
Data & Privacy Policy: GDPR

1.1           GDPR Background

GDPR applied from 25 May 2018 and, together with the Data Protection Act 2018, replaced the Data Protection Act 1998.  Following the UK's departure from the EU, GDPR was incorporated into domestic law as UK GDPR, which applies in the UK.  UK GDPR gives individuals greater protection and places greater obligations on organisations than the pre-GDPR data protection regime, but it can be dealt with in bite-size chunks.  Compliance with data protection law should enhance the services and care provided by engendering trust between Apley Grange and the Sisters/Residents.

All staff must ensure that the ways in which they handle personal data meet the requirements of UK GDPR.

1.2           The Approach of Apley Grange to UK GDPR

Apley Grange is required to take a proportionate and appropriate approach to UK GDPR compliance.  Not all organisations need to take the same steps: what is required depends on the volume and types of personal data processed by a particular organisation and on the processes it already has in place to protect personal data.  If Apley Grange processes significant volumes of personal data, including special categories of personal data, or has unusual or complicated processes for handling personal data, it will consider obtaining legal advice specific to that processing and to the steps that may need to be taken.

1.3           UK GDPR and the Data Protection Act 2018 do not apply to personal data held about someone who has died.  Both the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990 continue to apply to such records.

 

1.4           Process for Promoting Compliance at Apley Grange

To ensure that Apley Grange complies with UK GDPR and the Data Protection Act 2018, a suite of data protection policies and resources is available.  They should be read in conjunction with this overarching policy, which together provide a framework for compliance.

1.5           Overview of Key Terms, Key Principles and Documents

The key terms, principles and themes of each of the documents in that suite are summarised below:

Key Terms

·       UK GDPR places obligations on all organisations that process personal data about a data subject.  A brief description of these three key terms (processing, personal data and data subject) is included in the Definitions section of this document and is expanded upon in the Key Terms Guidance.

·       The requirements that Apley Grange needs to meet vary depending on whether Apley Grange is a controller or a processor.  In most cases Apley Grange will be a controller, but it may be a controller in some circumstances and a processor in others.  The meaning of 'controller' and 'processor', together with the roles they play under UK GDPR, are explained in the Key Terms Guidance.

·       Special categories of data (for example health data) attract a greater level of protection, and the consequences of breaching UK GDPR in relation to special categories of data may be more severe than for breaches relating to other types of personal data.  This is also covered in more detail in the Key Terms Guidance.

Key Principles

There are 7 key principles of UK GDPR with which Apley Grange must comply.  They are:

·       Lawfulness, fairness and transparency – lawful, fair and transparent use of personal data

·       Purpose limitation – using personal data only for the purposes for which it was collected

·       Data minimisation – ensuring that the personal data is adequate, relevant and limited to what is necessary

·       Accuracy – ensuring that the personal data is accurate and kept up to date

·       Storage limitation – ensuring that the personal data is retained only for as long as it is needed

·       Integrity and confidentiality – ensuring that the personal data is kept safe and secure

·       Accountability – taking responsibility for what you do with personal data and being able to demonstrate how you comply with the other principles

Apley Grange must have appropriate measures and records in place to be able to demonstrate compliance.  These key principles are explained in more detail in the guidance entitled 'UK GDPR – Key Principles'.  In addition to complying with the key principles, Apley Grange must be able to provide documentation to the Information Commissioner's Office (ICO) on request as evidence of compliance.  Apley Grange must also adopt a 'privacy by design' approach: data protection issues should be considered at the very start of a project or of an engagement with new Sisters/Residents, not as an after-thought.  These ideas are also covered in more detail in the Key Principles Guidance.

Processing Personal Data

The provision of health or social care or treatment, or the management of health or social care systems and services, is expressly referred to in UK GDPR (Article 9(2)(h)) as a condition under which an organisation may process special categories of data.  That condition is needed in addition to, not instead of, one of the general lawful bases below.  For personal data of any type, Apley Grange must only process it if it can rely on one of the lawful bases set out in UK GDPR (Article 6).  The bases most commonly relied on are:

·       The data subject has given their consent to the organisation using and processing their personal data

·       The processing is necessary to perform a contract with the data subject

·       The processing is necessary for the legitimate interests of the organisation processing the data – note that this basis does not apply to public authorities processing personal data in the performance of their public tasks

The other bases which may apply are:

·       The processing is necessary to comply with a legal obligation

·       The processing is necessary to protect the vital interests of the data subject or another living person

·       The processing is necessary to perform a task carried out in the public interest

The bases set out above are explained in more detail in the guidance entitled 'UK GDPR – Processing Personal Data'.

Data Protection Officers


Some organisations are required to appoint a formal Data Protection Officer (a 'DPO') under UK GDPR.  A DPO benefits from enhanced employment protection and must meet certain criteria, so it is important to know whether Apley Grange requires a DPO.  The requirement is outlined in the Appointing a Data Protection Officer Policy and Procedure.  Whether or not a formal DPO is required, Apley Grange will appoint a single person with overall responsibility for the management of personal data and for compliance with UK GDPR.

Data Security and Retention

Two of the key principles of UK GDPR concern data retention (storage limitation) and data security (integrity and confidentiality).

