Introduction

Clinical Partners Ltd. (the Company) recognises the importance of reliable information and the contribution it makes to the objective of the company, which is to provide access to the highest quality mental health outpatient care. Clinical Partners is committed to operating robust arrangements for information governance to ensure that it uses data in a secure and effective way. The organisation is always mindful of the client’s right to be assured of confidentiality and handles data in a way that seeks always to minimise the risk of loss or misuse of personal identifiable data.

The Board of Clinical Partners recognises its responsibilities under the Data Protection Act 2018 and the GDPR, to maintain the security and confidentiality of all person identifiable data that it handles and has developed procedures to ensure that this occurs. Clinical Partners seeks to work in a transparent and accountable manner when handling information relating to individuals.

In recognition of recent legislative and regulatory changes, Clinical Partners is actively reviewing and enhancing its information governance practices to align with the following:

  • Mental Health Bill 2025: particularly provisions on Advance Choice Documents and enhanced rights for individuals with learning disabilities and autism.
  • Gender Identity Services Policy: ensuring data protection and confidentiality of gender identity data, including obligations under the Gender Recognition Act 2004.
  • ISO/IEC 27001:2022 Amendment 1: including climate change risk in the context of information security.
  • NHS Data Security and Protection Toolkit: aligned with the Cyber Assessment Framework.
  • NHS England Operating Model and Single Assessment Framework: with expectations around integrated data sharing and safeguarding.
  • Online Safety Act 2023: particularly in relation to safeguarding children and vulnerable individuals in digital environments.
  • ICO Data Protection Audit Framework: as a benchmark for compliance and internal auditing against UK GDPR accountability principles.

The organisation is undertaking a structured policy review to ensure continued compliance with the Data Protection Act 2018, UK GDPR, and all associated standards and frameworks. This policy forms part of the Clinical Partners Core Integrated Management System (IMS) and underpins both our ISO 9001:2015 Quality Management System and our ISO/IEC 27001:2022 Information Security Management System.


Purpose and principles of data protection

The Information Governance and Data Protection Policy sets out how the Company will ensure that information is used effectively, efficiently, securely and legally, and the steps that it will take to minimise loss/breach of confidential data that it manages.

The principles of GDPR are based on accountability. The organisation will ensure that all information relates to the following principles:

  • It is lawful, fair and transparent
  • It is collected and retained for a specific purpose
  • The information is relevant and accurate
  • Information is held securely
  • Individuals’ rights are observed

These principles apply across all operations within the Clinical Partners Integrated Management System (IMS) and support both ISO 9001:2015 (clause 7.5) and ISO/IEC 27001:2022 (clauses 5.1, 6.1, 8.1, and Annex A controls A.5.1–A.5.36 and A.8.1–A.8.12).

As part of our ongoing policy review, Clinical Partners is evaluating the effectiveness of our data handling processes in light of:

  • The Mental Health Bill 2025, to ensure personal data is used to support advance decision-making and protect patient rights
  • The Gender Identity Services Policy and Gender Recognition Act 2004, to strengthen privacy of gender-related data
  • The Online Safety Act 2023, to review online service environments for compliance with safety and age-appropriate design standards
  • The NHS DSPT and Cyber Assessment Framework, to align with health and care sector accountability and assurance requirements
  • The ICO Data Protection Audit Framework, to benchmark our performance and guide internal audit programmes

This ongoing work reinforces our commitment to a robust, rights-focused and risk-based approach to information governance and data protection.


Scope

This policy covers the use and management of information in all formats (e.g. paper, electronic), including the security, availability, collection, processing, storage, communication and disposal of information.

The introduction of GDPR 2018 applies across the whole of the EU and affects any non-EU business offering services to EU citizens.

The policy applies to all employees and contractors working for or supplying services to or for the Company.

This policy also applies to all data processing carried out by Clinical Partners in support of its clinical services, operational systems and digital service platforms - including patient portals, referral management systems and communication tools where personal or sensitive data may be exchanged.

