Confidentiality, Data Protection and Disclosure Policy

1. Purpose of this Document

This Policy applies to Agincare and all employees, contractors, suppliers, directors and volunteers; it concerns records held and processed by Agincare in any format. 

This policy covers all aspects of information within the organisation, including (but not limited to):

  • Staff/client/service user information
  • Personal information
  • Organisational information

This document is held in accordance with the requirements of The Data Protection Act 1998 and section 250 of the Health and Social Care Act SCCI1605 Accessible Information Standard.

2. Roles and Responsibilities

The Chief Executive Officer (CEO) has ultimate responsibility for the Data Protection, Confidentiality & Disclosure Policy within Agincare. Implementation of, and compliance with, this policy is delegated to the Caldicott Guardian, and Information Governance (IG) is managed by the members of the Policy Review Group.

The Caldicott Guardian is responsible for protecting the confidentiality of service users and enabling appropriate information sharing with external agencies, and advises on options for lawful and ethical processing of information.

The Policy Review Group is responsible for promoting and supporting the day to day IG function and works closely with the Caldicott Guardian on confidentiality and Data Protection matters such as training, investigations and IG Compliance.

Senior Managers and Heads of Departments are responsible for ensuring this policy is complied with and for contributing to policy review and updates of best practice guidance through Agincare’s Policy Review Group. They are also responsible for ensuring sufficient resources are available to enable all staff to be appropriately trained and aware of their responsibilities for good information governance and protecting the privacy rights of people who use services.

Registered Managers are responsible for effective implementation of this policy within their registered location and for ensuring that all staff engaged with people in receipt of support with medication management are aware of this policy and guidance.

Registered Managers will identify training needs and ensure staff are appropriately trained and will record all training which will be incorporated into staff performance review using the process of assessing competency.

Registered Managers will ensure that any breaches of confidentiality are reported, reviewed and investigated.

Care and support staff (including office staff of all departments, ancillary staff and volunteers) are responsible for ensuring confidentiality and correct handling of all information they have access to in the organisation.

3. Our legal obligations

The Data Protection Act 1998 lays down regulations for the handling of personal data. For all such data it is essential to abide by the eight principles which govern the care and use made of the data. Personal information must:

  1. be fairly and lawfully processed
  2. be processed for limited purposes
  3. be adequate, relevant and not excessive
  4. be accurate and up to date
  5. not be kept for longer than is necessary
  6. be processed in line with the data subjects’ rights
  7. be secure
  8. not be transferred to other countries without adequate protection

The Data Protection Act regulates when and how a person’s personal data may be obtained, held, used, disclosed and generally processed. Personal data is information relating to a person from which they can be identified, e.g. name, address, tax details or national insurance number. It lays various obligations on Agincare concerning the handling of the information that we hold on individuals. 

The Act also dictates that information must only be disclosed on a need to know basis. 

The DPA requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO). Agincare is responsible for its own records under the terms of the Data Protection Act and is registered with the Information Commissioner’s Office Data Protection Register. Registration Number: Z1166299

The Health and Social Care Act 2012 is the Act used by the Care Quality Commission (CQC) to regulate health and social care providers; the CQC can use the Act to enforce other pieces of relevant legislation such as the Data Protection Act.

4. Consent

In order to lawfully process the personal or sensitive information of an individual, Agincare must first obtain their consent; this applies both to people who use services and to staff. For staff this is fairly straightforward: recruiting managers inform them on appointment, as the information is contained within their contract of employment, which they must sign. For people who use services it is very important that reasonable efforts are made to ensure that they understand how their information is to be used to support their care and support and how it might be shared with others involved in their care, and that they have no objections. In some circumstances some people requiring care and support may lack the capacity to extend this trust, but this does not diminish the duty of confidence that their information will not be used or disclosed for purposes other than those for which it was provided (see also Agincare’s Mental Capacity Act Policy and Safeguarding Adults at Risk Policy).

