Data Management & GDPR Policy
Cotton Nursing Solutions Ltd — Last updated: March 2026
1. Purpose
This policy outlines how Cotton Nursing Solutions Ltd (including Cotton Nursing and Cotton Family divisions) manages, protects, and uses data. It is designed to ensure compliance with UK data protection laws (including GDPR), maintain confidentiality, and safeguard the trust of our clients, families, and staff, in a manner proportionate to the scale and nature of our business.
2. Scope
This policy applies to all personal, sensitive, and business data processed by Cotton Nursing Solutions Ltd, including digital and paper records, across all services (training, occupational health, coaching, and family support).
3. Our Data Principles
We commit to the following data management principles:
- Lawfulness, Fairness & Transparency: Data is processed legally, fairly, and transparently.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only.
- Data Minimisation: Only necessary data is collected and processed.
- Accuracy: Data is kept accurate and up to date where reasonably practicable.
- Storage Limitation: Data is retained only as long as necessary.
- Integrity & Confidentiality: Data is kept secure, confidential, and protected against unauthorised access or loss.
4. Data Collection
We collect data that is relevant and necessary for:
- Service delivery (training, coaching, occupational health, course bookings)
- Communication (newsletters, updates, feedback)
- Legal, regulatory, and safeguarding requirements
5. Data Storage & Security
- Electronic data: Stored securely on password-protected devices and cloud platforms (e.g., Google Drive, Cliniko).
- Paper records: Kept in locked cabinets with restricted access.
- Access control: Only authorised staff and contractors may access data, in line with their roles.
- Data encryption: Sensitive information is encrypted where possible.
6. Data Sharing
- Data is only shared with third parties (e.g., healthcare partners, trainers, regulators) when necessary for service delivery, compliance, or with explicit consent.
- Data is not sold or shared for marketing purposes without consent.
- All third parties must demonstrate adequate data protection standards.
7. Data Retention
Data is retained for the minimum period required by law or best practice (e.g., safeguarding). Outdated or unnecessary data is securely deleted or destroyed. Retention periods are reviewed periodically.
8. Data Subject Rights
Individuals have the right to:
- Access their data
- Request correction or deletion
- Restrict or object to processing
- Withdraw consent at any time (where applicable)
- Lodge a complaint with the Information Commissioner's Office (ICO)
9. Data Breach Response
- All staff must report suspected data breaches promptly.
- Breaches will be investigated and affected individuals notified as required by law.
- Incidents are documented and reviewed, in a manner proportionate to the scale of the business, to prevent recurrence.
10. Training & Awareness
All staff and contractors receive appropriate training on data protection and this policy. Updates are communicated as needed.
11. Policy Review
This policy is reviewed periodically or in response to significant changes in law, guidance, or business practice.
12. Contact
Questions or requests regarding this policy should be directed to:
Elisabeth Fairbairn, Owner
Cotton Nursing Solutions Ltd
Email: [email protected]
Phone: 07872 179689
This policy reflects the scale and nature of Cotton Nursing Solutions Ltd's activities. Actions, training, and record-keeping are proportionate to the size of the business and the needs of those we work with.