GDPR Privacy Statement

What is the GDPR?

You will no doubt have received a large number of emails and letters regarding the new General Data Protection Regulation (GDPR), which protects the privacy and personal data of everyone in the EU.

Legal Basis

As a health and social care provider, Island Healthcare processes (stores, uses and shares) a lot of data, including the sensitive personal data of our staff and clients.

The legal basis under which Island Healthcare processes the personal data in its possession is Article 6(1)(e) of the GDPR: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.  The source of that official authority is the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which set out our obligations as a care provider and include our duty to maintain care records and to undertake background and reference checks on our employees.  Because health and care records are ‘special category’ data under Article 9 of the GDPR, an additional Article 9 condition must also be met; for the provision of care this is Article 9(2)(h) (processing necessary for the provision of health or social care).

Data Sharing

In order to properly discharge our duty to care for the people living with us we will sometimes have to share personal information with other authorities, such as the CQC, local authorities or the NHS.  We will ensure this is done in a secure way and that the data shared is limited to only that which is necessary.

Data Storage

Data will be retained in accordance with guidance from the Information Commissioner’s Office for a period of seven years, except in certain circumstances, such as information on serious safeguarding incidents, where the retention period will be considerably longer.

Part of the GDPR action plan includes a programme of electronically archiving our existing paper records and ensuring that any new archives are stored on a secure server.  Any remaining paper records will be stored in locked units, with all documents destroyed confidentially when appropriate.

Your Rights

Under data protection legislation you have certain rights, which are listed here and explained in more detail below.

The following rights of the ‘data subject’ apply to everyone whose data we process, both employees of the organisation and clients.  The rights are:

1.       A right of access to a copy of the information comprised in their personal data;

2.       A right to object to processing that is likely to cause or is causing damage or distress;

3.       A right to prevent processing for direct marketing;

4.       A right to object to decisions being taken by automated means;

5.       A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and

6.       A right to claim compensation for damages caused by a breach of the act.

Implementation Programme

An action plan will shortly be available on this website.  The compliance programme will include a considerable investment in our IT infrastructure to ensure our systems are secure, and a rewriting of our policies and procedures, including the maintenance of an information asset register.  As the appointed Data Protection Officer, Operations Director Ian Bennett will be responsible for the delivery of this work and for ensuring the action plan is followed.

Information Governance Policy and the Data Protection Act

Aims and Objectives

To ensure the maintenance of detailed, accurate and up-to-date records of our clients, which are vital to the delivery of good quality person-centred care.  To ensure the safe and proportionate storage of information relating to our employees.

Island Healthcare adheres to the eight principles set out in the Data Protection Act 1998 (HM Government, 1998) and its associated regulations in regard to the creation, storage and sharing of any care data maintained by the company.

Contents

Principle One – Fair and lawful handling of data

Principle Two – The purposes for which personal data is processed

Principle Three – The amount of personal data held

Principle Four – The accuracy of information

Principle Five – Retention of data

Principle Six – Rights of the person

Principle Seven – Security

Principle Eight – International

Confidentiality

References

Principle One – Fair and lawful handling of data

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

(a)   at least one of the conditions in Schedule 2 is met, and

(b)   in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”

Schedule 2

The data subject has given his consent to the processing.

The processing is necessary—

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

The processing is necessary in order to protect the vital interests of the data subject.

The processing is necessary—

(a) for the administration of justice,

(aa) for the exercise of any functions of either House of Parliament,

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

(HM Government, 1998, p. 48)

This means we must…

o    Have legitimate grounds for collecting and using the personal data

o    Not use the data in ways that have unjustified adverse effects on the individuals concerned

o    Be transparent about how we intend to use the data, and give individuals appropriate privacy notices when collecting their personal data

o    Handle people’s personal data only in ways they would reasonably expect

o    Make sure we do not do anything unlawful with the data

(Information Commissioner’s Office, 2017)

Client’s data

The information collected by Island Healthcare about our clients is considered by the DPA 1998 to be ‘sensitive’ personal data.

1.       A signed consent form must be obtained during the assessment stage to ensure compliance with Principle One.

2.       Any changes to the use of personal data will be given consideration as to the effect this may have and will not occur without the consent of the individual or an advocate.

3.       The consent document transparently sets out how the data will be used and who it will be shared with.

4.       All the information collected will be stored appropriately, securely and not shared with any person or organisation not outlined in the consent document without prior consent or a best interest decision.

5.       Island Healthcare will obtain a written agreement with all organisations it shares data with to ensure it is processed fairly.

