GDPR

General Data Protection Regulation

1.1 The primary purpose of this policy is to ensure that Better Care and Support fully adheres to the key principles of the General Data Protection Regulation (GDPR). We are committed to protecting the privacy and rights of every individual we interact with.

1.2 This policy outlines the essential steps taken by Better Care and Support to ensure that all personal data is handled, stored, and processed in strict compliance with GDPR requirements. This document should be reviewed in conjunction with our broader suite of internal policies, operating procedures, and data governance guidance.

1.3 This policy is mandatory for all staff members at Better Care and Support who, as part of their professional role, process personal data related to colleagues, service users, clients, or any other living individuals.

2.1 Internal Roles This policy applies to all staff members within Better Care and Support. It is the responsibility of every employee to ensure that data protection standards are maintained at all times.

2.2 Individuals Covered The privacy and personal information of our Service Users and Clients are protected under this policy. We ensure that their data is handled with transparency and the highest level of security.

2.3 Stakeholders Key external stakeholders, including Commissioners and regulatory partners, are also affected by this policy, ensuring that all collaborative data processing meets legal requirements.

3.1 Knowledge & Awareness The primary objective of this policy is to empower our team at Better Care and Support with a thorough working knowledge of the principles and legal requirements of GDPR.

3.2 Compliance & Documentation Through our comprehensive suite of policies and procedures, Better Care and Support demonstrates that proactive and appropriate steps are taken to remain fully compliant with GDPR. This applies to all personal data provided by both our staff and our Service Users/Clients.

3.3 Accountability & Standards This policy serves to define clear lines of accountability and establish standardized ways of working regarding the collection, use, storage, retention, and security of all personal data.

3.4 Rights & Obligations This framework ensures that Better Care and Support understands its obligations toward the rights of staff and service users. It also outlines the critical steps and protocols to be followed in the unlikely event of a data breach.

4.1 Evolution of Data Laws The General Data Protection Regulation (GDPR) became applicable on 25 May 2018. In the UK, the Data Protection Act 2018 took effect on the same date and replaced the Data Protection Act 1998. This transition marked a significant shift toward more robust data privacy standards.

4.2 Post-Brexit Continuity Following the UK's departure from the EU, the GDPR was retained in domestic law as the UK GDPR, which sits alongside the Data Protection Act 2018. The core principles therefore remain firmly in place within our legal framework, and Better Care and Support continues to uphold these standards to ensure seamless data protection.

4.3 Protection and Responsibility GDPR provides individuals with greater control over their personal information and places enhanced obligations on organizations. At Better Care and Support, we manage these requirements through a structured, “bite-size” approach. This ensures full compliance while minimizing any impact on the day-to-day provision of high-quality care and services.


Personal Data of Deceased Individuals It is important to note that GDPR (and the Data Protection Act 2018) applies only to living individuals; records about people who have died fall outside it. Such records are governed by other legal frameworks, and the common law duty of confidentiality continues to apply to their information after death.

Continued Statutory Compliance While GDPR governs living individuals, Better Care and Support continues to comply with the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990. These acts remain the primary legislation for accessing health-related information in specific circumstances.

Better Care and Support is required to take a proportionate and appropriate approach to GDPR compliance. We understand that not all organisations will need to take the same steps – it depends on the volume and types of personal data processed, as well as the processes already in place to protect that data.

Where we process significant volumes of personal data, including special categories of data, or have unusual or complicated processes in place for handling personal data, we will consider obtaining legal advice specific to the processing we conduct and the steps we may need to take.


To ensure Better Care and Support’s compliance with GDPR, a suite of documents is available and should be read in conjunction with this overarching policy to provide a framework:

  • Initial Privacy Impact Assessment Policy & Procedure
  • GDPR – Key Terms Guidance
  • GDPR – Key Principles Guidance
  • GDPR – Processing Personal Data Guidance
  • Appointing a Data Protection Officer Guidance
  • Data Security and Retention Policy & Procedure
  • Website Privacy Policy & Procedure
  • Subject Access Requests Policy & Procedure
  • Subject Access Requests Process Map Policy & Procedure
  • Subject Access Requests – Request Letter Policy & Procedure
  • Rights of a Data Subject Guidance
  • Breach Notification Policy & Procedure
  • Breach Notification Process Map Policy & Procedure
  • Fair Processing Notice Policy & Procedure
  • Consent Form
  • GDPR – Transfer of Data Guidance
  • Privacy Impact Assessment Policy & Procedure

The key principles and themes of each of the documents listed above are summarised below:

Initial Audit and Privacy Impact Assessment Better Care and Support understands that we should conduct an audit of the personal data we currently process. This can be carried out internally by Better Care and Support with the assistance of key staff members. The audit will reveal whether the way Better Care and Support processes personal data meets the requirements of GDPR and will also indicate whether we should delete some of the personal data currently held. An initial Privacy Impact Assessment template is provided as part of the GDPR documentation.

Better Care and Support understands that there are two primary reasons to ensure that compliance with GDPR is achieved:

  • It promotes high standards of practice and support, providing significant benefits for staff and, in particular, our Service Users/Clients.

  • Compliance with GDPR is overseen in the UK by the Information Commissioner's Office (ICO). Under the UK GDPR, the ICO can issue a fine of up to £17.5 million or 4% of an organisation's total annual worldwide turnover, whichever is higher (the EU GDPR equivalent is €20 million or 4% of turnover).


The potential consequences are therefore significant. Better Care and Support appreciates that it is important to remember, however, that the intention of the ICO is to educate and advise, not to punish. The ICO wants organisations to achieve compliance.


