PRIVACY NOTICE - SERVICE USERS
In order for us to provide care and support services to the people we support we collect and use certain personal information about you.
Personal information means any information about you from which you can be identified, but it does not include information where your identity has been removed (anonymous data). As the ‘controller’ of personal information, we are responsible for how that data is managed. The General Data Protection Regulation (GDPR), which applies in the United Kingdom and across the European Union, sets out our obligations to you and your rights in respect of how we manage your personal information.
As the ‘controller’ of your personal information, we will ensure that the personal information we hold about you is:
-Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date</li>\r\n <li>Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Please note when we refer to: A ‘public body‘ we mean any organisation in the United Kingdom which delivers, commissions or reviews a public service and includes (but is not limited to) the Ombudsman, local authorities, councils, unitary authorities, clinical commissioning groups, health and social care trusts, the National Health Service as well as their arm’s length bodies and regulators. A ‘health or social care professional‘ we mean any person who provides direct services, acts as consultant or is involved in the commission of your healthcare or social care services, including (but not limited to) your general practitioner (GP), dental staff, pharmacists, nurses and health visitors, clinical psychologists, dieticians, physiotherapists, occupational therapists, hospital staff, social workers and other care and support related professionals.
The personal information we collect and use in relation to people who enquire about and use our services
Information collected by us</strong>\r\n\r\nWhen you enquire about our care and support services through our website, phone, email, post, face to face or social media, and during the course of providing care and support services to you we collect the following personal information when you provide it to us:
- Your name, home address, date of birth and contact details (including your telephone number, email address) and emergency contacts (i.e. name, relationship and home and telephone numbers).
- Contact details for your GP, your allergies and any medical, physical or mental conditions and in particular your care needs.
- Your likes, dislikes and lifestyle preferences (including your religious beliefs or other beliefs of a similar nature, racial or ethnic origin, health and sexual orientation (so far as they relate to providing you with suitable care).
- Credit/Debit Card, direct debit details or other payment information (if you pay for some or all of our services using one of these methods).
- Your feedback and contributions to questionnaires and surveys about the service we offer.
- Audio recordings of phone calls to and from our office teams.
- Your complaints, compliments or concerns about the service we provide.
- Any accidents and incidents or near misses you may have been involved in whist on our premises or whilst our employees are delivering a regulated service to you – this may include details of injuries and treatment you may have received.
When using our website, we collect standard internet log information (commonly known as cookies), including:
- Details of the pages you visit.
- IP address.
- Browser details including the type of computer or device that you are using. This is statistical information only which we collect in order to find out the numbers of visitors to our site and the pages they have visited. This information collected in such a way that it is not used to identify individuals. Where we do collect personal information on the website, this will be made obvious to you through the relevant pages.
Information collected from other sources
We work closely with third parties such as social and healthcare professionals and public bodies. We therefore also obtain personal information about you from other sources such as:
-Your allergies and any medical, physical or mental conditions, test results and in particular your care and support needs, from any appropriate external social or health care professionals (including your GP).
- Your name, date of birth, home address, contact details, needs assessments and financial assessments from any appropriate external social or health care professionals (including any relevant public body regardless of whether you are publicly funded).
- Your likes, dislikes and lifestyle preferences (including your religious beliefs or other beliefs of a similar nature, racial or ethnic origin, health and sexual orientation (so far as they relate to providing you with suitable care) from your family, friends and any other person you have nominated as your representative.
-Your legal representative (for example Lasting Power of Attorney), if applicable.
How we use your personal information
We use your personal information to:
-Prepare, review and update a suitable care plan, describing the nature and level of care and support services which you have requested.
- To communicate with you, your representatives and any appropriate external social or health care professionals about your individual needs and personalise the service delivered to you.
-Respond, should your care needs change, to meet your individual needs and ensure the safety of you and your Care Support Worker.
- Invoice you for the care and support services in accordance with our terms and conditions.
- Carry out quality assurance procedures, review our service and improve our customer experience.
- Send information about our services which we believe you may be interested in. You may unsubscribe from this at any time.
-Notify you about changes to our services which are relevant to you.
-Monitor how effective our services are and to make sure that the services we provide meet your needs.
