Purpose: To provide information and guidance on what Westcliffe House expects of staff in relation to the personal data provided by service users and staff, to ensure that records are fit for purpose and securely maintained.

Policy: Westcliffe House expects that all personal data required and maintained for the protection and wellbeing of service users and for the employment of staff complies with the General Data Protection Regulation (GDPR). Westcliffe expects staff to be accountable for the processing, management, regulation, storage and retention of all personal data held in the form of written and electronic records.

This means that staff are expected to keep personal data safe, and that when things go wrong, staff will take the appropriate emergency action necessary to deal with any breaches, to report the incident in the correct way and to take part in any activity that will help to reduce similar breaches in the future.

Scope: This policy contains information and guidance from legislation and from relevant bodies that all staff are expected to adhere to including:

  • Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
  • Care Quality Commission (Registration) Regulations 2009
  • Data Protection Act 1998
  • EU General Data Protection Regulations 2018

The policy applies to all manual and electronic records kept by the service in relation to service users, staff, and any third parties (agencies and professionals) whose personal data is held by the service and might need to be disclosed or shared.

Managers will check guidance from relevant bodies on a regular basis to ensure they are up-to-date with the latest information about data protection and will amend this policy and its procedures accordingly.

Staff are expected to adhere to this legislation through implementation of the policy and procedures.


  1. Stay Within the Law when Processing Data
    Staff should stay within the law when processing people’s data by ensuring that they obtain data fairly and lawfully, i.e. by:

    • Keeping the data in order to enter into or fulfil your contract with the person and/or
    • Keeping the data to comply with a legal obligation and/or
    • Keeping the data to ensure the effective running of the business.

    If data is not held on one of these grounds, written and specific consent is required to keep the data. Staff should ensure that data is only held for the purposes specified.
  2. Ensure People’s Rights are Upheld
    People have the following rights and these should be upheld by staff whenever possible.

    • To have their data kept accurate, with any inaccuracies corrected when requested.
    • To have information deleted (e.g. if inaccurate or inappropriately included).
    • To restrict the processing of the data to the purpose intended.
    • To have the information sent elsewhere as requested or consented to (e.g. when transferring to another care provider).
    • To have data that is adequate, relevant and not excessive in relation to the purpose for which it is used.
    • To object to the inclusion of any information they consider irrelevant.
    • To have data kept accurate and up to date, using whatever recording means are used or agreed (e.g. manual or electronic).
    • To have data kept no longer than is necessary for its given purpose (e.g. in line with legislation and data retention guidance).
    • To have appropriate security systems to prevent unauthorised use, loss or damage to personal data.
    • To have any breaches of data security investigated and actions taken to prevent loss or damage.
  3. Employ Staff to Protect Data
    Westcliffe will employ Senior Staff to be accountable for data protection, reviewing data systems, auditing systems and ensuring data is stored and disposed of safely. There will be clear lines of responsibility with each role.
  4. Inform Service Users, Staff and Others About the Data it Holds
    Westcliffe will provide information to service users and others about the personal data it holds, where it comes from, and who it might be shared with, as well as information about their data protection rights, how it uses the personal data, and how it protects it.
  5. Keeping Data Secure
    • Staff will inform Manager/Senior if they detect or suspect any breaches in data.
    • Manager/Senior will carry out a full investigation of any suspected breach within 24 hours, informing the people involved when necessary.
    • Staff will take action to prevent security breaches if data is compromised.
    • Staff will keep records of any breaches in data security.
    • Staff will inform the ICO of any security breaches that may cause significant harm or compromise people’s security within 72 hours of this becoming known.
    • Westcliffe will class intentional data security breaches as misconduct, and those responsible will be subject to disciplinary action.
  6. Training
    Staff attend training during induction, and update information sessions annually or more frequently if desired, to make them aware of the importance of protecting people’s personal data, to teach them how to do this and to understand how to treat information confidentially. Training will include:

    • The General Data Protection Regulation Policy
    • How to maintain data confidentiality.
    • Training in the correct method for entering information in service users’ written and electronic records, including how to use the computer system to protect individuals’ private data and data security.
    • The role of data controller/auditors/protection officers.
    • The consequences of any breaches of the service’s policies and procedures.