GDPR Policy

Policy Statement

All Next Steps employees are responsible for compliance and for ensuring that personal information maintained by Next Steps is not disclosed, orally or in writing, accidentally or otherwise, to any unauthorised third party. Any deliberate breach of this policy by an employee may lead to disciplinary action being taken against them. These regulations set out the procedures to be followed when dealing with personal data. They apply to Next Steps, its employees, contractors, agents, consultants, partners and any other parties working on behalf of Next Steps. Next Steps views the correct and lawful handling of personal data as key to its success and to its dealings with third parties and its employees, and shall ensure that it handles all personal data correctly and lawfully.

GDPR Seven Key Principles:

  • Lawfulness, fairness and transparency: Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Data minimisation: Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  • Integrity and confidentiality (security): Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Accountability: The controller shall be responsible for, and be able to demonstrate, compliance.

Caldicott Principles

The Caldicott Principles were developed in 1997, following a review of how patient information was handled across the NHS, to give organisations a standard to follow so that personal data relating to the people who use their services is protected and used only when it is appropriate to do so. The Principles were extended to adult social care records in 2000. Next Steps will comply with the Caldicott Principles when processing personal data relating to the people who use our services.

The principles are:

  • Principle 1 – Justify the purpose(s) for using confidential information: Every proposed use or transfer of confidential personal data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.
  • Principle 2 – Don’t use personal confidential data unless it is absolutely necessary: Confidential personal data items should not be included unless they are essential for the specified purpose(s) of that flow. The need for people who use care services to be identified should be considered at each stage of satisfying the purpose(s).
  • Principle 3 – Use the minimum necessary personal confidential data: Where use of confidential personal data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of confidential personal data is transferred or accessible as is necessary for a given function to be carried out.
  • Principle 4 – Access to personal confidential data should be on a strict need-to-know basis: Only those individuals who need access to confidential personal data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
  • Principle 5 – Everyone with access to personal confidential data should be aware of their responsibilities: Action should be taken to ensure that those handling confidential personal data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient and service-user confidentiality.
  • Principle 6 – Comply with the law: Every use of confidential personal data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
  • Principle 7 – The duty to share information can be as important as the duty to protect patient confidentiality: Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Next Steps will have a Caldicott Guardian who will advise on, and monitor compliance with, the Caldicott Principles within the organisation.


Personal Data

Personal data is defined as data which relates to a living individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The regulations also define “sensitive personal data” as personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Employees’ Personal Data

Next Steps only holds personal data which is directly relevant to its employees. That data will be held and processed in accordance with the data protection principles and with these regulations. The following are examples of data which may be collected, held and processed by Next Steps:

  • Identification information relating to employees including, but not limited to, names and contact details.
  • Equal opportunities monitoring information including age, gender, race, nationality and religion.
  • Health records including details of sick leave, medical conditions, disabilities and prescribed medication.
  • Employment records including, but not limited to, interview notes, curricula vitae, application forms, assessments, performance reviews and similar documents.
  • Details of salaries including increases, benefits and expenses.
  • Records of disciplinary matters including reports and warnings, both formal and informal.
  • Details of grievances including documentary evidence, notes from interviews, procedures followed and outcomes.

Other Persons’ Personal Data

Information relating to individuals will be obtained for the delivery of services. This could include confidential information such as names, addresses, personal circumstances, credit or debit card details, bank details etc. Care is taken to ensure that the information obtained is adequate, relevant and not excessive for the purpose for which it is intended to be used. The information will not be processed or stored in any manner incompatible with that purpose. It will be kept safe from unauthorised access, accidental loss or destruction, and will not be retained for longer than is necessary.

Access to Data

Only the people who need the data will have access to it. On our document management and storage system (SharePoint), access to specific folders, and therefore to the data contained within them, is restricted based on the employee’s job title and/or the services they work in. On our time & attendance system (ADP), access to employees’ information (e.g. timesheets, annual leave, contract information etc.) is restricted based on the employee’s job title, the borough they oversee, and/or the services they work in.

Right of Access by the Data Subject

The people we support, employees and other individuals that Next Steps holds information about have the right to access any personal data maintained about them, whether electronically or in paper files. The application must be made in writing and accompanied by the correct fee before it is processed. Upon receipt of a Subject Access Request, Next Steps shall have a maximum period of 30 days within which to respond.

Consent

Next Steps ensures that any request for consent will be verbal, prominent and separate from any business terms and conditions that may need agreeing to. We will specify in clear, plain language why we require personal data and how we intend to use it. Next Steps will name our organisation and any third parties with whom data may be shared in any communication or correspondence relating directly to consent. Next Steps will not use personal data for marketing, so no consent will be required for this purpose. In the event that consent is deemed necessary for this purpose, Next Steps will make it clear and easy for individuals to withdraw their consent at any time and will publicise how to do so. Next Steps will act on withdrawals of consent as soon as practicable, and no individual will be penalised for wishing to withdraw their consent.

Training

All new staff should be encouraged to read the policies on data protection and on confidentiality as part of their induction process. Existing staff will be offered training to National Training Organisation standards covering basic information about confidentiality.

Monitoring Compliance

Reports and audits carried out by the HR & Quality Manager and Business Analyst Manager will assess compliance with data protection law and with this policy. These reports will be presented to the Data Protection Officer and Caldicott Guardian where key issues of compliance and performance will be reported and discussed.

In accordance with Article 38(3) of GDPR, the Data Protection Officer will not be instructed or restricted in the performance of their tasks.

Last Modified: Feb 2024