to make a decision about information sharing, consent, access to records, or involvement of representatives. Capacity must be decision-specific and time-specific, and any best interests decision must be documented.
- Equality Act 2010 and Accessible Information Standard: information must be provided in a format and communication method that meets the person’s needs, including reasonable adjustments for disability, sensory impairment, learning disability, autism, language, literacy or communication needs.
4. Understanding the Caldicott Principles
The Caldicott Principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations or individuals. {{org_field_name}} follows the current eight Caldicott Principles and applies them to identifiable service user information, including health information, social care information, care records and other information that people would reasonably expect to be kept private.
4.1 Principle 1: Justify the purpose for using confidential information
Every instance of patient information use must be justified. Staff must:
- Clearly define why data is needed before accessing or sharing it.
- Ensure that all data-sharing activities align with service user care and safety.
- Conduct regular audits to assess the necessity of ongoing data processing.
Every proposed use or disclosure of confidential service user information must have a clearly identified purpose and must be necessary, lawful and proportionate. Staff must record the reason for access or disclosure where the reason is not already clear from the person’s care and support plan, safeguarding record, risk assessment or legal requirement.
4.2 Principle 2: Use confidential information only when it is necessary
Wherever possible, anonymised or pseudonymised data should be used instead of personally identifiable information. Staff must:
- Evaluate if identifiable data is essential before sharing information.
- Use reference codes or initials where full disclosure is unnecessary.
- Ensure that only relevant team members have access to identifiable information.
4.3 Principle 3: Use the minimum necessary confidential information
Staff must:
- Share only the minimum amount of data required to achieve the intended purpose.
- Avoid excessive or irrelevant data collection and sharing.
- Regularly review data retention and remove unnecessary records in line with GDPR requirements.
- Check that the amount of information shared is adequate, relevant and limited to what is necessary for the stated purpose. For example, a safeguarding referral should include enough information to protect the person from harm, but should not include unrelated personal details.
4.4 Principle 4: Access to confidential information should be on a strict need-to-know basis
- Access is restricted to authorised personnel only.
- Information is shared within a secure, controlled environment.
- Access logs and permissions are reviewed regularly to prevent unauthorised use.
- Access permissions must reflect the person’s role and responsibilities. Managers must review access rights when staff change role, leave employment, move service location, or no longer require access. Shared logins must not be used for systems containing personal or confidential information.
4.5 Principle 5: Everyone with access to confidential information should be aware of their responsibilities
- All staff handling patient data must undergo mandatory data protection training.
- Clear policies and guidelines are provided to ensure staff understand their responsibilities.
- Breach of confidentiality is treated as a serious offence and may result in disciplinary action.
- Staff must understand that confidentiality is not absolute. They must know when information should be protected and when it must be shared to protect the person or others from harm, support safe care, comply with law, or meet CQC and safeguarding requirements.
4.6 Principle 6: Understand and Comply with the Law
- Staff must be familiar with legal requirements surrounding data protection and sharing.
- Policies are reviewed to ensure ongoing compliance with GDPR, CQC, and NHS Digital guidance.
- The Data Protection Officer, where one is legally required or appointed by {{org_field_name}}, or the nominated Data Protection Lead, will oversee data protection compliance, advise on information governance issues, support breach management, maintain relevant records and escalate concerns to senior management.
4.7 Principle 7: The Duty to Share Information Can Be as Important as the Duty to Protect Confidentiality
- In cases where information sharing is essential for safeguarding, protection from harm, or public interest, staff must disclose necessary information in line with legal requirements.
- Justifications for sharing data without consent must be clearly documented.
- All disclosures must align with local safeguarding procedures and national laws.
Staff must never delay urgent safeguarding or emergency information sharing because consent has not been obtained, where there is a lawful basis to share and delay may place the person or another person at risk of harm. The reason for sharing without consent must be recorded, including what was shared, with whom, when, by whom, and why it was necessary and proportionate.
4.8 Principle 8: Inform people about how their confidential information is used
{{org_field_name}} will ensure that people using the service, and where appropriate their representatives, are provided with clear, accessible and transparent information about how their confidential information is collected, used, stored, shared and protected. This will normally be done through the organisation’s privacy notice, service user guide, care planning process and direct discussions with the person.