In order to promote a service which is open and transparent Agincare has developed an information leaflet which provides people with specific information about how their information will be collected, stored, used and shared for the provision of continued care and support.  (sharepoint/forms and letters/service user/service user and family information leaflets)

In accordance with Principle 6 of the DPA, people have the right to object to the processing of their personal and/or sensitive data that is likely to cause or is causing damage or distress. 

Where Agincare receives written instruction from an individual that they wish to object to the processing of their personal data, this objection will be considered by the Caldicott Guardian. Their decision will be fully documented and retained for future reference. Agincare will endeavour to comply with the request from the individual; however, this may not always be possible.

5. Relatives or carers

Some people may wish to restrict the amount of information about their care and support given to their relatives; they should be encouraged to be very explicit if there is anyone that they do not want to be given information. In the event of the person being unable to give permission, an advocate (see Agincare’s Mental Capacity Act Policy) must be identified to act on behalf of the person and permission obtained from him/her. It should however be noted that relatives, carers and even those documented as next of kin do not necessarily have the right to access the personal or sensitive records of a person.

6. Disclosure under the Data Protection Act & Confidentiality

In certain circumstances personal information may be disclosed; however, it is vital that staff make an assessment of the need to disclose the information and document that the information has been released, to whom and for what reason.

7. Disclosing Information against the person’s wishes without consent

Responsibility for deciding whether or not information should be withheld or disclosed without a person’s consent lies with the Manager involved at the time or the Senior Manager of the department or service, and cannot be delegated. Circumstances where the person’s right to confidentiality may be overridden are rare; examples of these situations are:

  • Where the individual lacks capacity and has a power of attorney in place for health and welfare who agrees
  • Following an incident where Duty of Candour applies and it is deemed appropriate for the relatives and others involved in an individual’s life to be notified (NB: Where the person to whom the incident relates has capacity to understand the circumstances, our duty of candour is toward them directly)
  • Where the information is in the form of a summary or collection of anonymised information so framed that it is not possible to ascertain from it information relating to any particular person. 
  • When there is a serious risk of harm to the individual, as in a threatened suicide.
  • Where the person is in such poor health that he/she is unable to consent but requires emergency lifesaving treatment. 
  • To protect others.  For example, information about possible abuse should be disclosed to the appropriate agency. 
  • To prevent a serious criminal act, especially where others may be endangered. Though there is no obligation in general to pass on knowledge of a crime, it is a criminal offence to:
      • Deliberately mislead the police.
      • Receive a reward of any kind in return for not notifying the police about a criminal act.
      • Fail to notify the police about an act that could be construed as an act of terrorism.
      • Fail to notify the police about an act that could be construed as drug trafficking.
      • Knowingly take monies from a benefits agency fraudulently.

8. Working and sharing information

Data sharing must be carried out under a written agreement, setting out the scope and limits of the sharing; people using the service sign their consent to agree to any contract with Agincare agreeing that information can be shared with relevant personnel for the purpose of safeguarding their well-being. Staff sign their contract and terms and conditions of employment which references the sharing of their information where required. Any disclosure of personal data will be in line with all legislative requirements. 

Every member of staff is personally responsible to take precautions to ensure and maintain the security of confidential personal information both whilst it is in their possession and when it is being transferred from one person or organisation to another. 

The following is a list of recommended procedures to ensure the safe transfer of information:

  • Envelopes must be securely sealed, clearly addressed to a known contact and marked “confidential” and “addressee only”. A return postal code should also be marked on the envelope.
  • Telephone validation or “call back” procedures must be followed before disclosing information to someone you do not know to confirm their identity and authorisation.
  • E-mailing confidential information is only permitted via the use of secure networks, or if it is appropriately encrypted. Refer to the IT Acceptable Use Policy for additional guidance.
  • When anonymised information is shared, care must be taken to ensure that the method used is effective and individuals cannot be identified from the limited data set, e.g. CQC Notification use of unique IDs.

