GDPR01 – Overarching UK GDPR policy & procedure

This policy outlines the key principles of UK GDPR. It has been reviewed and the associated policies in the Data Protection category of the system are listed in the Further Reading section. The link to the Records Management Code of Practice 2021, which provides guidance on how to keep records, including how long to keep different types of records, has also been updated. References have been checked and updated.

Relevant legislation

  • HSCA 2008 (Regulated Activities) Regulations 2014
  • The Data Protection Act 2018


Underpinning knowledge – What have we used to ensure that the policy is current

Author: Information Commissioner’s Office, (2018), Special Category Data – What are the conditions for processing? [Online] Available from: organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation- gdpr/special-category-data/what-are-the-conditions-for-processing/ [Accessed: 9/2/2023]

Author: GOV UK, (2017), National Data Guardian Review of Data security, consent and opt-outs. [Online] Available from: data-security-consent-and-opt-outs [Accessed: 9/2/2023]

Author: CQC, (2022), Regulation 17: Good governance. [Online] Available from: -governance [Accessed: 9/2/2023]

Author: Information Commissioner’s Office, (2018), Guide to the UK General Data Protection Regulation (UK GDPR). [Online] Available from: organisations/guide-to-the-general-data-protection-regulation-gdpr/ [Accessed: 9/2/2023]


Suggested action

Encourage sharing the policy through the use of the QCS App


Equality impact assessment

QCS have undertaken an equality analysis during the review of this policy. This statement is a written record that demonstrates that we have shown due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations with respect to the characteristics protected by equality law.



  1. The purpose of this policy is to ensure that NL Group Limited understands the key principles of UK GDPR.
  2. This policy sets out the steps that need to be taken by NL Group Limited to ensure that NL Group Limited handles, uses and processes personal data in a way that meets the requirements of UK GDPR. It should be read alongside the suite of NL Group Limited UK GDPR policies, procedures and guidance.
  3. This policy applies to all staff at NL Group Limited who process personal data about other staff, Service Users and any other living individuals as part of their role.
  4. To support NL Group Limited in meeting the following Key Lines of Enquiry/Quality Statements (New):
  5. To meet the legal requirements of the regulated activities that NL Group Limited is registered to provide:
  • HSCA 2008 (Regulated Activities) Regulations 2014
  • The Data Protection Act 2018



The following roles may be affected by this policy:

  • All staff

The following Service Users may be affected by this policy:

  • Service Users

The following Stakeholders may be affected by this policy:

  • Family
  • Advocates
  • Representatives
  • Commissioners
  • External health professionals
  • Local Authority
  • NHS



  • The objective of this policy is to ensure staff have a working knowledge of the principles and requirements of UK GDPR.
  • Alongside the suite of policies, procedures and guidance available, NL Group Limited can demonstrate that appropriate steps are taken to ensure NL Group Limited complies with UK GDPR when handling and using personal data provided by both staff and Service Users.
  • This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.
  • This policy will assist with understanding the obligations of NL Group Limited in respect of the rights of the staff and Service Users who have provided personal data and the steps NL Group Limited should take if it breaches UK GDPR.



GDPR Background

GDPR came into force on 25 May 2018 and replaced the Data Protection Act 1998. Following the UK’s departure from the EU, UK GDPR was incorporated into domestic law and applies in the UK. UK GDPR provides greater protection to individuals and places obligations on organisations, but can be dealt with in bite-size chunks to ensure that any impact on the provision of care and services is minimised. All staff need to ensure the ways in which they handle personal data meet the requirements of UK GDPR.


NL Group Limited’s Approach to UK GDPR

NL Group Limited is required to take a proportionate and appropriate approach to UK GDPR compliance. NL Group Limited understands that not all organisations will need to take the same steps – it will depend on the volume and types of personal data processed by a particular organisation, as well as the processes already in place to protect personal data. We understand that if we process significant volumes of personal data, including special categories of data, or have unusual or complicated processes in place in terms of the way we handle personal data, we will consider obtaining legal advice specific to the processing we conduct and the steps we may need to take.

UK GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990 will continue to apply.


Process for Promoting Compliance at NL Group Limited

To ensure NL Group Limited complies with UK GDPR, a suite of Data Protection policies and resources are available and should be read in conjunction with this overarching policy.