- Improve your experience of our website and to ensure that the content is presented in the most effective way.
Who we share your personal information with
We share your medical information with appropriate external social or health care professionals (including your GP and pharmacist) and any individuals you have nominated as your representative as and when required. This data sharing enables us to establish the type of care and support you need. It also allows us to design the right care package to suit your individual needs. We will share personal information with law enforcement or other authorities if requested or required. This includes information required by public bodies to evidence our compliance with the applicable regulatory framework. We are also required to share personal information with external social or health care professionals, including public bodies and local safeguarding groups (in some circumstances) to ensure your safety. We will share relevant information within ProCare Services in order to provide safe and effective services to you. We will not share, sell or trade your personal information with any other third party without your consent. In order to deliver our service to you we rely on third parties to provide specialist support to us.
To provide this support they will have access to, or a duty of care over your personal information. These providers are:
- IT and Telecoms Support companies – to ensure the safe, secure and resilient operation of our IT infrastructure including computers, servers, phones and mobile devices.
-Software support companies – to provide specialist support and resolve issues with the software that we run, for example the systems we use to store and manage your customer records.
-Data archiving companies – responsible for the secure storage and destruction of records.
These providers are under a written contract to ensure the same level of privacy and security that we promise to you. Whether information has to be provided by you, and if so why. The provision of your medical, physical or mental condition is necessary to enable us to create a care plan and to provide you with suitable care and support services. Without this information, we will not be able to assess your care needs or provide any care services to you. The provision of your name, home address and telephone number is required so that we can arrange a care support worker to attend your home to deliver service.
How long your personal information will be kept
We will hold the personal information kept within your electronic customer file for the length of your contract plus 3 years. We will hold the personal information kept within your hard copy customer files for 3 years from the date of the last entry. We will hold the personal information kept within our feedback procedure for 1 year so that we can identify trends and patterns in our service. We will hold financial records and transactions for 7 years in line with our legal requirements.
Reasons we can collect and use your personal information
We rely on the following grounds within the GDPR:
Article 6(1)(a) – processing is conducted with your consent to process personal data for specified purposes
Article 6(1)(b) – processing is necessary for the performance of our contracts to provide individuals with care and support services.
Article 6(1)(c) – processing is necessary for us to demonstrate compliance with our regulatory framework and the law
Article 6(1)(f) – to process your personal data in pursuit of legitimate interests, which include;
Corporate due diligence and financial modelling, service development and innovation – the privacy impact on you is expected to be minimal. We will process your data internally to ensure our business is stable, trusted and innovating to provide the best possible service to you. GDPR recognises that additional care is required when processing special category (sensitive) data such as your health. We process this under the following grounds within GDPR;
Article 9(2)(h) – processing is necessary for the provision of social care or the management of social care systems and services. International transfers. All your personal data is stored and processed on systems that are within the European Economic Area (EEA) and offer the same level of legal protection and rights over your data.
Your rights
As a data subject, you have the following rights, without charge, in relation to your personal data processed by us:
- To be informed about how your data is handled;
- To gain access to your personal data;
To have errors or inaccuracies in your data changed;
-To have your personal data erased, in limited circumstances;
-To object to the processing of your personal data for marketing purposes or when the processing is based on the public interest or other legitimate interests;
-To restrict the processing of your personal data, in limited circumstances.
-To obtain a copy of some of your data in a commonly used electronic form, in limited circumstances;
For further information on each of these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation. If you would like to exercise any of these rights, please contact us on the details below.
How to contact us
You can contact us by: Telephone 01452 595 690, Email: info@procareservices.co.uk, Post: ProCare Services, Unit 2, Office 6 Morelands Trading Estate, Gloucester, GL1 5RZ, United Kingdom. If you would like to exercise any of those rights, please contact us using the details above – making clear that you wish to exercise one of your privacy rights. Let us have enough information to identify you (e.g. your name and address), Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), Let us know the information to which your request relates, including any account or reference numbers, if you have them. If you would like to unsubscribe from any news / information emails you can also click on the ‘unsubscribe’ button at the bottom of the emails. It may take up to 14 days for this to take place. Keeping your personal information secure. The confidentiality and security of your information is of paramount importance to us. We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information. You can raise any concern you may have with: Data Protection Officer, Unit 2, Office 6 Morelands Trading Estate, Gloucester, GL1 5RZ, United Kingdom.
