CQC Quality Statement

Theme 4 – Leadership: Governance, management and sustainability

We statement

We have clear responsibilities, roles, systems of accountability and good governance. We use these to manage and deliver good quality, sustainable care, treatment and support. We act on the best information about risk, performance and outcomes and we share this securely with others when appropriate.

1. Introduction

Data protection legislation should not be seen as an obstacle to sharing information, but as a framework of best practice which helps to ensure that when the local authority uses, records and shares information it does so safely and in a way which is transparent and in line with the law.

The local authority collects, uses, stores and retains (for specified time periods) information about people with whom it works. This includes:

  • adults who use the service, including their families and any children, and those who are no longer in receipt of services;
  • current, past and prospective staff; and
  • suppliers.

When processing data in this way, the local authority must comply with the requirements of the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR) (see Section 2, Legislation).

It must also ensure, through its procedures and working practices, that all employees, contractors, consultants, suppliers and partners who have access to any personal data held by or on its behalf, are fully aware of and abide by their duties and responsibilities under data protection legislation. Any contracts with service providers must be clear about the different parties’ responsibilities for data processing and information sharing.

Personal information must be handled and dealt with in accordance with data protection legislation however it is collected, recorded, stored and used, and whether it be on paper, on computer or digital records or recorded in any other way.

In addition, the local authority may also be required to collect and use information in order to comply with the requirements of central government, such as in the case of a Safeguarding Adults Review or Care Quality Commission inspection.

2. Legislation

2.1 Data Protection Act 2018

The Data Protection Act 2018 aims to ensure that UK data protection legislation keeps pace with technological changes, and the impact these have had on the collection and use of personal data.

The Act provides additional functions and clarification of the role of the Information Commissioner and the Information Commissioner’s Office.

2.2 UK General Data Protection Regulation

The UK General Data Protection Regulation (UK GDPR) (see UK GDPR: Guidance and Resources, Information Commissioner’s Office):

  • gives individuals greater control of their data by improving consent processes; and
  • introduced the ‘right to be forgotten’ which enables the data subject to have their data ‘forgotten’ once it is no longer being used for the purpose for which it was collected. This is not an absolute right, however; it applies only to data held at the time the request is received. It does not apply to data that may be created in the future.

If staff receive a query about the collection or processing of personal data, they should contact the Knowsley Information Governance team for advice.

3. Principles of Data Protection: Article 5 GDPR

Anyone processing personal data must comply with the principles laid down in the DPA and UK GDPR. These are legally enforceable and require that when personal data is processed (see also Section 3.2, What is personal data under Article 4?) it must be:

  • processed lawfully and fairly and in a transparent manner in relation to the data subject (the lawfulness, fairness and transparency principle);
  • collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes (the purpose limitation principle);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (the data minimisation principle);
  • accurate and kept up to date (the accuracy principle);
  • kept for no longer than is necessary for the purposes for which the personal data is processed (the storage limitation principle); and
  • stored in a way that ensures appropriate security including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (the integrity and confidentiality principle and the accountability principle).

3.1 Handling personal data and sensitive personal data

The DPA outlines conditions for the processing of personal data, and makes a distinction between personal data and sensitive personal data.

Personal data is any information relating to a living person who can be identified or who is identifiable, directly from that information, or who can be indirectly identified from that information in combination with other information.

3.2 What is personal data under Article 4 GDPR?

Personal data is:

  • any information relating to an identified or identifiable natural person, such as:
    • a name;
    • an identification number;
    • location data;
    • an online identifier such as an IP address or cookies; or
    • an email address.

3.3 Special categories of data (sensitive personal data): GDPR Article 9

Special category data is personal data that needs more protection because it is sensitive. It includes personal data which reveals:

  • racial or ethnic origin;
  • political opinion;
  • religious or other beliefs;
  • trade union membership;
  • physical or mental health or conditions;
  • sexual life or sexual orientation.

3.4 Identifying a lawful basis for sharing information

Article 6 of the UK GDPR provides practitioners with a number of lawful bases for sharing information. At least one of these must apply whenever personal data is processed.

Where practitioners need to process and share special category data (sensitive personal data), they need to identify both a lawful basis for processing under Article 6 of the UK GDPR and a special category condition for processing in compliance with Article 9 (see Information Commissioner’s Office, Lawful basis for processing).

4. Data Protection Practice

The local authority must:

  • fully observe the conditions regarding the fair collection and use of personal information;
  • meet its legal obligations to specify the purpose for which information is used;
  • collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  • ensure the quality of information used;
  • apply strict checks to determine the length of time information is held;
  • take appropriate technical and organisational security measures to safeguard personal information;
  • ensure that personal information is not transferred abroad without suitable safeguards;
  • ensure that the rights of people about whom the information is held can be fully exercised under data protection legislation. These include:
    • the right to be informed that processing is being undertaken;
    • the right of access to one’s personal information within the statutory timescale;
    • the right to prevent processing in certain circumstances;
    • the right to correct, rectify, block or erase information regarded as wrong.

In addition, the local authority should ensure that:

  • there is someone with specific responsibility for data protection;
  • everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
  • everyone managing and handling personal information is appropriately trained to do so;
  • everyone managing and handling personal information is appropriately supervised;
  • anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
  • queries about handling personal information are promptly and courteously dealt with;
  • methods of handling personal information are regularly assessed and evaluated;
  • performance with handling personal information is regularly assessed and evaluated;
  • data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.