As part of our Integrated Management System, this policy sits within the core IMS documentation and supports:

  • ISO 9001:2015 – Clause 4.3 (Scope of the management system), Clause 8.2 (Customer requirements) and Clause 9.1 (Monitoring and evaluation)
  • ISO/IEC 27001:2022 – Clause 4.3 (Scope of the ISMS), Clause 6.1 (Information security risk management) and Annex A controls relating to data handling and privacy
  • NHS Data Security and Protection Toolkit (DSPT) – with application across all 10 Data Security Standards
  • NHS England’s expectations for integrated care information governance and safe data sharing
  • Online Safety Act 2023 – where relevant to digital environments involving service users
  • Mental Health Bill 2025 and Single Assessment Framework – where handling personal data informs treatment decisions or safeguarding

All Clinical Partners platforms, whether developed internally or provided by third-party processors (e.g. referral portals, scheduling tools, assessment platforms), must comply with this policy and be subject to appropriate data protection controls, audits and contractual clauses.


Definitions

The following terms are used within this policy:

| Term | Definition |
|---|---|
| Information Governance | Relates to the way the organisation processes or handles information in a legal and secure manner |
| Personal Data | Information held by the organisation on individuals accessing their services |
| Data Subject | An individual who can be identified from information recorded about them and to whom the information relates |
| Data Controller | The organisation that controls and manages the information it holds |
| Data Processor | A third-party organisation that manages, processes or stores data on behalf of the organisation. An example would be outsourced payroll |

Under GDPR, new responsibilities are placed on Data Processors. The Data Controller is responsible for ensuring that any Data Processor is compliant with GDPR through due diligence and contractual obligations. This may include audits of processor operations.

Clinical Partners also recognises additional terminology relevant to its operations and regulatory context, including:

  • Advance Choice Document – A written record created by a patient under the Mental Health Bill 2025 to express preferences about future mental health treatment
  • Special Category Data – As defined in Article 9 of UK GDPR, including health data, gender identity, sexual orientation, and ethnicity, which require enhanced protections
  • Integrated Care Systems (ICS) – A regional NHS-led partnership of organisations working together to plan and deliver health and care services. Shared data processing within ICSs must comply with DSPT and this policy
  • Online Harms – Risks defined under the Online Safety Act 2023, including content or service-related interactions that could pose safety concerns for children or vulnerable adults

Evolution of Data Protection Law

In May 2018, the General Data Protection Regulation (GDPR) came into force across Europe. In the UK, it has since been retained as UK GDPR and sits alongside the Data Protection Act 2018.

These regulations significantly impacted how organisations collect, process and protect personal data, with increased emphasis on individual rights, lawful processing and accountability.

Key areas affected include:

  • Consent – Organisations must ensure clear, unambiguous, opt-in consent mechanisms. Consent must be freely given, specific, informed and recorded without detriment. Individuals can withdraw consent at any time.
  • Scope – The regulation applies to any organisation offering goods or services to, or monitoring the behaviour of, individuals in the UK, regardless of where the organisation is based.
  • Accountability – Both controllers and processors must document processing activities and demonstrate compliance through records, policies and audits.
  • Children – All communication aimed at children must use child-friendly language. Consent from a parent or guardian is required for those under the age of 13 in the UK.
  • Rights – Individuals have enhanced rights including access, rectification, erasure, restriction, objection and portability. No fees can be charged unless requests are unfounded or excessive.
  • Data Processors – Controllers must ensure processors are GDPR-compliant and that roles and responsibilities are clearly documented in contracts.
  • Breaches and Fines – Breaches must be documented and reported where necessary. Fines can reach up to £17.5 million or 4% of annual global turnover, whichever is higher.

UK GDPR continues to evolve through legislative and regulatory developments, including:

  • Mental Health Bill 2025 – which introduces legal obligations to consider patients' Advance Choice Documents and preferences in care
  • Gender Recognition Act 2004 – reinforced by guidance on processing gender identity information, including the offence of unauthorised disclosure
  • Online Safety Act 2023 – which affects organisations offering digital services or information to the public, particularly children and vulnerable users
  • Data Protection and Digital Information (No.2) Bill – expected to introduce further refinements to UK GDPR, subject to parliamentary approval
  • ICO Data Protection Audit Framework – which remains the benchmark for best practice and internal readiness against audit criteria

Duties and responsibilities

Clinical Partners recognises that strong leadership and clear accountability are fundamental to effective information governance. Roles and responsibilities for data protection and information security are defined below.

Chief Executive Officer

The Chief Executive Officer (CEO) has ultimate responsibility for all elements of governance, including information governance, within the Company.