The GDPR also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or Telephone: 0303 123 1113.
Changes to this privacy notice
This privacy notice was last updated on 1 February 2019. We may change this privacy policy from time to time, when changes are significant we will draw your attention to this via email and on our website.
Policy Statement
On the 25 May 2018 the new Data Protection Act 2018, which is based on the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 in its entirety. It replaces the existing Data Protection Laws to make them fit for the digital age in which ever increasing personal data is being processed. The Act sets new standards for protecting personal data. Gives people more control over the use of their data and assists in the preparation for a future outside of the EU.\r\n\r\nThere are 4 main matters provided for, these are:
- General Data Processing
- Law Enforcement Data processing
- Data Processing for National Security Purposes
- Enforcement
All the above need to be set in the context of international, national and local data processing systems which are increasingly dependent upon internet usage for exchange and transit of data. The UK must lock into international data protection arrangements, systems and processes and this Act updates and reinforces the mechanism to enable this to take place. Given the size of the legislation and some of the media hype surrounding its introduction this policy is written in 2 Sections.
Section 1 Overview of the Act.
Section 2 The Policy and templates
Section 1 Overview of the Act:
The Act is structured in 7 parts, each of which covers specific areas. These are:
Part 1: Preliminary.
This sets out the parameters of the Act, gives an overview, explains that most processing of personal data is subject to the Act and gives the terms relating to the processing of personal data.
Part 2: General Processing.
This supplements the GDPR and sets out a broadly equivalent regime to certain types of processing to which the GDPR does not apply.
Part 3: Law Enforcement Processing
This covers; “competent authority”meaning of “controller” and “processor” data protection principles safeguards in regard to archiving and sensitive processing rights and access of the data subject, including erasure implements the law enforcement directive controller and processor duties and obligations records co-operation with the ICO commissioner, personal data breaches, the remedy of such breaches, position of the data protection officer and their tasks, transfer of data internationally to particular recipients, national security considerations, special processing restrictions and reporting of infringements.
Part 4: Intelligence Services Processing
This covers only data handled by the above e.g. MI5 and MI6 and includes rights of access, automated decisions, rectification and erasure, obligations relating to security and data breaches.
Part 5: The Information Commissioner
This covers: general functions including publication of Codes of Practice and guidance, their International role, their responsibilities in relation to specific Codes of Practice, consensual audits, information to be provided to the Commissioner, confidentiality and privileged communication, fees for services, charges payable to the commission, publications, Notices from the Commissioner, reporting to parliament.
Part 6: Enforcement
This covers the new enforcement regime in relation to all forms of Notice issued by the Commissioner, powers of entry and inspection, penalty amounts, appeals, complaints, remedies in the court, offences, special purpose proceedings.
Part 7: Supplementary and Final Provision
This covers legal changes which the new Act alters in relation to other legal matters, e.g. Tribunal Procedure rules, definitions, changes to the Data Protection Convention etc. and List of Schedule(s). As you can see, this Act is a huge piece of legislation, the majority of which is outside the remit of service providers working within the Adult Health and Social Care Sector. The I.C.O. confirms that many concepts and principles are much the same and businesses already complying with the current law are likely to be already meeting many of the key requirements of the GDPR and the new Act. The Information Commissioner says the new Act represents a “step change” from previous laws. “It means a change of culture of the organisation. That is not an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the organisations overall systems approach to how it manages and processes personal data”. It’s a change of mindset in regard to data handling, collection and retention. We need to stop taking personal data for granted, it’s not a commodity we own: its only ever on loan. Individuals have been given control and we have been given fiduciary duty of care over it! As an organisation handling personal data on a day to day basis, this policy sets out the requirements of the new Act and how we, as an organisation will meet our legal obligations. Staff awareness and understanding of their responsibilities in regard to the handling, collection and retention of data will be core to the successful embedding of this policy.