Information must be provided in a way the person can understand, taking account of disability, communication needs, language, literacy, mental capacity, sensory impairment, learning disability, autism or other needs. Staff must record where information has been provided in an alternative format or where a representative, advocate, attorney, deputy or best interests decision-maker has been involved.
4.9 Caldicott Guardian or nominated confidentiality lead
Where {{org_field_name}} is required to appoint, or chooses to appoint, a Caldicott Guardian, the Caldicott Guardian will provide senior advice and oversight on the use and sharing of confidential service user information. Where a Caldicott Guardian is not appointed, {{org_field_name}} will identify a senior nominated confidentiality lead who will work with the Registered Manager, Data Protection Lead and safeguarding lead to support lawful, ethical and proportionate information sharing.
The Caldicott Guardian or nominated confidentiality lead will be involved in complex decisions about information sharing, particularly where there is a conflict between confidentiality, consent, safeguarding, public interest, serious risk, legal duties or the person’s expressed wishes. Decisions and advice must be documented.
5. Managing Service User Information Safely and Lawfully
5.1 Secure Data Collection and Storage
- Electronic records are stored on encrypted and password-protected systems.
- Paper records are kept in locked cabinets, accessible only to authorised staff.
- Data retention policies ensure information is not kept longer than necessary.
All records must be accurate, complete, legible, dated, timed where relevant, attributable to the person making the entry, and updated as soon as practicable after the event or decision being recorded. Records must clearly show the care and support provided, decisions made, risks identified, actions taken, reviews completed, information shared and the rationale for significant decisions.
Records must be stored securely whether they are paper-based, electronic, verbal, photographic, audio, video, email-based, text-based or held in a care management system. Staff must not store service user information on personal devices, personal email accounts, unapproved cloud storage, messaging applications or removable media unless this has been expressly authorised, risk assessed and protected by appropriate security controls.
Where digital systems are used, access must be controlled by individual user accounts, strong passwords or multi-factor authentication where available, role-based permissions, audit trails, back-up arrangements and prompt removal of access when staff leave or change role.
5.2 Records required by CQC Regulation 17
{{org_field_name}} will maintain securely the following records required for the safe and effective management of the regulated activity:
- An accurate, complete and contemporaneous record for each person using the service, including care and support plans, assessments, risk assessments, reviews, communication needs, consent and capacity records, medicines support information where applicable, safeguarding information, incidents, complaints, health appointments, professional contacts and decisions made about care and support.
- Records relating to staff employed or engaged in carrying on the regulated activity, including recruitment checks, training, supervision, competency, conduct, confidentiality agreements and access permissions.
- Records relating to the management of the regulated activity, including audits, governance checks, quality assurance, complaints, incidents, safeguarding referrals, data protection incidents, lessons learned, business continuity, policies and procedures, and evidence of improvement actions.
Records must be available to authorised staff when needed for safe care and must be made available to CQC or other lawful authorities where required.
5.3 Retention, archiving and secure disposal
{{org_field_name}} will retain service user, staff and management records only for as long as there is a lawful reason to do so, taking account of legal, regulatory, contractual, safeguarding, insurance, commissioning and limitation requirements. Retention periods will be set out in the organisation’s retention schedule.
When records reach the end of their retention period, they must be reviewed and securely destroyed, deleted, anonymised or archived in accordance with the retention schedule. Secure disposal must be recorded where appropriate. Paper records must be shredded or disposed of through an approved confidential waste process. Electronic records must be deleted securely and in a way that prevents unauthorised recovery where practicable.
5.4 Information sharing procedures
Information will be shared only where there is a lawful basis, a clear purpose and a need to share. Information sharing must be necessary, proportionate, relevant, adequate, accurate, timely and secure. Staff must consider the Caldicott Principles, UK GDPR, Data Protection Act 2018, common law confidentiality, safeguarding duties, Mental Capacity Act 2005, Care Act 2014, contractual requirements and CQC requirements before sharing confidential service user information.