Overview of Key Principles and Documents

The key principles and themes of each of the documents listed above are summarised below:

Key terms:

UK GDPR places obligations on all organisations that process personal data about a Data Subject. Brief descriptions of those three key terms are included in the Definitions section of this document and are expanded upon in the Key Terms Guidance.

The requirements that NL Group Limited needs to meet vary depending on whether NL Group Limited is a Data Controller or a Data Processor. We recognise that in most scenarios, NL Group Limited will be a Data Controller. The meaning of Data Controller and Data Processor, together with the roles they play under UK GDPR, are explained in the Key Terms Guidance.

Special categories of data attract a greater level of protection, and the consequences for breaching UK GDPR in relation to special categories of data may be more severe than breaches relating to other types of personal data. This information is also covered in more detail in the Key Terms Guidance.


Key principles: 

There are 7 key principles of UK GDPR which NL Group Limited must comply with. These 7 principles are very similar to the key principles that were set out in the Data Protection Act 1998. They are:

  • Lawful, fair and transparent use of personal data
  • Using personal data for the purpose for which it was collected
  • Ensuring that the personal data is adequate and relevant
  • Ensuring that the personal data is accurate
  • Ensuring that the personal data is only retained for as long as it is needed
  • Ensuring that the personal data is kept safe and secure
  • Accountability – taking responsibility for what you do with personal data and how you comply with the other principles. NL Group Limited must have appropriate measures and records in place to be able to demonstrate compliance

These key principles are explained in more detail in the guidance entitled ‘UK GDPR – Key Principles’.

NL Group Limited recognises that in addition to complying with the key principles, NL Group Limited must be able to provide documentation to the Information Commissioner’s Office (ICO) on request, as evidence of compliance. We understand that we must also adopt ‘privacy by design’. This means that data protection issues should be considered at the very start of a project, or engagement with a new Service User. Data protection should not be an afterthought. These ideas are also covered in more detail in the Key Principles Guidance.


Processing personal data

The position has been improved under UK GDPR in terms of the ability of care sector organisations to process special categories of data. The provision of health or social care or treatment or the management of health or social care systems and services is now expressly referred to as a reason for which an organisation is entitled to process special categories of data.

In terms of other types of personal data, NL Group Limited must only process personal data if it is able to rely on one of a number of grounds set out in UK GDPR. The grounds which are most commonly relied on are:

  • The Data Subject has given his or her consent to the organisation using and processing their personal data
  • The organisation is required to process the personal data to perform a contract
  • The processing is carried out in the legitimate interests of the organisation processing the data – note that this ground does not apply to public authorities

The other grounds which may apply are:

  • The processing is necessary to comply with a legal obligation
  • The processing is necessary to protect the vital interests of the Data Subject or another living person
  • The processing is necessary to perform a task carried out in the public interest

The grounds set out above and the impact of the changes made in respect of special categories of data are explained in more detail in the guidance entitled ‘UK GDPR – Processing Personal Data’.


Data Protection Officers

NL Group Limited understands that some organisations will need to appoint a formal Data Protection Officer under UK GDPR (a “DPO”). The DPO benefits from enhanced employment rights and must meet certain criteria, so we recognise that it is important to know whether NL Group Limited requires a DPO. This requirement is outlined in the policy and procedure on Data Protection Officers.

Whether or not NL Group Limited needs to appoint a formal Data Protection Officer, NL Group Limited will appoint a single person to have overall responsibility for the management of personal data and compliance with UK GDPR.


Data Security and Retention 

Two of the key principles of UK GDPR are data retention and data security.

  • Data retention refers to the period for which NL Group Limited keeps the personal data that has been provided by a Data Subject. At a high level, NL Group Limited must only keep personal data for as long as it needs the personal data
  • Data security requires NL Group Limited to put in place appropriate measures to keep data secure

These requirements are described in more detail in the policy and procedure entitled Data Security and Data Retention.


Website Privacy and Cookies Policy and Procedure

Where NL Group Limited collects personal data via a website, we understand that we will need a UK GDPR compliant website privacy policy. The privacy policy explains how and why personal data is collected, the purposes for which it is used and how long the personal data is kept. A template website policy is provided.


Subject Access Requests

One of the key rights of a Data Subject is to request access to and copies of the personal data held about them by an organisation. Where NL Group Limited receives a Subject Access Request, we understand that we will need to respond to the Subject Access Request in accordance with the requirements of UK GDPR. To help staff at NL Group Limited understand what a Subject Access Request is and how they should deal with a Subject Access Request, a Subject Access Request Policy and Procedure is available to staff. An NL Group Limited process map to follow when responding to a Subject Access Request, as well as a Subject Access Request letter template, are also included.