Preparation: (The 12 Steps)
In order to comply with the requirements of the Act preparation should include the completion of the 12 steps awareness, information we hold, communicating privacy information, individual’s rights, subject access requests, lawful bases for processing, consent, children, data breaches, data protection by design and data protection impact assessments, data protection officers, international data.
Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now.
The ICO has issued this guidance as the start of the preparation. They have also made clear that they are aware that for small companies in particular time can be a factor in this preparation, but it is important to remember that you must start the 12 steps in order that you can show compliance. As an organisation we are preparing for this new Act by completing these 12 steps.
Definitions
The GDPR applies to “Controllers”, “Processors” and “Data Protection Officer” and to certain types of information, specifically, “Personal Data” and “Sensitive Personal Data” referred to in the Act as Special Categories of Personal Data”. “Controllers” This role determines, on behalf of the organisation, the purposes and means of processing personal data. “Processors” This role is responsible for processing personal data on behalf of a controller. The Act places specific legal obligations on you, e.g. you are required to keep and maintain records of personal data and processing activities. This role has legal liabilities if they are responsible for any breach.
Data Protection Officer, This role is a must only in certain circumstances if you are:
- a public authority (except for courts)
- carry out large scale systematic monitoring of individuals e.g. online behaviour tracking
- carry out large scale processing of special categories of data, or data relating to criminal convictions and offences e.g. police, DBS bodies, prison service etc.
“personal data”
This means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. So, this would include name, reference or identification number, location data or online identifier. This reflects changes in technology which incorporates a wide range of different identifiers. Personal Data applies to both automated and manual filing systems. It can also apply to pseudonymised e.g. key-coded can fall within the GDPR dependent on how difficult it is to attribute the pseudonym to a particular individual’s race, ethnic origin, politics, religion, trade union membership, sex life or sexual orientation.
“Special Categories of personal Data”
This category of data is more sensitive and much more protected. Sensitive personal data specifically includes genetic data, biometric data, health, race, ethnic origin, politics, religion, trade union membership, sexual orientation Safeguards apply to other type of data e.g. criminal convictions and offences; intelligence data etc.
Data Protection Principles
The GDPR sets out the following principles for which organisations are responsible and must meet. These require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with purposes, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and where necessary, kept up to date, every reasonable step must be taken that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
personal data may be stored for longer purposes in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals processed in a manner that ensures appropriate security of the personal data. including protection against unauthorised or unlawful processing and against accidental loss. destruction or damage, using appropriate technical or organisational measures
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles”
Article 5 (2) GDPR “Lawful bases” for processing
There are 6 lawful bases for processing data. These are:
- Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked us to take specific steps before entering into a contract.
- Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
- Vital Interests: the processing is necessary to protect someone’s life.
- Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
Consent
The GDPR sets a high standard here. Consent means offering individuals real choice and control. Consent practices and existing paperwork will need to be refreshed and meet specific requirements. These are:
- positive opt-in, no pre-ticked boxes or other method of “default” consent
- a clear and specific statement of consent, vague or blanket consent is not enough
- keep consent requests separate from other terms and conditions
- keep evidence of consent – who, when, how, and what you told people
- keep consent under review
- avoid making consent to processing pre-condition to any service
- employers need to take extra care to evidence that consent is freely given, and should avoid over reliance on consent
Consent is one lawful basis to consider but organisations in a position of power over individuals should consider alternative “lawful bases”. If we would still process their personal data without consent, then asking for consent is misleading and inherently unfair.
PLEASE NOTE : Consent within this policy relates only to data processing not Health or Support in a Social Care context. You must still use consent as defined within the Mental Capacity Act 2005 to deliver services
Legal Obligation
Put simply, the processing is necessary for us as an organisation to comply with the law, e.g. the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which requires us as providers to collect, handle and process data in a prescribed manner.
Legitimate Interests this is the most flexible lawful basis for processing, it is likely to be appropriate where we process in ways that people would reasonably expect us to, with a minimal privacy impact, or where there is a compelling justification for the processing, there are 3 elements to consider when using this lawful base. we need to:
- identify a legitimate interest show that the processing is necessary to achieve it: and balance it against the individual’s interests, rights and freedoms
- legitimate interests can mean our organisations, interest of third parties, commercial interests, individual or social benefits, the processing must be necessary, a balance must be struck between our interests, the individual’s and would it be reasonable to expect the processing, or would it cause unnecessary harm, then their interests are likely to override our legitimate interests
- keep a record of your legitimate interest’s assessment (LIA) to help you demonstrate compliance.
