Data Protection and Access Policy
The Crescent believes that all records required for the protection of Service Users
and for the effective and efficient running of the organisation should be collected,
maintained and kept according to the Data Protection Act 1998.
The Crescent should be registered under the Data Protection Act 1998 and all
storage and processing of personal data held in manual records and on computers in
the organisation should comply with the Act. The Crescent understands that,
according to the Data Protection Act 1998, personal data should:
• Be obtained fairly and lawfully
• Be held for specified and lawful purposes
• Be processed in accordance with the person’s rights under the DPA
• Be adequate, relevant and not excessive in relation to that purpose
• Be kept accurate and up to date
• Not be kept for longer than is necessary for its given purpose
• Be subject to appropriate safeguards against unauthorised use, loss or
• Be transferred outside the European Economic Area only if the recipient
country has adequate data protection
Under the Data Protection Act 1998, The Crescent should have a nominated Data
The Data Protection officer for this organisation is Paula Chamberlain.
All new The Crescent employees and Care Workers are encouraged to read the
policies on data protection and on confidentiality as part of their induction process.
Current The Crescent employees and Care Workers will be offered training to
National Training Organisation standards covering basic information about
confidentiality, data protection and access to records. Training in the correct method
for entering information in Service User’s records should be given to all care coordinators.
The nominated Data Protection Officer for the Organisation should be
trained appropriately in the Data Protection Act 1998. Those who need to use the
computer system should be thoroughly trained in its use.
Access to Records and Files
The Crescent adheres to regulations requiring the rights and best interest of Service
Users are safeguarded by the agency keeping accurate and up-to-date records.
The Crescent also adheres fully to the Data Protection Act 1998 which states that all
records required for the protection of Service Users and for the effective and
efficient running of the organisation should be maintained accurately and should be
up to date, that Service Users should have access to records and information about
them held by The Crescent, and that all individual records and The Crescent records
should be kept in a confidential and secure fashion.
This policy is intended to set out the values, principles and policies underpinning The
Crescent’s approach to access to records. It is The Crescent’s aim to ensure that
Service Users can be assured that the protection of their privacy and confidentiality
are given the highest consideration.
The Crescent believes that access to information and security / privacy of data is an
absolute right of every Service User and that Service Users are entitled to see a copy
of all personal information held about them and be given the opportunity to correct
any error or omission.
Therefore The Crescent maintains:
• Service Users should have access to their records and information about them
held by the organisation, as well as opportunities to help maintain their
personal records in the case of records kept in the home
• Individual records and The Crescent records required for the protection of
Service Users should at all times be kept in a secure fashion and should be
constructed, maintained and used in accordance with the Data Protection Act
1998 and other statutory requirements.
Any Service Users requiring access to their files should contact the Registered
Manager to make arrangements to view. Service Users with sensory or other
disabilities must be given appropriate help and support from an independent source
The viewing of certain records may only be refused in the following circumstances as
consistent with the Data Protection Act 1998:
• Where disclosing the personal data would reveal information which relates to
and identifies another person unless that person has consented to the
disclosure or it is reasonable to comply with the request without that consent
• Where permitting access to the data would be likely to cause serious harm to
the physical or mental health or condition of the data subject or any other
• Where the request for access is made by another on behalf of the data
subject, access can be refused if the data subject had either provided the
information in the expectation it would not be disclosed to the applicant or
had indicated it should not be disclosed, or if the data was obtained as a
result of any examination or investigation to which the data subject consented
on the basis that information would not be so disclosed.
Before deciding whether the above restrictions apply, the Registered Manager should
consult the Health Professional responsible for the clinical care of the Service User,
or if there is more than one, the most suitable available health professional. If there
is none then the Registered Manager should consult a health professional with the
necessary qualifications and experience to advise on the matters to which the
information requested relates.
Service Users who have a complaint about the way that the organisation keeps files
about them, or who are refused access to files that they believe they should have
access to, should be referred to the Information Commissioner.
All data, and particularly sensitive or confidential data, must be stored securely.
Where data is stored electronically on a computer, as in the main offices of a
domiciliary care service, the following steps should be considered:
1) Check regularly on the accuracy of data being entered (remember that the
organisation may be liable for inaccurate or erroneous data).
2) Ensure that the computer system is secure by checking that it has a
backup system, that lost data can be removed and that backups are
stored in a safe and secure place.
3) Ensure the all staff that needs to use the domiciliary care database are
thoroughly trained in its use.
4) Ensure that passwords are being used for access to different parts of the
system, that these are regularly changed and not abused by being passed
on to people who should not have them.
5) Review the terminal positions to ensure that unauthorised individuals or
service users cannot casually view personal data on screen.
6) Ensure that confidential or private printouts are stored securely and safely
and that they are collected immediately if printed onto a networked