Information Governance Policy and Procedures


Information Governance gives assurance to data subjects, including employees, individuals and patients that personal information is dealt with legally, securely, efficiently and effectively in order to deliver the best possible care. Extracellular recognises that it is of paramount importance to ensure that information is effectively managed and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.


Policy Statement

All employees must comply with this policy. In order to discharge its requirements, Extracellular must ensure that clear policies and procedures are in place and that they are supported by effective awareness training. It is Extracellular’s policy that personal data will be:

  • obtained, held and processed fairly
  • held for specific purposes and used only for these purposes
  • processed in accordance with the rights of the data subject
  • relevant, accurate and kept up to date
  • corrected if shown to be inaccurate
  • kept for no longer than necessary and destroyed when no longer required, in line with best practice
  • protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This policy should be read in conjunction with the Patient Confidentiality Policy.

Scope

This policy applies to all employees of Extracellular who should ensure that they are aware of their responsibilities in relation to information governance.

This policy applies to all personal data processed by Extracellular relatable to any identifiable living person. 

Definitions

Data subject: the individual about whom Extracellular has collected personal data.

Data Protection Act 2018: an Act of Parliament that updates data protection law in the UK. It sits alongside the General Data Protection Regulation (retained in UK law as the UK GDPR) and implements the EU’s Law Enforcement Directive.

General Data Protection Regulation (EU) 2016/679: a regulation in EU law on data protection and privacy for all individuals within the European Union. Following the UK’s departure from the European Union its provisions continue to apply in the UK as the UK GDPR, read alongside the Data Protection Act 2018, so the obligations described in this policy are unchanged.

Personal data: any information relating to an identified or identifiable living person, including, but not limited to, names, email addresses, postal addresses, job roles, photographs, CCTV images and special categories of data, as defined below.

Process or processing: doing anything with personal data, including, but not limited to, collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data; at the point you collect it, you are processing it.

Special categories of data: broadly equivalent to ‘sensitive personal data’ under the Data Protection Act 1998. Special categories of data include, but are not limited to, medical and health records (including information collected as a result of providing health care services), genetic and biometric data, and information about a person’s religious beliefs, ethnic origin and race, sexual orientation, trade union membership and political views.

Data controller: the main decision-maker over the management of the data in question. They exercise overall control over the purposes and means of the processing of personal data. For the purposes of this policy, Extracellular considers itself to be a data controller in respect of all employees and patients.

Data processor: acts on behalf of and only on the instructions of the relevant controller. For the purposes of this policy, Extracellular considers itself to be the data processor in relation to the service delivered to its patients.


Personal Data Audits

Extracellular will carry out PID (Personally Identifiable Data) Audits. The data audit will be carried out by the Data Protection Officer (supplied by the Primary Care Development Centre), or by a person to whom the Data Protection Officer has delegated this responsibility, and the results collated. The personal data audit will identify the following:

  • whom the information is held about
  • what personal information is held, including any sensitive personal data 
  • which data items are collected (e.g., name, address, telephone number)
  • how the PID is stored (e.g., on a computer, manual files or both)
  • who has access to this information
  • the purpose(s) for which Extracellular holds the personal data
  • how the PID is collected
  • whom the PID is collected from.

A Personal Data Audit form is available from the Data Protection Officer. The Data Protection Officer will use the outcome of the Personal Data Audit to update the Information Asset Register. 


Information Asset Register

Computerised and manual filing systems containing information relating to an identifiable person who can be directly or indirectly identified, such as name, identification number, location data or online identifier, must be documented in the Information Asset Register. The Asset Register will record:

  • the Service Area to which the entry relates
  • the name of the computer system, manual files or both in which the data is stored 
  • whom the information is held about
  • what personal information is held, including any sensitive personal data that is being held
  • how the data is protected (e.g., restricted access or protected access).

Such systems must be managed to comply with GDPR/Data Protection principles. 


Access to Information and Disclosure Outside of Extracellular

Employees will be granted access to the information that they need to carry out their work. Employees have a duty to keep the information they use confidential. 

There are a number of occasions where it will be necessary for Extracellular to share PID. Data may be shared or disclosed only within the terms of the relevant agreements and protocols that are in place to allow the exchange of information between Extracellular and other organisations. Any information disclosed must be necessary for the purpose for which it is disclosed. Therefore, employees should not, for example, disclose details of an employee’s religious beliefs if only their name and National Insurance number are required by HMRC.

If it is necessary to discuss individual data subjects in reports or at meetings, a pseudonymisation process should be followed (e.g., Nurse A). 
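One way to carry out that pseudonymisation step consistently, as an added example that is not part of this policy or of Extracellular’s own procedures: the script below labels individuals ‘Nurse A’, ‘Nurse B’ and so on within one report using a keyed HMAC, keeps the label-to-name mapping separately from the report, and shows why an unkeyed hash of a name is not a pseudonym when the list of possible names is small. The secret key, the report identifier and the staff names are assumptions constructed for illustration.

```python
"""Keyed pseudonymisation for reports and meeting notes.

Added example only; not Extracellular's code. Assumptions not in the
policy: a pseudonymisation secret held by the Data Protection Officer,
and a label-to-name mapping stored separately under restricted access.
All names below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample staff list. A real list is just as small, which is why
# an unkeyed hash of a name can be reversed by trying every name.
STAFF = ["Alice Smith", "Bob Jones", "Carol White"]


def weak_pseudonym(name: str) -> str:
    """Unkeyed SHA-256 of a name: reversible by anyone holding the staff list."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:12]


def reverse_by_dictionary(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: recompute the weak token for each candidate name."""
    for name in candidates:
        if weak_pseudonym(name) == token:
            return name
    return None


def keyed_pseudonym(name: str, key: bytes, report_id: str) -> str:
    """HMAC-SHA256 over (report_id, normalised name) under a secret key.

    Without the key the token cannot be linked to a name even when every
    candidate name is known; binding the report_id stops the same person
    being tracked across different reports.
    """
    normalised = " ".join(name.split()).lower().encode("utf-8")
    msg = report_id.encode("utf-8") + b"\x00" + normalised
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def column_letters(index: int) -> str:
    """0 -> 'A', 25 -> 'Z', 26 -> 'AA', so labels never run out."""
    letters = ""
    n = index + 1
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


class ReportPseudonymiser:
    """Assigns 'Nurse A', 'Nurse B', ... within one report.

    The report text only ever carries the labels; `mapping` (label -> real
    name) is the re-identification key and must be stored separately from
    the report, e.g. by the DPO.
    """

    def __init__(self, key: bytes, report_id: str, role: str = "Nurse"):
        self.key = key
        self.report_id = report_id
        self.role = role
        self._labels: Dict[str, str] = {}   # keyed token -> label
        self.mapping: Dict[str, str] = {}   # label -> real name (restricted)

    def label(self, name: str) -> str:
        token = keyed_pseudonym(name, self.key, self.report_id)
        if token not in self._labels:
            lab = f"{self.role} {column_letters(len(self._labels))}"
            self._labels[token] = lab
            self.mapping[lab] = " ".join(name.split())
        return self._labels[token]


def demo() -> Dict[str, str]:
    """Runs the comparison and returns the report's restricted mapping."""
    key = secrets.token_bytes(32)   # assumed: held by the DPO, never in the report
    report = ReportPseudonymiser(key, report_id="INC-2024-001")   # constructed id
    for name in ["Alice Smith", "Bob Jones", "alice  smith"]:
        print(f"{name!r} appears in the report as {report.label(name)}")
    leaked = weak_pseudonym("Bob Jones")
    print("unkeyed hash reversed to:", reverse_by_dictionary(leaked, STAFF))
    return report.mapping


if __name__ == "__main__":
    demo()
```

The point the policy’s ‘Nurse A’ convention relies on is that the label carries no route back to the person without something held elsewhere; here that is the key and the mapping, and the dictionary attack on the unkeyed hash shows what goes wrong when a report uses a plain hash of a name instead.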

Individual Awareness

It is Extracellular’s policy that:

  • Information Governance training will be classified as ‘mandatory’ in the induction programme
  • all new employees to the business will receive information governance training relevant to their role, as soon as possible on commencement of their employment
  • all individuals associated with Extracellular, whether employed or contracted, will receive information governance training at least every 12 months 
  • guidance and support is available to all members of staff who process PID.


Security Breach Notification and Investigation 

Any breach or suspected breach of the GDPR must be reported immediately to the Data Protection Officer, providing as much information as possible. A breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever personal data is lost, destroyed, corrupted or disclosed, as well as if someone accesses the data or passes it on without proper authorisation or if the data is made unavailable, for example when it has been encrypted by ransomware or accidentally lost or destroyed.

The Data Protection Officer will investigate and, if appropriate, produce a report for the Senior Management Team. The Data Protection Officer will provide advice to the Senior Management Team on whether the breach requires notification to the Information Commissioner’s Office. This advice should take account of the information provided on the ICO’s website regarding the reporting of breaches. 

The Data Protection Officer is required to notify the ICO of any breach that is likely to present a risk to the rights and freedoms of data subjects, without undue delay and, where feasible, within 72 hours of Extracellular becoming aware of it. If a decision is made not to report a breach to the ICO, the rationale must be documented so that it can be justified at a later date if required.

Individual Rights – The Right to be Informed

Extracellular’s privacy notice supplied to employees in regards to the processing of their personal data will be written in a clear, plain language, which is concise, transparent, easily accessible and free of charge. 

In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:

  • the identity and contact details of Extracellular and the Data Protection Officer
  • the purpose of and the legal basis for processing the data
  • the legitimate interest of Extracellular (if applicable) or a third party
  • the recipients or categories of recipients of the personal data
  • any international transfers of data
  • how long the data will be stored for
  • the existence of the data subject’s rights, including the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.

Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided. 

Individual Rights – Subject Access Requests (SARs)

Individuals have the right to obtain confirmation that their data is being processed. They also have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.

The GDPR requires that the data subject is provided with access to their personal data within 1 month of receipt of the request. Extracellular may extend the period of compliance by a further 2 months where requests are complex or numerous. If this is the case, Extracellular will inform the individual within 1 month of receipt of the request and explain why the extension is necessary.

Extracellular will verify the identity of the person making the request before any information is supplied. The Data Protection Officer must be advised of all subject access requests and will keep a record of them to demonstrate compliance with the requirements of the legislation. Where Extracellular needs to ask for proof of identity, the 1-month period runs from the day the requested identification is received; otherwise it runs from the day the request is received. All requests will be responded to without delay and at the latest within that 1-month period.

A copy of the information will be supplied to the individual free of charge. However, Extracellular may impose a ‘reasonable fee’ to comply with requests for further copies of the same information. Fees will be based on the administrative cost of providing the information. Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee may also be charged.

Where a SAR has been made electronically, the information will be provided in a commonly used electronic format. All manual data in relevant filing systems will be reviewed and any personal data relating to third parties removed, anonymised or consent for its disclosure obtained from the third party.

Where a request is manifestly unfounded or excessive, Extracellular holds the right to refuse to respond to the request. Within 1 month of receipt of the request, the individual will be informed of this decision and the reasoning behind it, as well as of their right to complain to the supervisory authority (the Information Commissioner’s Office) and to seek a judicial remedy.

In the event that a large quantity of information is being processed about an individual, Extracellular will ask the individual to specify the information the request is in relation to.

Individual Rights – Right to Rectification 

Individuals are entitled to have any inaccurate or incomplete personal data rectified. 

Where the personal data in question has been disclosed to third parties, Extracellular will inform them of the rectification, where possible. Where appropriate, Extracellular will inform the individual about the third parties that the data has been disclosed to. 

Requests for rectification will be responded to within 1 month; this may be extended by a further 2 months where the request is complex, in which case the individual will be informed of the extension within 1 month of receipt of the request.

Where no action is being taken in response to a request for rectification, Extracellular will explain the reason for this to the individual and will inform them of their right to complain to the supervisory authority and to a judicial remedy. 

Individual Rights – The Right to Erasure

Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have the right to erasure in the following circumstances: 

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed 
  • when the individual withdraws their consent 
  • when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing 
  • the personal data was unlawfully processed 
  • the personal data is required to be erased in order to comply with a legal obligation 
  • the personal data is processed in relation to the offer of information society services to a child. 

Extracellular has the right to refuse a request for erasure where the personal data is being processed for the following reasons: 

  • to exercise the right of freedom of expression and information 
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority 
  • for public health purposes in the public interest 
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes 
  • the exercise or defence of legal claims. 

Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. 

Where personal data has been made public within an online environment, Extracellular will inform the other organisations who process the personal data to erase links to and copies of the personal data in question. 

Individual Rights – The Right to Restrict Processing 

Individuals have the right to block or suppress the processing of personal data by Extracellular.

In the event that processing is restricted, Extracellular will store the personal data but will not process it further, retaining just enough information about the individual to ensure that the restriction is respected in future. Extracellular will restrict the processing of personal data in the following circumstances:

  • where an individual has objected to the processing and Extracellular is considering whether there are legitimate grounds to override those of the individual 
  • where processing is unlawful and the individual opposes erasure and requests restriction instead 
  • where Extracellular no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim. 

Where an individual contests the accuracy of the personal data, processing will be restricted until Extracellular has verified the accuracy of the data. If the personal data in question has been disclosed to third parties, Extracellular will inform them about the restriction on the processing of the personal data, unless it is impossible or involves a disproportionate effort to do so. Extracellular will inform individuals when a restriction on processing has been lifted.

Individual Rights – The Right to Data Portability 

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability. The right to data portability only applies in the following cases: 

  • to personal data that an individual has provided to a controller 
  • where the processing is based on the individual’s consent or for the performance of a contract 
  • when processing is carried out by automated means. 

Personal data will be provided in a structured, commonly used and machine-readable form. The information will be provided free of charge. Extracellular is not required to adopt or maintain processing systems that are technically compatible with other organisations. 

In the event that the personal data concerns more than one individual, Extracellular will consider whether providing the information would prejudice the rights of any other individual. 

Extracellular will respond to any requests for portability within 1 month. Where the request is complex, or a number of requests have been received, the timeframe can be extended by 2 months, ensuring that the individual is informed of the extension and the reasoning behind it within 1 month of receipt of the request. 

Where no action is being taken in response to a request, Extracellular will, without delay and at the latest within 1 month, explain to the individual the reason for this and will inform them of their right to complain to the Information Commissioner’s Office.

Fair and Lawful Processing

Under the GDPR, data will be lawfully processed by Extracellular under the following conditions: 

  • the consent of the data subject has been obtained 
  • processing is necessary for: 
    • compliance with a legal obligation
    • the performance of a task carried out in public interest or in the exercise of official authority vested in the controller 
    • for the performance of a contract with the data subject or to take steps to enter into a contract 
    • protecting the vital interests of a data subject or another person 
    • for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. 

In addition, Extracellular will apply the following principles to all personal data:

  • Extracellular will not use personal data for any purposes other than those advised to individuals directly or detailed in the relevant entry in the Register of Data Controllers published by the Information Commissioner’s Office
  • as far as possible, Extracellular will process personal data only where it is necessary for compliance with the law, the performance of a contract, with a view to establishing a contract, or it is in the organisation’s legitimate business interests to do so
  • where this is not possible, or in the case of sensitive personal data (see below), consent of the individual will be sought to enable the personal data to be processed.

Extracellular will obtain the explicit consent of the individual concerned for all processing of sensitive personal data, unless:

  • it is information relating to racial/ethnic origin, disability or religious belief that is being collected purely for monitoring equality of opportunity or treatment
  • it relates to the employment of individuals
  • it is necessary for the provision of advice or support and the data subject cannot reasonably be expected to give explicit consent.

Extracellular will require all data processors to formally agree that personal data will not be used for any purpose other than that agreed. Extracellular will not disclose special categories of personal data to third parties without explicit consent unless the processing is necessary for:

  • carrying out obligations under employment, social security or social protection law or a collective agreement 
  • protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent 
  • the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
  • reasons of substantial public interest on the basis of Union or Member State law, which is proportionate to the aim pursued and which contains appropriate safeguards 
  • the purposes of preventative or occupational medicine, for assessing the working capacity of the members of staff, medical diagnosis, the provision of health, social care, treatment, management of health, or social care systems and services on the basis of Union or Member State law or a contract with a health professional 
  • reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices 
  • archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes, in accordance with Article 89(1) of the GDPR.

All disclosures of personal data to third parties must be authorised by a member of the Senior Management Team and be limited to the minimum information required.  All disclosures must be recorded either in the personnel or service user’s record.

Retention of Information 

Personal data shall be retained in accordance with the period detailed below. Where a retention period is not specified, personal information will only be retained for the longer of:

  • as long as required for its purpose
  • as required by law
  • as recommended by the Chartered Institute of Personnel and Development.

Paper based records will be disposed of in the confidential waste bins provided ready for shredding. Further advice can be sought from the Data Protection Officer. Extracellular requires all data processors to formally agree that personal data shall not be retained for longer than the purpose for which they are processing it. In the table below, a retention period whose basis is an Act or Regulations is statutory; a period whose basis is a recommendation or code of practice is best practice:

Record                                                              Retention period                          Basis
------------------------------------------------------------------  ----------------------------------------  --------------------------------------------------------------------
Application forms of non-short-listed candidates                    6 months                                  Equality Act 2010
Short lists, interview notes and related application forms          6 months                                  Chartered Institute of Personnel and Development recommendation
Personnel records (incl. training and disciplinary)                 6 years after employment ceases           Chartered Institute of Personnel and Development recommendation
Redundancy details and calculations                                 6 years after redundancy                  Chartered Institute of Personnel and Development recommendation
Wage, salary and payment records                                    6 years                                   Taxes Management Act 1970
SMP and SSP records (incl. certificates and self-certification)     3 years after end of related tax year     SMP Regulations; SSP Regulations
Parental leave                                                      5 years from birth/adoption               Chartered Institute of Personnel and Development recommendation
Incident details                                                    10 years after incident                   Department of Health NHS Code of Practice for Records Management
RIDDOR incident details                                             6 years after incident                    Limitation Act 1980
Extracellular’s employees (incl. training, contact information, PID) 6 years after employment ceases          Limitation Act 1980


Methods used for disposal of confidential information must continue to protect confidentiality. Paper information should be shredded by means of the paper shredding service using the secure, locked consoles placed at various sites within Extracellular. 

All redundant, faulty or obsolete removable storage media, such as external hard drives, which did or may have contained sensitive or valuable information during their life cycle should be returned to the IT team for secure erasure or physical destruction, so that the information cannot be recovered from them.

Data Quality 

All forms used to collect personal data shall only ask for information that is relevant to the purpose of the form. At least once each year, employees and patients will be provided with an opportunity to confirm the accuracy of any personal data held on Extracellular’s IT systems.

Changes in personal data relating to patients or employees must be promptly and accurately updated on the appropriate computer system(s). 

All notes recorded will be saved on the personnel file. The information must be accurate and relevant and not express any subjective opinion relating to an individual’s personal characteristics.

Disclosing Personal Data

All personal data will be protected from unauthorised access by appropriate organisational and technical security measures. Personal data will not be disclosed to data processors unless there is a contract or confidentiality agreement in place, which defines the authorised use(s) to which the data can be put. Personal data will not be disclosed to the data subject via a telephone or facsimile transmission where the authenticity of the requestor cannot be reliably established.

Personal data disclosed to the data subject in response to a Subject Access Request must be reviewed before disclosure to ensure that it does not include any information that infringes the rights and freedoms of any third party or is exempt from disclosure. 

Personal data will not be disclosed to third parties where the identity of the third party cannot be reliably established. Personal data will only be disclosed to third parties when one of the following conditions is met:

  • the data subject has given Extracellular their consent to disclose the information (including where there is a Lasting Power of Attorney)
  • disclosure is essential to the lawful purpose for which the personal data is being processed
  • the data subject has given the third party their consent to request the information
  • the disclosure is subject to a formal Information Sharing Protocol and is made within the terms of that protocol
  • disclosure is required by law (including the prevention or detection of crime, apprehension or prosecution of offenders and the assessment or collection of any tax or duty)
  • disclosure is in the vital interest of the data subject.

Sensitive personal data will only be disclosed to third parties when one of the following conditions is met: 

  • the data subject has given their explicit consent for the disclosure (including consent by a Lasting Power of Attorney)
  • the data subject has given the third party their explicit consent to request the information
  • disclosure is required by law (including the prevention or detection of crime, apprehension or prosecution of offenders and the assessment or collection of any tax or duty)
  • disclosure is in the vital interest of the data subject.

Disclosure in respect of the last two conditions of this policy must not be made without the formal authorisation of the Data Protection Officer. All disclosures of personal data to data processors and third parties will be limited to the minimum information required to satisfy the requirements of the contract or legitimate request.

Consent must be obtained before an individual’s personal data is published in any Extracellular publication.  In the case of sensitive personal data, the consent must be explicit (e.g., signing of the pre-publication article).

The disclosure of personal data must be recorded in an appropriate IT system.

Information Security 

Extracellular has a systematic approach to information security risk management and identifies business needs regarding information security requirements (including contractual and regulatory). During the delivery and maintenance of Extracellular’s services, there are a number of instances where risk assessment is necessary (e.g., disclosure to third parties). Risk management shall be completed when it is considered necessary to protect the needs of our people or our information, as follows:

  • a practical, clear desk policy will be maintained so that no personal or sensitive information or information of a confidential nature is left on unattended desks or in offices in such a way that it could be accessible to any person who is not authorised to have such access
  • information assets and information processing facilities are protected against unauthorised access
  • information is protected from unauthorised disclosure 
  • confidential and sensitive information is appropriately classified as such 
  • appropriate arrangements are in place to encrypt laptops and emails containing personal information
  • appropriate arrangements are in place to manage the uploading and downloading of confidential and sensitive information from IT equipment 
  • confidentiality of information assets is a high priority
  • integrity of information will be maintained
  • Extracellular requirements, as identified by information owners, for the availability of information assets and information processing facilities required for operational activities are met
  • statutory, expressed and implied legal obligations are met
  • business continuity plans shall be produced, maintained and tested.

Unauthorised and illegal use of information assets and information processing facilities is prohibited. The use of obscene, racist or otherwise offensive statements shall be dealt with in accordance with other policies published by Extracellular.

This policy is communicated to all individuals working with Extracellular for whom information governance training shall be given. All breaches of information security, actual or suspected, must be reported and investigated in line with Extracellular’s policies. Controls are commensurate with the risks faced by Extracellular.

White Boards 

Any PID should not be displayed in an office on a white board where members of the public can view or see from the exterior of the building.

Computer Storage of PID

PID must only be stored on Company equipment and not on personally owned laptops, phones or home desktop computers.

All files containing personal identifiable information held on Company owned computer equipment should be encrypted and password protected, and preferably not filed under the data subject’s name, substituting a suitable identifier other than the name. Note that a password that merely restricts editing of a document does not encrypt its contents; the password must be one that is required to open the file. Particular care should be taken with portable devices. The ideal is that portable devices should only act as terminals to the main networked system, since the data is then protected in the Company network.

Personal identifiable data should not be kept on the hard drives of PCs unless formally justified by the Data Protection Officer, due to the risk of theft and breach of confidentiality. Such files will be stored on the WriteUpp network.

Files containing individual person-identifiable information on portable computers should be password protected, or better still not stored on a portable device at all. Files stored on network drives do not require individual password protection, as a password is needed to log on to the network and access to folders is restricted; this protection relies on folder permissions being limited to those who need access and being reviewed when staff change role or leave.

Users should not leave terminals logged in and unattended. Screens should be locked as soon as the user moves away from the screen to reduce the risk of unauthorised access to information. Computers should not be transferred between users or disposed of, other than through the IT team as they have the means of transferring or removing all data from the hard drive.

Telephone Enquiries

All possible steps must be taken to ensure that information regarding an individual is not divulged over the telephone to anyone without authority. Asking for key details about the individual (e.g., date of birth) may not be sufficient to ensure that the caller has a need to know.

Where there is any doubt regarding the identity of the person requesting the information, guidance should be sought from the Data Protection Officer. If advice is not immediately available, then the information should not be disclosed. If the caller is claiming to be from an organisation (e.g., the GMC) then the switchboard telephone number should be obtained (rather than direct line), checked and then used to ensure that the caller is from the agency stated.

A record of all telephone discussions where information is shared verbally should be kept on the personnel file.


Personal email addresses should never be used for work purposes. Person identifiable information must only be sent by e-mail within Extracellular when attached to a password protected document, spreadsheet or database. Inclusion within the main body of the e-mail is not permitted. The password should be delivered to the intended recipient by a different medium, such as a telephone call or text message.

Personal identifiable information must only be sent externally using an encrypted email. Steps must be taken to ensure that any confidential/sensitive information is sent to the mailbox of the person or persons who are authorised to see that information, and that no unauthorised persons have access to that mailbox/those mailboxes.

Before sending or receiving confidential/sensitive emails, confirm the email address with the other party, spelling any words that may cause errors. Use must be made of the e-mail “Tracking Options” where available, to notify that a message has been delivered and/or read. Otherwise, the sender must be telephoned to confirm receipt. A copy of the e-mail and its attached documents must be stored appropriately within manual and/or electronic records, and the original email deleted from both the inbox and deleted items.

All employees should be mindful when using the ‘reply all’ and ‘cc’ buttons, to prevent other people from receiving information unnecessarily. There must be a justified reason for anyone to be copied into or sent PID.

Third Parties

The risks associated with engaging a third party will be identified, assessed and managed and due diligence shall be undertaken in any such proposals. Where third parties are used to manage information or information processing facilities, a formal contract shall be in place that defines the information security requirements of the relationship.

The delivery of the contracted services is monitored, and formal procedures are in place to manage change and the identification, reporting and management of information security incidents. Contracts with third parties shall provide Extracellular with the right to audit the third party. All contracts with third parties that will process data on behalf of Extracellular will contain the relevant contractual clauses outlined within the GDPR.

Privacy by Design and Data Protection Impact Assessments (DPIA)

Extracellular will act in accordance with the GDPR by adopting a privacy by design approach, which will seek to ensure that Extracellular has considered and integrated data protection into processing activities where required.

The GDPR does not require a DPIA to be carried out for every processing operation that may result in risks to the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. It is particularly relevant when a new data processing technology is being introduced.

DPIAs will be used to identify the most effective method of complying with Extracellular’s data protection obligations when using new technologies or when the processing is likely to result in a high risk to the rights and freedoms of individuals. High risk processing includes, but is not limited to, the following: 

  • a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
  • systematic monitoring of a publicly accessible area on a large scale.

In risk management terms, a DPIA aims to manage risks to the rights and freedoms of natural persons through the following three processes:

  • establishing the context: taking into account the nature, scope, context and purposes of the processing and the sources of the risk
  • assessing the risks: assessing the particular likelihood and severity of the high risk
  • treating the risks: mitigating that risk, ensuring the protection of personal data and demonstrating compliance with the GDPR.

Extracellular will seek to ensure that all DPIAs include the following information: 

  • a description of the processing operations and the purposes 
  • an assessment of the necessity and proportionality of the processing in relation to the purpose 
  • an outline of the risks to individuals 
  • the measures implemented in order to address risk. 

Patient Confidentiality 

For further information specifically relating to patient confidentiality, please refer to the Patient Confidentiality Policy.

Standards for Completion of Medical Records

Both written and electronic medical records must be clear in content and completed as soon as is possible after the consultation or event, providing current information on the care and condition of the patients.

Medical records should identify problems that have arisen and the subsequent actions taken to rectify them. They should also record other persons present during any visit/appointment/consultation. Where this is a student or any other employee observing the visit/appointment/consultation, there should also be a record of the patient’s consent.

Medical records should be factual, consistent, clear and accurate, and written so that their meaning is unambiguous. They should not include jargon, meaningless phrases, irrelevant speculation or offensive subjective statements. They should be formulated, wherever possible, with the involvement of the patient and/or their relatives, in terms that they can understand.

Abbreviations should only be used in care records where the abbreviation is first explained in the notes.

Roles and Responsibilities

The Data Protection Officer has overall responsibility for information governance within Extracellular. The Data Protection Officer is responsible for:

  • informing and advising Extracellular and individuals associated with the business about their obligations to comply with the GDPR and relevant data protection legislation
  • monitoring compliance with the GDPR and other data protection legislation, including managing internal data protection activities and ensuring that relevant training is available for all employees
  • acting as the first point of contact for regulatory authorities and for data subjects
  • investigating any breaches of the GDPR, reporting such breaches as appropriate and ensuring that appropriate arrangements are put in place to prevent similar breaches occurring in the future.

The Registered Manager is responsible for:

  • carrying out and keeping up to date a personal data audit
  • ensuring that this policy is implemented within their team and that all employees receive Information Governance Training in line with this Policy.

Monitoring and Compliance of the Policy

The Data Protection Officer is responsible for ensuring the ongoing relevance of this Policy and for monitoring the consistency of its application. This will primarily be done via face-to-face supervision sessions.

This policy will be routinely reviewed every 3 years by the Data Protection Officer, or earlier if there are any changes in legislation.

Legislation and Guidance

General Data Protection Regulation 2016

Data Protection Act 2018

Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003

Information Commissioner’s Office Guide to the General Data Protection Regulation:

The Information Governance Review: Information to Share or not to Share:


Safe S6: Are lessons learned and improvements made when things go wrong?
Well-led W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed?
Well-led W3: How are the people who use the service, the public and staff engaged and involved?


Management of Complaints and Compliments Policy and Procedure

Author: CQC Compliance Limited
Policy Lead: Dr Niruban Ratnarajah
Version No.: 1.0
Date of issue: February 2021
Date to be reviewed: February 2022
Not controlled once printed



Extracellular recognises that there will be times when patients, their families or carers, employees and others are dissatisfied with aspects of the care and services provided. Extracellular is committed to dealing with any issues that may arise as quickly and effectively as possible.

By making sure that concerns and complaints are dealt with in a timely manner the risk of escalation is minimised and the opportunity of finding a satisfactory resolution to the problem is maximised.

At the same time, compliments are an important means of identifying areas of good practice, and Extracellular will seek to ensure that feedback on good practice is shared with employees to motivate and encourage and ensure standards of care are improved wherever possible.

Extracellular will ensure that the complaints procedure is fair and accessible to all.

Policy Statement

All concerns and complaints will be treated seriously and investigated promptly in accordance with the procedures outlined in this Policy. Employees will receive training in dealing with concerns and complaints and will ensure that all persons have access to guidance on the procedures for raising a concern or making a complaint. Extracellular is committed to ensuring that no-one is prevented from highlighting concerns or complaints.

Extracellular will ensure that all lessons learned from feedback are used as a means of improving the quality of care and services provided. Any recommendations made as a result of feedback will be shared at 1:1 supervision sessions, so that changes can be considered business-wide and implemented where appropriate.

Extracellular recognises its legal responsibility to respond appropriately and effectively to complaints (e.g., through the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014).

How to Submit Feedback

Compliments and concerns can be given verbally or in writing to any employee or submitted to the Registered Manager. The company Lead for compliments and complaints is Dr Niruban Ratnarajah. 

Complaints must be submitted in writing to the Registered Manager (or the Medical Director if the complaint relates to the Registered Manager). This is to ensure clarity of the full and specific details of the complaint. Where the complainant is unable to submit a complaint in writing, they should raise the complaint with the Registered Manager, who will then record the complaint.

Comments on social media websites will not normally be deemed to be formal complaints unless submitted in writing via one of the means outlined above.

Extracellular will ensure full information is provided about this Policy in the form of leaflets and posters that are available throughout the Company, including in areas accessible to the public, and on the Company website. The information will be available in different styles and languages where this is required.

Compliments Management Process

All compliments received in writing should be documented. They should also be circulated amongst relevant employees so that employees are aware of the number of compliments received, and the specific topics which are raised.

There is no requirement to record compliments which are received verbally, but this is encouraged wherever possible.

No formal acknowledgement of compliments is necessary; however, where this is deemed appropriate, it should be encouraged.

Concerns Management Process

Many concerns arise out of a lack of information or understanding, and very often the matter can be resolved via the provision of further information, advice or an apology. This means they can often be dealt with by front-line staff at the time they are raised. On other occasions it may be that employees can take swift action to resolve a concern straight away or find the most appropriate person to help. Employees should feel empowered to deal with concerns promptly and informally without the need for a more in-depth investigation.

On receipt of a concern employees will:

  • ensure that the immediate health care needs of the person affected by the concern are being met (where the person affected is still in Extracellular’s care) 
  • make sure that the person raising the concern does not wish to make a formal complaint 
  • undertake any enquiries required to resolve the matter
  • respond to the person raising the concern with the appropriate information/advice/apology and/or explain what has been done to resolve the matter
  • offer the person raising the concern the opportunity to discuss their concern further. 

However concerns are handled, employees should aim to ensure that they are resolved within 24 hours of their being raised. Excellent communication at this stage is essential to prevent the concern from escalating into a formal complaint. It is recommended that verbal communication be used primarily at this stage, either face-to-face or via telephone. However, if preferred by the person raising the concern, this can also be in writing, via email or text.

All concerns must be recorded on the incident management system. The record will include details of the concern, how it was resolved, and any further actions required.   

Where the concern cannot be resolved in the above manner, it should be forwarded to the Registered Manager. The Registered Manager can discuss the issue with the person raising the concern and initiate the formal complaints process outlined below if required.

Complaints Management Process

Once a complaint has been received, it should be recorded on the incident management system and formally acknowledged within two working days of receipt. The acknowledgement should normally be in writing but can be given verbally if appropriate. 

The Registered Manager will then either investigate the complaint fully themselves or nominate a ‘Lead Investigator’. If a ‘Lead Investigator’ has been nominated, the complainant must be informed of the name and contact details of the nominated person.

The person investigating the complaint will ensure that it is handled so that it is resolved without undue delay. Complainants should ordinarily receive a written response within 20 working days from the date of receipt. It is important that the right balance is struck between a timely response and one that is informed by comprehensive local action, as this will provide the best response to the complainant and the best opportunities for learning within the business.

The complainant should be sent regular updates on the progress of the investigation and likely timescales for receiving the formal response. If agreed timescales cannot be met, it is essential that the lead investigator informs the complainant of the reason for the delay and that new timescales are mutually agreed. In conducting the investigation, the lead investigator may undertake any of the following: 

  • contact the complainant to identify the outcome that they are seeking 
  • provide the complainant the opportunity to give their account and views of what took place 
  • review the relevant documentation, checking for evidence regarding issues raised 
  • interview any members of staff involved in the incident   
  • develop a timeline of what happened  
  • identify any shortfalls in level(s) of care provided
  • when appropriate, using a Root Cause Analysis, identify the causes/contributory factors/validity of the concerns that have been raised
  • identify clear and assigned actions to prevent recurrence and to improve care quality. 

The lead investigator will then: 

  • decide whether the complaint should be upheld in full, upheld in part or not upheld 
  • make a record of the details of the investigation, outcomes and actions to be taken on the incident management system. 

It is essential that every stage of the investigation is based on the best available evidence. The formal response from the Lead Investigator should be structured as follows: 

  • outline how the complaint has been considered  
  • explain how conclusions have been reached in relation to the complaint and whether it was upheld in part, in full or not upheld  
  • describe how any action needed as a result of the complaint has been taken, or is proposed to be taken 
  • explain that, if the complainant is not happy with the findings, an internal appeal is possible
  • provide details of the regulatory body, should the complainant still be unhappy and wish for their complaint to undergo external review. 

The Lead Investigator should ensure that the full written response is filed alongside the initial complaint on the incident management system. If, after receiving the formal response, the complainant is not happy with the outcome, they may write to the Senior Leadership Team to request an internal appeal.

Internal Appeal

Upon receipt of an appeal the Senior Leadership Team will: 

  • take the time to understand the details of the initial investigation and outcome 
  • contact the complainant to understand the reason(s) why they are not happy with the initial investigation outcome
  • appoint an appropriate independent individual within the business to carry out the appeal investigation 
  • provide the complainant with the name and contact details of the Independent Investigator.  

The Independent Investigator will: 

  • review the initial investigation and outcome
  • meet with or contact the complainant to discuss their continuing concerns 
  • carry out further investigation, if necessary
  • decide whether or not the initial investigation outcome should be upheld 
  • provide the complainant with relevant feedback and inform them of the appeal outcome. 

Once completed, the Independent Investigator will ensure that the incident management system is updated with comprehensive details of the appeal, including actions taken and outcome. They will also report their findings to the Senior Management Team. If the complainant remains dissatisfied with the response, they may contact the relevant ombudsman for further review.

Independent Review

Once your complaint has been fully dealt with by Extracellular, if you are not satisfied with the outcome of the internal appeal, you can refer your complaint to the Independent Sector Complaints Adjudication Service (ISCAS).

Details are available at Complaints process – ISCAS ( 

Our service is registered with and regulated by the Care Quality Commission (CQC).

The CQC cannot get involved in individual complaints about providers but is happy to receive information about our services at any time. You can contact the CQC at: 

Care Quality Commission,
National Correspondence,
Newcastle upon Tyne
NE1 4PA

Tel: 03000 616161

Fax: 03000 616171

Monitoring and Learning from Complaints

Extracellular regards all forms of feedback as an opportunity to improve the levels of care offered to patients. Extracellular operates within the ‘just culture’ framework. This means that employees are not apportioned unconstructive guilt or blame for genuine mistakes, but that they always remain accountable for deliberate policy deviations. The culture within Extracellular is a supportive one. Where areas of learning are identified following the receipt of feedback, these will be addressed. 

In order to ensure that the rest of the business is equally able to learn from feedback received, details of the lessons learned will be shared across the business. The Registered Manager will then be responsible for discussing the most appropriate method of sharing proposed service improvements with the Senior Leadership Team.

Issues arising from complaints should be a standard agenda item for discussion at the Senior Leadership Team meeting and the Registered Manager should ensure that themes and trends and lessons learned are shared with employees. 

Unreasonable Complainant Behaviour 

Many complainants are angry and feel very aggrieved, sometimes with good cause. Although most complainants behave appropriately, a small number may make complaints that are vexatious or malicious. This may involve making serial complaints about different matters or persisting with the same complaint when nothing further can be done to assist them.

It is important to distinguish between people who make several complaints, because they genuinely believe something has gone wrong, and people who are simply trying to make life difficult. It is important to remember that complainants will often be frustrated and aggrieved and, as a result, it is important to consider the merits of the complaint rather than their attitude. 

The fact that a complainant has made a vexatious complaint in the past does not necessarily mean that the next complaint is automatically vexatious. Each complaint must be considered individually, and a decision made as to whether it is vexatious or genuine. Complainants will be deemed to be vexatious or habitual if they have met two or more of the following criteria:

  • persistence in pursuing a complaint despite Extracellular’s complaints procedure outlined above having been fully exhausted
  • frequently bringing up further concerns and questions with a view to prolonging contact with the Company. It is important that new issues are not dismissed; if they are significantly different from the original complaint, it may be that they can be addressed as a separate complaint
  • being unwilling to accept documented evidence of care given as being factual, including denying receipt of an adequate response to their complaint
  • being unable to identify specific issues they wish to be investigated despite all reasonable efforts to assist them
  • focussing on a trivial matter that is out of proportion to its significance (careful judgement should be used in using this criterion as it requires a subjective judgement)
  • threatening or using physical violence towards employees. This criterion on its own will cause verbal contact with the complainant to cease. Any further communication following this should be solely in written format. Any threats of, or use of, violence should be reported on the incident management system
  • placing unreasonable demands on Extracellular’s employees. Discretion is required to determine how many contacts constitute excessive, along with good judgement based on the specific circumstances of each individual case
  • harassing or being abusive on more than one occasion to the person dealing with the complaint. If the behaviour is sufficiently severe this may be sufficient to classify it as vexatious
  • meetings or conversations are known to have been recorded electronically without the prior knowledge or consent of all parties involved
  • displaying unreasonable demands or expectations and failing to accept that these may be unreasonable despite a clear explanation having been provided as to what constitutes unreasonable.

Careful judgement and discretion must be used in applying criteria to identify habitual and vexatious complainants and to decide what action to take. The following actions are available: 

  • informing the complainant that they are at risk of being classified as habitual or vexatious. A copy of this policy should be sent to them and they should be advised to consider the criteria outlined when dealing with Extracellular in the future
  • declining further contact with the complainant, whether in person, by telephone, letter, email or text, whilst ensuring that one route of contact remains available. Alternatively, further contact could be restricted to liaison via a third party
  • notifying the complainant in writing that the Senior Leadership Team has responded fully to the points raised and has tried to resolve the complaint, that there is nothing more to add and that continuing contact on the matter will serve no useful purpose. Complainants should be notified that correspondence is at an end and that further communications will not be acknowledged or answered
  • informing complainants that in extreme circumstances Extracellular reserves the right to refer unreasonable or vexatious complainants to solicitors and, if appropriate, the police.

These measures should only be implemented following agreement by the Registered Manager or Senior Leadership Team. The complainant must be notified of the course of action in writing by the Senior Management Team, including the reasons why the complaint has been classified as habitual or vexatious. The letter should be copied for the information of those involved in the complaint. 

Habitual or vexatious status can be withdrawn if a complainant demonstrates a more reasonable approach or submits a separate complaint for which the standard complaints procedure would seem appropriate. Such status should only be withdrawn following discussion between the Registered Manager and Senior Management Team.

Support for Employees Involved in a Complaint

The investigation of a complaint involving allegations of malpractice, assault, etc., can be stressful for staff involved. Sensitivity at this time is required. Managers are encouraged to provide support to their employees. However, in order to maintain their more objective role, an independent mentor (e.g., a manager from another area) can be identified to provide advice and support to the employee concerned during this difficult time.  

When a complaint investigation takes place, staff can be asked to prepare statements or attend interviews. The Lead Investigator will ensure that: 

  • employees are given timely guidance as to what information will be required from them, allowing time for them to gain support from colleagues and/or unions
  • good information governance practice is maintained and information regarding specific individuals is treated confidentially and with respect; sharing will only take place as far as required to conduct the investigation
  • interviews are conducted in a professional and supportive manner
  • employees know that the review is being conducted as part of a learning and safety culture, as opposed to the apportioning of blame
  • employees are kept up to date on the review’s progress.

Records Management

All feedback paperwork will be retained for a minimum of 6 years. Any archived paper files will be stored in a secure manner, in order to preserve confidentiality. Feedback related correspondence should not, in any circumstances, be retained in the care record of a person; this should only record information that is strictly relevant to their health.

The security and retention of information on the incident management system is the responsibility of the Registered Manager.


The implementation and levels of compliance with this policy will be monitored by 1:1 supervision sessions, with lessons learned shared through this channel as well as the Senior Leadership Team.  

Related Policies and Procedures

Grievance Policy and Procedure

Information Governance Policy and Procedure

Safeguarding Adults Policy and Procedure

Safeguarding Children Policy and Procedure

Whistleblowing Policy and Procedure

Legislation and Guidance

A Review of the NHS Hospitals Complaints System: Putting Service Users Back in the Picture, Clwyd & Hart, October 2013.

Compensations Act 2006

Complaints in health and social care: standards & guidelines for resolution and learning, Department of Health, Social Services and Public Safety, June 2013. 

Complaints Matter, CQC, December 2014 

Data Protection Act 2018

How to complain about a care home or care in your home – self-funded or council-funded, Local Government Ombudsman, February 2015. 

Human Rights Act 1998

Mental Capacity Act 2005

Mental Capacity Act Code of Practice 

Report of the Mid Staffordshire NHS Foundation Trust Public Inquiry, Francis, 2013.

The Care Act 2014

The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009


Safe S1: How do systems, processes and practices safeguard people from abuse?
Caring C2: How does the service support people to express their views and be actively involved in making decisions about their care, support and treatment as far as possible?
Responsive R2: How are people’s concerns and complaints listened and responded to and used to improve the quality of care?


Health and Safety Policy and Procedures

Author: CQC Compliance Limited
Policy Lead: Dr Niruban Ratnarajah
Version No.: 1.0
Date of issue: February 2021
Date to be reviewed: February 2022
Not controlled once printed


Extracellular recognises our responsibility and duties under the Health and Safety at Work etc. Act 1974 and we are committed to ensuring, so far as is reasonably practicable, the health, safety and welfare of our employees, patients, visitors and other persons who may be affected by our activities. Extracellular recognises the strategic and moral importance of health and safety as part of our business performance and is committed to developing a positive health and safety culture throughout the organisation.

This Health and Safety Policy has been prepared in accordance with the requirements of the Health and Safety at Work etc. Act 1974. It defines how we will manage the health and safety risks associated with our business, premises and activities. It will be signed and delivered by the Registered Manager.

Extracellular will implement a systematic and pro-active approach to managing health and safety risks by making sure that foreseeable risks are identified, mitigated and communicated effectively to those who may be affected. With a view to ensuring continuous improvement we will ensure that we benchmark and evidence our performance so that employees, patients, visitors and other persons who may be affected can be assured of our internal processes.

Policy Statement

Extracellular acknowledges that we have a duty of care to protect the health and safety of our employees, patients and others who may be affected by our business activities (see Appendix I). To achieve this, we will:

  • maintain the workplace in a safe condition and provide adequate facilities and arrangements for employee welfare at work 
  • ensure that there is a safe means of accessing and leaving the workplace
  • ensure that health and safety risks from our work activities are identified and mitigated
  • ensure that all work-provided equipment and systems of work are safe
  • ensure that arrangements are in place for promoting health and safety in relation to the use, handling and storage of hazardous substances
  • make sure that the place of work is clean and tidy and that measures are in place to control the spread of infection
  • make sure that all contractors who undertake work on our premises adhere to safe systems of work and engage competent staff
  • dispose of all waste generated through our business activities in a safe and reasonable manner
  • ensure that up-to-date and relevant information, instruction, training and supervision are provided to our employees and other relevant persons to maintain health and safety at work
  • engage in consultation with our employees in relation to health and safety issues
  • monitor and review our performance to promote a culture of continuous improvement.


This policy and the procedures apply to all employees, workers and independent contractors within Extracellular.

The Registered Manager has overall responsibility for ensuring the health and safety of all employees, patients and visitors. 

Roles and Responsibilities

The Registered Manager is responsible for:

  • the overall responsibility of health and safety, including ensuring a safe place of work and providing adequate resources to implement this policy
  • ensuring that this policy is available and brought to the attention of all employees within their control
  • ensuring that all risks presented to employees and others are identified and providing adequate training
  • identifying training needs in line with the risks identified and providing equipment to ensure that all necessary controls are in place and being adhered to
  • ensuring that all contractors operating under their control are properly controlled and where necessary permits issued
  • investigating, reporting (to the Health and Safety Executive where applicable) and recording accidents, and implementing measures to ensure that corrective action is taken to prevent recurrence. 

Employees are responsible for:

  • taking reasonable care of their own health and safety and that of others who may be affected by their actions or omissions
  • undertaking their tasks as instructed, in line with any risk assessment findings and training
  • co-operating with their employer in all matters relating to health and safety
  • attending training sessions where required and adhering to all safe systems of work implemented by the organisation
  • using equipment in accordance with Extracellular’s instructions
  • following all infection prevention processes
  • reporting any accident involving injury, damage to plant and equipment, or potential injury, damage or loss
  • not misusing or interfering with any equipment provided to ensure safe working practices in the workplace.

Fire marshals are responsible for:

  • carrying out preventative fire safety checks in their responsible area
  • managing the evacuation of the premises in the event of a fire or other emergency. 

A named Competent Person is responsible for providing Extracellular with professional advice, support and guidance on all health and safety matters. This will ensure that Extracellular is compliant with its statutory duties. 

First Aid

Extracellular will nominate an individual who will be responsible for First Aid. This person will have the appropriate First Aid training and will be responsible for ensuring that the First Aid kit is easily accessible and appropriately stocked, in accordance with L74: First Aid at Work Approved Code of Practice. Extracellular will ensure that resources are made available to facilitate this. 

Health and Safety Poster

Extracellular will display a Health and Safety poster and ensure that it is kept up to date. The Competent Person and First Aider will have their name clearly displayed. 

Reporting of Injuries, Diseases and Dangerous Occurrences (RIDDOR)

Some types of workplace incidents/diseases are required to be reported to the Health and Safety Executive, as follows:

  • if there is an accident connected with work (including an act of physical violence) and the injured person suffers an over-seven-day injury (an over-seven-day injury is one which is not “major” but results in the injured person being away from work OR unable to do the full range of their normal duties for more than seven days)
  • certain poisonings 
  • some skin diseases, such as occupational dermatitis 
  • lung diseases, including asbestosis and mesothelioma  
  • infections, such as COVID-19, leptospirosis, hepatitis, tuberculosis, legionellosis and tetanus  
  • a needle stick injury with a needle that has been used on someone with a blood-borne virus  
  • collapse, overturning or failure of load-bearing parts of lifts and lifting equipment including person hoists
  • plant or equipment coming into contact with overhead power lines  
  • electrical short circuit or overload causing fire or explosion  
  • asbestos being released during maintenance work
  • other conditions, such as occupational cancer and certain musculoskeletal disorders. 

Incidents involving patients can also be reportable under RIDDOR, for example where the incident is due to a failure of equipment or of a system of work. The Competent Person will be able to provide advice on whether an incident meets the HSE reporting threshold for RIDDOR.

It is the responsibility of all employees to notify the Registered Manager if any of the above incidents/diseases occur. It is then the responsibility of the Registered Manager to ensure that the appropriate notification is submitted to the HSE within the required timescales.


Risk Assessment

The Health and Safety Executive defines a risk assessment as ‘a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm’. Extracellular will ensure that all risk assessments undertaken within our business are completed by an appropriately trained individual. 

All risk assessments within Extracellular will follow the five-step approach to risk assessment:

  1. Identify the hazards.
  2. Decide who might be harmed and how.
  3. Evaluate the risks and decide on control measures.
  4. Record findings and implement them.
  5. Review assessment and update if necessary.



Compliance with this policy will be monitored through the analysis of themes and trends identified from incident reports. These will then be discussed at monthly Senior Management Team meetings and lessons learned shared throughout the business.

Related Policies and Procedures

Accident and Incident Management Policy and Procedure

Complaints and Compliments Policy and Procedure

Infection Prevention and Control Policy and Procedure

Quality, Governance and Risk Policy and Procedure

Safeguarding Adults Policy and Procedure

Safeguarding Children Policy and Procedure

Legislation and Guidance

Civil Contingencies Act 2004

Health and Safety at Work etc Act 1974

Health and Safety (Miscellaneous Amendments) Regulations 2002

Health and Safety (First Aid) Regulations 1981

Health and Social Care Act 2008 (Regulated Activities) (Amendment) Regulations 2015

Health Protection (Notification) (Amendment) Regulations

Hazardous Waste (England and Wales) Regulations 2005

Management of Health and Safety at Work Regulations 1999

Manual Handling Operations Regulations 1992


Workplace (Health, Safety and Welfare) Regulations 1992


Safe S2: Are lessons learned and improvements made when things go wrong?

S6: How are risks to people assessed and their safety monitored and managed so they are supported to stay safe and their freedom is respected? 

Well-led W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed?

W4: How does the service continually learn, improve, innovate and ensure sustainability?


Appendix 1 – Health and Safety Policy Statement 

  • Extracellular has a duty of care under the Health & Safety at Work Act (1974) to ensure, so far as is reasonably practicable, the health, safety and welfare of employees and those who might be affected by the activities of the business.
  • It is Extracellular’s policy to provide safe and healthy working conditions for our employees, patients, visitors and contractors. In addition, every effort will be made to ensure the safety and welfare of members of the public. 
  • Extracellular accepts the importance of a well organised, committed and tangible health and safety policy which results in improvements in employee welfare, the general work environment and job satisfaction.
  • The Management of Health & Safety at Work Regulations (1999) require employers to carry out a suitable and sufficient assessment of the risks to the health and safety of their employees and others, in order to identify the measures to be taken to comply with statutory and duty of care requirements. Extracellular will ensure that this takes place by implementing a risk assessment process to allow significant hazards to be identified and all related risks controlled as far as reasonably practical, as well as being reviewed regularly.
  • Extracellular requires line managers to obtain and provide relevant information and necessary training to employees in respect of risks to their health and safety which may arise from their work.
  • Extracellular seeks the full co-operation of all employees with the health and safety arrangements highlighted in this policy statement. Employees also have a duty under health and safety legislation to take reasonable care of their own health and safety at work and of others whom their acts or omissions may affect.
  • Employees are expected to always work safely and consider the safety of others. All employees are required not only to observe local health and safety rules that are designed to prevent accidents and promote sound health, but also to co-operate and participate with the management team in their aim to maintain and promote safe and healthy working conditions.
  • Regular employee meetings will take place to promote good practice in respect of the health, safety and welfare of employees at work.

Signed: Dated:

Dr Niruban Ratnarajah (Director of Operations) 


Duty of Candour Policy and Procedure

Author: CQC Compliance Limited
Policy Lead: Dr Niruban Ratnarajah
Version No.: 1.0
Date of issue: February 2021
Date to be reviewed: February 2022
Not controlled once printed



The potential effects on patients, relatives and staff members, when things go wrong, can be devastating. Duty of candour outlines the principles that employees should use when communicating with patients, relatives and/or carers following an incident where harm has occurred, or where there is a risk or possibility that the incident could lead to or result in harm. It underpins a culture of openness, honesty and transparency, and is a duty on the organisation as a whole, as well as individual employees working within the organisation. 

Policy Statement

This policy aims to improve the quality and consistency of communication with patients, relatives and/or carers when incidents occur, so that they promptly receive the information they need to understand what happened. A meaningful apology will be offered, and they must also be informed of the action(s) that Extracellular will take to try to ensure that a similar type of incident does not recur. It also aims to give employees clear information on what they should do when they are involved in an incident, on the support available to help them cope with the consequences of what happened, and on how to communicate effectively with patients, relatives and/or carers.


This document applies to all direct and indirect employees within Extracellular and other persons working within the organisation.


Notifiable safety incident – any unintended or unexpected incident that occurred in respect of a patient during the provision of a regulated activity that, in the reasonable opinion of a healthcare professional appears to have resulted in one of the following:

  • death of a patient, where the death relates directly to the incident rather than to the natural course of the patient’s illness or underlying condition
  • impairment of the sensory, motor or intellectual functions of the patient that has lasted, or is likely to last, for a continuous period of at least 28 days
  • changes to the structure of the patient’s body
  • prolonged pain or psychological harm experienced by the patient
  • shortening of the life expectancy of the patient.


Relevant person – the person directly harmed by the incident, or, in the following circumstances, a person lawfully acting on their behalf:

  • when the patient dies
  • where the patient is under 16 and not competent to make a decision in relation to their care or treatment
  • where the patient is 16 or over and lacks capacity to make decisions.

Moderate harm – harm that requires a moderate increase in treatment, including readmission, prolongation of care, admission to hospital, referral to hospital as an outpatient, cancelling of treatment that is otherwise needed or a transfer to another specialist facility or treatment area. Moderate harm also includes significant but not permanent harm.

Severe harm – a permanent reduction of bodily, sensory, motor, psychological or intellectual functions, including procedures carried out on the wrong person or on the wrong area of the body of the right person.

Prolonged psychological harm – psychological harm that a relevant person has or is likely to experience for a continuous period of at least 28 days.


Extracellular aims to promote a culture of openness and transparency within the organisation. Employees should feel empowered to report any adverse incident, whether patients have come to harm or not. Extracellular is committed to learning lessons, positive and negative, from incidents that happen with a view to continuous improvement of our services.  

In order to support employees in reporting incidents, the requirement to adopt an open and transparent practice will be discussed at supervisions and one to one meetings. 

Employees will be supported to report incidents by ensuring that they are not obstructed to do so, and action will be taken to remedy any incident of bullying and/or harassment related to a duty of candour. Any incident where an individual has been obstructed in carrying out their duty of candour will be investigated. 


  • Reporting

The first step of the process is the recognition of an incident and whether the level of harm dictates that it is appropriate to apply a duty of candour. If an employee is unsure whether an incident is reportable, or unsure of the level of harm, the incident should be reported in any event, with the level of harm reported at the higher end of the estimate. The Registered Manager can then make the appropriate judgement as to the level of harm caused.

Incidents should be reported in line with the Incident Management Policy. A verbal report must be made to the person on duty and in charge of the service at the time of the incident.

The person on duty then must formally report it to the Registered Manager, if they are not the same person, as soon as possible. 

  • Determine if a Duty of Candour Applies

The Registered Manager should:

  • carry out an initial assessment of the incident to determine whether the incident is a notifiable incident. This is dependent on the level of harm. A notifiable incident is one where the level of harm suffered is moderate or severe 
  • if it is considered that the incident is not a notifiable incident under regulation 20, follow normal incident reporting procedures alone.


  • Identify the Relevant Person

The Registered Manager should then identify the ‘Relevant Person’ under the Regulation. In most cases this will be the patient. However, if the patient has died, is under 16 or lacks capacity, it will be their legal representative. A legal representative is usually someone who holds parental responsibility, for a patient under the age of 16, or a Lasting Power of Attorney for health and wellbeing, for a patient aged 16 or over who lacks capacity under the Mental Capacity Act 2005. 

If a patient who lacks capacity does not have a Lasting Power of Attorney in place, a best interest decision should be taken as to the most appropriate person with whom to liaise. 

  • Contact the Relevant Person

An attempt should be made to arrange a face-to-face meeting with the Relevant Person, where possible. This should usually be done within 10 days of the incident being reported. At the meeting, the Relevant Person should be given the following:

  • introductions of all present and an explanation of why the meeting was requested
  • a detailed and honest account of all the facts currently held about the incident, and what action has been taken so far
  • an apology
  • an explanation of the level of investigation that is being conducted, how this will occur and the anticipated timescales
  • a discussion to determine any questions or concerns that the patient or representative specifically wish to be investigated
  • gathering of facts from the patient or their representative as appropriate 
  • confirmation that a written summary of the meeting will be provided.

After the meeting the Relevant Person should be provided with the following information:

  • a follow up letter outlining the details of the meeting
  • details of investigations taking place
  • any update on further queries raised within the face-to-face meeting
  • a written apology on behalf of Extracellular.

The Relevant Person should also be updated with the outcome of any investigations, as well as lessons learned, as soon as these are available. 

External Notifications

External bodies, such as the CQC and local authorities, should be notified of the incident in line with the Incident Management Policy.


Extracellular recognises the importance of appropriate support to patients, their relatives and/or carers during difficult times. The Registered Manager is responsible for discussing support needs with the individual and considering whether it would be appropriate to offer further support (e.g., through their GP, registered charities and/or other relevant organisations).

It is also acknowledged that staff involved in an incident requiring the implementation of a duty of candour may require additional support. This should be accessed initially through their line manager.


The implementation and levels of compliance with this policy will be monitored through one to one supervision and a monthly Leadership Team meeting. 

Related Policies and Procedures

Compliments and Complaints Policy and Procedures

Health & Safety Policy and Procedures

Incident Management Policy and Procedures

Quality, Governance and Risk Policy and Procedures

Legislation and Guidance

Criminal Justice and Courts Act 2015

The Care Act 2014

The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

The Health and Social Care Act 2008 (Regulated Activities)(Amendment) Regulations 2015

The Mental Capacity Act 2005

Mental Capacity Act Code of Practice 


Safe S2: How are risks to individuals and the service managed so that people are protected and their freedom is supported and respected?
Well-led W1: How does the service promote a positive culture that is person-centred, open, inclusive and empowering?

Appendix A – Initial Disclosure Letter Template

Private & Confidential 

(Name and address) 





Thank you for taking the time to talk with me/my colleague regarding XXXX on (e.g., your father’s fall on 16 April and subsequent fractured hip). The members of the team involved in the care of your XXXX and I would like to express our sincere apologies that this event occurred whilst XXXX was in our care.

[Or in the event of a death] On behalf of the Organisation, and the members of the team involved in the care of your XXXX, please accept our sincere condolences at this sad time. At Extracellular we aim to provide a quality service to patient/service users and families and want to assure you that we will be investigating this incident promptly to understand how it happened and whether there is anything we could do differently in future to prevent this happening to anyone else. As an Organisation, we are committed to being open when events such as this happen, and we will ensure our findings are shared with those involved and will endeavour to keep you informed of the progress of our investigation. We will write to you again within the next XX weeks (i.e., 10 working days after the investigation has been completed) once the findings of the investigation are known.

Once you have received our investigation findings, we would welcome the opportunity to meet with you again to discuss the findings personally and answer any questions you may have. We will do everything we can to support you and your family during this process, in line with our Being Open and Duty of Candour policy. [If the incident involves the loss of a relative, add:] Please be assured that it is not our intention to intrude upon you or your family at this difficult time; however, we would like to keep you informed.

In the meantime, if you have any questions or queries about this letter, please do not hesitate to contact me on XXXXX XXXXXX (or the named Quality and Patient Safety Improvement Nurse on XXXX XXXXXX). If you would like this information in an alternative format or language, please contact XXXX or me so that we can arrange this.

Yours sincerely,