Staff data

Explicit consent is given by all employees in their employment contract for the processing of their personal information and its sharing with third parties who are also bound by a duty of confidentiality.

Data Sharing

IHL will not share data with other private organisations without the express consent of the person concerned, and will never give information to telemarketers or advertisers.

However, in some instances it may be important to share personal information in the interest of the person’s health and wellbeing, for example with doctors or a hospital; where consent is not possible this can be done in the person’s best interest.  Each situation must be reviewed on a case-by-case basis.

Island Healthcare may share data on a systematic or ad-hoc basis, as defined by the ICO in its guidance on Data Sharing (Information Commissioner’s Office, 2016, pp. 9–10).  The decision to share personal data will be informed by the ‘Data Sharing Checklists’ (Information Commissioner’s Office, 2016, p. 46) following the receipt of a ‘Data Sharing Request Form’.

If a decision to share data systematically is taken following the completion of the checklists, a Data Sharing Agreement must be completed and signed by both parties.

In the rare instance where personal data might be requested for research purposes, IHL will consider each request individually and will only provide anonymised data.

The company will never sell personal information.

Principle Two – The purposes for which personal data is processed

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” (HM Government, 1998, p. 48)

This means we must…

o    Be clear from the outset about why we are collecting personal data and what we intend to do with it;

o    Comply with the act’s fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data;

o    Comply with what the act says about notifying the Information Commissioner;

o    Ensure that if we wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

(Information Commissioner’s Office, 2017)

Client’s data

The personal data collected by Island Healthcare is for the sole purpose of providing safe and effective care to the person and will not be used for any other function.

Information shared with others will only be in connection with the provision of safe and effective care.

IHL’s consent document states clearly the purpose for which we are collecting this personal information and how it will be processed.

Staff data

Personal information on staff is collected for the sole purpose of complying with regulatory requirements (DBS applications) and for the processing of wages.

Island Healthcare has notified (registered with) the ICO.

Principle Three – The amount of personal data held

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

(HM Government, 1998, p. 48)

This means we must…

o    Hold personal data about an individual that is sufficient for the purpose we are holding it for in relation to that individual

o    Not hold more information than we need for that purpose.

(Information Commissioner’s Office, 2017)

Client’s Data

Only data relevant and proportionate to the purpose of providing care and support in a person-centred way will be collected and stored.

This data extends to work, social and religious history, which informs the provision of good, person-centred care.

Employee Data

Only data relevant to the processing of job applications, wages and DBS applications is collected and stored.

Principle Four – The accuracy of information

“Personal data shall be accurate and, where necessary, kept up to date.”

(HM Government, 1998, p. 48)

This means we must…

o    Take reasonable steps to ensure the accuracy of any personal data we obtain

o    Ensure that the source of any personal data is clear

o    Carefully consider any challenges to the accuracy of information

o    Consider whether it is necessary to update the information

(Information Commissioner’s Office, 2017)

Client’s Data

Care plans must be created in partnership with individuals or their advocates using information from assessment and other health records shared with us to ensure its accuracy.

All care plans are reviewed each month with any additional information added or removed.  All changes are recorded in the Care Plan Review sheet.

Employee Data

Employees have a responsibility to ensure that contact information remains up-to-date and information on recent convictions is disclosed to the company.

IHL will routinely distribute information update forms for this purpose.

Principle Five – Retention of data

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

(HM Government, 1998, p. 48)

This means we must…

o    Review the length of time we keep personal data;

o    Consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;

o    Securely delete information that is no longer needed for this purpose or these purposes;

o    Update, archive or securely delete information if it goes out of date.

(Information Commissioner’s Office, 2017)

Individual’s Data

A person’s data is maintained for the duration of their relationship with us and stored in accordance with Principle 7 of the DPA.

Island Healthcare follows guidance from the Information Governance Alliance and NHS Digital for the retention of Adult Health and Social Care records (Information Governance Alliance, 2016, p. 53). Care records must be archived for a period of at least eight years, after which they are to be reviewed prior to destruction considering any “serious incident retention”.

Data on serious incidents is held for a period of 20 years before being reviewed, and data on non-serious incidents is archived for 10 years (Information Governance Alliance, 2016, p. 69).  Financial records are retained for at least 10 years.

Employee Data

Employee data is stored on the same basis.  While their relationship with the company exists, their data will be stored in accordance with Principle 7 of the DPA.

Once the relationship has ended, the full employee record is archived for 6 years (or until the person reaches 75 years of age, if sooner); a summary of the record is then taken and retained until the person is 75.

Disposal of archived data

Island Healthcare will request that information stored electronically is deleted in accordance with our statutory obligations.