Accessible Information

The Accessible Information standard of the Health and Social Care Act 2012 requires providers of health and social care to provide information which is able to be read or received and understood by the individual or group for which it is intended. Where people who use services have specific communication requirements, the need for information to be produced in different formats will be assessed and information provided accordingly. This standard is implemented throughout other policy documents and procedural guidance available to Agincare staff; i.e. person centred care planning guidance which requires an assessor to understand and assess a person’s communication needs, mental capacity guidance which instructs assessors to identify a person’s needs and abilities to communicate any decisions about their care or the processes involved.  

A glossary of terms is available at Appendix 1 showing alternative formats or resources either available or which can be sourced or signposted to.

9. Information Governance

The Information Governance assessment (toolkit) enables Agincare to measure its compliance with the information handling requirements by assessing itself against the following initiatives:

  • Clinical Information Assurance.
  • Secondary Uses Assurance.
  • Corporate Information Assurance.
  • Information Governance Management.
  • Confidentiality and Data Protection Assurance.
  • Information Security Assurance.

The Toolkit assessment is submitted annually at the end of March.

10. Document and Data Control

The Policy Review Group (PRG), a sub group of the Quality Management Committee (QMC) will:

  • Approve the content of all Policies and Procedures prior to their issue.
  • Maintain a register of all controlled documents. This will include all documents that bear on the quality of the service, which will be marked with an appropriate control (issue) number.
  • Ensure that all amendments are approved.
  • Ensure all procedures are reviewed on a regular and planned basis.
  • Ensure that all amended documents approved and issued by the PRG are immediately incorporated in the system; any printed versions will require updating as directed.
  • Approve all proposed amendments to the control documents prior to their incorporation and use.
  • Ensure all out of issue documents are withdrawn and archived.

11. Data Retention

In accordance with principle 5 of the DPA, all data held should be kept for the time periods detailed in Appendix 2.

12. Consequences of a Breach of Policy


A deliberate breach of this policy will be considered a serious disciplinary matter and will be dealt with accordingly. Examples of offences which may be considered to be gross misconduct (the list is not exhaustive) which may result in immediate dismissal are:

  • Unlawful disclosure of Personal Data and Sensitive Personal Data
  • Inappropriate use of Personal Data and Sensitive Personal Data
  • Accessing client or staff personal data in the absence of a legitimate professional relationship (including accessing your own records)
  • Misuse of the Personal Data and Sensitive Personal Data which results in any claim being made against Agincare

13. Training

It is required through the Health and Social Care Information Centre (HSCIC) and Care Quality Commission (CQC) IG Toolkit that all staff must complete Information Governance Training annually. Data Protection and confidentiality training will be available to all staff as workbook-based training.

The training will ensure general awareness of the Data Protection and Caldicott Principles. 

All new employees must attend an induction; for care and support staff this will comprise the Selection Assessment Training (SAT) and for office based staff this will be included in their local, departmental internal induction. All staff will be provided with dedicated Data Protection, Caldicott and Confidentiality training.

Ongoing supervision and training is provided to all staff as part of a core training and development programme.  The office manager ensures training courses are attended by appropriate staff within agreed timescales. 

Contractual impact

Agincare’s policies and procedures are to be followed in conjunction with the requirements of the contracts under which you provide services. There may be occasions where the contract contains requirements which appear to contradict or be in addition to, standard company policy. In these instances you are to:

  • If the requirement is in addition to standard company policy - adhere to the terms and conditions of your contracts 
  • If the requirement is lesser than standard company policy - follow company policies and procedures

If you require any further clarification please contact the Commercial Team for guidance.


Review of this document is recorded on the controlled index and reviewed annually as part of the management review process. 