Information may be shared with health professionals, local authorities, commissioners, safeguarding teams, emergency services, advocates, attorneys, deputies, family members, representatives, CQC, the ICO, police or other agencies where this is lawful and necessary for care, safeguarding, risk management, legal compliance, regulatory oversight, public interest or protection from harm.
Where information is shared, staff must record what was shared, with whom, when, by whom, the method of sharing, the reason for sharing, the lawful basis where required, whether consent was obtained or why it was not required, and any follow-up action.
Where routine or repeated information sharing takes place with another organisation, {{org_field_name}} will use an information sharing agreement, data processing agreement or contract where appropriate. These agreements must describe the purpose of sharing, types of information shared, lawful basis, responsibilities, security arrangements, retention, breach reporting and contact points.
Staff must use approved secure communication methods. Confidential information must not be sent by unencrypted personal email, personal messaging accounts or insecure channels. Where information is sent by email, staff must check the recipient, use secure email where available, include only the minimum necessary information, and follow organisational procedures for encryption or password protection where required.
5.5 Consent, lawful basis and mental capacity
Consent is important, but it is not the only lawful basis for using or sharing personal information. {{org_field_name}} will identify and record the appropriate lawful basis under UK GDPR Article 6 and, where special category data is used, the relevant Article 9 condition and Data Protection Act 2018 Schedule 1 condition where required.
Where consent is used, it must be freely given, specific, informed and unambiguous. Explicit consent must be obtained where this is legally required. The person must be told what information will be shared, who it will be shared with, why it is being shared, and that consent can be withdrawn. Consent decisions must be recorded and reviewed where circumstances change.
Where consent is not the appropriate lawful basis, information may still be used or shared where there is another lawful basis, including where sharing is necessary for the provision of care and support, safeguarding, prevention of harm, vital interests, legal obligation, public interest, regulatory requirement, contract management, legitimate interests where applicable, or another lawful condition under data protection legislation.
A person’s refusal to consent should normally be respected unless there is a lawful reason to override it, such as serious risk of harm, safeguarding concerns, legal requirement, vital interests, public interest, or risk to others. The decision to share without consent must be authorised by an appropriate manager unless urgent circumstances require immediate action. The reason must be clearly recorded.
Where there is doubt about a person’s capacity to make a specific decision about information sharing, staff must assess capacity in accordance with the Mental Capacity Act 2005. Capacity must be assumed unless there is evidence otherwise, and people must be supported to make their own decision wherever possible. If the person lacks capacity, any decision must be made in their best interests, must be the least restrictive option, and must involve relevant representatives where appropriate.
Staff must check whether there is a valid and applicable Lasting Power of Attorney, Court of Protection deputy, advance decision, advocate, litigation friend or other legally recognised representative before sharing information with someone acting on the person’s behalf.
5.6 Privacy notices and transparency
{{org_field_name}} will provide a clear and accessible privacy notice explaining what personal information is collected, why it is used, the lawful basis for processing, who it may be shared with, how long it is kept, how it is protected, the person’s rights, how to complain, and how to contact the Data Protection Lead or Data Protection Officer where appointed.
The privacy notice must be made available to service users, representatives and staff. It must be reviewed at least annually or sooner if there are significant changes in how information is used. Where a person has communication needs, the privacy notice must be provided in an accessible format, such as easy read, large print, translated information, verbal explanation, pictorial format or other reasonable adjustment.
5.7 Data subject rights and subject access requests
People using the service, staff and other individuals have rights under UK data protection law. These include the right to be informed, right of access, right to rectification, right to erasure where applicable, right to restrict processing, right to data portability where applicable, right to object, and rights relating to automated decision-making where applicable.
Requests for access to personal information must be treated as subject access requests and forwarded immediately to the Data Protection Lead or Data Protection Officer where appointed. {{org_field_name}} will verify the requester’s identity and authority to act, respond within the statutory timescale, and only withhold or redact information where a lawful exemption applies, including protection of third-party information, safeguarding, legal privilege, serious harm or other applicable restrictions.
Requests from relatives, advocates, attorneys, deputies, commissioners, police, local authorities, health professionals or other third parties must be checked carefully. Information must not be disclosed simply because the person asking is involved in the person’s life. The organisation must confirm the lawful basis, authority and necessity for disclosure.
