GDPR

Our organisation has comprehensive technical and organisational measures in place to ensure compliance with UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and confidentiality requirements applicable to supported living services.

We operate a robust information governance framework supported by policies, procedures, staff training, secure digital systems, and regular monitoring processes designed to protect the confidentiality, integrity, availability, and resilience of personal data processing systems and services.

Confidentiality, Integrity, Availability and Resilience

We maintain strict controls to ensure that personal data relating to service users, families, staff and professionals is processed securely and only by authorised personnel. Measures include:

  • Role-based access controls to electronic records and systems, ensuring staff can only access information necessary for their role.
  • Password-protected devices, multi-factor authentication where available, encrypted email systems, and secure cloud-based storage solutions.
  • Anti-virus software, firewalls, endpoint protection, and routine software updates across all company devices.
  • Secure backup and disaster recovery arrangements to ensure continuity of access to care records and operational systems.
  • Secure retention and disposal procedures for both electronic and paper records, including confidential shredding.
  • Business continuity and cyber incident response procedures to minimise disruption and ensure resilience of services.

All staff receive mandatory data protection, confidentiality, cyber security, and information governance training during induction and through annual refresher training. Staff are also required to sign confidentiality agreements as part of their employment.

Data Subject Rights

We have documented procedures to ensure compliance with the rights of data subjects under UK GDPR, including the rights to:

  • receive transparent privacy information;
  • request access to personal data;
  • request rectification of inaccurate information;
  • request erasure where applicable;
  • restrict or object to processing;
  • request portability of personal data where appropriate.

Privacy notices are provided to service users, staff, relatives, and other stakeholders explaining how personal information is collected, used, stored, and shared.

Subject Access Requests (SARs) are managed through a formal process with clear timescales, audit trails, and oversight by senior management and the designated Data Protection Lead. Requests are logged, monitored, and responded to within statutory deadlines.

Consent Management

Where processing is based on consent, we ensure consent is:

  • freely given;
  • specific and informed;
  • actively obtained;
  • capable of being withdrawn at any time.

Consent records are securely maintained and auditable. Care staff are trained to understand the principles of mental capacity, best interests decision-making, and lawful bases for processing personal data within health and social care settings.

International Data Transfers

Where personal data may be transferred or accessed outside the UK, appropriate legal safeguards are implemented in accordance with UK GDPR requirements. These safeguards may include:

  • use of UK adequacy regulations;
  • International Data Transfer Agreements (IDTAs);
  • approved contractual clauses with suppliers;
  • due diligence assessments of third-party providers.

We ensure that any third-party systems or software providers used by the organisation demonstrate appropriate levels of security and compliance.

Monitoring, Testing and Continuous Improvement

We regularly test, assess and evaluate the effectiveness of our technical and organisational measures through:

  • internal audits and compliance monitoring;
  • policy reviews;
  • incident reporting and lessons learned reviews;
  • staff competency checks and supervision;
  • cyber security monitoring and software updates;
  • review of supplier compliance and contracts.

Any data breaches or security incidents are managed through a formal breach reporting procedure, with escalation, investigation, corrective actions, and reporting to the Information Commissioner’s Office (ICO) where required.

Through these measures, we are committed to maintaining high standards of information governance, protecting the rights of individuals, and ensuring secure and lawful handling of personal data throughout the delivery of supported living services.

cropped-Care-Advocates-Logo.png

Empowering independence. Delivering compassionate, person-centred supported living services across the United Kingdom.

Quick Links

Policy

Location

  • Unit 11C, 22 Carlton Road, South Croydon, CR2 0BD
  • 0345 116 8290

Follow -US

Facebook Linkedin Youtube

© 2025 Care Advocates LTD. All rights reserved.