Confidentiality and Data Protection


Course Overview

Most data breaches in the workplace are not the result of a cyberattack. They are the result of a staff member doing something that seemed harmless in the moment. A photo uploaded to a personal social media account. A message sent to the wrong person. A conversation about a client held in a public space. A document left on a printer.

The assumption that data protection is an IT problem, or a legal problem, or someone else’s problem, is one of the most consistent and costly gaps in workforce understanding. Every member of staff who handles personal information, which in most organisations means everyone, carries legal responsibilities under UK data protection law. Most of them have never been told what those responsibilities actually are.

Confidentiality and Data Protection Training closes that gap. It gives learners a clear, practical understanding of what data protection means in their day-to-day role, what the law requires of them, and what the consequences look like when things go wrong. Not in abstract terms. In the specific, real situations that actually happen at work.

One of the scenarios this course addresses directly is social media. A care worker who photographs an individual they support and posts it to their personal account, even with the best of intentions, has committed a serious breach of that individual’s privacy, potentially breached UK GDPR, and exposed their employer to significant regulatory and reputational risk. It happens regularly. It is almost always unintentional. And it is entirely preventable with the right training.

This course aligns with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance published by the Information Commissioner’s Office (ICO). It is suitable for any organisation in any sector where staff handle personal, sensitive, or confidential information.

Course Details

  • Duration: Typically 2 to 3 hours, adaptable to requirements
  • Delivery: In-person at your venue, or live online via Zoom or Microsoft Teams
  • Certificate: CPD-accredited certificate of achievement in Confidentiality and Data Protection
  • Refresher: Every 1 to 3 years, or sooner following changes to legislation, organisational policy, or job role
  • Group size: Flexible for team training

Who This Course Is For

This course is right for anyone who handles personal, sensitive, or confidential information as part of their role, which in most organisations means everyone, including:

  • Frontline care staff, support workers, and health and social care professionals
  • Administrative, HR, finance, and operations staff
  • Customer-facing and client-facing teams
  • Managers and supervisors with responsibility for data handling
  • Volunteers and contractors with access to personal or organisational data
  • Any employee whose role involves collecting, storing, sharing, or disposing of personal information

No prior legal or technical knowledge is needed.

Why This Training Matters

UK GDPR and the Data Protection Act 2018 place clear legal obligations on organisations and on the individuals working within them. The Information Commissioner’s Office has the power to issue fines of up to £17.5 million or 4% of annual global turnover for serious breaches, whichever is higher. But financial penalties are only part of the picture. A data breach involving personal or special category data can cause real harm to the individuals affected: loss of privacy, reputational damage, distress, and in some cases, serious safeguarding consequences.

In health and social care settings, the stakes are higher still. Individuals being supported are often among the most vulnerable people in society. Their data, including health information, care records, and daily routines, is special category data under UK GDPR, which attracts the highest level of protection. A staff member who shares that information without a lawful basis, however casually, is not just making a policy error. They are potentially causing harm to a person who trusted their organisation with some of the most sensitive details of their life.

Social media is where this most visibly goes wrong. A photograph of a service user uploaded to a personal account. A post about a resident that identifies them to their family and community without consent. An image shared in a WhatsApp group that includes people outside the organisation. None of these is typically malicious. All of them are data breaches, and all of them are reportable to the ICO. The individuals affected rarely know it has happened. That does not make it less serious.

Data protection is not a compliance exercise. It is a fundamental aspect of how organisations treat the people who trust them with their information.

What You Will Learn

By the end of the session, learners will be able to:

  • Explain what confidentiality and data protection mean and why they matter in their role
  • Identify personal data and special category data, and understand the difference
  • Apply the key principles of UK GDPR to their day-to-day responsibilities
  • Handle, store, share, and dispose of information securely and lawfully
  • Recognise what constitutes a data breach, including social media misuse
  • Understand reporting obligations and what happens when a breach occurs
  • Follow workplace policies on data handling with confidence and clarity

Course Content

Content is adapted to your sector and setting, but typically covers:

  • What confidentiality is and why it matters: the legal and ethical framework
  • UK GDPR and the Data Protection Act 2018: what they require of organisations and individuals
  • Personal data and special category data: what they are and why the distinction matters
  • Lawful bases for processing data: understanding when and how information can be used
  • Secure handling, storage, access, and disposal of information in everyday practice
  • Social media and data protection: why a photograph or post can constitute a serious breach
  • Information sharing: when it is lawful, when it is not, and how to make the right call
  • Recognising data breaches and near misses: what counts as a breach and what to do
  • Reporting obligations: internal reporting, ICO notification, and individual responsibilities
  • Roles and responsibilities: what the organisation must do and what individual staff are accountable for

How the Course Is Delivered

Sessions are practical, discussion-based, and grounded in the real situations learners encounter in their working day. The aim is not just awareness of the law but a clear understanding of what it means to handle information responsibly in practice.

