Personal information

Find out how follow the Data Protection Act when we collect, store or process personal information about someone.

Upholding the Data Protection Act 1998

The Commission for Social Care Inspection is committed to working within the Data Protection Act 1998 and upholding the data protection principles.

The Data Protection Act 1998 came into force on 1 March 2000. The Act regulates the ways that organisations (data controllers) collect, store and process information (personal data) about individuals (data subjects). It also strengthens the rights of data subjects to access their personal data and have any mistakes corrected.

The Commission is a data controller required to notify under the Data Protection Act 1998, our register entry is number Z8550768.

• Search for our register entry: this link goes to the Information Commissioner's website.

The data protection principles

There are eight legally enforceable principles that all data controllers must apply when they process personal data.

Personal data must:

• be processed fairly and lawfully
• only be processed for lawful and specified purposes
• be adequate, relevant for the purpose and not excessive
• be accurate and, where necessary, kept up to date
• be kept no longer than necessary
• be processed in accordance with the data subject's rights
• be kept safe and secure against loss or damage or destruction
• not be transferred to other countries without adequate protection for the rights and freedoms of the data subject

What is personal data?

Personal data is any information which, on its own or referenced against other information that the data controller holds now or might get in future, can be used to identify a living individual.

This includes all the obvious details the Commission might hold about you like name, address, reference number. It might also include expressions of opinion about you and our intentions towards you.

What does processing mean?

Processing personal data includes obtaining, storing, accessing, changing and destroying any information about you.

The amount of personal data we hold about you and how we process it depends on the nature of your relationship with us.

We mainly process personal data about individuals who are registered as providers or managers of the services that we regulate and inspect. We also process some personal data about Commissioners, our staff, the people who use social care services, social care workers and other people that we meet during inspection.

Occasionally we need to share some of your personal data with other relevant organisations like local authorities or central government departments as part of our regulatory function under the Care Standards Act 2000 or the Health and Social Care (Community Health and Standards) Act 2003.

We increasingly work in partnership with other inspectorates like the Healthcare Commission, the Audit Commission and the Office for Standards in Education (OFSTED) and may need to share your personal data when we carry our joint inspections.

Commission members and staff process your personal data for their official duties, but only the data needed for a specific purpose. They will not disclose your personal data to anyone else without your knowledge, unless legally permitted or obliged to do so.

The Commission has a statutory duty to register and inspect a range of social care and independent health care establishments under the Care Standards Act 2000. The registers and inspection reports will contain personal data that can be viewed by anyone attending at the appropriate office. Some limited information is also available on the Commission's website.

We will need to process your personal data to investigate any complaint you make about a registered service provider or about the Commission. We may need to share your personal data with the service provider or other organisations as part of the investigation. Whenever possible we will let you know if we need to share your personal data with others.

We will try to keep your complaint and personal data confidential if you ask us to, but we cannot guarantee confidentiality. We may be legally obliged to provide information about the complaint to organisations like the police, social services, a court or tribunal. For example, if our investigation raises serious concerns about the safety of vulnerable adults.

We may also use your personal data for research or statistical purposes and to help us plan for the future, but we will not include any personal data in those reports and plans.

How does the Commission obtain my personal data?

The Commission obtains some personal data directly from you when you fill in a form or contact the customer service unit or use the online feedback form on our website. We also obtain personal data from a number of other sources during registration and inspection, like social services, health practitioners, banks and service users.

As part of the inspection process, our inspectors consult service users about the quality of the service they receive, which may include collecting personal data. Sometimes we ask service providers for personal data about service users so that we can contact them directly to ask their opinion of the service they use or to take part in other consultations to improve care standards.

The legislation that the Commission operates under gives us extensive powers to enter and inspect local councils and care services, including the power to inspect documents and files that contain personal data. We may undertake inspection on the premises, make copies to take away or, in exceptional circumstances, remove the originals.

Occasionally we take photographs during our inspections or when we consult with service users, for promotional leaflets or other publicity purposes. Some of our publications containing these photographs will also appear on our website.