5.8 Handling personal data breaches and confidentiality incidents
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes lost records, emails sent to the wrong person, unauthorised access to care records, cyber incidents, verbal disclosure to the wrong person, missing paper files, lost devices, ransomware, inappropriate staff access, or failure to keep information secure.
All suspected or actual breaches must be reported immediately to the Registered Manager and Data Protection Lead or Data Protection Officer where appointed. Staff must not attempt to conceal a breach or delay reporting. The breach must be recorded on the data breach log, including the date and time identified, the nature of the breach, people affected, information involved, immediate containment action, risk assessment, notifications made, outcome and lessons learned.
The Data Protection Lead or Data Protection Officer where appointed will assess whether the breach is likely to result in a risk to individuals’ rights and freedoms. Where required, {{org_field_name}} will report the breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If reporting is delayed beyond 72 hours, the reason for the delay must be recorded and provided to the ICO where required.
Where the breach is likely to result in a high risk to the rights and freedoms of the affected person or people, {{org_field_name}} will inform those individuals without undue delay. The communication will describe the nature of the breach, likely consequences, action taken or proposed, steps the person can take to protect themselves, and who to contact for further information.
Where a data breach is also a safeguarding concern, incident, complaint, cyber security incident, notifiable safety incident or CQC-notifiable event, the Registered Manager will ensure that the relevant safeguarding, incident reporting, duty of candour, CQC notification, commissioner notification and business continuity procedures are followed.
Following any breach, {{org_field_name}} will complete a lessons learned review and take action to reduce recurrence. This may include staff supervision, retraining, disciplinary action, changes to access permissions, system changes, policy updates, additional audits, improved contracts or improved physical security.
5.9 Data protection complaints
{{org_field_name}} will maintain a clear data protection complaints process in accordance with UK data protection law, including the Data (Use and Access) Act 2025. A data protection complaint may include a concern about access to records, accuracy of records, confidentiality, information sharing, privacy notices, data breaches, failure to respond to a rights request, or how personal information has been used.
Data protection complaints must be acknowledged, recorded, investigated and responded to without undue delay. The response must explain the outcome, any action taken, and the person’s right to complain to the Information Commissioner’s Office if they remain dissatisfied. Complaints must be reviewed for learning and improvement and cross-referenced with the Complaints Policy, Duty of Candour Policy, Safeguarding Policy and Incident Reporting Policy where relevant.
5.10 Data Protection Impact Assessments
{{org_field_name}} will complete a Data Protection Impact Assessment where a proposed activity is likely to result in a high risk to individuals’ rights and freedoms. This includes introducing new digital care record systems, remote monitoring, surveillance or CCTV, large-scale processing, new information sharing arrangements, new technology, automated decision-making, or processing involving vulnerable adults where the risks are increased.
The assessment will identify the purpose of processing, lawful basis, necessity, proportionality, risks to individuals, measures to reduce risk, consultation required and approval arrangements. High-risk processing must not begin until risks have been assessed and appropriate safeguards are in place.
5.11 Photographs, video, CCTV and digital communications
Photographs, video recordings, audio recordings and CCTV images are personal data and may be special category data where they reveal health, disability or care needs. They must only be taken, stored or shared where there is a lawful basis, clear purpose and appropriate safeguards. Consent must be obtained where required, particularly for promotional, website, social media or non-care purposes.
Staff must not use personal phones, personal cameras, personal social media accounts or personal messaging applications to record, store or share service user information unless expressly authorised in an emergency or in line with an approved organisational procedure. Any emergency use must be reported to a manager and the information transferred to the approved system and deleted from the personal device as soon as safely possible.
6. Training and Staff Responsibilities
6.1 Training Requirements
All staff, volunteers, agency workers and relevant contractors must complete confidentiality, Caldicott Principles, record keeping, information sharing, cyber security awareness and data protection training during induction and at least annually thereafter. Training must be appropriate to the person’s role and the level of access they have to service user, staff or organisational information.
Training will include UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025, the eight Caldicott Principles, common law confidentiality, safeguarding information sharing, Mental Capacity Act 2005, subject access requests, breach reporting, secure communication, accurate record keeping, CQC Regulation 17 and the organisation’s internal reporting procedures.
