Confidentiality of Service Users’ Information Policy
This care service works on the principle that it has a duty of confidentiality to its service users. The service regards this as being of the utmost importance and key to building trusting, caring relationships, where service users are safe in the knowledge that their confidences will be kept and where information about them will be protected safely.
It is the service’s policy that all the information we receive about or from service users is confidential and that only those people who need to know the information will have access to it. The service will always seek the written permission of its users prior to sharing personal information about them with anyone else.
The service complies with Care Quality Commission (CQC) guidance, which requires the registered manager of a service to make sure that service users know that information about them is handled appropriately, and that their confidences are kept.
Procedures
To comply with this policy staff must:
ensure that all files or written information of a confidential nature are stored securely, kept in a safe place (in a service user’s own home) and are only accessed by staff who have a need and a right to access them
wherever practical or reasonable, fill in all care records and service users’ notes in the presence of and with the co-operation of the service user concerned
ensure that all care records and service users’ notes, including care plans, are signed and dated.
Situations can arise which give rise to exceptions to this duty, where confidential information may relate to harm to other service users or harm to the person sharing the confidence. In such circumstances, the service reserves the right for staff to break their duty of confidentiality and to take the information to a senior member of staff.
In such circumstances:
the relevant service user will be informed of the service’s position and full details will be discussed with the service user
appropriate notes will be made in the service user plan and these notes will be open to inspection by the service user
the information will only be given to those who absolutely need to know and wider issues of confidentiality of that information will still apply
the service user will be free to make a complaint through the service’s complaints procedure if they consider that the information held about them has not been treated in the confidential manner they should expect.
Initial Assessment Policy
New service users and prospective service users are made aware of the statement below and have it explained to them and their representatives so that they can understand it as fully as possible and sign it.
Every effort is made by staff to ensure that service users fully understand the implications of the policy. The member of staff performing the assessment is expected to ensure that the new service user understands and has read the following statement.
“To help us make an assessment of your needs, we will need to ask you for personal information about your circumstances and to record this information. We will not share this information with anyone, including friends and relatives, without your agreement (unless they have legal authority as guardian or attorney) and it will be kept in a confidential file which will be kept securely.
Only care staff with permission to see the file will be able to access it. Care staff will record in the file on a daily basis information relevant to your care and will pass on information relevant to your day-to-day care to your key worker or to whoever is in charge of each shift.
You may have access to your notes at any time to see what is actually being recorded. It is the care service’s policy that all the information we receive about or from service users is confidential and that only those people who need to know the information will have access to it.
The care service will always ask your permission before we share with anyone else the information you have given us.
In certain circumstances, however, we may need to share information in your best interests and may do so to fulfil our duty of care to you to keep you safe from risk of harm by following the procedures that are set out in the service’s safeguarding policy.”
Signed (service user/lawful representative): ___________________________
Countersigned (manager/representative): ___________________________
Date: ___________________________
Requests for Information
The service will not provide information to relatives, spouses, friends or advocates without the consent of the individual service user concerned. If the person is unable to give their consent a decision will be taken in line with “best interests” procedures set by the Mental Capacity Act 2005.
All enquiries for information, even if they are from close relatives, should be referred back to the service user or the service user’s permission sought before disclosure. If the relative or person who seeks to have access to this information objects to the decision they will be asked to make a formal written complaint, which will be addressed through the service’s complaints procedure.
The service is also often asked for reports by insurance companies, solicitors, employers, etc. Before providing these reports we shall require written consent from the service user concerned and will never divulge information without consent unless obliged to by law.
Record Keeping
We keep files on all our service users but only keep relevant information to ensure that the care we offer as an organisation is of the highest quality. The files are only available to staff who need to use them. We keep very personal letters or notes securely.
This service makes sure that:
records required for the protection of service users and for the effective and efficient running of the service are maintained, are up to date and are accurate
service users have access to their records and information about them held by the service, as well as opportunities to help maintain their personal records
individual records and care service records are kept in a secure fashion, are up to date and in good order, and are constructed, maintained and used in line with the General Data Protection Regulation and the Data Protection Act 2018 and other statutory requirements.