The CEO works with staff, the Governance and Risk Adviser, and externally contracted experts to ensure that Clinical Partners takes all reasonable steps to develop and implement systems and processes that effectively protect confidential data about patients, staff and clinicians.

The CEO ensures that Clinical Partners aligns with its obligations under ISO 9001:2015 (clauses 5.1 and 5.3), ISO/IEC 27001:2022 (clauses 5.1–5.3) and the NHS Data Security and Protection Toolkit’s leadership accountability requirements.

The CEO is also responsible for ensuring the organisation upholds patients' legal rights under the Mental Health Bill 2025, including respecting and storing Advance Choice Documents and supporting decision-making preferences.

Data Protection Officer

The CEO currently also acts as the Data Protection Officer (DPO) and can be contacted at Clinical Partners, Unit 6 Chaldicott Barns, Tokes Lane, Semley, SP7 9AW.

The DPO provides independent oversight of the organisation’s compliance with data protection law and reports to senior leadership.

The DPO’s duties are informed by UK GDPR Articles 37–39 and include monitoring internal compliance, advising on data protection impact assessments, providing training and serving as a point of contact with the ICO.

The DPO ensures that Clinical Partners fulfils NHS DSPT obligations, including annual assessment submissions and evidence maintenance aligned with the Cyber Assessment Framework.

As part of our ongoing policy alignment, the DPO is reviewing our use and storage of sensitive data such as gender identity information, in compliance with the Gender Recognition Act 2004 and guidance relating to special category data.

The DPO is also responsible for ensuring our digital interfaces meet the safety and risk expectations of the Online Safety Act 2023, particularly where vulnerable groups may interact with our services online.

All Staff and Partners Supplying Clinical Services

All staff working for the Company and partners engaged to provide patient services must:

  • Work within this policy
  • Remain vigilant to information risks
  • Actively risk assess the information elements they manage
  • Escalate any risks or incidents beyond their control

All staff must also be aware of and support compliance with Advance Choice Document handling (Mental Health Bill 2025), the handling of special category data (including gender identity) and the organisational duty to protect patients and staff in digital and clinical environments.

Mandatory training will be provided and refreshed at intervals aligned with NHS DSPT expectations and internal compliance cycles.


Procedures for Maintaining Effective Information Governance

Meeting Legal Compliance

The Company is registered for holding personal data as required under the Data Protection Act 2018 and GDPR 2018. Requirements for legal compliance are referred to above.

The Privacy Policy for Clinical Partners is under review to reflect GDPR requirements. This is available on the Clinical Partners website and all prospective users are encouraged to read and accept its terms.

All clinical staff and Clinical Partners employees have been informed of the changes in data protection law and their obligations under GDPR.

The Company ensures digital compliance by regularly analysing data, documenting findings and implementing system improvements.

Where Data Processors are involved, the Company ensures compliance through formal audit processes and detailed contractual terms.

The Company regards all identifiable personal information relating to clients, partners, staff and contractors as confidential. Data is stored securely in locked filing cabinets (for paper records) or on secure servers (for digital records). Local storage on hard drives is not permitted.

Access to person-identifiable data is restricted to those who require it for direct service delivery or operational administration. All access is granted on a strict ‘need-to-know’ basis.

Contracts with Data Processors include explicit clauses on GDPR compliance, data protection by design and the handling of special category data, as required by UK GDPR Articles 28–32 and ISO/IEC 27001:2022 Annex A.5.19 and A.5.20.

Where data is shared with Integrated Care Systems (ICS) or NHS partners, Data Sharing Agreements (DSAs) are required and must reflect DSPT, Caldicott principles and UK data protection legislation.

The Company will ensure that where any digital services or communication tools are made available to patients, appropriate safety-by-design controls are in place to comply with the Online Safety Act 2023. This includes ensuring that children and vulnerable adults are not exposed to harm via digital interfaces.

Information Security

The Company maintains effective security arrangements for access to and management of confidential information.

Full HR checks are completed before appointing staff.

A Privacy Policy for employees outlines how staff data is used and retained.

All staff and contracted clinicians are issued with and must accept a written statement of personal responsibility regarding confidentiality.

Strict password protocols are in place. Disciplinary or contractual action may be taken in cases of wilful breach.

