Adult social care: how we use your data

Adult social care privacy notice

Everything we do with your personal information must comply with the UK GDPR and the Data Protection Act 2018. A key part of this is being open about how we use information and what rights you have in respect of it.

This notice tells you what information we collect and process about you when you ask for help, obtain support, or interact with our Adult Social Care services. Read our General Privacy Notice.

What personal information do we hold?

We collect and process information about people who have agreed to have support from our Adult Social Care services or who have been referred to our adult safeguarding services by others concerned for their welfare. The information we hold about you varies according to the service you are having but might include the following:

  • name
  • address
  • date of birth
  • ethnicity
  • contact details
  • next of kin
  • relationships and details of people who are next of kin, including those you have asked to act on your behalf
  • information recorded as part of your referral to our services
  • information recorded in an assessment of your support needs
  • health information
  • relevant case information including records of visits or contacts with you, made as part of your care, including your opinion, views, or information relating to your personal circumstances
  • information about your mental capacity
  • details about other agencies involved in supporting you
  • financial information and National Insurance Number
  • risks
  • NHS number

If you are receiving support from Adult Social Care, then the NHS may share your NHS number with Adult Social Care. This is so that the NHS and adult social care are using the same number to identify you whilst providing your care. By using the same number, the NHS and adult social care can work together more closely to improve your care and support. We will use this number in an integrated care record system across a number of support services including GPs, hospitals, community matrons, district nurses and social care practitioners. If you wish to opt out from the use of your NHS number for social care purposes, please talk with your practitioner.

The information we collect is recorded in paper files, in databases and in electronic folders on our secure network where it is accessible only to authorised staff who need to see it to do their jobs. Staff who visit you might keep paper notes about their conversation with you, but these will be destroyed once relevant information is transcribed to our electronic systems. Some of the information in our databases can be accessed remotely on mobile devices, by staff who visit you in your home.

Why do we have it and what do we use it for?

If you approach us for help, we will need to process your information to meet our statutory duties to you.

Lawful basis for processing personal information

We need to collect and use your personal data in order to comply with the relevant legislation for providing care to you. This legislation includes the:

  • Health and Social Care Act 2012
  • Care Act 2014
  • Safeguarding Vulnerable Groups Act 2006
  • Mental Capacity Act 2005

Our lawful basis for processing is therefore defined by Article 6 (1) (e) of the UK General Data Protection Regulation (GDPR) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and Article 6(1)(c) UK GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject.

Some of the personal information we need to process is classed as special category information (primarily ethnicity, gender, and health information). Our lawful basis for processing this data is provided by Article 9(2)(h) UK GDPR – the provision of health or social care. The condition for processing this special category information is Data Protection Act 2018 Schedule 1, Part 1, Paragraphs 1, 2 and 3.

In addition, we rely upon the lawful basis at Article 9(2)(g) UK GDPR – processing is necessary for reasons of substantial public interest and the applicable conditions for processing are Data Protection Act 2018 Schedule 1, Part 2, Paragraphs 6, 8, 17, 18 and 19.

Where we rely on the lawful basis of consent to process your data, we will ask on an individual basis.

The Care Act 2014 places a duty on us to work closely with Health colleagues to ensure the best level of care is delivered to our citizens. It also requires us to consider whether any universal preventative services or other services available locally could help adults and older people stay well for longer and to safeguard people from harm. The Mental Capacity Act requires us to ensure that people make their own decisions about care and support wherever possible and to ensure that where they cannot, decisions are made for them in their best interests.

We use the information we have about you or your representative to assess your care needs, to draw up a plan of support with you, manage and monitor the quality of our services and to make our statutory statistical returns to government.

We collect only the information that we need to carry out these functions and we ensure that it is used and stored safely and securely.

All staff who have access to information about you will have received mandatory training on data protection and information security and they work to a contractual obligation which requires them to respect the confidentiality of the information about you that they have access to in order to do their jobs.

Who we share information with and why

In order to deliver the services you request or agree to receive, or that we are required by law to deliver, we may need to work with and share information about you with the following people and agencies:

  • hospitals and community health services
  • your GP
  • care home providers
  • family members and other people who might be helping care for you
  • members of community or voluntary services
  • housing providers
  • courts, legal representatives
  • the police
  • our finance and legal departments along with other internal departments, where there is a necessity and lawful basis to do this
  • national government departments
  • independent regulators or investigators where this is necessary to deal with complaints
  • local partner authorities and agencies
  • We will also use the NHS number in an integrated care record across a number of support services including GPs and hospitals. This is known as the Share for Care Record and further details can be found by clicking on Share for Care BLMK.

