GDPR guidance & advice

The information contained here is for general guidance purposes only; you will need to refer to the ICO for the most up-to-date and accurate information.

Due to the breadth of organisations across the care provider sector, you will need to assess the materials on this site, and external sites, for suitability to your organisation. Professional legal advice should be consulted for specific issues.

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Every organisation that holds and processes personal data will be affected. This includes your care service!

GDPR is a legal requirement on ALL organisations across all business and charity sectors, and each must be able to evidence compliance by 25th May 2018. If your business is already compliant with the Data Protection Act, then, although GDPR is more onerous, it should not be too difficult to become compliant with GDPR.

The key principles of GDPR: 

  1. Processing should be lawful, fair and transparent - individuals/data subjects must be clear on what personal data you are processing and why.
  2. Personal data shall be collected for specified, explicit and legitimate purposes - if you wish to use personal data for another purpose you will need additional consent/grounds for processing.
  3. Personal data must be adequate, relevant and limited to what is necessary - care providers should only have access to relevant health and medical records. 
  4. Personal data shall be accurate and kept up to date - out of date or inaccurate information should be deleted/removed and under regular review.
  5. Personal data shall be kept for no longer than is necessary - personal data no longer needed should be destroyed or anonymised. (You must still comply with statutory requirements to keep documents for their relevant retention period.)
  6. There must be appropriate security in place in respect of the personal data - security measures are needed to prevent unauthorised processing or destruction and all staff must know the steps to protect the data. 

Personal data includes, but is not limited to, any information that can identify an individual: email addresses, telephone numbers, HR records, DBS information, medical records, photos, ID numbers and home addresses.

  • ICO Guide to GDPR - The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.
  • DSP Toolkit Guidance from NCA, working as part of the Care Provider Alliance & Digital Social Care - Evidencing compliance with the DSP Toolkit will provide evidence to the Information Commissioner's Office that you are also compliant with the clinical elements of GDPR.
  • General Data Protection Regulation (GDPR) FAQs - Still confused by GDPR? Take a look at the FAQs on the Digital Social Care website.

Under the new regulations you must ensure that your care service has a lawful basis for processing personal data, otherwise it must not take place. You may process personal data if: 

  • You have received consent from the individual
  • There is a 'legitimate interest' of the data controller
  • You are performing under a contract
  • You are protecting the vital interests of the individual - this will only apply in a life or death situation such as the provision of emergency medical care; otherwise consent must be sought
  • Special categories: processing for employment, and processing for the provision of health or social care or treatment.

NCA sponsor QCS applies the principle of legitimate interest to care providers: "it is in the legitimate interest of a care home to process the service user's name, contact information and next of kin. This may also be permitted on the grounds of fulfillment of a contract." 

Legitimate interest will not apply if personal data is used for any other purpose, for example where the interests of the organisation override the interests, rights or freedoms of the individual / data subject. 

Staff Data - You can process your staff's personal data in relation to usual HR / Admin purposes. Consent will be needed if their data is used for any other purposes, for example phoning an employee on their personal phone regarding work. 

First steps for your Care Service: 

  • If you have not already started, begin now to integrate the guidance materials into your quality system.
  • Check out what your contracting requirements are – identify if you should work through the Data Security and Protection Toolkit (read only version) to ensure you know how you are going to comply.
  • Define what information you do share and with whom, and begin to document this now.


Make sure you are doing the simple things:

  • Download and install the latest software and app updates
  • Use strong, secure passwords which are changed regularly, and do not share passwords
  • Do not use unsupported software, e.g. Windows XP
  • Use anti-virus software

  • Decide who will take responsibility for Information Governance.
  • Register for the HEE E-Learning system.
  • Start awareness training for all your staff.

Reviewing your data processes

  1. Complete a data audit - who can view and access data and by what means?
  2. Complete a data flow analysis - where does your data come from? How is it transferred and stored? Is the process secure? 
  3. Systems review - Is the data you hold secure, are your staff trained and aware of the importance of Data Protection?
  4. Review your data protection policies and assess any potential risk to data security
  5. Check your suppliers have adequate systems in place
  6. Review your consent methods for storing personal data and contacting individuals.

"The rules governing how personal information is used will become much stricter and GDPR introduces regulations that significantly widen the control owners of personal data have. This means that companies will have to clearly demonstrate that they have consent to hold personal data and justify why they need it, switching the onus from an opt out approach to ensuring that individuals opt in; the regulations are consent centric." (Hallidays)

[Figure: Example Care Provider Information Flow Map. Credit: NHS Digital]

Cyber security 

Cyber security is the set of safeguards taken to avoid disruption from an attack on data, computers or mobile devices. It covers safeguarding confidentiality and privacy as well as the availability and integrity of data.