A one-off, minor breach may not attract the attention of the ICO, but if Better Care and Support persistently breaches GDPR or commits significant one-off breaches (such as the loss of a large volume of personal data, or the loss of special categories of data), it may be subject to ICO enforcement action. In addition to imposing fines, the ICO also has the power to conduct audits of Better Care and Support and our data protection policies and processes.

5. Implementation Steps and Responsibilities

5.1 Policy Review All staff are required to review the GDPR policies, procedures, and guidance that will be produced over the coming months.

5.2 Data Protection Oversight Better Care and Support will nominate a person or team to be responsible for data protection and GDPR compliance. Appointing a Data Protection Officer is mandatory under Article 37 of the GDPR where an organisation's core activities involve large-scale processing of special categories of data, such as health records, so this test will be applied before deciding. If a formal Data Protection Officer is not required, a designated point of contact with a thorough understanding of the requirements will be appointed.

5.3 Management Responsibility The Registered Manager must ensure all staff understand the provided policies and procedures, specifically how to handle Subject Access Requests and the protocol for GDPR breaches.

5.4 Staff Training The Registered Manager will evaluate the need for internal GDPR training for all staff members, focusing particularly on the Key Principles of GDPR.

5.5 Data Audit Better Care and Support will conduct a comprehensive audit of all currently held personal data using the provided Initial Privacy Impact Assessment template.

5.6 Data Retention & Disposal Based on audit results and the Records Management Code of Practice for Health and Social Care 2016, Better Care and Support will delete any personal data that is no longer required.

5.7 Continuous Compliance If necessary, Better Care and Support will implement new measures or processes to ensure that personal data processing remains fully aligned with GDPR standards.

5.8 Fair Processing Where required, Better Care and Support will finalize and circulate a Fair Processing Notice to all Service Users and Clients.

5.9 Consent Protocols Where consent is the lawful basis relied upon, we will obtain it from each Service User/Client using the provided Consent Form; consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as it was to give. Where processing rests on another lawful basis, for example the provision of health or social care under Article 9(2)(h), that basis will be recorded in the Fair Processing Notice rather than relying on consent. Better Care and Support will also implement additional steps to secure consent from parents, guardians, or representatives when working with children or individuals lacking capacity.

5.10 Response Procedures Better Care and Support will ensure robust procedures are in place to respond to Data Subject requests (including Subject Access Requests, which must normally be answered within one month of receipt, extendable by a further two months for complex requests) and to manage any potential GDPR breaches appropriately, including notifying the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals.

5.11 Decision & Incident Logging The Registered Manager will maintain a detailed log of all decisions and incidents related to personal data processing using the Better Care and Support Privacy Impact Assessment template.

6.1 Data Subject The individual about whom Better Care and Support has collected personal data.

6.2 Data Protection Act 2018 A United Kingdom Act of Parliament that updates data protection laws in the UK, sitting alongside GDPR and implementing the EU’s Law Enforcement Directive.

6.3 GDPR The General Data Protection Regulation (EU) 2016/679 is a regulation on data protection and privacy for all individuals. It became enforceable on 25 May 2018.

6.4 Personal Data Any information relating to an identified or identifiable living person, including names, email addresses, postal addresses, job roles, photographs, CCTV footage, and special categories of data. Information that identifies someone only when combined with other data held by Better Care and Support is still personal data.

6.5 Processing Any action performed on personal data, including collecting, storing, holding, using, amending, or transferring it. Processing begins the moment data is collected.

6.6 Special Categories of Data Equivalent to “Sensitive Personal Data” under the previous law, this covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data used for identification, health data (including medical records), and data concerning sex life or sexual orientation. Data about criminal convictions and offences is not a special category but is subject to similar additional safeguards.


Key Facts – Professionals

  • GDPR provides enhanced protection for staff and Service Users/Clients regarding their data.

  • Compliance is mandatory, not optional.

  • Better Care and Support has adopted a proportionate approach tailored to our specific organizational needs.

  • Compliance reduces the risk of ICO fines and promotes a better-quality service and working environment.

  • This overarching policy serves as a high-level reference for all GDPR compliance areas.

  • Better Care and Support will appoint a designated person (DPO or Privacy Lead) to manage GDPR responsibilities.


Key Facts – People Affected by The Service

  • Your data will be strictly protected.

  • You have the right to access the information we hold about you.

  • We will tell you why we hold your data and the lawful basis for doing so, and where we rely on your consent we will obtain it clearly before collecting your data, in line with GDPR requirements.

  • Our staff will continue to follow strict confidentiality policies regarding all aspects of your support.

As well as the information in the ‘Underpinning Knowledge’ section of the review sheet, we recommend that you enhance your understanding of this policy area by considering the following materials:

Better Care and Support refers to The Records Management Code of Practice for Health and Social Care 2016, which has been issued by the Information Governance Alliance for the Department of Health. This document is a key resource and is available through the NHS Digital website for further reference on best practices in record keeping and data management. 

To demonstrate an ‘Outstanding’ level of practice in this policy area, Better Care and Support provides evidence of the following:

  • Comprehensive Training: We provide specialized training to all staff regarding GDPR and the specific policies and processes adopted by Better Care and Support.

  • Proactive Assessments: We conduct Privacy Impact Assessments for every new processing activity, ensuring data protection is considered even when activities do not present a ‘high risk’ to Data Subjects.

  • Regular Audits: Better Care and Support conducts consistent audits (every 6 to 12 months) of all processed personal data to ensure ongoing GDPR compliance.

  • Up-to-Date Knowledge: We maintain robust processes to stay current with the latest guidelines from the ICO and NHS Digital. This updated information is effectively cascaded to all relevant staff members.

  • Digital Integration: A wide understanding of this policy is promoted and maintained through the proactive use of our digital management systems and applications.
