Policy Statement

This organisation adheres fully to Data Protection legislation which states: all records required for the protection of Service Users and the effective and efficient running of the organisation should be maintained accurately and should be up-to-date; that Service Users should have access to records and information about them held by the organisation; and that all individual records and organisation records should be kept confidentially and securely. This organisation is fully aware of the GDPR and its framework within the Data Protection Act 2018.

The Policy

This policy is intended to set out the values, principles and policies underpinning this organisation’s approach to access to records. The organisation aims to ensure that Service Users can be assured that the protection of their privacy and confidentiality are given the highest consideration.

Access to Records/Files Policy

This organisation believes that access to information and the security/privacy of data is an absolute right of every service user and that service users are entitled to see a copy of all personal information held about them and be given the opportunity to correct any error or omission. Therefore, in this organisation:

  • Service users should have access to their records and information about them held by the organisation, as well as opportunities to help maintain their personal records in the case of records kept in the home.
  • Individual records and organisation records required for the protection of Service Users should at all times be kept securely and should be constructed, maintained, and used in accordance with data protection legislation and other statutory requirements.

Any service user requiring access to their files should contact the head of the organisation to make arrangements to view them. Service users with sensory or other disabilities should be given appropriate help and support from an independent source as required, e.g. an advocacy service.

The viewing of certain records may only be refused in the following circumstances, as consistent with data protection legislation:

  • Where disclosing the personal data would reveal information that relates to and identifies another person unless that person has consented to the disclosure or it is reasonable to comply with the request without that consent.
  • Where permitting access to the data would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
  • Where the access request is made by another on behalf of the data subject, access can be refused, if the data subject had either: provided the information with the expectation it would not be disclosed to the applicant or had indicated it should not be so disclosed, or if the data was obtained as a result of any examination or investigation to which the data subject consented on the basis that information would not be so disclosed.

Before deciding whether the above restrictions apply, the head of the organisation should consult the health professional responsible for the clinical care of the service user: if there is more than one, the most suitable available health professional; if there is none, then the head of the organisation should consult a health professional with the necessary qualifications and experience to advise on the matters to which the information requested relates. Third-party information can only be accessed with the consent of the third party and third-party subject access rules will apply.

Service Users who have a complaint about the way that the organisation keeps files about them, or who are refused access to files that they believe they should have access to, should be referred to the Data Protection Information Commissioner.

Information Commissioner`s Office

All relevant providers must be registered with the above so that they may collect, hold, store, and retrieve personal information. They must identify a Data Controller within the organisation  [INSERT DATA CONTROLLER]

Related Policies

Data Protection Legislative Framework (GDPR)

Record Keeping

Services Users Record (HOME)


Related Guidance

Information Commissioner’s Office


Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Training Statement

All staff, during induction, are made aware of the organisation’s policies and procedures, all of which are used for training updates. All policies and procedures are reviewed and amended where necessary, and staff are made aware of any changes. Observations are undertaken to check skills and competencies. Various methods of training are used, including one to one, online, workbook, group meetings, and individual supervisions. External courses are sourced as required


Date Reviewed: October 2022

Person responsible for updating this policy:

Next Review Date: October 2023



Scroll to Top