Privacy Policy

PURPOSE AND SCOPE

· This policy sets out how Lilac Heart Homecare complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

· It applies to all personal data held or processed by the Company in relation to clients (service users), staff, job applicants, contractors, and others.

This policy also supports compliance with:

· The Health and Social Care Standards (Scotland, 2018) – particularly “My privacy is respected, and my personal information is kept secure and confidential.”

· The Public Services Reform (Scotland) Act 2010

· Care Inspectorate notification requirements for incidents affecting confidentiality or welfare.

POLICY STATEMENT

· The Company recognises that clients trust us with sensitive personal and health information. We are committed to protecting that information, ensuring confidentiality, and respecting the rights and dignity of all individuals whose data we process.

· We will handle all personal data lawfully, fairly, and transparently, in line with both data protection legislation and Care Inspectorate guidance.

LEGAL AND REGULATORY FRAMEWORK

This policy ensures compliance with:

· UK GDPR and the Data Protection Act 2018.

· Health and Social Care Standards (2018).

· Care Inspectorate’s Notification Guidance for Care Services (2023).

· ICO guidance on data protection and confidentiality in care settings.

PRINCIPLES OF DATA PROTECTION

All personal data processed by the Company will be:

· Lawful, fair and transparent.

· Collected for specific, explicit and legitimate purposes.

· Adequate, relevant and limited to what is necessary.

· Accurate and kept up to date.

· Retained only as long as necessary.

· Processed securely to maintain confidentiality and integrity.

· Accountable – we must demonstrate compliance with these principles.

LAWFUL BASIS FOR PROCESSING

We process personal data under one or more lawful bases defined in UK GDPR Article 6, including:

· Consent (e.g., client agreement to share information).

· Contractual necessity (to deliver care services).

· Legal obligation (compliance with employment and care regulations).

· Vital interests (to protect someone’s life).

· Legitimate interests (for safe and effective operation of services).

· For special category data (e.g., health or care needs), processing will be based on Article 9(2)(h) – provision of health or social care – or Article 9(2)(g) – substantial public interest.

ROLES AND RESPONSIBILITIES

· Data Controller: Lilac Heart Homecare Ltd.

· Data Protection Lead: Karen McCambridge

· Registered Manager: Ensures compliance across the service.

· All Staff: Must follow this policy, maintain confidentiality, and report any data breaches immediately.

RIGHTS OF DATA SUBJECTS

Individuals have the right to:

· Be informed about how their data is used.

· Access their personal data.

· Request correction or deletion.

· Restrict or object to processing.

· Request data portability (where applicable).

· Be informed about automated decision-making (if any).

· Requests must be handled promptly and recorded in a Data Subject Request Log.

PRIVACY NOTICES

We will provide clear and accessible privacy notices to clients, employees, and others explaining:

· Who we are and how to contact us.

· What data we collect and why.

· The lawful basis for processing.

· How data will be stored, shared, and retained.

· The right to complain to the Information Commissioner’s Office (ICO).

DATA RETENTION AND DISPOSAL

The Company will retain personal data only for as long as required by:

· Care Inspectorate and local authority regulations.

· Statutory requirements (e.g., employment, payroll, care records).

Example retention periods:

· Client care records: Minimum 6 years after service ends

· Client care records: 6 years after leaving employment

· Financial records: 6 years

· Incident / complaint records: 6 years or longer if required

Records will be securely destroyed by shredding or permanent electronic deletion when no longer required.

DATA SECURITY

We will maintain appropriate technical and organisational measures to protect personal data, including:

· Password protection and access control.

· Encryption of electronic records.

· Secure email and storage systems.

· Locked filing cabinets for paper records.

· Confidentiality agreements for staff and contractors.

· Privacy controls when working remotely or using mobile devices.

· All staff receive mandatory induction and annual data protection training.

DATA BREACH MANAGEMENT

A data breach is any event that leads to the loss of, unauthorised disclosure of, or unauthorised access to personal data.

Procedure:

· Staff must report suspected breaches immediately to the Data Protection Lead or Manager.

· The Data Protection Lead will assess risk and record it in the Breach Log.

· If the breach is likely to affect individuals’ rights or freedoms:

    · The ICO will be notified within 72 hours.

    · Affected individuals will be informed without undue delay.

· If the breach affects a service user’s privacy or welfare, the Care Inspectorate will also be notified in accordance with its Notification Guidance for Care Services.

Note: All breaches, even if minor or contained, must be recorded, investigated, and reviewed.

STAFF TRAINING AND AWARENESS

All staff, including agency and relief workers, must:

· Complete data protection and confidentiality training at induction and annually thereafter.

· Understand how to handle client information in line with the Health and Social Care Standards.

· Sign the Confidentiality Agreement.

Training records will be maintained as evidence for inspection by the Care Inspectorate.

DATA SHARING AND THIRD-PARTY PROCESSORS

The Company may share personal data with:

· NHS, local authorities, and other care professionals (for care co-ordination).

· Payroll and HR service providers.

· IT and system suppliers (data processors).

Before sharing, we will:

· Ensure a lawful basis exists.

· Use Data Processing Agreements that meet UK GDPR standards.

· Verify that third parties have adequate security and confidentiality controls.

PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

New systems or changes to existing processes that involve high-risk personal data will undergo a DPIA to ensure privacy risks are identified and mitigated before implementation.

MONITOR, AUDIT AND REVIEW

· The Company will conduct regular audits of data protection compliance.

· This policy will be reviewed annually or sooner if legislation or guidance changes.

· Outcomes of audits and breaches will be reported to senior management for action.

ALIGNMENT WITH CARE INSPECTORATE STANDARDS

This policy supports compliance with the following Health and Social Care Standards:

· Standard 1.23: “My needs, as agreed in my personal plan, are fully met, and my wishes respected.”

· Standard 1.25: “I can choose to have my personal information kept confidential.”

· Standard 2.7: “My privacy is respected.”

· Standard 4.11: “I experience high-quality care and support based on relevant evidence, guidance and best practice.”

The Company also complies with the Care Inspectorate Notification Guidance, ensuring:

· Prompt notification of any incidents affecting client confidentiality, privacy, or welfare.

· Evidence of ongoing staff training and awareness.

· Secure and accurate record keeping for all care activities.

RELATED POLICIES

This policy should be read with:

· Confidentiality Policy

· Record Keeping Policy

· Incident Reporting and Notification Policy

· Information Security Policy

· Staff Training Policy

· Privacy Notices (Clients & Staff)

· Data Breach Response Procedure

· Records Retention Schedule

ACCOUNTABILITY AND GOVERNANCE

Senior management are responsible for ensuring:

· Adequate resources for compliance.

· Regular reviews and audits.

· That all staff are trained and understand their responsibilities.

· The Data Protection Lead will act as the point of contact for all data protection matters, including liaison with the ICO and Care Inspectorate when required.

CONSEQUENCES OF NON-COMPLIANCE

Failure to comply with this policy may result in:

· Disciplinary action (up to dismissal).

· Enforcement action or fines by the ICO.

· Regulatory action by the Care Inspectorate.

· Reputational damage to the Company.

REVIEW AND APPROVAL

This policy will be reviewed annually by the Data Protection Lead and Registered Manager to ensure ongoing compliance with:

· UK GDPR & Data Protection Act 2018

· Health and Social Care Standards (2018)

· Care Inspectorate guidance and regulatory expectations