The above are the 3 most pertinent bases for Health and Social Care data processing activity.
Contract, Vital Interests or Public Task apply within specific work settings and would be difficult to meet because service providers are subject to specific legislative and regulatory requirements in order to work within a “Regulated Activity”. “Lawful bases” must be determined by the organisation before processing of any personal data and it is vital that thorough consideration is given to this decision.
Service users or residents must be aware of the lawful base used by this organisation to process their personal data.
Individual Rights
The GDPR provides the following rights for individuals:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
All relevant guidance to individual rights is not yet complete, Working Party (WP)29 will continue to work and produce such guidance as is thought appropriate. Any individual request which falls into the above categories this organisation will follow the relevant guidance currently available on the following website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/\
Privacy notices, transparency and control
To start off a privacy notice, you need to tell people, as a minimum:
who you are, what you are going to do with their information, who it will be shared with, Being transparent, and providing accessible information, is core to compliance and the GDPR. Privacy notices is the most common way to meet the GDPR requirements. Transparency, in a governance or business context, is honesty and openness and the more transparent we can be the more easily understood and accessible our services become to the people who use them. In the context of data processing is simply that “it should be transparent to natural persons that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of their personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processor and further information to ensure fair and transparent processing in respect of the confirmation and communication of personal data concerning them which is being processed.”
Information Commissioner: Role and Function
Regarding the changes within the new GDPR, National Supervising Authorities in all EU member states have had their powers of enforcement enhanced. Our I.C.O. in the UK’s supervising authority. Within the Enforcement Toolbox, the Information Commissioners Office known as the I.C.O., can now issue substantial fines of up to 20 million, or, 4% of an organisation’s global turnover for certain data protection infringements. Fines, when appropriate, will be of the discretion of the I.C.O. with considerable variations expected to be levied. There are no fixed penalties or minimum fines, though there are different maximum fines for different breaches. The GDPR also empowers the I.C.O. to create tailor made solutions to deal with infringements brought to their attention. This does not mean that organisations can relax about compliance, but diligent small and medium sized organisations can take comfort in the fact that they are unlikely to face the sort of punitive fines that rogue tech giants could to bring them to head. Remember: the highest imposed fine limit was £500,000 under the old Act (1998) but the highest fine ever imposed was £400,000 to TalkTalk for failings in connection with a cyber-attack in 2016. The Information Commissioner herself is playing down the “scaremongering because of misconceptions”. £20 million fines could put businesses out of business and that is not the intention of the GDPR, though there is a seismic shift in the number of fines that could be imposed. The role and scope of the I.C.O. has not fundamentally changed, but rather has been expanded and enhanced via the new GDPR.
Codes of Conduct and Certification Mechanisms
Although the use of any of the above is encouraged by the GDPR it is not obligatory. If an approved code of conduct or certification scheme becomes available that covers our processing activity, consideration will be given to working towards such a scheme as a way of demonstrating our compliance. The I.C.O. will develop its own code of conduct as it has already worked with the Direct Marketing Commissions Code of Conduct: DMA Code.
Derogations and Exceptions
The Act provides that member states of the EU can provide their own national rules in respect of specific processing activities.\r\n\r\nAll Data Controllers must be familiar with Schedules 1-18 of the GDPR as these are the lawful exemptions pertinent to many other legal frameworks and Acts. These Schedules cover things such as Parliamentary Privilege, Health and Social Work, Criminal Convictions (Additional Safeguards), Research, Statistics and Archiving, Education Child Abuse, and include specific provisions for data processing within the Schedule(s). For example: Schedule 15: Powers of Entry and Inspection. This Schedule sets out clearly the powers of the Information Commissioner’s Office in relation to warrant(s) issued by the courts which allow the I.C.O. to enter premises and inspect data field there, including the seizure of documents. Schedule 18 is where all the legislative changes, in all pertinent primary legislation is found, including the repeal of the Data Protection Act 1998. As the Act is embedded in to the organisation, Data controllers, their role and responsibilities, will need to be reviewed and revised to ensure compliance.
