This policy has been written to ensure that the processing of Personal Data in connection with employees and Service Users will comply with the UK Data Protection Act 1998, which implements within the UK the requirements of the EC Data Protection Directive (EC/95/46).

The basic requirement is that the processing, both automated and manual, shall comply with the following data protection principles, which require that personal data shall:

  • Be processed fairly and lawfully
  • Be obtained only for specified and lawful purposes, and not be processed in any incompatible manner
  • Be adequate, relevant and not excessive
  • Be accurate and, where necessary, kept up to date
  • Not be kept longer than necessary
  • Shall be processed in accordance with the rights of Data Subjects
  • Be protected by appropriate security measures
  • Not be transferred outside the EEA unless adequate level of data protection exist

Rights of Access:

Service Users and employees have the right to be supplied with a copy of their personal data the company retains. All requests are to be made to the Manager who is the – “Data Protection Co-ordinator”. In their absence the company’s responsible individual is to be contacted.

When requesting to view personal data, Service Users and employees are required to complete Form DP001.

An authorised representative may be allowed to view the data provided the Registered Manager or Responsible individual is satisfied that permission has been given i.e. signature on FORM DP001 and proof of identity seen.

The company will respond to any request for personal data within ten days.

If a request is made more than once in any twelve-month period a Fee of £5.00 may be charged to cover administration costs.

Viewing of the document/s will be in the presence of the Registered Manager or responsible individual. This is for security reasons i.e. so that no material can be removed or destroyed.

Service Users and employees are requested to inform the company of any changes in their circumstances that could affect the accuracy of the data.

Every effort will be made to resolve any disagreement between the company and the data subject, but in situations were the matter cannot be resolved, the following procedures are to be followed:

Service Users are requested to use the company’s formal complaints procedure.

Employees are requested to use the company’s formal grievance procedure.

Retention of Records

Service User Records:

Service User records covered by this policy shall be retained, after the actual date of the Service User leaving for the following period – 5 years, after that period the records will be destroyed.

What may Service User records contain?

They may contain any information legitimately required for the purposes of:

Statutory records required by legislation, regulations or at the request of the registration authority

Operational management and administration that will enable the company to give quality care

These may include the following:

  • Service User Agreement
  • Service User Assessment Details
  • Service User Care Plan
  • Service User Financial Account
  • Service User Medical Records (Depending on Circumstances)
  • Risk assessment forms associated with the Service User

These are examples only and there will be other legitimate entries that may be included.

What may not be included is information, data or other material that cannot legitimately be shown to be related directly or indirectly to affording the Service User quality care.

Record Review:

To ensure accuracy of personal data all records will be reviewed once every 12 months. The Home Care Co-Ordinator is responsible for carrying out the above review. A note will be put on the Service Users file that an annual review has taken place.


Information held on computer is password controlled. Only the Registered Manager, designated Senior Members of Staff and the registered individual are allowed access. Any information transferred to disc is held in a locked cabinet.

All information held on computer relating to Service Users or employee’s is backed-up once per week. This is done for cover in case of a disaster.

No new computer or computer software may by used without the prior permission from the Registered Manager. The Registered Manager is to check to see if the register entry needs to be amended – (Register which has been compiled to include all data registered with the Data Protection Authority).

Written private Service User information i.e. Service User Agreement, financial records etc are filed in a locked cabinet in the main office, only the most senior members of staff are allowed access to this information. Documents used for the care of a Service User i.e. care plans, risk assessment forms etc are accessible by all qualified care staff, and trainees will be allowed access under the supervision of qualified staff.