Staff supporting people with learning disability and autistic people must receive learning disability and autism training appropriate to their role where required by the Health and Social Care Act 2008 requirements and current code of practice. Training must support staff to provide information in accessible formats and to understand communication, consent, capacity and reasonable adjustments.
6.2 Confidentiality agreements and access controls
All staff, volunteers, agency workers and relevant contractors must agree to comply with confidentiality, data protection and information governance requirements before being given access to confidential information. Access to systems and records will be granted only where required for the person’s role. Access must be removed promptly when a person leaves, changes role or no longer requires access.
6.3 Monitoring, audit and compliance
The Registered Manager, Data Protection Lead or Data Protection Officer where appointed, and senior management team will monitor compliance with this policy through regular audits and governance checks. These will include care record audits, access permission reviews, breach log reviews, subject access request monitoring, privacy notice reviews, staff training compliance, information sharing checks, retention checks and review of complaints involving information governance.
Audit findings will be recorded, analysed and used to improve practice. Actions will be allocated to named persons with timescales and reviewed until completed. Where audits identify poor record keeping, inappropriate access, insecure sharing, repeated breaches or failure to follow procedure, the organisation will take prompt corrective action, including supervision, retraining, disciplinary action, system changes or escalation to external bodies where required.
Governance findings will be reported through the organisation’s quality assurance process and used to demonstrate compliance with CQC Regulation 17.
6.4 Staff responsibilities
All staff are responsible for protecting confidential information and for sharing information lawfully when required. Staff must:
- access records only where this is necessary for their role;
- keep records accurate, complete, factual, respectful, dated and signed or attributable;
- record care, support, risks, incidents, decisions and information sharing promptly;
- check identity and authority before disclosing information;
- use approved secure systems and communication methods;
- report breaches, near misses or confidentiality concerns immediately;
- support people to understand how their information is used;
- follow the Mental Capacity Act 2005 where capacity is in question;
- share information promptly where required for safeguarding, serious risk, emergency care, legal duty or CQC requirement; and
- seek advice from a manager, safeguarding lead, Data Protection Lead, Data Protection Officer or Caldicott Guardian/nominated confidentiality lead where unsure.
6.5 Registered Manager and senior management responsibilities
The Registered Manager is responsible for ensuring that this policy is implemented in day-to-day practice. This includes ensuring that staff are trained, records are accurate and secure, breaches are reported and investigated, audits are completed, information sharing is lawful, CQC requirements are met, and learning from incidents, complaints and audits is embedded into service improvement.
Senior management must ensure that appropriate resources, systems, contracts, security arrangements and governance processes are in place to support compliance with UK data protection law, the Caldicott Principles and CQC requirements.
7. Related Policies
This policy should be read in conjunction with:
- SL02 – Confidentiality and Data Protection Policy
- SL07 – Safeguarding Policy
- SL13 – Incident Reporting and Risk Assessment Policy
- SL19 – IT and Cybersecurity Policy
- SL25 – Complaints and Whistleblowing Policy
- Records Management and Record Keeping Policy
- Access to Records / Subject Access Request Policy
- Data Breach and Incident Response Policy
- Retention and Disposal Policy
- Mental Capacity Act and Best Interests Policy
- Duty of Candour Policy
- Information Sharing Policy
- Privacy Notice
- Data Protection Complaints Procedure
- Equality, Diversity and Accessible Information Policy
- Business Continuity and Cyber Incident Response Policy
- Medication Policy, where medicines support records are processed
8. Policy Review
This policy will be reviewed at least annually or sooner where there are changes in legislation, CQC guidance, ICO guidance, National Data Guardian guidance, safeguarding requirements, commissioning requirements, organisational structure, digital systems, information sharing arrangements, or following a significant data breach, complaint, safeguarding concern, CQC inspection finding or governance audit finding.
The review will consider whether the policy remains effective, whether staff understand and follow it, whether records and information sharing are safe and lawful, whether privacy information remains accurate, and whether lessons learned from breaches, complaints, audits and feedback have been implemented.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.