Spire Homecare Ltd – Privacy and Information Security Policy
Updated: 11 April 2025

Policy Statement

Spire Homecare Ltd is committed to protecting all information assets—whether relating to service users, staff, or corporate operations—to a consistently high standard. This policy applies to both physical and digital data and is designed to guard against potential threats including loss, misuse, unauthorised access, and cyberattacks.

We recognise that data breaches, including cyberattacks, are increasing in scope and sophistication. Therefore, our approach to data protection and information security incorporates the latest guidance from the UK Government, NHS, and Information Commissioner’s Office (ICO).

This policy sets out the measures we take to safeguard personal and sensitive information, maintain business continuity, and comply with legal obligations under the Data Protection Act 2018 and UK GDPR.

Scope

This policy applies to:

• Paper-based and electronic record systems
• All information recording and processing systems, including email, video, photographic and audio
• All Spire Homecare staff, contractors, and volunteers
• Data shared with external partners and agencies

Core Objectives

1. Maintain the confidentiality of personal and sensitive information.
2. Ensure the integrity and accuracy of the data we hold.
3. Preserve the availability of our information systems to authorised personnel.

Physical and Digital Security Measures

• All staff must wear ID badges and challenge unbadged individuals in secure areas
• Visitors must sign in and be accompanied by a staff member at all times
• Entry codes for secure areas must be changed regularly
• All devices must be locked when unattended
• Passwords must never be shared and should be updated routinely
• Staff must never use personal USBs or external storage without written authorisation from the Managing Director
• Any suspicious individuals or cyber threats should be reported immediately to management
• Only designated staff may dispose of confidential waste or old devices
• Staff are required to implement a “clear desk” policy, especially when handling personal data

IT and Network Security

• IT infrastructure is maintained by our contracted provider: Computers Dot Com, 6 Edison Rd, Churchfields, Salisbury SP2 7NU (Tel: 01722 343640)
• All hardware and software installations must be authorised by the Managing Director
• Regular cybersecurity training is provided to all staff
• Daily backups of critical data are performed and tested

Incident Management

• All breaches or suspected breaches must be reported to the Managing Director (Data Protection Officer)
• The Managing Director will conduct a timely investigation and initiate any required notifications to the ICO and affected parties
• A log of all incidents and outcomes will be maintained

Information Sharing

Staff must only share information:

• When it is lawful, necessary, and proportionate
• On a strict need-to-know basis
• With appropriate authorisation from the Data Controller (Luke Donohue)
• Using secure methods (e.g., encrypted email or approved courier services)

Staff should always:

• Explain clearly to the person why and how their information may be shared
• Seek consent where appropriate, unless overridden by safeguarding or legal requirements
• Document any decisions to share (or not share) information

Legal and Regulatory Framework

• UK GDPR and Data Protection Act 2018
• Care Act 2014
• Human Rights Act 1998
• Freedom of Information Act 2000
• Crime and Disorder Act 1998
• Common Law Duty of Confidentiality
• Caldicott Principles

Training and Awareness

• All staff must complete annual information governance training
• New staff receive a data protection briefing as part of induction
• Awareness is reinforced through internal audits, newsletters, and refresher modules

Review and Maintenance

This policy is reviewed annually or following any significant incident or legislative change.

Policy Owner: Luke Donohue, Managing Director, luke@spirehomecare.co.uk.
Next Review Date: April 2026