As part of our business, staff may be required to handle data on our behalf of for our customers. This procedure sets down the basic rules for our staff performing these functions. Staff not following these processes will be subject to disciplinary action and possible legal action.


If you have an issue, please contact the SIRO via the contact us links on this site, or by telephone.


All data must be used ONLY for the purpose for which it was supplied to us. The only time an exception to this rule may apply is if there is:

  • A serious risk in not reusing the information to the data subject or others which may result in harm, e.g. protecting the vital interests of a person
  • There is a legal requirement to do so e.g. a court order

Staff MUST consult the SIRO in the event this issue arises.

Staff must NOT discuss any data received in the course of business with any person outside the business.

Staff leaving the business must NOT copy any data outside the organisation unless agreed with the SIRO.

Data Security

All data is to be stored only on company equipment or approved mobile/home use devices. These are required to be encrypted to a minimum standard defined by the company.

Data sent by email must also be encrypted if it contains personal data. Selecting a classification of EXTERNAL OFFICIAL-SENSITIVE (for our mail system) and putting “[secure]” in the subject line (where NHS mail accounts are used) ensure appropriate security.

Multi-factor authentication is required for access to all devices and systems storing sensitive personal information.

Passwords for administrator and corporate social media accounts must be chosen based on the “3 words” guidance i.e. three random words from any language, in mixed case, separated by random punctuation characters.

If your password is found to be compromised, or you tell us it has been compromised, we will immediately lock it out for investigation. As soon as it is secure, we will issue you a new temporary password; when you login you will be asked to change the password immediately.

Data Retention

Data retention is defined in our privacy policy. Staff must ensure data is deleted at the expiry periods noted there.

Data Quality

Staff must check data before input and at any opportunity to ensure correctness. This includes confirming, for example, contact details with customers at suitable points e.g. an annual review.

Systems are designed to reduce errors by ensuring validation of fields and data, but it remains a staff responsibility to work at all times to minimise error.

Data Breaches

In the event of a data breach being discovered, the SIRO must be involved at once. Data breaches will be recorded on the NHS DSP Toolkit, even if not related to NHS data.

Spot checks and Monitoring

Spot checks on compliance are carried out quarterly by the SIRO. All data use is logged, audited and subject to random or targeted checks.

Administrator Access

Administration access to systems is limited to the SIRO. The SIRO undertakes to ensure that this access is not abused and all use of administrator rights follows our policies. All administrator access use is logged.

National Data Opt-Out

The NHS National data opt-out policy requires that we do not use NHS data for non-care uses where people have opted out. We do not have any such uses, but staff are made aware of this as policy and procedure change will be required if at any time if the future this occurs.


This policy is reviewed annually. The last review date was 27 Mar 2024.