As a company our policy guidelines defines the arrangements in place within the Organisation that assures compliance to the requirements of the General Data Protection Regulation (“GDPR”), as relevant to the Organisation’s business interests.
In all aspects of this Policy the term “Organisation” refers to the Domiciliary Care Service that operates as a viable and on-going business in accordance with the requirements of the Care Act 2014:
A: INTRODUCTION:
- The General Data Protection Regulation (henceforth abbreviated to “GDPR”) addresses certain requirements for all Organisations that collect and process personal data as part of their on-going business operations. Personal data is defined as any information relating to an “identifiable living individual”, and will therefore apply to the Organisation’s service users, employees and suppliers.
- The GDPR applies to any data recorded in a filing system that allows personal data to be easily accessed. In this respect GDPR will apply to any of the following types of file where data may be stored:
2.1 – “Hard copy” (paper) files relating to employees (e.g. employment records, safeguarding records, risk assessments, assessments of care needs, care planning, and other documents requiring original signatures).
2.2 – Electronic (computer) files relating to staffing issues, (shift allocation, staff skills, training), complaints etc, and service user issues (care planning, environmental risk assessments, accidents etc).
2.3 – Digital image files relating to the following:
-
- Photographs of staff – for ID badges / verification of identity as part of employment vetting
- photographs of service users – Care Plan / medicine assistance verification of identity / CCTV images
- biometric scans – fingerprint scans for door entry systems
B: PRINCIPLES OF DATA PROTECTION:
- The way in which our Organisation manages service user / staff information will conform to the following 6 principles of Information Management:
-
- Justify the purpose(s) of using confidential information;
- Only use it when absolutely necessary;
- Use the minimum that is required;
- Access to be on a strict need-to-know basis;
- Everyone should understand his or her responsibilities;
- Understand and comply with the law.
- The Organisation is committed to the enforcement of the following Code of Good Practice in relation to the data it retains on service users and employees. In summary, data will:
-
- be fairly and lawfully processed;
- be used for a limited and well-explained purpose;
- be relevant to the Organisation’s needs;
- not be unnecessarily excessive in detail;
- be accurately maintained;
- not be kept any longer than is necessary, or as required by law;
- only be used in accordance with the individual subject’s rights;
- be securely stored;
- only be made available to authorised persons.
- In this respect the following additional policies within the Organisation’s documentation system are relevant:
C: POLICY DETAILS:
- The core activities of the Organisation centres around the collection and processing of large quantities of personal data. Most of this data originates from the service users as assessments of care needs, care planning, records of care service delivery, risk assessments etc, but personal data from staff members (CVs, employment records etc) will also be Data is classified into 2 categories for the purposes of this Policy; Personal Data and Sensitive Personal Data:
- Personal Data – this is defined as any information relating to an individual who is identified or otherwise identifiable, whether directly or indirectly. Examples here would be:
-
- date of birth
- current drivers’ licence
- photograph
- mobile phone number
- Sensitive Personal Data – certain types of information have been assessed as requiring additional protection under the GDPR. This will include an individual’s:
-
- ethnicity / racial origin
- political affiliations
- religious belief
- physical / mental health
- gender identity / sexual orientation
- genetic / biometric data
- This type of data requires stricter control than personal data. Staff receive appropriate training in the types of data needed to accomplish a particular activity, for example, the development of a service user’s Care Plan. Since it is highly likely that the constituent documents and records of a Care Plan will include a mixture of both categories of data, care will be taken to only use the data required, and not more than is absolutely necessary to deliver a high-quality service.
- The Organisation is fully committed to up-holding the legal principles of Data Protection as interpreted through the Office of the Information Commissioner (ICO). In particular:
3.1 – The service user will be kept informed about who, why, when, where and how (“WWWWH”) their information will be held and used (“processed”).
3.2 – At the first point of contact, and prior to data collection, everybody whose data will be processed (current service users and staff members) will be provided with a Privacy Notice which will identify the circumstances under which any data they volunteer is collected, and subsequently processed. It is a fundamental requirement that written consent from the subject individual (service user / staff member) be obtained in order for personal data to be collected. This facility is built into the Privacy Notice.
- The following will be considered when developing a Privacy Notice:
-
- The actual information being collected
- Who is collecting it
- How it is collected
- Why it is being collected
- How it will be used
- Who it will be shared with (as appropriate)
- The effect of this on the individuals concerned
- Whether the intended use is likely to cause individuals to object or complain
- All individuals, service users and employees, have the right of access to manual, electronic and digital records that are relevant to their personal data.
- Where it is deemed necessary to divulge personal data to a third party this will only be done with the express permission of the individual subject, ref. Confidentiality Policy, No 1505. In this respect both staff and service users / relatives / advocates will also be advised that personal information held by the Organisation may be shared with the Registration / Regulating Authority, as appropriate.
- The Organisation is committed to understanding and respecting the rights of the individual with respect to the safe and secure handling, storing and management of that individual’s personal data. The Organisation will therefore uphold the following fundamental rights for individuals concerning their personal data, per the requirements of the GDPR:
-
- the right to be kept informed
- the right of access to their data at any reasonable time
- the right to rectify / modify records
- the right to erase / redact any information
- the right to restrict processing of data (e.g. on a “need-to-know” basis)
- the right to data portability
- the right to object to any part of the data content
8 – Personal data and records will be maintained under appropriate conditions of security to prevent any unauthorised or accidental disclosure. Records can be in hard copy (paper) format, or as electronic files (word processed and scanned pdf files), or as digital files (biometric scans and digital photographs). In each case Policy No 1505 refers, and particular attention is paid to the following aspects of data sharing and storage:
8.1 – Hard Copy (paper) files:
-
- location of storage;
- identification of those employees authorised to have access to specific data;
- service users / advocates authorised to have access to their personal records;
- responsibilities for secure storage of the data at the Organisation;
- retention times; i.e. how long data records are kept.
