1. Introduction

Each organisation must collect, use, store and retain (for a specified time period) information about people with whom it works. This includes:

  • adults and their families who use the service, including their children, and those who are no longer in receipt of services;
  • current, past and prospective staff; and
  • current, past and prospective staff; and
  • suppliers.

In addition, it may be required to collect and use information in order to comply with the requirements of central government, such as in the case of a Safeguarding Adults Review or Care Quality Commission inspection.

The organisation must comply with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

The organisation must ensure through its procedures and working practices that all employees, including contractors, consultants, suppliers and partners who have access to any personal data held by or on behalf of the organisation, are fully aware of and abide by their duties and responsibilities under the GDPR.

Personal information must be handled and dealt with in accordance with legislation regardless of how it is collected, recorded, stored and used, and whether it be on paper, on computer or digital records or recorded in any other way.

2. Legislation

2.1 Data Protection Act 2018

The Data Protection Act 2018 aims to ensure that UK data protection legislation keeps pace with technological change, and the impact that has on the collection and use of personal data.

It also provides additional functions and clarification of the role of the Information Commissioner and the Information Commissioner’s Office.

2.2 UK General Data Protection Regulation

The UK GDPR is the UK General Data Protection Regulation (see UK GDPR Guidance and Resources -ICO) which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for processing personal data.

It is based on the EU GDPR (which applied in the UK before the above date) with some changes to make it more effective. The EU GDPR is regulated separately by European supervisory authorities.


  • gives individuals greater control of their data by improving consent processes;
  • introduces the ‘right to be forgotten’ which enables the data subject to have their data ‘forgotten’ once it is no longer being used for the purpose which it was collected. The ‘right to data portability’ allows individuals to acquire and reuse their personal data across different services.

If staff receive a query about personal data, they should contact their Information Governance team for advice.

3. Principles of Data Protection: Article 5 DPA

These principles are legally enforceable and set out the requirements for processing personal data (see also 3.2 What is personal data under Article 4 GDPR?). Processing data includes the collecting, recording and sharing of data. To comply with the DPA, this must be:

  • lawful and fair and in a transparent manner in relation to the data subject. (lawfulness, fairness and transparency principle);
  • specified, explicit and legitimate and not further processed for other purposes incompatible with those purposes (purpose limitation principle);
  • adequate, relevant and not excessive to what is necessary in relation to the purposes for which data is processed (the data minimisation principle);
  • accurate and kept up to date (the accuracy principle);
  • kept for no longer than is necessary for the purposes for which the personal data is processed (the storage limitation principle); and
  • stored in a way that ensures appropriate security including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (the integrity and confidentiality principle and the accountability principle).

3.1 Handling personal or sensitive information

The DPA outlines conditions for the processing of personal data, and make a distinction between personal data and sensitive personal data.

Personal data is defined as, data relating to a living individual who can be identified from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Data controllers are, in many circumstances, required to notify the Information Commissioner of this processing.

3.2 What is personal data under Article 4 GDPR?

Personal data is:

  • any information relating to an identified or identifiable natural person;
  • an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as:
    • a name;
    • a number;
    • location data;
    • an online identifier; or
    • factors specific to the physical or genetic, mental, economic cultural or social identity of that natural person.

Personal data can include email addresses, IP addresses, DNA, facial analysis, fingerprints and encrypted data etc.

3.3 Special Categories of Data (sensitive personal data): GDPR Article 9

Sensitive personal data is defined as personal data consisting of information as to:

  • racial or ethnic origin;
  • political opinion;
  • religious or other beliefs;
  • trade union membership;
  • physical or mental health or condition;
  • sexual life and sexual orientation;
  • criminal proceedings or convictions, including biometric data for the purpose of uniquely identifying an individual.

3.4 Section 35 DPA: fair and lawful

Processing for law enforcement is lawful if it is based on law and either of these two conditions are met:

  1. when an individual consents to processing; or
  2. it is necessary for performance of public task carried out by competent authority.

3.5 Criminal offences and convictions: Article 10 GDPR and Section 10 DPA

  • Data about the commission of offences, criminal proceedings or sentences has additional conditions to be met when processing (Schedule 1 Part 3 DPA);
  • personal data relating to criminal convictions and offences or related security measures include personal data relating to:

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to  have been committed by the data subject or the disposal of such proceedings, including sentencing.

3.6 Schedule 8 DPA: lawful sensitive processing

It is lawful to process sensitive information if any of the following grounds exist:

  • Para 1 – statutory purpose;
  • Para 2 – administration of justice;
  • Para 3 – protecting individual’s vital interests;
  • Para 4 – protecting children and individuals at risk;
  • Para 5 – Legal proceedings;
  • Para 6- preventing fraud.

4. Data Protection Practice

The organisation must:

  • observe fully conditions regarding the fair collection and use of personal information;
  • meet its legal obligations to specify the purpose for which information is used;
  • collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  • ensure the quality of information used;
  • apply strict checks to determine the length of time information is held;
  • take appropriate technical and organisational security measures to safeguard personal information;
  • ensure that personal information is not transferred abroad without suitable safeguards;
  • ensure that the rights of people about whom the information is held can be fully exercised under data protection legislation. These include:
  • the right to be informed that processing is being undertaken;
  • the right of access to one’s personal information within the statutory timescale;
  • the right to prevent processing in certain circumstances;
  • the right to correct, rectify, block or erase information regarded as wrong information.