Hard copy data will be shredded in house or using a confidential shredding service.

Principle Six – Rights of the person

“Personal data shall be processed in accordance with the rights of data subjects under this Act.”

(HM Government, 1998, p. 48)

The following rights of the ‘data subject’ apply to anyone both employees of the organisation and clients.  The rights are:

1.       A right of access to a copy of the information comprised in their personal data;

2.       A right to object to processing that is likely to cause or is causing damage or distress;

3.       A right to prevent processing for direct marketing;

4.       A right to object to decisions being taken by automated means;

5.       A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and

6.       A right to claim compensation for damages caused by a breach of the act.

1.      Subject access requests

The right of an individual to access their personal data goes further than simply showing them the records.  If the individual makes a formal subject access request (Subject Access Request Form – Appendix 4), IHL has an obligation to respond within 30 days of receipt and to provide the following information.  We will not charge a fee for this service:

o    Whether any personal data is being processed

o    A description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people

o    A copy of the information comprising the data, and details of the source of the data (where this is available)

You will receive this information on a Subject Access Response Form (Appendix 5).

Data can be requested on behalf of another person (for instance by a solicitor acting in a person’s interest or by a family member).  However, Island Healthcare will only ever provide this information when clear permission has been given.  It is the third party’s responsibility to provide evidence of this permission, which could be either a written authority from the data subject to make the request or a power of attorney.

2.      Damage or Distress

The second right allows a person to request, via the Damage or Distress Contact Form (Appendix 6), that IHL stop processing their data; however, this is limited to the following circumstances:

o    When the data is their own

o    When processing the data causes unwarranted and substantial damage or distress

o    When the objection specifies why the processing has this effect

Additionally, the person has no right to object to the processing in the following circumstances:

o    they have consented to the processing;

o    the processing is necessary in relation to a contract that the individual has entered into, or because the individual has asked for something to be done so they can enter into a contract;

o    the processing is necessary because of a legal obligation that applies to IHL (other than a contractual obligation);

o    the processing is necessary to protect the individual’s “vital interests”.

3.      Preventing direct marketing

Island Healthcare undertakes no direct marketing.  If this changes in the future, people have the right to request that we do not use their data for this purpose, which we must action “within a reasonable period”.

4.      Automated decision taking

Island Healthcare operates no processes which involve automated decision-making.  Were this to change, the policy will be updated here to account for it.

(Information Commissioner’s Office, 2017)

Principle Seven – Security

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

(HM Government, 1998, p. 48)

Each Home’s Manager, or the Community Care Manager, is responsible for the security of the physical records held at their home.  The Operations Director is responsible for IT security, including the use of the Google Drive cloud service.

Google Account passwords are only available to the Operations Director or the care home manager.  When a manager changes their own password they must ensure it is strong (long and not reused from any other account) and that it is not disclosed to anyone.

Breaches of security are treated very seriously and investigated with haste.  Disciplinary action may be taken against employees who breach security, or whose negligence leads to a breach.

Client’s Data

All personal information about clients must be stored in locked offices accessible only to authorised people.

Where data is stored digitally, computers must be password protected and secured with anti-virus software.  Care plans stored electronically may be kept in the cloud, but steps must be taken to ensure that only authorised people have access.

Where data is kept in a person’s home in the community it must be stored securely and never removed from the premises.  The information remains the property of the client.

Once the person’s relationship with the company has come to an end the data is archived as per Principle 5.

Employee Data

As with client data, information on employees must be stored in a locked filing cabinet in a locked office only accessible by authorised people.

Information stored in, and shared via, the cloud must be handled in a way that ensures only authorised people have access.

Principle Eight – International

“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

(HM Government, 1998, p. 48)

IHL does not envisage that there will be a requirement for us to send personal data to countries outside of the European Economic Area (EEA).

However, if such a situation were to arise, due consideration will be given and advice taken from the Information Commissioner’s Office (ICO).

(Information Commissioner’s Office, 2017)

Confidentiality

Total respect must be given to confidentiality regarding all aspects of a person’s care.

Matters of health, medication, medical history and all details of a private and personal nature may be entrusted to staff and must be treated in a way that maintains this trust.

Information needed for the safety and well-being of a client should only be passed on to outside agencies following the guidance above.

In an emergency, staff will inform the Manager of any information given, the circumstances and to whom it was given.  At no time should such information be passed on during telephone conversations without the consent of the Manager or Deputy.

All written information of a personal nature remains the property of the client and as such must be filed in a locked cabinet at all times.  Clients will have access to this information at any time.

Staff who breach client confidentiality will be subject to disciplinary procedures.