8.2 – Electronic (computer) files:
- responsibilities for implementing data security systems for computer files;
- password-protection, and / or encryption, for access to sensitive data files;
- who is authorised to have knowledge of passwords / encryption;
- how often passwords are changed;
- implications for networked systems;
- how long data records are kept for (retention times);
- back-up, control and management of personal data files;
- any special control requirements needed when on-line back-up services are used.
8.3 – Digital files (photographs, CCTV images and biometric scans):
-
- responsibilities for implementing security systems for digital files;
- password-protection for access to sensitive data files;
- who is authorised to have knowledge of these passwords;
- how often passwords are changed;
- how long records are kept for;
- procedures for the control and management of personal data.
9 – When personal data is being processed, administrative staff will take all reasonable precautions to prevent access to data by unauthorised persons:
9.1 – Record files are locked away when not required, ensuring that computer / biometric files are password-protected and that passwords are regularly changed.
9.2 – Where practical, computer VDU screens are tilted towards the user and away from the general office environment.
9.3 – VDUs are not left on when not in use – switched off / locked.
9.4 – Managing a “clear desk” policy for personal office housekeeping, ensuring that confidential electronic files are encrypted when not in use, and that waste confidential paper is destroyed by cross-cut shredding.
9.5 – Ensuring that confidential conversations are not overheard.
9.6 – Ensuring that information is transported securely.
10 – Privacy Impact Assessments / Data Protection Impact Assessments:
Privacy Impact Assessments (PIAs), or Data Protection Impact Assessments (DPIAs), help Organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
10.1 – Privacy impact assessment is a process which helps an organisation to identify and reduce the privacy risks of a project. An effective PIA uses existing project management processes to assess how a particular project or system will affect the privacy of the individuals involved.
10.2 – Privacy, ref. Policy No: 3103, is about the right of an individual to be left alone. There are 2 types of privacy, each subject to different types of intrusion:
- Physical privacy – the ability of a person to maintain their own physical space or solitude. Intrusion can come in the form of unwelcome searches of a person’s home or personal possessions, acts of surveillance, and the taking of biometric information.
- Informational privacy – the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others. Intrusion can come in the form of collection of excessive personal information, disclosure of personal information without consent and misuse of such information. It can include the collection of information through the monitoring of communications whether by post, phone or online and extends to monitoring the records of senders and recipients as well as the content of messages.
10.3 – Privacy Risk – the risk of harm to a person (the “Data Subject”) arising through an intrusion into privacy. This is concerned primarily with minimising the risk of informational privacy – the risk of harm through use or misuse of personal information. Some of the ways this risk can arise is through personal information being:
- inaccurate, insufficient or out of date;
- excessive or irrelevant;
- kept for too long;
- disclosed to persons not unauthorised by the Data Subject to have it;
- used in ways that are unacceptable to the Data Subject;
- not kept, or backed-up, securely;
- not disposed of securely when no longer required.
10.4 – Harm can present itself in different ways. Sometimes it will be tangible and quantifiable, for example financial loss or losing a job. At other times it will be less defined, for example damage to personal relationships andsocial standing arising from disclosure of confidential or sensitive information. Sometimes harm might still be real even if it is not obvious, for example the fear of identity theft that comes from knowing that the security of information could be compromised. There is also harm which goes beyond the immediate impact on individuals. It can contribute to a loss of personal autonomy or dignity, or exacerbate fears of excessive surveillance.
10.5 – The outcome of a PIA should be a minimisation of privacy risk. As such, the Organisation will develop an understanding of how it will approach the broad topics of privacy and privacy risks for its service users and staff. Understanding privacy risk in this context requires an understanding of the relationship between an individual and the Organisation, and factors that can have a bearing on this include the following:
- reasonable expectations of how the activity of individuals will be monitored.
- reasonable expectations of the level of interaction between an individual and an organisation.
- the level of understanding of how and why particular decisions are made about people.
10.6 – The projected benefits of a PIA – it is the Organisation’s objective that undertaking an effective PIA should benefit the people affected by the project and also the organisation carrying out the project. Benefits can include the following:
- It will demonstrate to the ICO (Information Commissioner’s Office) how personal data processing complies with legal requirements, and that individuals can be reassured that the organisations which use their information have followed best practice.
- A project which has been PIA assessed should be less privacy intrusive and therefore less likely to affect individuals in a negative way.
- A PIA should improve transparency and make it easier for individuals to understand how and why their information is being used.
- Undertaking the assessment will improve how the Organisation uses information which impacts on individual privacy. This should in turn reduce the likelihood of the Organisation failing to meet its legal obligations.
10.7 – Conducting and publicising a PIA will help our Organisation to build trust with our service users. The actions taken during and after the PIA process can improve our understanding of our service users. There can be financial benefits to conducting a PIA. Identifying a problem early will generally require a simpler and less costly solution. A PIA can also reduce the ongoing costs of a project by minimising the amount of information being collected or used where this is possible, and devising more straightforward processes for staff. Consistent use of PIAs will increase the awareness of privacy and data protection issues within an organisation and ensure that all relevant staff involved in designing projects consider privacy at the early stages of a project.