DATA PROTECTION AND UK GDPR POLICY
1. Policy Statement
Home at Peace Ltd holds personal and sensitive data about employees, service users, suppliers, and other individuals for clear, defined healthcare and operational purposes. This policy sets out how we protect personal data and ensures that staff understand the rules governing data access in the course of their work.
Staff must ensure that the Data Protection and Operational Lead is formally consulted before any significant new data processing activity is initiated to ensure that all statutory compliance steps are executed. This policy reflects our dedication to the Data Protection Act 2018 and UK GDPR, fulfilling our regulatory obligations under the CQC Single Assessment Framework
2. Core Definitions
- Business Purposes: The necessary operational activities for which personal data is processed by us, including personnel, administration, financial, regulatory compliance, corporate governance, payroll, and care delivery logistics.
- Data Controller: Home at Peace Ltd determines the purposes and lawful methods by which personal data is processed. The controller demonstrates continuous compliance with data principles and pays the statutory data protection fee to the Information Commissioner’s Office (ICO).
- Data Processor: Any external organization, agent, or subcontractor that handles personal data solely in accordance with the strict instructions of Home at Peace Ltd. Processors must maintain precise records and hold legal liability under UK law for data breaches.
- Personal Data: Information relating to identifiable individuals, such as job applicants, current and former employees, agency or contract staff, service users, and suppliers. This includes contact details, financial/pay details, educational backgrounds, CVs, and qualifications.
- Special Category (Sensitive) Data: Personal data revealing an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union memberships, physical or mental health conditions, biometric/genetic profiles, criminal offences, or related proceedings. Any use of special category data must be strictly controlled under this policy.
- Processing: Any automated or manual operation performed upon personal data, including collecting, recording, organizing, storing, disclosing, using, or destroying it.
3. Scope and System Infrastructure
This policy applies to all staff members without exception. It supplements our existing IT security protocols, including our Clear Desk Policy (MF 55) and Password Policy (MF 61).
The management team must enforce the following security parameters:
- Physical files containing sensitive care data must be kept locked in secure filing cabinets to prevent unauthorized access.
- Printed data must be commercially shredded as soon as it is no longer required
- Digital systems must use strong passwords that are changed regularly.
- All cloud services used for storing data must receive formal approval from the Data Protection Lead.
- Servers and databases containing personal data must reside in secure, approved geographical locations.
- Data networks must be backed up systematically in line with standard business continuity procedures.
- Staff must never save confidential care data or personal files directly to the local storage of mobile devices such as personal laptops, tablets, or smartphones.
4. Personnel Responsibilities
4.1 Data Protection and Operational Oversight
Overall data protection accountability, Data Controller duties, and daily operational oversight for Home at Peace Ltd are managed directly by Carol Henry. Responsibilities include:
- Informing and advising the team regarding data risks and UK GDPR obligations.
- Reviewing all internal data handling procedures annually.
- Coordinating compulsory training for all staff members during induction and every two years thereafter.
- Answering compliance questions from staff, management, and external stakeholders.
- Responding completely to individuals who submit inquiries or formal rights requests regarding their data.
- Reviewing and approving third-party processor agreements and contracts to guarantee security compliance.
- Conducting formal Data Protection Impact Assessments (DPIAs) for any high-risk IT or data configuration projects.
5. UK GDPR Principles for Fair Processing
Home at Peace Ltd processes all data in compliance with the core principles of data protection law, ensuring that processing is always necessary to deliver our services, serves legitimate business interests, and does not prejudice individual privacy:
- Lawfulness, Fairness, and Transparency: Data is processed fairly based on clear legal grounds, supported by open Privacy Notices.
- Purpose Limitation: Data is obtained only for specific, lawful, and explicit operational and regulatory purposes.
- Data Minimisation: Collected data must be adequate, relevant, and strictly limited to what is necessary for the specified purpose.
- Accuracy: Personal data must be accurate and kept up to date. If an individual disputes data accuracy, the fact must be logged and escalated immediately.
- Storage Limitation: Data must not be held for any longer than necessary, strictly adhering to our Data Clearance Policy (MF 68) and statutory care records retention schedules.
- Integrity and Confidentiality: Data must be protected using appropriate physical, organizational, and technological security controls.
- Accountability: The organization must document compliance and log appropriate justifications for processing sensitive data, including mandatory legal justifications for criminal record (DBS) checks.
6. Individual Rights Handling
6.1 Privacy Transparency
We provide clear, accessible Privacy Notices to service users, employees, and stakeholders at the initial intake or onboarding stage. These notices detail exactly what information is collected, who collects it, why it is collected, and how rights are protected. Data processing is underpinned by active, clear consent which can be withdrawn by the data subject at any time.
6.2 Subject Access Requests (SARs)
Individuals are legally entitled to request access to the information held about them. Any staff member who receives a SAR must forward the request immediately to the Data Protection Lead. Home at Peace Ltd will fulfill valid requests within one calendar month and without charging a fee.
6.3 Data Portability, Rectification, and Erasure
- Data Portability: Data subjects have the right to request a copy of their data in a structured, machine-readable format or have it transferred directly to another system for free.
- Right to be Forgotten (Erasure): Data subjects may request that their data be deleted. While statutory health and social care records preservation laws override erasure requests for care charts, non-statutory files must be removed promptly unless a valid legal exemption applies.
7. International Transfers
There are strict legal controls on transferring personal data outside of the United Kingdom. Personnel must not transfer or store personal data outside the UK without first verifying that adequate levels of protection and explicit consent parameters are securely met.
8. Reporting Breaches and Non-Compliance
All staff members have an explicit contractual obligation to report actual, suspected, or potential data protection compliance failures immediately to management.
- Internal Logging: Every failure will be fully investigated, remedial steps will be executed, and details will be logged in our Non-conformance Log to identify preventative operational patterns.
- Regulatory Notification: The Data Protection Lead will formally notify the Information Commissioner’s Office (ICO) of any material data breach that risks individual rights and freedoms within 72 hours of discovery.
- Consequences of Breach: Failure to adhere to the requirements of this policy or undermining data security protocols puts our service users at risk and will result in disciplinary action under company procedures, up to and including summary dismissal.
Company Name: Home at Peace Ltd
Address: 5 Brayford Square, London, E1 0SG
Contact: 0207 870 8162
Policy Reviewed and Approved By: Carol Henry, Director & Data Protection Lead
