Storage of Data on Practitioners' Mobile Devices

The Data Protection Act 2018 and the UK General Data Protection Regulation 2018 (UK GDPR) regulate the use of 'personal data' – obtaining, storing, and processing it.

The Data Protection Act 2018 protects the rights and privacy of identifiable living individuals and ensures that the data about them held, processed, and used by organisations is managed properly. It places legal obligations on those who process personal information and ensures individuals are aware of and exercise some control over how information about them is to be used.

'Personal data' means any information relating to an identified or identifiable living individual.

'Processing' is defined very widely in the Data Protection Act 2018 and covers any activity carried out such as:

  • Collection, recording, organisation, structuring, or storage;
  • Adaptation or alteration;
  • Retrieval, consultation, or use;
  • Disclosure by transmission, dissemination or otherwise making available;
  • Alignment or combination; or
  • Restriction, erasure, or destruction of data.

Advances in technology and increased use of mobile devices can present particular challenges and increased risk of data breaches, and you must be familiar with your requirements under the Act.

The Information Commissioner's Office (responsible for ensuring compliance with the Data Protection Act 2018) can and does impose substantial financial penalties for breaches of the Act.


The Data Protection Act 2018 has a set of principles on how to use personal data properly.

Personal data shall:

  • Be processed fairly and lawfully;
  • Be processed for specified, explicit and legitimate purposes;
  • Be adequate, relevant and not excessive;
  • Be accurate and kept up to date;
  • Be kept no longer than is necessary;
  • Be processed in a secure manner.

In order to ensure compliance with the Data Protection Principles in relation to the storage and processing of data on mobile devices, the following practice must be adhered to:

  • Individuals must be informed of what data is to be collected and stored, and the reasons, including the extent to which the data will be used;
  • All data must be securely stored;
  • All data initially obtained on mobile devices must be held on such devices for the minimum period necessary, and should then be securely transferred to a secure network;
  • The data must then be removed from the mobile device without delay.

Principle 1 in the Data Protection Act 2018 states that 'personal data shall be processed fairly and lawfully'.

In practice, this means that you must:

  • Have legitimate grounds for collecting and using the personal data, and not use the data for any other purpose;
  • Explain to the individual what data you will be obtaining and how you intend to use the data;
  • Handle peoples' personal data only in ways they would reasonably expect.
  • Personal data must only ever be stored on mobile devices provided for this purpose by the employer;
  • Personal data must NEVER be stored on or transferred to staff members' personal devices such as mobile telephones, tablet or laptop computers, home computers, memory sticks, etc.
  • Mobile devices should be password-protected and encrypted using encryption software which meets current standards to protect personal data - password protection alone is insufficient when the mobile device is handling personal data which if lost could cause damage or distress;
  • Access to the device should be locked if an incorrect password is input too many times;
  • The device should automatically lock if inactive for a period of time;
  • Mobile devices should be equipped with software to enable the device to be tracked and remotely wiped of data in the event of loss/theft.
  • Only approved software (e.g. apps) must be downloaded onto mobile devices. Unapproved software/apps can compromise security of the device;
  • Facilities such as Wi-Fi or Bluetooth, which could allow others to have remote access to the device, must be switched off – note that these are likely to be set to 'on' by default;
  • Physical access to the device must be restricted – do not leave the device unattended or where it can be viewed by others. Keep the device with you or securely stored, e.g. in a locked drawer. NEVER allow others such as other family members or children (including your own) to have access to the device.

The Data Protection Act 2018 stipulates that personal data must not be kept for any longer than is necessary. All data initially obtained on mobile devices must be held on such devices for the minimum period necessary, and should then be securely transferred to a secure network.

  • A secure method must be used to transfer the data to a secure network as soon as possible – data should not be retained on the mobile device for any longer than necessary;
  • Data can be securely transferred by secure e-mail, direct transfer from mobile device to secure network computer or secure remote connection such as a Virtual Private Network (VPN);
  • NEVER use personal email, unsecure email or cloud computing to send personal data;
  • DO NOT use public facilities such as internet cafes to send personal data.

