Data Protection Policy

Overview

Brown Edge House is committed to maintaining the highest standards of data protection and confidentiality. We ensure that all personal and sensitive data is handled in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

This policy outlines how we manage, protect, and govern personal data within our organisation.

Our Responsibilities

Brown Edge House acts as a Data Controller for the personal data we process. We are responsible for ensuring that:

  • Personal data is processed lawfully, fairly, and transparently

  • Data is collected for specified, explicit, and legitimate purposes

  • Only relevant and necessary data is processed (data minimisation)

  • Data is accurate and kept up to date

  • Data is retained only for as long as necessary

  • Appropriate security measures are in place

Categories of Data We Handle

We process personal data in the course of delivering our services, including:

  • Resident and service user information

  • Health and care records (special category data)

  • Staff employment records

  • Visitor and enquiry information

Special category data is processed strictly in line with health and social care requirements and confidentiality standards.

Data Protection Principles

We adhere to the core principles of UK GDPR:

  1. Lawfulness, fairness, and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality (security)

  7. Accountability

All staff are expected to understand and apply these principles in their daily work.

Data Security Measures

We implement robust safeguards to protect personal data, including:

  • Secure storage systems (both digital and physical)

  • Access controls to restrict data to authorised personnel only

  • Password protection and secure IT infrastructure

  • Staff training on confidentiality and data protection

  • Procedures for secure disposal of records

Staff Responsibilities

All employees at Brown Edge House are required to:

  • Handle personal data confidentially

  • Access only the data necessary for their role

  • Report any data breaches or concerns immediately

  • Complete relevant data protection training

Failure to comply may result in disciplinary action.

Data Retention

We retain personal data in accordance with legal, regulatory, and operational requirements, including guidance relevant to the care sector.

When data is no longer required, it is securely deleted or destroyed.

Data Sharing

Personal data may be shared where necessary and appropriate, including with:

  • Healthcare professionals

  • Local authorities and safeguarding bodies

  • Regulatory organisations such as the Care Quality Commission (CQC)

All data sharing is conducted securely and only when there is a lawful basis.

Data Breach Procedures

We have procedures in place to detect, report, and investigate data breaches.

Where required, breaches will be reported to the Information Commissioner’s Office (ICO) within statutory timeframes, and affected individuals will be informed where there is a high risk to their rights and freedoms.

Individual Rights

While detailed information on individual rights is outlined in our Privacy Policy, we ensure systems and processes are in place to support:

  • Subject Access Requests (SARs)

  • Data correction and updates

  • Requests for restriction or erasure (where applicable)

Governance and Accountability

We regularly review our data protection practices to ensure compliance. This includes:

  • Internal audits and policy reviews

  • Staff training updates

  • Monitoring of data handling practices

Where appropriate, a designated person oversees data protection compliance within the organisation.

Contact

For data protection matters, please contact:

Policy Review

This policy is reviewed regularly to ensure ongoing compliance and effectiveness.

Last reviewed: 31/03/2026