Security breaches can occur when we use paper records, send information using fax machines, or even verbally. They can also occur with digital information, where the consequences are potentially more severe because information can be distributed to a wider audience with ease. This can cost a business in terms of expense, recovery time and damage to reputation. All staff must be aware of how to implement protective measures.

Digital working - the safe storage, collection and sharing of confidential information. "This is the responsibility of everyone who works in social care. It's a vital component of how we ensure the dignity and privacy of the people we support and a requirement of law." (Skills for Care)

Data should only be accessed by the people who legitimately need it. Hold all data securely, and put controls in place so that anyone who does not need access to certain files to carry out their day-to-day job cannot have it.

Also see a Cyber Security Guide

  • Cyber Aware - security training for business from GOV.UK - Free online training courses to help business protect against cyber threats and online fraud.
  • Information Governance - Data Awareness e-Learning - e-LfH data awareness e-learning is freely available for social care providers; it is a mandatory part of the basic training requirements for DSP Toolkit compliance.

Care Sector Guidance Documents

  • GDPR Implications for Social Care Employers (VIEW)
  • Data Protection and Security Requirements (VIEW)
  • Information sharing for Social Care employers (VIEW)
  • Core digital skills in Social Care (VIEW)
  • Data Security & Protection Toolkit (DSPT) - prototype (VIEW)
  • E-learning for Healthcare (VIEW)
  • QCS guidance, policies and procedures (VIEW)
  • To Share or Not to Share: Caldicott Review (VIEW)
  • National Data Guardian for Health and Care 2017 Report (VIEW)
  • Your Data: Better Security, Better Choice, Better Care (VIEW)
  • ISO/IEC 27002: 2013 (VIEW)
  • ISO/IEC 27001: 2013 (VIEW)
  • NCA Guidance on the new DSP Toolkit (Data Security and Protection (DSP) Toolkit)

Useful Sources of Advice and Information

  • Digital Social Care (VIEW)
  • Information Commissioner's Office (VIEW)
  • ICO Guide to the GDPR (VIEW)
  • ICO Guide to data protection (VIEW)
  • ICO Data Protection Self Assessment (VIEW)
  • ICO GDPR 12 steps to take now (VIEW)
  • ICO Lawful Basis for processing (VIEW)
  • ICO Legitimate Interest (VIEW)
  • National Data Guardian (VIEW)
  • 2017/18 Data Security and Protection Requirements from Department of Health & Social Care (VIEW)
  • NHS Digital - GDPR guidance (VIEW)
  • NHS Digital frequently asked questions (VIEW)
  • Health Education England (VIEW)
  • National Cyber Security Centre (VIEW)
  • Get Safe Online (VIEW)
  • Cyber Essentials (VIEW)
  • Caldicott Guardian Council (VIEW)

Information Commissioner's Office (ICO) Helpline

The ICO has launched a new helpline aimed at SMEs and charities to advise you how to be GDPR compliant by 25 May 2018. The service includes an additional, personal support feature for those that have specific questions.

Call 0303 123 1113 and select option 4.

How can our sponsors and suppliers assist?

  • GDPR guidance, policies and procedures - Take a look at what QCS can offer with GDPR guidance, policies and procedures. As an NCA member you can receive a discount on the Quality Compliance Systems (QCS) subscription.
  • Howden GDPR Insurance - Howden understands the regulatory environment and compliance challenges you face, and can help you to prepare for the unexpected.


anonymisation - a process to ensure that data can no longer identify any person.

consent - to gain consent/permission, individuals must 'opt in'. Consent must be a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

contract - for GDPR a contract is one of the 6 lawful bases for processing personal data. This means that you can rely on this basis if you need to process someone’s data in order to fulfil a contractual obligation.

cyber - computers or other digital information systems.

cyber security - methods undertaken to protect digital information systems.

data breach - incident resulting in personal or sensitive data being lost, altered or viewed by unauthorised individuals.

data controller - person/public authority/body who decides how data is going to be processed and why it needs to be processed.

data processor - those who process data on behalf of a data controller.

data subject - the living individual whom the data is about.

fair processing - conditions which must be met to legally process personal data.

legitimate interest - means the data subject would reasonably expect you to process their data in the manner in which it is being processed.

personal data - data or information is personal when it can be used to identify a living individual.

processing - any way in which data can be collected, stored, used or organised.