In addition, the organisation should ensure that:

  • there is someone with specific responsibility for data protection in the organisation;
  • everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
  • everyone managing and handling personal information is appropriately trained to do so;
  • everyone managing and handling personal information is appropriately supervised;
  • anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
  • queries about handling personal information are promptly and courteously dealt with;
  • methods of handling personal information are regularly assessed and evaluated;
  • performance with handling personal information is regularly assessed and evaluated;
  • data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.

All employees should be aware of this policy and of their duties and responsibilities under the DPA.

All managers and staff will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

  • paper files and other records or documents containing personal / sensitive data are kept in a secure environment;
  • personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
  • individual passwords should be such that they are not easily compromised.

All contractors, consultants, suppliers and partners of the organisation must:

  • ensure that they and all of their staff who have access to personal data held or processed for or on its behalf, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the DPA. Any breach of any provision of the DPA will be deemed as being a breach of any contract between the organisation and that individual, partner or firm (see Report a Breach, Information Commissioner’s Office);
  • allow data protection audits by the organisation of data held on its behalf (if requested);
  • indemnify the organisation against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All contractors and suppliers who use personal information supplied by the organisation will be required to confirm that they abide by the requirements of the DPA in relation to such information supplied by the organisation.

The organisation must also:

  • ensure data subjects are given greater control of their data by improving consent processes. Consent must be freely given, specific, informed and give a clear indication of their wishes. This must be provided by a statement or clear affirmative action, signifying the individual’s agreement to the processing of their personal data;
  • must ensure that data subjects have the ‘right to be forgotten’ which enables them to have their data ‘forgotten’ once it is no longer being used for the purpose which it was collected. The ‘right to data portability’ also allows individuals to acquire and reuse their personal data across different services;
  • keep a record of data operations (mapping data flow within the organisation) and activities and assess if it has the necessary data processing agreements in place, and take action to remedy if not;
  • carry out privacy impact assessments (PIAs) on its products and systems;
  • designate a data protection officer (DPO) if applicable to the organisation;
  • review processes for the collection of personal data;
  • be aware of the duty to notify the Information Commissioner’s Office of a data breach (the relevant supervisory authority);
  • ensure ‘privacy by design’ and ‘privacy by default’ in new products (such as a new case recording system) and assess whether existing products used by the organisation meets the new data protection standards and take action accordingly to ensure compliance.

Please note: Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start for example when:

  • building new IT systems for storing or accessing personal data;
  • developing legislation, policy or strategies that have privacy implications;
  • embarking on a data sharing initiative; or
  • using data for new purposes.

Such systems should automatically provide privacy by default, rather than requiring activation by the user.

5. Redaction of Third Party Data

When redacting personal data about third parties the following points should be remembered:

  • third party personal data must be redacted. A typical example would be processing information about other residents in a care home setting;
  • workers do not need to redact staff information;
  • redaction should be effective.

6. Rights of the Data Subject

Any person whose information is being accessed has the following rights:

  1. to be informed of data processing (for example a privacy notice);
  2.  to be able to access information free of charge (also known as a Subject Access Request) – there is a one month time limit to respond to any request;
  3. to have inaccuracies corrected;
  4. to have information erased;
  5. to restrict processing;
  6. to have data portability;
  7. intervention in respect of automated decision making;
  8. to be able to withdraw consent;
  9. to complain to the ICO.

Restrictions can be placed on these rights for law enforcement purposes, where it is necessary and proportionate.

6.1 Right to be informed (Section 44 DPA)

An person whose information is being processed should receive a privacy notice, setting out:

  1. lawful basis for processing;
  2. who the Data Protection Officer (DPO) is;
  3. what information will be processed;
  4. who it may be shared with and why;
  5. how long it may be held;
  6. details of rights;
  7. how to complain.

6.2 Rectification (Section 46 DPA)

A person whose information is being processed has the following rights:

  • to rectify or correct inaccurate information;
  • if information is incomplete it must be completed;
  • rectification or correction can be achieved by the provision of a supplementary statement;
  • where the rectification is of information maintained for the purposes of evidence, instead if rectifying, the processing should be restricted;
  • be informed in writing if request has been granted and if not the reasons for this.

7. What is a Data Breach?

A breach of security which can be either accidental or unlawful and which involves:

  1. destruction;
  2. loss;
  3. alteration;
  4. unauthorised disclosure;
  5. unauthorised access.

A breach covers accidental and deliberate causes and is more than just losing personal data.

7.1 Examples of data breaches

These are commonly occurring breaches:

  1. access by an unauthorised third party;
  2. deliberate or accidental action (or inaction) by a controller or processor;
  3. sending personal data to an incorrect recipient;
  4. computing devices containing personal data being lost or stolen;
  5. alteration of personal data without permission; and
  6. loss of availability of personal data

7.2 What constitutes a serious data breach?

A serious data breach:

  • is where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, risk of physical harm, financial loss, loss of confidentiality or any other significant economic or social disadvantage;
  • must be assessed on a case by case basis;
  • must consider these factors: detriment / nature of data / volume (detriment includes emotional distress as well as both physical and financial damage).

All serious data breaches must be reported to the ICO within 72 hours of becoming aware of the breach.

Appendix 1: Brexit Legislation

Brexit legislation amends the DPA 2018 from the end of the implementation period to include:

  1. amendments to the DPA 2018 so that it operates with the UK GDPR and other UK data protection laws following the end of the implementation period;
  2. merger of the ‘applied GDPR’ regime into the UK GDPR.

The implementation period is due to end on 31 December 2021, unless arrangements are put in place to extend it.

Following the Brexit implementation period, the DPA 2018 covers the processing of personal data:

  1. under the UK GDPR;
  2. by competent authorities for law enforcement purposes;
  3. by the intelligence services.