This policy document sets out the principles and practices adopted by CHS Healthcare (a trading name of Carehome Selection Ltd hereafter referred to as CHS) for assuring their compliance with the Data Protection Act 1998 (to be superseded by the General Data Protection Regulation in May 2018) and the NHS Confidentiality Code of Practice.
2. Policy Context – the Data Protection Act 1998 (to be superseded by the General Data Protection Regulation in May 2018) and its relevance
The Data Protection Act 1998 (to be superseded by the General Data Protection Regulation in May 2018) regulates the use and processing of personal data held on computer and paper records.
Data protection law applies whenever a data controller processes personal data.
Data protection law exists to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business.
As a service provider to public sector health and social care organisations, CHS processes personal data relating to employees, patients, customers, suppliers and business contacts in order for it to fulfil its business requirements.
According to the Act, CHS is a data controller, i.e. a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
A data controller is obligated by the Act to ensure it complies with the requirements of the Act.
Non-compliance with the Act by a data controller may result in damage to the data controller’s reputation and financial sanctions against the data controller.
To comply with the Act CHS is required to ensure the following:
It has mechanisms for assuring its annual notification to the Office of the Information Commissioner. The Head Office Manager is responsible for the annual notification.
It has mechanisms in place to ensure its compliance with the eight data protection principles. The eight principles advocate fairness, transparency and openness in the processing of personal information by data controllers.
The Data Protection Leads (see 5.1) are responsible for ensuring staff awareness of the principles and for reviewing compliance across the organisation.
It has mechanisms in place to ensure its compliance with the upholding of individual rights.
The Data Protection Leads are responsible for ensuring staff awareness of individual rights and for reviewing compliance in upholding these rights across the organisation.
Policy context will be further reviewed and re-articulated prior to the General Data Protection Regulation coming into force.
3. Scope and Application of the Policy
This policy covers all aspects of personal data processed within CHS including:
Patient/Client/Service User information
This policy covers all types of information, including:
Structured record systems: paper and electronic
Unstructured information: paper and electronic
Transmission of information: fax, e-mail, post and telephone
This policy also covers the contents of all information systems purchased, developed and managed by, or on behalf of, CHS and any individual directly employed or otherwise by the organisation.
This policy applies to all employees, servants, agents and clients of CHS who provide personal data to them.
4. Policy Statement
It is CHS policy that the processing of personal data by, or on behalf of, CHS or any of its customers – whether as a Data Controller (joint or in common) or as a Data Processor – shall be in accordance with the requirements, as currently understood, of the Data Protection Act 1998 (to be superseded by the General Data Protection Regulation in May 2018) and the current version of the NHS Confidentiality Code of Practice.
5. Assurance of Data Protection by CHS
5.1 Data Protection Framework
The Chief Executive has ultimate responsibility for compliance with the Policy but has delegated leadership for Data Protection within CHS to be jointly fulfilled by the Operations Manager who is also the Caldicott Guardian and the Financial Controller who is also the Senior Information Risk Owner for the company. Specific responsibilities of the Data Protection Leads will include operational responsibility for reviewing policies and procedures, delivering data protection training to staff members, supporting and advising staff on day-to-day data protection matters as they arise, conducting data compliance audits and information flow mapping exercises.
The Management Team is ultimately jointly responsible for compliance with the Act, with each manager performing the lead role within their respective area of the business; all senior Managers and Coordinators are responsible for ensuring that systems and processes within their work areas comply with the requirements of the Act.
All persons working for or on behalf of CHS, who have access to Person Identifiable Data, are responsible for ensuring that any personal data which they hold is kept securely, and is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party. Failure to comply may be regarded as a disciplinary incident.
5.2 Data Protection Assurance
CHS will, through appropriate management, ensure the following actions to assure its compliance with the Data Protection Act (to be superseded by the General Data Protection Regulation in May 2018):
Observe fully the conditions regarding the fair collection and use of information
Meet obligations to specify the purposes for which information is used
Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
Ensure the quality of information used
Apply strict checks to determine the length of time information is held
Ensure that the rights of people about whom information is held can be fully exercised under the Act
Take appropriate technical and organisational security measures to safeguard personal information
Ensure that personal information is not transferred abroad without suitable safeguards
Ensure there is someone with specific responsibility for data protection within the organisation
Ensure everyone managing and handling personal information is made aware that they are contractually responsible for following good data protection practice
Ensure everyone managing and handling personal information is appropriately trained to do so
Ensure everyone managing and handling personal information is appropriately supervised
Ensure anybody wanting to make enquiries about handling personal information knows what to do
Ensure queries about handling personal information are promptly and courteously dealt with
Ensure methods of handling personal information are clearly described
Ensure a regular review and audit is made of the way personal information is managed
Ensure methods of handling personal information are regularly assessed and evaluated
5.3 Policy Monitoring Arrangements
This policy will be monitored and will be subject to a regular review, which will take place within 6 months from the original date of issue of this policy and at 12-monthly intervals thereafter.