Clinical Partners uses an industry-standard data management system (Clinic Office v5), which meets modern security expectations.

All personal records are stored electronically on externally hosted, web-accessed, password-controlled servers. Paper records are used only where necessary and are stored securely.

Financial records are managed via a secure third-party provider (WorldPay).

Paper-based records such as complaints correspondence are stored in locked cabinets with limited access.

Information security controls are mapped to ISO/IEC 27001:2022 Annex A - including:

  • Policies for information security
  • Access rights
  • Physical security
  • Information lifecycle controls

All Data Processors must provide evidence of security controls in line with ISO/IEC 27001 or equivalent. Where relevant, third parties are subject to information governance due diligence and DSPT equivalence checks.

Processor Compliance and Due Diligence

The Company will ensure that all third-party data processors demonstrate GDPR compliance through:

  • Documented due diligence
  • Contractual clauses outlining roles and responsibilities
  • Routine audits and evidence of technical and organisational measures

Contracts will reference data protection by design, ISO 27001-aligned controls, breach reporting expectations and restrictions on sub-processing.

DSPT and NHS England guidance will be used to assess equivalence when working with NHS-connected processors.

Confidentiality by Design

The Company regards all identifiable personal information relating to clients, staff, contractors and clinicians as confidential.

Confidentiality will be preserved through layered access controls, training and systems architecture that supports least privilege.

Where data is shared between organisations (e.g. during transition of care or multi-agency support), sharing will be guided by the Caldicott Principles, ICO data sharing code of practice and Data Sharing Agreements where applicable.

Clinical Partners acknowledges its duty under the Gender Recognition Act 2004 to protect the confidentiality of an individual’s gender identity or history. Breach of this confidentiality may be a criminal offence.

Data Subject Rights and Requests

Clinical Partners recognises the rights of all individuals under the Data Protection Act 2018 and UK GDPR, including:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision-making

Individuals may contact Clinical Partners to exercise their rights via the published contact channels. Identity verification will be required.

Requests from children, parents or legal representatives will be handled with reference to Mental Capacity Act principles, safeguarding

Requests involving sensitive data (e.g. relating to gender, adoption or safeguarding) will be escalated to the DPO for appropriate review.

External Audit and Assurance

The Company will fully co-operate with any official audits (e.g. by the Information Commissioner’s Office, NHS bodies or safeguarding authorities) as required.

In the case of supplier audits, no identifiable personal data will be disclosed unless legally required or contractually agreed under GDPR-compliant terms.

Where suppliers or commissioners request information governance assurance, Clinical Partners will provide a systems-level audit report, policy summaries or evidence of DSPT completion — without disclosing patient-level data.

All audits will be aligned with the ICO Data Protection Audit Framework and will feed into the internal audit programme under ISO/IEC 27001:2022 Clause 9.2 and DSPT requirements.

Rights of the Data Subject

Under UK GDPR and the Data Protection Act 2018, individuals have the following rights:

  • To request access to the personal data we hold about them, free of charge unless the request is unfounded or excessive
  • To have inaccurate or incomplete data corrected
  • To object to the use of their personal data for direct marketing
  • To withdraw consent and stop any consent-based processing
  • To request that their data be transferred to another medical practitioner or organisation (data portability)

Requests can be made verbally or in writing, including through social media or third-party platforms, and must be actioned within one calendar month of receipt.

Requests should be directed to:

We will ask for proof of identity before proceeding with any request. If someone is acting on behalf of the data subject, written authority will be required.

If we choose not to act on a request, we will explain our reasons and inform the individual of their right to lodge a complaint with the Information Commissioner’s Office (ICO).

Right of Access to Health Records

The Data Protection Act 2018 provides individuals with the right to access their health records, regardless of the care setting or when the records were created.

The following individuals may lawfully request access:

  • Competent adult patients
  • Children aged 12 or over who are assessed as having capacity to understand the nature of the request
  • Parents or guardians, unless the child objects and is deemed competent
  • Individuals with legal parental responsibility, including adoptive parents and court-appointed guardians
  • Deputies or attorneys appointed under the Mental Capacity Act 2005 or Adults with Incapacity (Scotland) Act 2000
  • Solicitors with written patient consent
  • Police, under Section 29 of the Data Protection Act 2018 or with a court order or warrant

We may lawfully decline to provide access if:

  • It would likely cause serious harm to the individual or another person
  • We cannot verify the identity of the requester
  • The person requesting access does not have the right to do so (e.g. a parent whose child is competent and objects)

In complex cases or where there is doubt, Clinical Partners will seek legal advice before disclosing information.