The Data Protection Act applies to photographs in the same way as to any other personal data, i.e. the collection and use of images (still or moving pictures) of any individual who can be identified.

The Act does not stop an individual's image from being captured, but it does require the image to be obtained fairly, used for a legitimate purpose which does not cause the individual distress or prejudice and to be kept securely.

It is recognised that taking photos or videos of people with care and support needs can be a legitimate, and indeed an essential part of working with them, such as the recording of activities, at the request of the person themselves, or for life story work. In all such situations staff should alert their line manager to the fact that photos or videos are being used and this should be recorded clearly in supervision notes.

Workers should also be sensitive to the negative impact of photographs for an individual, where they are known to have experienced abuse or neglect in their lives that involved (or may have involved) the use of photographic imagery.

  • The use of photography, reproduction of photographic images or the use of videos must always have a clear and person-centred purpose;
  • Prior to the taking of any photo or video the purpose of this should be explained to the person according to their age, development and understanding, and to anyone with the legal authority to make such decisions on their behalf (a Lasting Power of Attorney or Deputy);
  • The person must consent to the taking of any photograph or video, or, if they lack capacity to consent, this must be deemed in their best interests by a Lasting Power of Attorney or Deputy. Where a Lasting Power of Attorney or Deputy does not exist a Best Interests decision can be made by another appropriate person able to apply the principles of the Mental Capacity Act 2005;
  • A record of consent from the person or a Lasting Power of Attorney or Deputy should be kept on file and reviewed each time a photograph or video image is to be taken. Where a Best Interests decision has been made a record of this should also be kept and reviewed in the same way;
  • A person should not be photographed if they do not wish to be, regardless of whether or not they have capacity to make this decision;
  • Individuals must be clothed and their torsos covered when being photographed or videoed;
  • Staff must not take any photographic images of people to their own home or keep them in their private possession;
  • If photos or videos are to be used for public display e.g. for publicity purposes, specific permission must be sought from the person to do so. If they lack capacity to consent, this must be deemed in their best interests by a Lasting Power of Attorney or Deputy. Where a Lasting Power of Attorney or Deputy does not exist a Best Interests decision can be made by another appropriate person able to apply the principles of the Mental Capacity Act 2005. The full name, date of birth or other information that could identify the individual must not be published';
  • Images must not be posted on social networking sites (e.g. Facebook) where they can be copied by others (either directly or using a screenshot).

You should immediately notify your line manager of any loss, theft or wrongful disclosure of personal or sensitive data by you or any loss or theft of your mobile device/s.

If you feel that another professional or a service provider is at fault this should be reported using appropriate internal safeguarding, commissioning or whistleblowing processes.

It is important to remember that principles of data protection and confidentiality apply equally when working in a home environment as they do when working in an office environment.

A home environment may pose additional risks and issues of which you must be aware.

For instance:

  • Ensure that confidential material and devices containing such material (e.g. phones/laptops) cannot be viewed or accessed by other members of your household. It is important to make sure that children, for instance, do not have access to work laptops;
  • If you have paper copies of personal data, these must be disposed of securely, e.g. by shredding;
  • Be mindful of ensuring that confidential telephone conversations cannot be overheard;
  • Beware of 'smart home' devices (Alexa, Google Home, Nest, Ring, 'nanny cams' etc.). These devices may be 'listening' in to conversations and/or 'watching'. These devices must be disabled if they are sited close to where you are working;
  • Cloud storage should not be regarded as secure unless specifically provided and approved by your employer. Likewise with personal devices such as telephones and computers;
  • Remember that you are still working, and appropriate standards of professionalism should be maintained at all times. Do not post anything on personal social media accounts that could inadvertently disclose any confidential work material/issues/identifying information in relation to individuals.

Last Updated: September 16, 2021