The Rights of a Data Subject

In addition to the right to place a Subject Access Request, Data Subjects benefit from several other rights, including the right to be forgotten, the right to object to certain types of processing and the right to request that their personal data be corrected by NL Group Limited. All rights of the Data Subject are covered in detail in the corresponding guidance.


Breach Notification Under UK GDPR

We understand that, in certain circumstances, if NL Group Limited breaches UK GDPR, we must notify the ICO and potentially any affected Data Subjects. There are strict timescales in place for making such notifications. A policy and procedure for breach notification that can be circulated to all staff, together with a process map for NL Group Limited to follow if a breach of UK GDPR takes place, is available.

We understand that this requirement is likely to have less impact on NHS organisations that are already used to reporting using the NHS reporting tool.


Fair Processing Notice and Consent Form

Organisations are required to provide Data Subjects with certain information about the ways in which their personal data is being processed. The easiest way to provide that information is in a Fair Processing Notice. A Fair Processing Notice template is available for NL Group Limited to use and adapt on a case by case basis.

The Fair Processing Notice sits alongside a consent form which can be used to ensure that NL Group Limited obtains appropriate consent, particularly from the Service User, to the various ways in which NL Group Limited uses the personal data. The Consent Form contains advice and additional steps to take if the Service User is a child or lacks capacity.


Transfer of Data

If NL Group Limited wishes to transfer personal data to a third party, we understand that we should put in place an agreement to set out how the third party will use the personal data. Such a transfer would include, for example, using a data centre in a non-EU country. If that third party is based outside the European Economic Area, we recognise that further protection will need to be put in place and other aspects considered before the transfer takes place. Guidance has been produced to explain the implications of transferring personal data in more detail.


Privacy Impact Assessments

NL Group Limited must carry out Privacy Impact Assessments each time it processes personal data in a way that presents a “high risk” for the Data Subject. Examples of when a Privacy Impact Assessment should be conducted are provided in the relevant policy and procedure. Given the volume of special categories of data that are frequently processed by organisations in the health and care sector, there are likely to be a number of scenarios which require a Privacy Impact Assessment to be completed.

The Privacy Impact Assessment template may also be used to record any data protection incidents, such as breaches or ‘near misses’.


Compliance with UK GDPR

NL Group Limited understands that there are two primary reasons to ensure that compliance with UK GDPR is achieved:

  • It promotes high standards of practice and care, and provides significant benefits for staff and, in particular, Service Users
  • Compliance with UK GDPR is overseen in the UK by the ICO. Under UK GDPR, the ICO has the ability to issue a fine of up to 20 million Euros (approximately £17,000,000) or 4% of the worldwide turnover of an organisation, whichever is higher. The potential consequences are therefore significant.

NL Group Limited appreciates that it is important to remember, however, that the intention of the ICO is to educate and advise, not to punish. The ICO wants organisations to achieve compliance. A one-off, minor breach may not attract the attention of the ICO but if NL Group Limited persistently breaches UK GDPR or commits significant one-off breaches (such as the loss of a large volume of personal data, or the loss of special categories of data), it may be subject to ICO enforcement action. In addition to imposing fines, the ICO also has the power to conduct audits of NL Group Limited and our data protection policies and processes. NL Group Limited realises that the ICO may also require NL Group Limited to stop providing services, or to notify Data Subjects of the breach, delete certain personal data we hold or prohibit certain types of processing.


  1. All staff should review the UK GDPR policies and procedures and guidance that will be produced over the next few months.
  2. NL Group Ltd will nominate a person or team to be responsible for data protection and UK GDPR compliance (if a formal Data Protection Officer is not required, somebody with an understanding of the requirements who can act as a day-to-day point of contact will be chosen).
  3. Debra Dunne RN, MSc should ensure all staff understand the policies and procedures provided, including how to deal with a Subject Access Request and what to do if a member of staff breaches UK GDPR.
  4. Debra Dunne RN, MSc will consider providing training internally about UK GDPR (in particular, the Key Principles of UK GDPR) to all staff members.
  5. NL Group Limited will delete any personal data that NL Group Limited no longer needs, based on the results of the audit conducted, taking into account any relevant guidance, such as the Records Management Code of Practice – NHSX management-code/.
  6. NL Group Limited will, if necessary, put in place new measures or processes to ensure that personal data continues to be processed in line with UK GDPR.
  7. NL Group Limited will, if necessary, finalise and circulate a Fair Processing Notice to Service Users.
  8. NL Group Limited will ensure proper consent is obtained from each Service User in line with UK GDPR regulations (the Consent Form provided can be used for this purpose). NL Group Limited will review the additional steps that NL Group Limited should take to ensure that NL Group Limited obtains consent from parents, guardians, carers or other representatives where NL Group Limited works with children or those who lack capacity.