Delivery includes:

  • Real-world scenarios, including social media misuse, accidental disclosure, and insecure information sharing
  • Discussion of where data protection obligations sit within everyday tasks learners already carry out
  • Practical guidance on what to do if a breach occurs or is suspected
  • Time for questions, because data protection tends to raise a lot of them once people start applying it to their own roles

Certification and Validity

On completion, learners receive a CPD-accredited certificate of achievement in Confidentiality and Data Protection.

A refresher is recommended every 1 to 3 years, or sooner following changes to data protection legislation, ICO guidance, organisational policy, or significant changes to a staff member’s role or data access. Organisations subject to sector-specific regulation, such as CQC-registered providers or financial services firms, should also review training following any internal or external audit findings related to data handling.

In-House and Bespoke Training

We adapt delivery to your organisation, your data handling risks, and the specific responsibilities of your team.

We can build content around:

  • Your internal data protection policies, systems, and procedures
  • The types of data your organisation handles, including special category data in health and social care settings
  • Common data handling risks specific to your sector, such as social media use, remote working, or third-party data sharing
  • Staff groups with specific data handling responsibilities, such as HR, finance, or clinical teams

Course Location and Service Areas

We deliver in-house training at your workplace or chosen venue across Manchester, Greater Manchester, and the wider North West. We also deliver nationally, including North England, South England, London, and Surrey.

For teams in multiple locations or with remote workers, this course is available live online via Zoom or Microsoft Teams, with no drop in quality or interaction.

All sessions are led by experienced Prima Cura Training instructors. Every trainer holds an Enhanced DBS certificate.

FAQs

Is uploading a photo of a service user to social media a data breach?

Yes. A photograph of an identifiable individual is personal data under UK GDPR. Posting it to a personal social media account without that individual’s explicit consent, and without a lawful basis for sharing it, is a data breach. In health and social care settings, where the individuals involved may be vulnerable, and their identity and care needs are sensitive information, this type of breach can carry serious consequences for the individual, the staff member, and the organisation. This course addresses social media misuse directly and gives learners a clear understanding of why it matters.

Does this course cover UK GDPR?

Yes. The course provides a practical overview of UK GDPR and the Data Protection Act 2018, including the key principles, what personal and special category data are, the lawful bases for processing, and what organisations and individuals are required to do when things go wrong.

Does the organisation have to report a data breach to the ICO?

It depends on the nature and severity of the breach. Under UK GDPR, organisations must report a breach to the ICO within 72 hours of becoming aware of it if it is likely to result in a risk to the rights and freedoms of individuals. More serious breaches may also need to be communicated directly to the individuals affected. This course covers what the reporting obligations are and how staff should respond if they discover or suspect a breach.

Is this course relevant outside of health and social care?

Yes. UK GDPR and the Data Protection Act 2018 apply to any organisation that handles personal data, which covers virtually every business in the UK. We regularly deliver this training in care, education, housing, legal services, retail, hospitality, and other sectors. Content is adapted to reflect the specific data handling risks relevant to your organisation.

Book or Enquire

To book Confidentiality and Data Protection training or to discuss a tailored option for your organisation, please get in touch with Prima Cura Training. We’re happy to advise on delivery options, group sizes, and suitability for your business.

Our Commitment to Quality and Compliance

At Prima Cura Training, all courses reflect current UK guidance and best practice.

All trainers are experienced professionals with relevant qualifications and ongoing CPD. Because many of the organisations we support work with vulnerable individuals, all trainers hold Enhanced DBS checks.

This course is reviewed against updates from the Information Commissioner’s Office, the UK GDPR framework, the Data Protection Act 2018, and current sector guidance on information governance, including NHS England information governance standards where applicable.

You can read more on our Quality Assurance and Compliance page.

Reviewed by Stephanie Austin, Owner and Lead Trainer, Prima Cura Training | 25+ years in health and social care | 15+ years as a trainer | Last reviewed: April 2026 | Next review: April 2027

This page is for general guidance only and reflects UK data protection legislation and ICO guidance current at the date of review. It does not constitute legal advice. Organisations remain responsible for ensuring their data protection policies, procedures, and staff training programmes comply with UK GDPR, the Data Protection Act 2018, and any sector-specific information governance obligations applicable to their organisation. Where a data breach occurs or is suspected, organisations should seek independent legal advice and follow their own internal reporting procedures and ICO notification obligations. Prima Cura Training accepts no liability for decisions made on the basis of this content alone.