Policy Review Group

Issue no: 12    Date: April 2017

Appendix 1

Accessible information alternative formats

Braille

A tactile reading format used by people who are blind, deafblind or who have some visual loss. Readers use their fingers to ‘read’ or identify raised dots representing letters and numbers. Although originally intended (and still used) for the purpose of information being documented on paper, braille can now be used as a digital aid to conversation, with some smartphones offering braille displays. Refreshable braille displays for computers also enable braille users to read emails and documents.

British Sign Language (BSL) 

BSL is a visual-gestural language that is the first or preferred language of many d/Deaf people and some deafblind people; it has its own grammar and principles, which differ from English. 

BSL interpreter

A person skilled in interpreting between BSL and English. A type of communication support which may be needed by a person who is d/Deaf or deafblind.

Communication tool / communication aid

A tool, device or document used to support effective communication with a disabled person. They may be generic or specific / bespoke to an individual. They often use symbols and / or pictures. They range from a simple paper chart to complex computer-aided or electronic devices.

d/Deaf

A person who identifies as being deaf with a lowercase d is indicating that they have a significant hearing impairment. Many deaf people have lost their hearing later in life and as such may be able to speak and / or read English to the same extent as a hearing person. A person who identifies as being Deaf with an uppercase D is indicating that they are culturally Deaf and belong to the Deaf community. Most Deaf people are sign language users who have been deaf all of their lives. For most Deaf people, English is a second language and as such they may have a limited ability to read, write or speak English.

Deafblind

The generally accepted definition of Deafblindness is that persons are regarded as Deafblind “if their combined sight and hearing impairment causes difficulties with communication, access to information and mobility. This includes people with a progressive sight and hearing loss” (Department of Health 2014).

Disability

The Equalities Act 2010 defines disability as follows, “A person (P) has a disability if — (a) P has a physical or mental impairment, and (b) the impairment has a substantial and long-term adverse effect on P's ability to carry out normal day-to-day activities.” The data Dictionary Definition of a Disability includes disabilities such as sight, hearing or speech loss or impairment.

Easy Read

Written information in an ‘easy read’ format in which straightforward words and phrases are used supported by pictures, diagrams, symbols and / or photographs to aid understanding and to illustrate the text. 

Interpreter

A person able to transfer meaning from one spoken or signed language into another signed or spoken language.

Large Print

Printed information enlarged or otherwise reformatted to be provided in a larger font size. A form of accessible information or alternative format which may be needed by a person who is blind or has some visual loss. Different font sizes are needed by different people. Note it is the font or word size which needs to be larger and not the paper size. 

Lipreading

A way of understanding or supporting understanding of speech by visually interpreting the lip and facial movements of the speaker. Lipreading is used by some people who are d/Deaf or have some hearing loss and by some deafblind people.

Text to speech

Various providers of text to speech technology are available to assist people with sight impairment to read electronic communications such as emails or sent attachments such as assessments, care plans or policy documents. Computer applications read most documents with naturally sounding voices and convert text

Translator

A person able to translate the written word into a different signed, spoken or written language. For example a sign language translator is able to translate written documents into sign language.

Appendix 2

Data Retention Timeframes

  • Risk assessments: Retain the latest risk assessment until a new one replaces it
  • Purchasing excluding medical devices and medical equipment: 18 months
  • General operating policies and procedures: Retain the current version and previous version for three years
  • Any incidents, events or occurrences that require notification to the Care Quality Commission: 3 years
  • Use of restraint or the deprivation of liberty: 3 years
  • Maintenance of the premises: 3 years
  • Maintenance of equipment: 3 years
  • Electrical testing: 3 years
  • Fire safety: 3 years
  • Water safety: 3 years
  • Medical gas safety, storage and transport: 3 years
  • Money or valuables deposited for safe keeping: 3 years
  • Staff employment: 3 years following date of last entry
  • Duty rosters: 4 years after the year to which they relate
  • Purchasing of medical devices and medical equipment: 11 years
  • Final annual accounts: 30 years
  • Care files: 3 years from date of last entry unless local commissioners require longer periods specific to their contract
  • Looked after children records: 80 years


