Data Protection Policy

Effective: May 2026 / UK GDPR / Data Protection Act 2018 / CQC Compliance

This policy sets out how 1st Healthcare Group Limited meets its obligations as a Data Controller and ensures that all staff, contractors, and associates handle personal data lawfully, fairly, and securely.

1. Policy Statement & Commitment

1st Healthcare Group Limited is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognise that the personal data we handle - including sensitive health and care data - deserves the highest standard of protection.

This policy applies to all employees, directors, contractors, agency workers, volunteers, and any other persons working on behalf of 1st Healthcare Group Limited who access personal data in the course of their duties.

Breach of this policy may result in disciplinary action, up to and including dismissal, and may also result in civil or criminal liability under the Data Protection Act 2018.

2. The UK GDPR Data Protection Principles

All personal data must be processed in accordance with the following six principles. Data must be:

1. Lawfully, Fairly and Transparently Processed

There must always be a lawful basis for processing. Individuals must be informed about how their data is used.

2. Collected for Specified, Explicit and Legitimate Purposes

Data collected for one purpose cannot be used for an incompatible purpose without further consent.

3. Adequate, Relevant and Limited to What is Necessary

We only collect and hold data that is strictly necessary for the stated purpose (data minimisation).

4. Accurate and Kept Up to Date

Inaccurate data must be corrected or deleted without delay. Staff must report inaccuracies promptly.

5. Kept No Longer Than Necessary

Data is retained only as long as needed for its purpose or as required by law, then securely deleted.

6. Processed with Appropriate Security

Appropriate technical and organisational measures protect data against unauthorised access, loss, or destruction.

3. Roles & Responsibilities

  • Directors / Senior Management: Accountable for overall compliance. Ensure sufficient resources and training are in place.

  • All Staff: Responsible for handling personal data in line with this policy. Must complete data protection training and report any suspected breaches immediately.

  • Data Protection Lead (DPL): 1st Healthcare Group Limited has designated [Insert Name/Role] as the internal Data Protection Lead. Contact: privacy@1sthealthcaregroup.co.uk

  • IT / Systems Administrators: Responsible for implementing and maintaining technical security measures.

4. Special Category Data

As a healthcare organisation, we regularly handle special category data under Article 9 UK GDPR. This includes:

  • Health and medical information about service users and staff

  • Racial or ethnic origin (where relevant to culturally appropriate care)

  • Criminal conviction data (DBS checks for staff)

Special category data receives additional protections. It is only processed where there is explicit consent or another Schedule 1 condition under the Data Protection Act 2018 applies, including healthcare provision.

5. Data Security Requirements

All staff must observe the following security requirements:

  • Use strong, unique passwords and never share login credentials

  • Lock screens when leaving workstations unattended

  • Never transfer personal data via personal email or unsecured channels

  • Ensure paper records containing personal data are stored securely and shredded when no longer needed

  • Do not access personal data on public Wi-Fi without a VPN

  • Report lost or stolen devices immediately to management

  • Only use Company-approved systems and software to store or share data

6. Data Breach Procedure

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

1. Identify & Contain

Immediately stop further data loss and secure any affected systems or paper records.

2. Report Internally

Report to your line manager and the Data Protection Lead within 1 hour of discovery.

3. Assess Risk

The DPL assesses whether the breach poses a risk to individuals' rights and freedoms.

4. Report to ICO (if required)

If the breach is likely to result in a risk to individuals, it must be reported to the ICO within 72 hours.

5. Notify Affected Individuals

Where there is a high risk to individuals, they must be notified directly without undue delay.

7. Training & Awareness

All staff and contractors must:

  • Complete data protection induction training before handling personal data

  • Complete annual data protection refresher training

  • Read and sign acknowledgement of this policy on joining and upon any significant update

8. Data Protection Lead

Email: privacy@1sthealthcaregroup.co.uk
Regulatory body: Information Commissioner's Office - ico.org.uk

1st Healthcare Group Limited - Registered in England & Wales
Company Registration No: 12248763
Registered Address: Unit 29 Highcroft Industrial Estate, Enterprise Road, Waterlooville, England, PO8 0BT

Policies last reviewed: May 202625  /  Questions? info@1sthealthcaregroup.co.uk