NL Group Limited will ensure that processes and procedures are in place to respond to requests made by Data Subjects (including Subject Access Requests) and to deal appropriately with any breaches or potential breaches of UK GDPR.

Debra Dunne RN, MSc will maintain a log of decisions taken and incidents that occur in respect of the personal data processed by NL Group Limited using the NL Group Limited Privacy Impact Assessment template.



Data Subject

The individual about whom NL Group Limited has collected personal data

Data Protection Act 2018

The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive

Personal Data

Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below

Process or Processing

Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it

Special Categories of Data

Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special Categories of Data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views

UK GDPR

The UK GDPR is the retained EU law version of GDPR that forms part of English law. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018

Information Commissioner’s Office

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals


Key Facts – Professionals

Professionals providing this service should be aware of the following:

  • This is the overarching policy and provides a high level reference to all areas that are important for compliance with UK GDPR
  • Understanding of the content of this policy should be embedded with all staff at NL Group Limited
  • NL Group Limited must appoint a person with overall responsibility for managing UK GDPR. This person may be an official Data Protection Officer (DPO) or a person appointed to oversee privacy, governance and data protection
  • UK GDPR provides greater protection for staff and Service Users in respect of their personal data
  • NL Group Limited has adopted an appropriate and proportionate approach; what is right and necessary for NL Group Limited may not be right for another organisation
  • Compliance is mandatory, not optional
  • Achieving compliance with UK GDPR will not only reduce the risk of ICO enforcement or fines but will also promote a better quality service for Service Users and an improved working environment for staff


Key Facts – People affected by the service

People affected by this service should be aware of the following:

  • Your personal data will be protected
  • You have a right to see what information we hold about you
  • You will be asked for your consent before we obtain your personal data in line with UK GDPR requirements
  • In addition to the UK GDPR regulations, our staff will continue to follow confidentiality policies in relation to all aspects of your care


Further Reading

As well as the information in the ‘underpinning knowledge’ section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:

NHS England – Transformation Directorate – Records Management Code of Practice 2021 (provides guidance on how to keep records, including how long to keep different types of records. It replaces previous versions):

GOV.UK – New Health Data Security Standards and Consent/opt-out Model:

  • Consent Authorisation Policy and Procedure
  • Subject Access Requests Policy and Procedure
  • Data Quality Policy and Procedure
  • Clear Desk Policy and Procedure
  • Data Security and Data Retention Policy and Procedure
  • Privacy Impact Assessment Policy and Procedure
  • Appointing a Data Protection Officer Policy and Procedure
  • Breach Notification Policy and Procedure
  • Fair Processing Notice Policy and Procedure
  • Website Privacy and Cookies Policy and Procedure
  • Legitimate Interests Assessment Policy and Procedure
  • National Data Opt-Out Policy and Procedure
  • Caldicott Guardian Policy and Procedure


Outstanding Practice

To be ‘outstanding’ in this policy area you could provide evidence that:

  • The wide understanding of the policy is enabled by proactive use of the QCS App
  • NL Group Limited conducts Privacy Impact Assessments for each new processing activity carried out, whether or not the processing presents a ‘high risk’ to the Data Subjects
  • There is evidence that NL Group Limited conducts regular (6 monthly or annual) audits of the personal data that is processed to ensure continued compliance with UK GDPR
  • NL Group Limited can evidence that there are processes in place for ensuring NL Group Limited remains up to date with guidelines and recommendations relating to data protection, including ICO guidance and guidance issued by NHS Digital and this information is effectively cascaded to all relevant staff
  • NL Group Limited provides training to all staff in respect of UK GDPR and the new policies and processes that have been adopted



Currently there is no form attached to this policy.