Codes of Practice
The Act enhances the role of the Information Commission’s Office (I.C.O.) in the compilation of such Codes and these will be available in due course. It is important that we are regularly checking the I.C.O. website in order to keep up with current guidance.
The Policy
Section 2
This organisation believes that all data, required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained and stored in accordance to the requirements of the Data Protection Act 2018. The General Data Protection Regulation (GDPR) form the basis of the Act but in order to be effective and compliant with its requirements, the Related Policy list should be viewed as core to this policy, as should Section 1 and the Related Guidance links. PLEASE NOTE: All Guidance from the ICO should be considered “Live Documentation” and regularly checked until all Codes of Practice and Guidance are issued. Working Party 29 known as WP29 is a representative body from each of the EU member states who have developed and worked on the Act. WP29 still sits and meets in the European Parliament until all of the complexities of the Act have been clarified and amended into law.
Lawful Bases
After due consideration this organisation has determined that the following Lawful Bases are used in the collection of data, the individual has given clear consent for us to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal Obligation:the processing is necessary for us to comply with the law (not including contractual obligations) and CQC regulations.
Vital Interests: the processing is necessary to protect someone’s life.
Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
Data Protection Principles
The Act sets out 8 Principles which must be adhered to when processing data. Please refer to the Related Guidance links for further information. The GDPR sets out the following principles for which this organisation is responsible and must meet. These require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with purposes, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and where necessary, kept up to date, every reasonable step must be taken that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- personal data may be stored for longer purposes in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals
- processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Individual Rights
There are several changes here in particular the Right of Access in relation to timescales and fees. These must be fully understood in relation to anyone submitting a Subject Access request. Please refer to the related Guidance Link. The GDPR provides the following rights for individuals:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
Each of the above rights has its own Best Practice Process which you will find here: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
Privacy Notices
This is a new requirement for data processing, it is an accessible information declaration which should set out clearly how we will gather, use handle, store and process personal data. The Code uses the term “Privacy Notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people’s expectations able personal data are changing, particularly through the use of social media, the use of mobile apps and the willingness of the public to share personal information via these platforms. However, as an organisation we are increasingly aware of the fragile trust which can be easily broken through data breaches and are therefore seeking transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency and control become a given for users. Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:
- what information is being collected?
- who is collecting it?
- how is it collected?
- why is it being collected?
- how will it be used?
- who will it be shared with?
- what will be the effect of this on individuals concerned?
- s the intended use likely to cause individuals to object or complain?<
The Privacy notice must be easily understood by users of the service and include all of the above, it must also be easily visible so in this organisation it will be displayed on our website: http://www.vivevare.co.uk and issued at assessment Stage for clients and Recruitment stage for employers.
Privacy and Electronic Communications Regulations (PECR)
This guide issued by the ICO covers specifically electronic marketing messages i.e. phone, fax, email or text, and includes the use of cookies. It introduces specific roles on the above keeping such communication services secure and user’s privacy in regard to traffic and location data, itemised billing, line identification and directory listings\r\n\r\nThe Data Protection Act 2018 still applies if you are processing personal data. The PECR sets out some extra rules for electronic communications and please be mindful of electronic schedule systems which will also come under PECR
File Retention
The GDPR sets out Guidance on files and retention including archiving, specifically Health and Social Care personal data is generally exempt. As a provider of services, file and retention guidelines are in place from our Regulator which includes CQC and the NHS as well as Local Authorities via the Service Specification within any contractual arrangements. A periodic check of the Regulator’s Guidance should be part of the review of this policy.
Compliance
In order to meet the requirements of the Act a thorough knowledge of the Guidance should be the priority for the Data Controller. It is also important that the Act is placed in the context of other compliance requirements namely The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and all other lawful requirements such as Regulation 18 Staffing to name but one. In recognition of the complexities of the Act, the ICO has set up an advice service for small organisations. https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/
Changes to our Policy
This policy has been updated to include the changes being implemented by the General Data Protection Regulation (GDPR) which are in place on 25/5/2018. This policy will be reviewed tri-annually and updated when required.