·       Data retention refers to the period for which Apley Grange keeps the personal data it holds about a data subject.  At a high level, Apley Grange must keep personal data only for as long as it needs it, and must have a documented retention period for each category of data it holds.

·       Data security requires Apley Grange to put in place appropriate technical and organisational measures to keep personal data secure, proportionate to the risk to the data subject.

These requirements are described in more detail in the Data Security and Data Retention Policy and Procedure.

Website Privacy and Cookies Policy and Procedure

Where Apley Grange collects personal data via a website, it understands that it will need a UK GDPR compliant website privacy policy.  The privacy policy explains how and why personal data is collected, the purposes for which it is used and how long the personal data is kept.  A template website policy is provided.

 

Wider Privacy Policies

Apley Grange is required to provide certain information to all individuals about whom it processes personal data, and that information is usually provided via privacy policies.  A template external and employee-facing privacy policy is provided.  The template privacy policy sits alongside a consent form which can be used to ensure that Apley Grange obtains appropriate consent, particularly from the Sisters/Residents, to the various ways in which Apley Grange uses their personal data (where consent is the most appropriate basis for Apley Grange to rely upon).  The consent form contains advice and additional steps to take if the Sister/Resident is a child or lacks capacity.

 

Subject Access Requests

One of the key rights of a data subject is to request access to, and copies of, the personal data an organisation holds about them.  Where Apley Grange receives a subject access request, it must respond in accordance with the requirements of UK GDPR.  To help staff understand what a subject access request is and how to deal with one, a Subject Access Requests Policy and Procedure is available to staff.  A process map to follow when responding to a subject access request and a subject access request letter template are also included.

 

The Rights of a Data Subject

In addition to the right to make a subject access request, data subjects benefit from several other rights, including the right to be forgotten (erasure), the right to object to certain types of processing and the right to have inaccurate personal data corrected by Apley Grange.  Not all rights apply in all circumstances.  The rights of the data subject are covered in detail in the corresponding guidance.

 

Breach Notification Under UK GDPR

In certain circumstances, if there is a personal data breach (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), the ICO must be notified without undue delay and, where feasible, within 72 hours of Apley Grange becoming aware of the breach; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed.  There are therefore strict timescales for making such notifications.  A breach notification policy and procedure that can be circulated to all staff, together with a process map for Apley Grange to follow if a personal data breach takes place, is available.  This requirement is likely to have less impact on NHS organisations that are already used to reporting incidents using the NHS reporting tool.

 

Transfer of Data

If Apley Grange wishes to transfer personal data to a third party, an agreement must be put in place to set out how the third party will use the personal data.  If the third party is processing the data on the instruction of Apley Grange, the contract must cover the specific points set out in UK GDPR.  Apley Grange must consider carrying out due diligence on third party recipients of personal data of which Apley Grange is the controller.  Transfers of personal data outside the UK and EEA may only be made in specific circumstances; this includes a data processor processing personal data outside the UK or EEA on Apley Grange's behalf.  An adequacy decision has been made by the UK in respect of the EEA and by the EEA in respect of the UK, and certain other countries are covered by adequacy decisions made by the UK and the EEA.  Where an adequacy decision has been made, no further transfer safeguards need to be put in place.  If no adequacy decision has been made in respect of the recipient country, transfer safeguards will need to be put in place and other aspects considered, including a transfer impact assessment, before the transfer takes place.  Guidance has been produced to explain the implications of transferring personal data in more detail.  Apley Grange should consider seeking legal advice if it wishes to transfer personal data to a jurisdiction that does not benefit from a finding of adequacy.

 

Data Protection Impact Assessments

Apley Grange must carry out a Data Protection Impact Assessment before starting any processing of personal data that is likely to result in a high risk to data subjects.  Examples of when a Data Protection Impact Assessment should be conducted are provided in the relevant policy and procedure.  Given the volume of special category data routinely processed by organisations in the health and care sector, there are likely to be a number of scenarios which require a Data Protection Impact Assessment to be completed.

 

1.6           Compliance with UK GDPR

There are two primary reasons to ensure that compliance with UK GDPR is achieved:

·       It promotes high standards of practice and care, and provides significant benefits for staff and, in particular, for the Sisters/Residents

·       Compliance with UK GDPR is overseen in the UK by the ICO.  Under UK GDPR, the ICO can issue a fine of up to £17.5 million or 4% of an organisation's worldwide annual turnover, whichever is higher.  The potential consequences of non-compliance are therefore significant.

It is important to remember, however, that the ICO's intention is to educate and advise, not to punish.  The ICO wants organisations to achieve compliance and offers guidance on how to comply.  A one-off, minor breach may not attract the attention of the ICO, but if Apley Grange persistently breaches UK GDPR or commits a significant one-off breach (such as the loss of a large volume of personal data, or the loss of special category personal data), it may be subject to ICO enforcement action.  In addition to imposing fines, the ICO has the power to audit Apley Grange and its data protection policies and processes, and to issue instructions requiring Apley Grange to comply or put right its data processing practices, including requiring it to stop providing services, to notify data subjects of a breach, to delete certain personal data it holds or to cease certain types of processing.