If you can be identified from this type of photograph, we will explain why we want it and ask for your consent beforehand.

Can I see my personal data?

Data subjects have a general right of access to their own personal data if it is held and processed in an automated system or in a relevant manual filing system that is structured in relation to individuals.

A recent Court of Appeal judgement held that each manual file must be structured so that it is clear from the start whether there will be information in the file about that individual. It is not a structured file if someone has to search through each record in the file to find any or every mention of the individual.

The only files that the Commission holds that are likely to meet these criteria are personal files for its employees, and registration application files for registered providers and managers.

On 1 January 2005 the Freedom of Information Act 2000 amended the Data Protection Act 1998 as it applies to public authorities like the Commission. It added another category of personal data known as category (e) or unstructured data.

Any information we hold about people, such as people who use care services, care workers, advocates or complainants, is most likely to fall into category (e). This is because it is not usually held on computer or in a structured manual filing system. We may also hold some information about registered providers and managers that falls into category (e).

You can only access personal data that falls into category (e) if you can describe it and give us a reasonable idea of where it is likely to be located. We may refuse your request for category (e) data if the estimated cost of complying is more than £450.

Subject access requests must be made in writing, with enough information to find the data requested and proof that you are the data subject.

We need two proofs of identity like a copy of your birth certificate, passport, driving licence, council tax bill or a letter to you from us or from a government department. At least one item must include your photograph or your signature.

You can request access to your personal data using our subject access form, available from the link below or from our customer service unit by telephoning 0845 015 0120. The form is designed to help you give us the information we need to find your personal data but you do not have to use it. You can send a letter by post to the address below, or email to enquiries@csci.gsi.gov.uk if you prefer.

If you do not make your subject access request by post, you will need to send the fee and proof of your identity separately. We will not process your request until we receive these.

• Download the subject access request form (Word, 688 KB)

Please send your subject access request with a crossed cheque for £10, made payable to Commission for Social Care Inspection', and two proofs of identity, to:

Subject Access Requests
CSCI customer service unit
4th Floor, St Nicholas Building
St Nicholas Street
Newcastle upon Tyne
NE1 1NB

Once we have all the information we need to deal with your request, including the fee, we will respond within 40 days confirming:

• a description of the personal data
• why the data is held
• who else the data might have been given to
• a copy of the data
• an explanation of any technical terms or abbreviations
• any information about the original source of the data

Can I see everything in the file?

There are some exemptions to the right of subject access. For example, we can withhold data that refers to other people who have not consented to disclosure, if disclosure might prejudice the Commission's regulatory function or might cause serious harm to you or anyone else.

You only have the right to access your own personal data. You do not have the right to access personal data about other members of your family or your friends unless you have written proof of your authority to act on their behalf.

Even if you meet this requirement we may need to ask you for more information before replying or refuse your request because of our duty to keep personal data confidential.

Is my personal data accurate?

The best way to be sure is to tell us about any relevant changes in your circumstances.

Under the Data Protection Act, we must try to keep your personal data accurate and up to date. If you think that your personal data is inaccurate, you can write explaining why and asking us to correct it.

We will reply within 21 days to let you know what we have done about your request.

How do I complain?

If you would like to to complain about the way we respond to your subject access request, please contact the person who responded in the first instance.

If this does not resolve your complaint or you would like to complain about the way we process your personal data you can ask for an internal review. Please contact the Access to Information Adviser by email on Enquiries.PublicAccess2info@csci.gsi.gov.uk or in writing to the customer service unit address above.

If you wish to complain about the Commission or services that it regulates, please see our complaints procedure.

What is a cookie?

Cookies are strings of text containing information about you, which can be stored in your computer and sent to other web sites. The Commission does not use cookies and will not collect any information about you when you visit our web site, except that required for system administration.

Where can I get more information?

You can get more information about your rights from the Information Commissioner's web site at:

• www.informationcommissioner.gov.uk