All employees should be aware of the local authority’s data protection policy and of their duties and responsibilities under the DPA.

All managers and staff will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

  • paper files and other records or documents containing personal / sensitive data are kept in a secure environment;
  • personal data held on computers and computer systems is protected by the use of secure passwords, which where possible are subject to forced periodic changes;
  • passwords are not easily compromised and are not shared with others;
  • personal data is only accessible to team members with appropriate access levels;
  • data in all forms is disposed of by secure means in accordance with local policies.

All contractors, consultants, suppliers and partners must:

  • ensure that they and all of their staff who have access to personal data held or processed for or on behalf of the local authority, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under data protection legislation. Any breach of any provision of the legislation will be deemed as being a breach of any contract between the local authority and that individual, partner or firm (see Report a Breach, Information Commissioner’s Office);
  • allow data protection audits by the local authority of data held on its behalf (if requested);
  • indemnify the local authority against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

All contractors and suppliers who use personal information supplied by the local authority will be required to confirm that they abide by the requirements of data protection legislation in relation to such information supplied by the local authority.

The local authority must also:

  • ensure data subjects are given greater control of their data by improving consent processes. Consent must be freely given, specific, informed and give a clear indication of the individual’s wishes. This must be provided by a statement or clear affirmative action, signifying the individual’s agreement to the processing of their personal data;
  • ensure that data subjects have the ‘right to be forgotten’ which enables them to have their data ‘forgotten’. This is not an absolute right, however; it applies only to data held at the time the request is received. It does not apply to data that may be created in the future;
  • keep a record of data operations (mapping data flow within the local authority) and activities and assess if it has the necessary data processing agreements in place, and take action to remedy if not;
  • carry out data protection impact assessments (DPIAs) on its products and systems;
  • designate a data protection officer (DPO) for the local authority;
  • review processes for the collection of personal data;
  • be aware of the duty to notify the Information Commissioner’s Office of a data breach (the relevant supervisory authority);
  • ensure ‘privacy by design’ and ‘privacy by default’ in new products (such as a new case recording system), and assess whether existing products used by the local authority meet the new data protection standards and take action accordingly to ensure compliance.

5. Redaction of Third Party Data

Before sharing information, the local authority must redact (or remove) personal data relating to third parties, to protect their privacy. For example, where social work records include references to other people, such as the adult’s family and friends, it is likely that some of this information will need to be withheld (redacted) before the record can be shared.

Under the Data Protection Act, it is for each local authority to weigh up how ‘reasonable’ it is to share another person’s information in each case (for example, it may be reasonable to share information about another family member’s health condition if it is likely to be hereditary). The Act is clear, however, that any person who appears in records because they were employed to provide care, received payment for providing a service, or acted in an official capacity should not be treated as a ‘third party’. This means that the names and information of social workers and other professionals should not be redacted.

6. Rights of the Data Subject

Any person whose information is being processed by the local authority has the following rights:

  1. to be informed of data processing (for example a privacy notice);
  2. to be able to access information free of charge (also known as a Subject Access Request) – there is a one month time limit for the local authority to respond to any request;
  3. to have inaccuracies corrected;
  4. to have information erased (although this is not an absolute right);
  5. to restrict processing;
  6. to have data portability;
  7. intervention in respect of automated decision making;
  8. to be able to withdraw consent;
  9. to complain to the Information Commissioner’s Office (ICO).

6.1 Right to be informed (section 44 DPA)

A person whose information is being processed should have access to a privacy notice (available on the council website), setting out:

  1. lawful basis for processing;
  2. contact details for the Data Protection Officer (DPO);
  3. what information will be processed;
  4. who it will be shared with and why;
  5. how long it will be held;
  6. details of rights;
  7. how to complain.

6.2 Rectification (Section 46 DPA)

A person whose information is being processed has the following rights:

  • to rectify or correct inaccurate information;
  • if information is incomplete it must be completed;
  • rectification or correction can be achieved by the provision of a supplementary statement;
  • where the rectification is of information maintained for the purposes of evidence, instead of rectifying it, the processing should be restricted;
  • to be informed in writing whether the request has been granted and, if not, the reasons for this.

7. Action if there is a Data Breach

A breach of security can be accidental, deliberate or unlawful and can involve:

  • destruction;
  • loss;
  • alteration;
  • unauthorised disclosure;
  • unauthorised access.

A breach covers accidental and deliberate causes and is more than just losing personal data.

7.1 Examples of data breaches

These are commonly occurring breaches:

  • access by an unauthorised party, including a third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

7.2 What constitutes a serious data breach?

A serious data breach:

  • is where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, risk of physical harm, financial loss, loss of confidentiality or any other significant economic or social disadvantage;
  • must be assessed on a case by case basis;
  • must consider these factors: detriment / nature of data / volume (detriment includes emotional distress as well as both physical and financial damage).

All serious data breaches must be reported to the ICO within 72 hours of becoming aware of the breach. See UK GDPR Data Breach Reporting (ICO) for further information.

8. Further Reading

8.1 Relevant chapters

Information Sharing and Confidentiality

Case Recording

8.2 Relevant information

Guide to Data Protection: for Organisations (Information Commissioner’s Office)

Working from Home (Information Commissioner’s Office)