Requests involving another individual’s data will be assessed for risk to the rights and freedoms of others. Redactions may be applied as appropriate.

Where a client seeks access to records not held by Clinical Partners (e.g. by an external clinician), they will be directed to the clinician in writing.

Upon valid request, we will provide the following:

  • Confirmation that personal data is being processed
  • Access to the personal data
  • The purpose of processing
  • Categories of personal data held
  • Recipients of the data or categories of recipients
  • Expected retention period or retention criteria
  • The individual’s rights to rectification, erasure, restriction or objection
  • The right to lodge a complaint with the ICO
  • The source of data if not provided directly by the data subject
  • Whether automated decision-making or profiling is involved

Right to Erasure (Right to Be Forgotten)

Under UK GDPR Article 17, data subjects have the right to request erasure of their personal data. We will erase personal data without undue delay where:

  • The data is no longer necessary for the purposes it was collected
  • Consent has been withdrawn and no other lawful basis applies
  • The individual objects to processing and there are no overriding legitimate interests
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation
  • The data was collected in connection with the provision of online services to a child

This right does not apply if the data must be retained to comply with another law or to defend legal claims.

Requests for erasure must be responded to within one calendar month and may be made verbally or in writing.

Requests relating to children’s data will be prioritised for safeguarding review and compliance with the Online Safety Act 2023 and the Children’s Code.

Responding to Data-Related Incidents

Any member of staff who identifies a potential or actual data breach must report it immediately via the Incident Reporting Procedure.

The CEO will oversee investigations and may involve the DPO or external experts as appropriate.

All incidents will be assessed in line with UK GDPR and the Data Protection Act 2018. If a breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the ICO within 72 hours.

If a breach is likely to result in a high risk to individuals, those affected will be informed directly and without undue delay.

Reports to the ICO will include:

  • A description of the breach
  • Categories and approximate number of individuals affected
  • Categories and approximate number of records involved
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

All breach records will be logged and reviewed as part of internal audit activities under ISO/IEC 27001:2022 Clause 9.2 and DSPT reporting requirements.


Maintaining Confidentiality and Data Security

Responsibilities of Staff and Contractors

All staff and contractors working for the Company are responsible for ensuring that:

  • They avoid holding person-identifiable data wherever possible
  • Any personal data held is kept securely, either electronically in a password-protected system or physically in a locked cabinet
  • Personal data is not disclosed orally or in writing to any unauthorised third party
  • Reasonable efforts are made to prevent accidental disclosure

Staff must immediately report any potential or actual breaches of confidentiality via the established Incident Reporting Procedure.

Where digital tools or communication platforms are used to support patient care or operations, staff must apply safeguarding and privacy considerations in line with the Online Safety Act 2023 and DSPT Data Security Standards 4 and 5.

Data Retention and Storage

The Company adopts data retention recommendations set out by the Department of Health and follows legal advisory timescales for access and disclosure.

Person-Identifiable Data Retention Periods:

 

| Data Type | Minimum Retention Period | Notes |
|---|---|---|
| Client records (general) | 8 years after last contact | Standard retention period for adult health records. |
| Client records (adoption cases) | Until the child reaches 100 years of age | Adoption records are typically retained for 100 years from the date of birth. |
| Staff employment records | 6 years after employment ceases | This aligns with the Limitation Act 1980, which allows for legal claims to be made up to six years after an event. |
| Clinicians’ contractual records | 20 years after the conclusion of treatment or 10 years after the patient's death, whichever is longer | This applies to mental health records, including those of clinicians, ensuring compliance with retention guidelines for mental health services. |
| Prospective contractor records | 6 months to 1 year after the recruitment process concludes | Personal data collected during recruitment should not be retained longer than necessary. A period of 6 months to 1 year is generally sufficient to address any potential disputes or queries. |

 

Clinicians are required to return all client records to Clinical Partners Head Office via recorded delivery upon ending their engagement.

These retention periods align with the NHS Records Management Code of Practice 2021 and are subject to annual review by the DPO.