The service adheres fully to the current standards on record keeping as set by the CQC.
The service considers that access to information and security and privacy of data is an absolute right of every service user and that service users are entitled to see a copy of all personal information held about them and to correct any error or omission in it.
Under the Data Protection Act 2018, the service should have a nominated data user/data controller.
The data user/data controller for this service is Rahul Kumar.
Training
New staff are required to read and understand the policies on data protection and confidentiality as part of their induction.
All staff are offered training to national occupational standards covering basic information about confidentiality, data protection and access to records.
Training in the correct method for entering information in service users’ records is given to all care staff.
The nominated data user/data controller for the service is trained appropriately in the Data Protection Act 2018.
All staff who use the computer system are thoroughly trained in its use.
Employee Data Policy
The care service aims to fulfil its obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) to the fullest extent. This policy states the rights of employees under current data protection laws to access any personal information that is held on them by their employer. GDPR also requires that employers need to obtain the active consent of their employees to the holding of their personal information, and to provide information on how long they need to keep it.
Personal data may include information held in manual files, on the organisation’s computer system, in emails, mobile phones or on CCTV footage.
The organisation endorses fully and adheres to the six principles of data protection as set out in the Article 5 of GDPR.
Data will be processed lawfully, fairly and in a transparent manner.
Data will be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.
Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Data will be accurate and, where necessary, kept up to date.
Data will be kept for no longer than is necessary for the purposes for which it was collected.
Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Employees whose roles involve access to personal data must follow these principles at all times when processing or using employees’ personal information.
Procedure
GDPR permits employees to have access to personal data about them held by an organisation. This Act requires the care service to respond to requests for access to personal data within 40 days.
Details of an employee’s personal data are available upon request in line with the principles of GDPR (see paragraph 1, above).
Employees are required to read this information carefully and inform the Branch Manager at the earliest opportunity if they believe that any of their personal data are inaccurate or untrue, or if they are dissatisfied with the information in any way.
GDPR gives data subjects the right to have access to their personal data on request at reasonable intervals. The care service believes that complying with a request for a copy of the data annually will satisfy this requirement. Should employees wish to request access to their personal data, the request must be addressed to the Branch Manager. The request will be judged in the light of the nature of the personal data and the frequency with which they are updated. The employee will then be informed whether or not the request is to be granted. If it is, the information will be provided within 40 days of the date of the request.
In the event of a disagreement between an employee and the care service regarding personal data, the matter should be taken up under the care service’s formal grievance procedure.
Data Security
All employees whose roles involve access to personal data are responsible for ensuring that the data they hold is kept securely and that it is not disclosed, whether accidentally or otherwise, to any unauthorised third party.
Personal information should be kept in a locked filing cabinet, drawer or safe. If it is computerised, it should be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer or safe.
Any unauthorised disclosure will normally be regarded as a disciplinary matter, and may be considered gross misconduct in some cases.
Access to Personal Data
All employees are responsible for ensuring that the personal data they provide to the organisation is complete, accurate and up-to-date. Any changes to information, eg changes of address, must be notified promptly to Branch Manager.
Employees have the right to access their personal data at reasonable intervals. The organisation believes that complying with a request for a copy of the data annually will satisfy this requirement.
If an employee wishes to request access to their personal data, the request must be in writing and addressed to Branch Manager. The request should, as far as possible, specify what information the employee is seeking.
In the event of a reasonable written request for access, the information requested will be provided without delay and at the latest within one month of receipt of the request.
Employees should inform the Branch Manager at the earliest opportunity if they believe that any of their personal data are inaccurate or untrue, or if they are dissatisfied with the information in any way.
In the event of a disagreement between an employee and the organisation regarding personal data, the matter should be taken up under the organisation’s formal grievance procedure.
For more information on our policies on privacy and anything else, please do get in touch.