We will always explain how we will use and share your information as this will vary depending on the services you are receiving, and we will always try to respect your wishes regarding who we share information with. However, it is important to remember that if we are not able to pass your information to other organisations, this may then reduce the options available, delay, or on occasion prevent you from getting the help you need.

In some circumstances your personal information may need to be shared if there is a legal requirement and lawful basis for us to do so. We must give information to courts if there are legal proceedings or a court order, or to prevent crime, or fraud, or if there is a risk of harm to you or another person.

Many of the services we deliver are fully integrated with health. This means that where you are receiving support from both health and social care, records made about you might be accessible by both health and social care professionals. We enable access to shared records to prevent you from having to tell your story more than once to different professionals, and to make sure that the people supporting you know everything they need to support you well.

All information sharing is done with reference to the UK GDPR and Data Protection Act 2018. This requires anyone we share information with, or who uses it on our behalf, such as our commissioned providers or partner organisations or agencies, to adhere to data protection law and to handle information securely.

The sharing of information in health and social care is guided by the Caldicott principles. These are:

  • Principle 1 - Justify the purpose(s) for using confidential information
  • Principle 2 - Don't use personal confidential data unless it is absolutely necessary
  • Principle 3 - Use the minimum necessary personal confidential data
  • Principle 4 - Access to personal confidential data should be on a strict need-to-know basis
  • Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities
  • Principle 6 - Comply with the law
  • Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality

We receive information about adults who might be at risk of harm via our Multi-Agency Safeguarding Hub (MASH). Our safeguarding duties mean that we will share information with a range of partners including the police, housing, drug and alcohol services in order to assess risk and to make sure that, where necessary, actions to safeguard are taken promptly. We are required to do this by law (Care Act).

How long we keep information for

We only keep information for as long as it is needed. This will be based on either a legal requirement (where a law says we must keep information for a specific period of time) or accepted business practice. For most records about your support from Adult Services this will be for 7 years after we have ceased to work with you. More detail can be found in our retention schedule.

NHS National Data Opt-out

What is a privacy notice?

A privacy notice is a statement that explains some or all the ways in which an organisation gathers, uses, discloses and manages a person’s information. It fulfils a legal requirement to protect a person’s privacy.

How the NHS and care services use your information

We are one of many organisations working in the health and care system to improve care for patients and the public.  

Whenever you use a health or care service, such as attending A&E (accident and emergency) or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance, to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments 
  • preventing illness and diseases
  • monitoring safety
  • planning services

Using your information in this way may only take place when there is a clear legal basis to do so. All these uses help to provide better health and care for you, your family and future generations.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes, and data would only be used in this way with your specific agreement. Research and planning data is usually anonymised so that you cannot be identified, in which case your confidential patient information isn’t needed.


You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
People who wish to opt out of data collection will be able to set their national data opt-out choice online and can change their mind at any time.

Find out more or register your choice to opt out.

More information

Find out more about how patient information is used by:

View our general privacy notice.

Your rights

Under data protection legislation you have the following personal data rights:

  • Right to request access (to receive a copy of your personal data)
  • Right to request rectification (to request that inaccurate data is corrected)
  • Right to request erasure (to request that data is deleted)
  • Right to request we restrict processing (to request we don’t use your data in a certain way)
  • Right to data portability (in some cases, you can ask to receive a copy of your data in a commonly used electronic format so that it can be given to someone else)
  • Right to object (to request we stop processing your personal data)
  • Right to be told if there will be any automated decision-making, including profiling, based on your data, and to have the logic behind this explained to you

Any such request can be submitted to the Data Protection Officer. Some of these rights are not absolute. Whether we can agree to your request will depend on the specific circumstances and the lawful basis on which we are processing your information. If we cannot, then we will explain the reasons why.

If you are unhappy with any aspect of how your information has been collected or used, you can make a complaint to the Data Protection Officer.

You can also report your concerns to the Information Commissioner’s Office.

To contact our Data Protection Officer

Telephone: 0300 300 5765

Write to:

Data Protection Officer
Information Governance
Central Bedfordshire Council
Priory House
Monks Walk
SG17 5TQ