All records, digital or paper-based, must be stored securely with appropriate access controls, audit trails and lifecycle management. No identifiable data may be stored locally outside secured environments.


Monitoring Compliance with This Policy

Monitoring Approach

Clinical Partners is committed to maintaining a proactive approach to data protection and information governance compliance.

Compliance with this policy will be monitored through a rolling programme of audits, data reviews, incident monitoring and mandatory staff training.

Audits will be planned and conducted in accordance with:

  • ISO/IEC 27001:2022 Clause 9.2
  • ISO 9001:2015 Clause 9.2
  • NHS Data Security and Protection Toolkit (DSPT) annual self-assessment requirements
  • ICO Data Protection Accountability Framework

Internal Audits

Internal audits will assess compliance with documented processes, identify risks or non-conformities and inform improvement actions.

Audit findings will be recorded and reported to the CEO, DPO and relevant governance forums.

The audit programme will include specific checks on:

  • Subject access request handling
  • Data retention and disposal practices
  • Contracted processor compliance
  • Advance Choice Document management (as introduced under the Mental Health Bill 2025)
  • Safeguarding of gender identity data and children’s data
  • Data sharing controls within Integrated Care Systems

Incident Reporting and Review

All data incidents reported under Section 7.10 will be reviewed as part of the compliance monitoring process.

Trends and repeated issues will be logged and used to inform training, system changes or root cause analysis.

High-risk incidents will be reviewed under the DSPT breach reporting process and relevant mitigation will be monitored.

Staff Training and Awareness

All staff must complete mandatory data protection and information governance training as part of induction and refresher cycles.

Training records will be monitored by HR and reviewed during internal audits.

Training content will be reviewed annually to ensure it reflects legislative updates including the Mental Health Bill 2025, Online Safety Act 2023, NHS operating model changes and emerging ICO guidance.

Policy Review and Maintenance

This policy will be reviewed annually or earlier if there is a significant change in legislation, guidance or organisational activity.

Reviews will be coordinated by the Governance Manager and Compliance Manager and documented using the IMS document control procedure.

Review triggers include changes to NHS guidance, new case law, regulatory inspection feedback and updates to the NHS DSPT, ISO standards or UK Government legislation.

Right to Lodge a Complaint

Clinical Partners acknowledges the right of any data subject to lodge a complaint with the Information Commissioner’s Office (ICO) if they believe that the processing of their personal data is unlawful or infringes their rights under UK GDPR.

Individuals may raise concerns directly with Clinical Partners using the contact details in Section 7.7.3. However, they are also entitled to escalate concerns to the ICO at any time without first contacting the organisation.

Contact details for the ICO:

  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

This right supports the principle of accountability under UK GDPR Article 5(2) and ISO/IEC 27001:2022 Clause 9.1 by ensuring transparent and independent oversight.


Control, Regulation and Legislative References

| Framework / Legislation / Standard | Clause / Section |
|---|---|
| ISO/IEC 27001:2022 | Clauses 4–10, Annex A: Controls A.5.1–A.5.36, A.6.2–A.6.4, A.8.1–A.8.12 |
| ISO/IEC 27001:2022 Amendment 1 (Climate Risk) | Clause 4.1 – Understanding the organisation and its context (including climate change risk) |
| ISO 9001:2015 | Clauses 4.2, 5.1, 6.1, 7.2–7.5, 8.2, 9.1, 10.2 |
| NHS Data Security & Protection Toolkit (DSPT) | All 10 Data Security Standards, aligned to the Cyber Assessment Framework |
| Mental Health Bill 2025 (draft) | Sections on Advance Choice Documents, patient rights, and consent frameworks |
| Data Protection Act 2018 | Entire Act, with emphasis on lawful basis for processing and access rights |
| UK GDPR (post-Brexit GDPR) | Articles 5–6, 9, 15–22 |
| Gender Recognition Act 2004 | Section 22 – Offence of disclosure of protected information |
| Equality Act 2010 | Part 2 – Protected characteristics (including gender reassignment and disability) |
| NHS England Operating Model (2023–2025) | Information governance expectations within ICS and integrated care delivery |
| Single Assessment Framework | Quality statements: Safe, Effective, Well-led (including information handling and safeguarding practices) |

Last updated: 16 May 2025

Date of issue: September 2014