Privacy Policy

POLICY AND PROCEDURE
DATA PROTECTION AND GDPR

Policy Number: OB DP
Compiled by: Homes Manager
Version: 1.0
Date Issued: 02.02.2024
Review due: 02.02.2025
Revision history (Version / Date / Reason for Revision / Authorised by):
Version 2

PURPOSE
This document sets out the Bubbly Homes Limited Policy and Procedure in relation to data protection and GDPR. Our
organisation expects all employees to meet the requirements of this policy.
The Registered Manager has a responsibility for ensuring that employees are made aware of the Policy and
Procedure.


INTRODUCTION
Our organisation has a responsibility to protect and manage data across all of its functions. This policy has been
written to encompass the existing Data Protection Act (DPA, 1998) and the General Data Protection Regulations
(GDPR, 2018).


As a business we process data to allow us to enable our people to be appropriately supported and cared for. In order
to do this correctly we must ensure that our practices uphold and safeguard the integrity of the registration we hold
and the services that we provide. This requires us, as a business to collect, store and process the data of people, their
families, our employees and external stakeholders.
We do this with a full commitment to the GDPR and its underlying principles. This document demonstrates how we
comply, what rights individuals have, and how to take action if individuals feel that we are in breach of this policy and
the GDPR.


RECORDS
In our role as a registered supported living provider we have to process and retain records regarding our people and
the staff that we employ. We hold information about family members and friends of our residents. We also hold
information about external professionals such as Social Workers, Doctors, Occupational Therapists and SALTs. These records
ensure that the staff that are employed are safe and of good character to work within our registered provision. The
personal care records provide us with the data necessary to provide safe and effective care
and support.
In our role as a registered supported living provider we process and retain records that provide us with the data
necessary to support the ’s journey of care and support. We process and retain records that allow us to employ staff
that are safe and competent within a care environment and meet the regulatory requirements for their employment.
It is the duty of our organisation to safeguard the consistency and integrity of the data that is held. Registered
Providers that fail to comply with the record keeping requirements and cannot demonstrate safe and effective
methods for obtaining, retaining and destroying data may have sanctions imposed on them by Ofsted and
non-compliances will be referred to the regulator. For this reason, how we manage that data must comply with the GDPR.
We do not hold all of the same data for all of our People or staff; this is because we only collect data that is essential
to carry out that function. Our initial assessments and care plans are written on an individualised basis. The records
that we hold for staff will depend upon their personal circumstances. For example, if a staff member declares a
disability, it may be necessary to hold a document that outlines how we will provide reasonable adjustments to support
that member of staff.
All information collected on staff or people is confidential and will be kept confidential.
It will not be disclosed to any third party without the prior written consent of the person (or their social worker) unless
such disclosure is in accordance with the guidelines provided by the General Medical Council, or the General Dental
Council, or the British Medical Association, or the British Dental Association, or the United Kingdom Central Council
for Nursing Midwifery and Health Visiting, or the Data Protection Act.
Access to files containing medical or other confidential information or the sharing of medical information shall be
limited to providing access to, or sharing information with, people who have a proper medical reason to read it or be
provided with it.
The general principles of the GDPR will inform our decision to obtain, use, retain and destroy data collected as part of
our daily processes.
A list of the records that we may hold for different functions is set out below:



 

 

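| Record | Regulatory (Ofsted, HMRC etc) | Staff Records | People’s records | Family members | External Professionals | Members of the public/contractors | Agency staff | Volunteers |
|---|---|---|---|---|---|---|---|---|
| PERSONAL DATA | | | | | | | | |
| Full Name | X | X | X | X | X | X | X | X |
| National Insurance Number | | X | X | | | | | |
| Address | | X | X | X | | | X | X |
| Date of birth | | X | X | | | | | X |
| Gender | | | X | | | | | X |
| Contact email address | X | X | X | | X | | | X |
| Phone number | X | X | X | X | | | | X |
| Mobile phone number | X | X | X | X | | | | X |
| Workplace address | X | X | | | X | | X | X |
| DBS Information | | X | | | | | X | X |
| Next of Kin | | X | X | | | | | |
| Next of Kin contact emergency details | | X | X | | | | | |
| References | | X | | | | | X | X |
| Right to work checks | | X | | | | | X | X |
| Power of Attorney or Care Order | | | X | X | X | | | |
| Training and Qualifications (certificates) | | X | X | | | | X | X |
| Interview summary | | X | | | | | | X |
| GP medical reports/Occupational Health reports | | X | X | | | | X | X |
| Personal Risk Assessment | | X | X | | | | X | X |
| Disability status | | X | X | | | | X | X |
| Reasonable adjustments to role | | X | | | | | X | X |
| Photographs | | X | X | | | | X | X |
| PIN Number | | X | | | | | X | X |
| PEOPLE’S RECORDS | | | | | | | | |
| Medical and health information | | | X | | | | | |
| Medication information and administration records | | | X | | | | | |
| Personal profile | | | X | | | | | |
| Care plans | | | X | | | | | |
| MCA and DOLS | | | X | | | | | |
| Risk Assessments | | | X | | | | | |
| Personal care and support records | | | X | | | | | |
| Nutrition and hydration records | | | X | | | | | |
| Financial records and audits | | | X | | | | | |
| Transition planning | | | X | | | | | |
| Medical appointments, admissions and discharge | | | X | | | | | |
| Health assessments and guidance | | | X | | | | | |
| Birth certificates/passport | | | X | | | | | |
| History and chronology | | | X | | | | | |
| Court orders | | | X | | | | | |
| Education outcomes/ECHP | | | X | | | | | |
| Solicitors | | | X | | | | | |
| Permissions | | | X | | | | | |
| Targets/outcomes | | | X | | | | | |
| Incidents, accidents, notifications | | | X | | | | | |
| PEP information | | | X | | | | | |
| Admission and Discharge | | | | | | | | |
| STAFF RECORDS | | | | | | | | |
| Supervision Records | | X | | | | | X | X |
| Appraisal Records | | X | | | | | X | X |
| Capability/disciplinary records | | X | | | | | X | X |
| Safeguarding referrals | | X | | | | | X | |
| ID Checks | | X | | | | | | |
| Bank details | | X | | | | | | |
| 40 hours opt out | | X | | | | | | |
| Schedule 2 information | | X | | | | | X | X |
| Agency details | | | | | | | X | |
| SERVICE RECORDS | | | | | | | | |
| Signing in and out records | | X | X | X | X | X | X | X |
| Accident book and records | | X | X | X | X | X | X | X |
| Health and safety audits and records | | X | | | | | | |
| Signature sheets | | X | | | | | X | X |
| Website | | X | | | | | | |
| Safeguarding logs and records | | X | X | X | X | X | X | X |
| Concerns, complaints, compliments and feedback | | X | X | X | X | X | X | X |
| Quality assurance records | | X | X | X | X | X | X | X |
| Communication book | | X | X | | | | X | X |
| Ofsted Notifications | | X | X | X | X | X | X | X |
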

Registered providers are required to retain the aforementioned records for differing periods of time. The Records
Management Code of Practice for Health and Social Care 2016 provides the appendix that shows the agreed length
of time for retention and destruction. Such records must be stored securely and retained for inspection by various
regulators as required. Once the records have passed their retention date the records are securely destroyed.

HOW THE INFORMATION WE COLLECT IS USED AND WHY WE NEED IT
The information that we collect allows us to fulfil our obligations to the regulator, Ofsted, and the Information
Commissioner’s Office (ICO).
• Process applications and offers of employment
The processing of this data is necessary for us to perform our official functions, is in the public interest and
has a clear basis in law. In order to be able to successfully process applications and make offers of
employment we must hold the personal information listed. This allows us as an employer to fulfil our duties to
employ staff who are capable and of good character. It allows us to demonstrate to the inspectorate that we
have fulfilled regulation and taken all reasonable steps to seek references and check the applicant’s status via
the Disclosure and Barring Service (DBS), right to work and confirm their identity.
• Provide agreed plans of care and support
The processing of this data is necessary to deliver the agreed contract of care that we hold for the individual.
In order to be able to provide high levels of care and support, we need to hold information about each of our
people. We also need to work in partnership with other external organisations/individuals such as Social
Workers, Education Providers, G.P Surgeries, Allied Health Professionals, Families and Hospitals. This
enables us to ensure safe, effective and responsive care and support. We will need to hold information that
relates to the medical needs of the person. We will hold information relating to the care plans of
individuals. We need to hold information relating to the general health and wellbeing of individuals-
assessments undertaken daily. We may need to hold records relating to the history of the person, in some
cases this may be sensitive information. We may need to hold details regarding criminal proceedings and
outcomes relating to people.
• Confirm identity, right to work in the UK and obtain Criminal Record Information
The processing of this data is a legal obligation as a health and social supported living provider.
This allows us to confirm that individuals working in and residing in the home are who they say they are. It
enables us to ensure that we have recruited individuals safely. Staff being provided with an offer of
employment will be required to prove their identity. Staff will be expected to show an acceptable form of
identification; this allows us to conduct DBS and Right to Work checks. The approved staff member
(Administrator/Registered Manager) will confirm that they have seen these original documents; no copies or
information will be held from the ID. The approved staff member will confirm that they have checked all
documents and take responsibility for the staff member’s right to work in the UK. We will retain DBS
information for all employees.
• Respond to enquiries and send information
The processing of this data is necessary to deliver the agreed contract of care that we hold for the individual.
This information is vital to keep in touch with staff, professionals, families and contractors throughout the
day-to-day running of the home. It enables us to ensure responsive and effective care. It means that as professionals
we are able to act upon our concerns immediately and keep our residents safe from harm. It allows us to
respond as a business to our clients, and to maintain relationships with a number of stakeholders. We ensure
that all information sent electronically is password protected and encrypted end to end.

• Monitor equal opportunities information
We will process this information only if the individual provides explicit consent to do so. The individual has a
right to refuse to complete this documentation. This information is anonymous at collection and is in no way
able to be linked to the individual. We ask potential candidates for employment to submit their equal
opportunities monitoring form separately in a separate envelope. We use the information that we obtain in
order to monitor our effectiveness in applying and adhering to the Equality Act 2010. Once obtained,
raw data is extracted and reported against annually.

• Undertake customer satisfaction surveys to help plan and improve services
We will process this information only if the individual provides explicit consent to do so. The individual has a
right to refuse to complete this documentation. Feedback is an essential element of our business; it is
how we continue to improve and develop. People, their representatives, their families, visitors and staff
are invited at every opportunity to provide us with feedback. We may also seek explicit approval to publish
feedback on our website and publicity materials.
• Produce statistical information for quality monitoring and contract requirements.
The processing of this data is necessary to deliver the agreed contract of care that we hold for the individual.
We gather information that is used to inform Regulators, Government Departments and Local Authorities. We
have a duty to report on key information obtained from the home. This informs others of the home’s
contractual and regulatory compliance. Data is anonymous so that no individual can be identified.
• Participate fully in quality audits and checks to confirm our capability and capacity as a regulated
provider
The processing of this data is necessary to deliver the agreed contract of care that we hold for the individual.
To safeguard and uphold the quality and the integrity of the delivery of care that we offer, we believe that
quality audits and checks allow us to monitor our practices internally and ensure that we are able to identify
any gap and potential issues. The monthly audits also provide us with a further opportunity to ensure effective
due-diligence and governance within the home and to keep executive directors informed of key information.
• Ensuring the effective running of the business
The processing of this data is necessary for our legitimate interests. If organisations/individuals are in debt to
us, we may give other people information for the purpose of recovering the debt.
• Completing Notifications
The processing of this data is necessary for us to perform our official functions, is in the public interest and
has a clear basis in law. It is a regulatory responsibility to notify regulators/authorities of significant events
that occur in the home. This includes OFSTED, CQC, Local Safeguarding Board, RIDDOR. We hold a
document within the home that provides each resident and staff member with a unique identifying code. This
will be used to provide detailed information whilst protecting identity.

CONSENT TO HOLD DATA
All residents, staff, external professionals, and families engaging with our organisation will be provided with a copy of
this policy. Before any data can be collected and used to carry out our business functions, we must obtain explicit and
verifiable written consent to hold, retain and transmit this data from the named individual. This consent declaration can
be found at the bottom of every document that gathers information from others. In the case of residents, we will
obtain an overall consent to gather data upon admission; this will identify the information that will be gathered. We will
hold information sharing agreements with all external providers; this will outline the agreement to share and hold data.
We will seek authorised permissions from the Local Authority and person’s social worker to share their information
with key visitors to the home including the home’s independent visitor and Ofsted. This permission will be held in the
person’s file.
I hereby give my expressed consent for Bubbly Homes Limited to gather, hold and exchange the information supplied
within this record. This is to enable Bubbly Homes Limited to deliver regulated provision.
I understand my rights in relation to this data as outlined in the Bubbly Homes Limited policy- Record Keeping and
Data Protection.
Bubbly Homes Limited will process this information in accordance with the General Data Protection Regulations
(2018).
I understand that I have the right to withdraw my consent at any time.
Individuals have a right to refuse the sharing of data with our organisation and its associated 3rd parties. However, this
does mean that we will be unable to process employee applications or provide contracted regulated support and care.

People need to be aware of their right to object to certain uses and disclosures of confidential information which
identifies them; however, in particular circumstances our legal duty of care overrides their personal preferences.
Where we can, we will always try and meet the expressed requests of the people.
In certain cases, if people choose to prohibit information being disclosed to other health and social care professionals
involved in providing care, this may mean that the care provided is limited and, in extremely rare circumstances, that it
is not possible to offer certain treatment or other service options. People must be informed if their decisions about
disclosure could have implications for the provision of future care or treatment. Clinicians cannot usually treat patients
safely, nor provide continuity of care, without having relevant information about a person’s condition and medical
history. (An example of this may be if a person attends a sexual health clinic, but does not disclose all of their
symptoms or refuses treatment.)
Similarly, the ability of social care professionals to provide the best service to people may be constrained if they are
not aware of the full picture of a resident’s history and circumstances.
People must be informed of all the choices they have in respect of how information about them may be used or
disclosed. If they are not able to understand the choices or the overall position, the decisions may need to be made on
their behalf by their legal representative, relatives or by an independent advocate.

RIGHTS
The GDPR outlines 8 rights regarding information. This next section highlights how we will enable those rights with the
information we obtain, hold and share.
The right to be informed
This section highlights this right, with the emphasis being on transparency, openness and integrity in how we operate
our business and apply our responsibilities under the GDPR.
The right of access
Under the GDPR, individuals have right of access to a copy of the information comprised in their personal data.
Requests should be made in writing, either by email to [email protected] or by post to the address
below:
Individuals will not be charged for this request. However, repeat or excessive requests for data may incur an
administrative charge. In most cases, information requested must be provided within 28 days of receipt. However, for
large claims of data, individuals may be informed that further time is necessary to allow for this information to be
correctly processed. In all circumstances individuals will be kept informed.
Individuals making data requests will need to verify their identity before the information can be released.
The right to rectification
Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete. Individuals must make us
aware of the inaccuracy in writing. We have the responsibility to rectify this within 28 days and inform the individual of
the changes made.
Where information has been shared with third parties, we have the responsibility to inform them of the rectification.
We must also inform the individual of the 3rd party information that has been shared.
If the decision is taken to not rectify the information, our organisation must provide the individual with the reasoning for
this. Should the individual be unsatisfied with this response, they have a right to complain (see who you should
contact if you have any concerns).
The right to erasure

Individuals have a right to have their personal data erased. Our organisation systematically reviews all data that it
collects, ensuring that the purpose for which it is obtained and retained is lawful.
Due to the nature of the business (Health and Social Care), it is necessary that some documents are retained, and as
such we are legally obliged to retain them for a designated length of time. Data that we collect as a
public task, or that we have a legal obligation to obtain, does not carry an automatic right to erasure.
Requests for full erasure must be made in writing, and it will be necessary to see a form of identification. Individuals will be
notified of the decision and the reasoning for this. Should the individual be unsatisfied with this response, they have a
right to complain (see who you should contact if you have any concerns).
The right to restrict processing
Individuals have a right to ‘block’ or suppress the processing of personal data. Where this is the case, we are
permitted to store the information, but not to further process it.
Requests for restrictive processing must be made in writing, and it will be necessary to see a form of identification.
Individuals will be notified of the decision and the reasoning for this. Should the individual be unsatisfied with this
response, they have a right to complain (see who you should contact if you have any concerns).
The right to data portability
Data portability means that individuals have a right to obtain and re-use their personal data for their own purposes,
across different services. It relates only to data that is processed through automated means, for example downloading a
CSV bank statement to upload to a price comparison site. We do not process data in this way at present.
The right to object
Individuals have a right to object to their data being processed, for example direct marketing. Individuals can ‘opt in’ to
our marketing emails. However, they may also at any time choose to ‘opt out’. In the case of marketing, any request to
remove an individual from our correspondence list will result in immediate removal.
Rights in relation to automated decision making and profiling
Individuals have the right not to be subject to decisions that are potentially damaging where the information is based
on automated profiling. We do not process data in this way at present.

SECURITY AND CONFIDENTIALITY
Our organisation takes the confidentiality of every resident's information extremely seriously, and employees who do
not comply with our confidentiality policy will be subject to disciplinary action and may face the possibility of
prosecution for a breach of the Data Protection Act 1998, The General Data Protection Regulations 2018 or the
Computer Misuse Act 1990.
All employees will be given clear guidance for the secure handling and release of any confidential information relating
to residents.
Our organisation’s data storage, e-mails and web browser are protected by multiple firewalls and passwords. E-mail
transmissions are encrypted and the web interface between our organisation and individuals is supported by Secure
Sockets Layer (SSL) which securely transmits data from browser to the Web server, or from the server to browser.
The GDPR 2018 requires that the information held be accurate, relevant and up-to-date and should not be deemed
‘excessive’. Information will be kept secure (either in a locked filing cabinet or for electronic information in a restricted
folder).
We take security very seriously. All staff are made aware of the security procedures they must follow when handling
personal information. Information is protected from unauthorised access, and we are confident no one will be able to
access an individual’s information unlawfully.

Where we store data on external servers this is password protected and authentication keys are used to ensure
secure and authorised access.
Physical security of the service includes accessibility through keypad access only and individual dedicated office
space which is securely locked at all times when unoccupied. Lockable cabinets for storage of hard copy files are in a
dedicated locked office.
Please note that internet email is never a 100% secure way of communicating. By using it, individuals agree that they
send any information by email at their own risk. We will encrypt all emails which contain sensitive data. Further
safeguards include ensuring that under no circumstances do staff employed by our organisation use identifiable
information in its communication via email. We recommend that any emails sent to us use encryption and documents
are password protected.
People must be made aware that the information they give may be recorded, may be shared in order to provide them
with care and/or support, and may be used to assist clinical/care or other service audit and other work to monitor the
quality of care or support provided.
People have the right to expect that the staff will respect their right to privacy and will act appropriately when dealing
with confidential information about a resident, even though the resident may not have sufficient capacity to
understand their rights in relation to confidential information.
People’s health, social care and other personal information and their interests must be protected through a number of
measures:
• putting in place procedures to ensure that all staff, contractors and volunteers are at all times fully aware
of their responsibilities regarding confidentiality
• recording information accurately and consistently
• keeping information private
• keeping information secure
• disclosing and using information with appropriate care and/or support.
Our organisation recognises it is essential that People’s records are kept confidential at all times.

3RD PARTIES
We are committed to the data-protection principles of good practice for handling information. All personal information
is held in secure computer and manual files, and we will only transfer data within our organisation on a ‘need-to-know’
basis.
The 3rd parties that we maintain an on-going and regulatory relationship with include Ofsted, Local Authorities, Local
Health Authorities, HSE, RIDDOR, Local Safeguarding Boards, Food Standards Agency, HMRC and DBS. Data that
is shared is encrypted and shared on a need-to-know basis only.
Individuals’ data will only be transferred within the UK.

TRAINING
All new staff will be informed about the policies on data protection, and on confidentiality, as part of their induction
process. Existing staff will be offered training covering information about confidentiality, data protection and access to
records.
Training in the correct methods for entering information in people’s records will be given to all care staff. All staff who
need to use the computer system will be thoroughly trained in its use.
Records of the training provided will be kept.

WHO SHOULD YOU CONTACT IF YOU HAVE ANY CONCERNS?

[email protected]
If you are unhappy with the way that Bubbly Homes Limited have handled your concerns, please contact
the ICO. The following link provides full details of how to address your concerns: [email protected]
Alternatively, you can call them on 07851 680476.
Bubbly Homes Limited has a legal obligation to notify the supervisory authority and the individuals concerned where
there has been a personal data breach that has led to the destruction, loss, alteration, unauthorised disclosure of or
access to personal data.
Staff are provided with copies of this policy and are trained to understand the severe nature of data breaches and how
to use the internal data breach reporting form.

MONITORING AND REVIEW
This policy will be reviewed annually as part of our self-evaluation arrangements and revised as necessary in
response to lessons learnt, customer feedback, changes in legislation and guidance from the ICO and Regulators.
Our review of the policy will ensure that our procedures continue to be consistent with the regulatory criteria and are
applied appropriately and equitably.
If you have any queries about the content of the policy or you wish to give feedback, then please contact us on 07851
680476 or email us on: [email protected]

REVIEW
This policy and procedure will be reviewed annually,