GDPR – GENERAL DATA PROTECTION REGULATION POLICY
Tender Loving Care Ltd believes that all data required for the delivery of the service and the lawful running of TLC Ltd must be collected, handled, maintained and stored in accordance with the requirements of the Data Protection Act 2018.
The General Data Protection Regulations (GDPR) form the basis of the Act but in order to be effective and compliant with its requirements, the Related Policy list should be viewed as core to this policy, as should Section 1 and the Related Guidance links.
PLEASE NOTE All Guidance from the ICO should be considered “Live Documentation” and regularly checked until all Codes of Practice and Guidance are issued. Working Party 29, known as WP29, is a representative body drawn from each of the EU member states which has developed and worked on the Act. WP29 still sits and meets in the European Parliament until all the complexities of the Act have been clarified and amended into law.
After due consideration TLC Ltd has determined that the following Lawful Bases are used in the collection of data:
Citation provides TLC with updates on legislation and compliance to assist TLC with the running of its day-to-day procedures and business activity; TLC consults Citation for legal advice on Employment Law and on issues covered under ‘Health and Safety’.
TLC is accredited to ISO standards 9001, 14001, 18001 and 27001 and is audited/inspected annually, both internally and externally. The Quality Management Systems set out the way in which the business is managed and monitored.
Data Protection Principles
The Act sets out 8 Principles which must be adhered to when processing data.
Please refer to the Related Guidance links for further information.
The GDPR sets out the following principles for which TLC Ltd is responsible and must meet. These require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles” (Article 5(2) GDPR).
Olwen Dean is the TLC Ltd Data Controller.
There are several changes here, in particular to the Right of Access in relation to timescales and fees. These must be fully understood in relation to anyone submitting a Subject Access Request. Please refer to the related Guidance link.
The GDPR provides the following rights for individuals:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Each of the above rights has its own Best Practice Process, which you will find here.
This is a new requirement for data processing: it is an accessible information declaration which should set out clearly how we will gather, use, handle, store and process personal data.
The Code uses the term “Privacy Notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people’s expectations about personal data are changing, particularly through the use of social media, the use of mobile apps and the willingness of the public to share personal information via these platforms.
However, as an organisation we are increasingly aware of the fragile trust which can be easily broken through data breaches and are therefore seeking transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency and control become a given for users.
Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
The Privacy Notice must be easily understood by users of the service and include all of the above. It must also be easily visible, so in TLC Ltd it will be displayed on our website and in our Service User Guide.
Privacy and Electronic Communications Regulations (PECR)
The Data Protection Act 2018 still applies if you are processing personal data. The PECR sets out some extra rules for electronic communications; please be mindful that electronic scheduling systems will also come under PECR.
The company uses an ICT system known as Agency Manager; all information is stored on this system and access is password protected.
The GDPR sets out Guidance on files and retention, including archiving; specifically, Health and Social Care personal data is generally exempt.
As we are a provider of services, file and retention guidelines are in place from our Regulators, which include Care Inspectorate Wales and the NHS, as well as Local Authorities via the Service Specification within any contractual arrangements.
A periodic check of the Regulator’s Guidance should be part of the review of this policy.
To meet the requirements of the Act a thorough knowledge of the Guidance should be the priority for the Data Controller.
It is also important that the Act is placed in the context of other compliance requirements namely The Regulated Services (Service providers) and (Responsible Individuals) (Wales) Regulations 2017.
In recognition of the complexities of the Act, the ICO has set up an advice service for small organisations. https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/
This policy has been updated to include the changes being implemented by the General Data Protection Regulations (GDPR) which are in place on 25/5/2018. This policy will be reviewed tri-annually and updated when required.
Appendix – TEMPLATE: Privacy Notice
- What information do we collect about you?
- How do we use such information?
- Access to your information and correction
What information do we collect about you?
The nature of our service means that very personal and sensitive information is discussed, openly and honestly, in order to ensure we can meet your health and social care needs in ways that are unique to your individual circumstances. The specific type of information is required in order for us to meet our legal and regulatory obligations as a registered provider.
The Lawful Bases which we use are contained within the Data Protection Act 2018 and is TLC Ltd office
How information about you will be used.
We may share information regarding your care with those who have a need to know, namely Health Professionals such as GPs, District Nurses and Hospitals; Local Authorities, including departments such as Social Services, Housing and Day Centres; any relevant person identified by you, such as an L.P.A.; and our staff. We would like to contact you about the services we provide; please indicate below your preferred contact method.
- Post
- Email
- Phone
- SMS
We will not share your information with anyone except those indicated above, unless required by law. If you do not wish this information to be shared, please indicate below.
Personal information supplied to us is used in a number of ways, for example:
- To agree a Care Plan
- To review your care needs
- To monitor your medication
- To help us improve our services
How will we use this information?
Upon completion of your Assessment of Need, we compile a Care Plan which sets out tasks, aspirations and outcomes in order to meet all your identified needs, and this is regularly reviewed and updated. This includes liaison with all those involved in your care, such as family, your representative, relevant health and social care colleagues and other professionals.
Access to your information and corrections.
All files held in your name are available for your perusal and you can ask us to remove information which is inaccurate. Please email or write to us at (Insert contact details here). Where you use our website, cookies are text files which collect log-on information and visitor behaviour information. Cookies track visitor use and compile statistical reports on website activity. You can set your browser to accept or decline cookies. Please be aware that declining cookies may mean a loss of function in some of our website features.
Accessible Information and Communication
Access to Records
Duty of Candour
- Smaller Organisations ICO https://ico.org.uk/for-organisations/business/
- Your privacy Notice Checklist https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/
- Guide to the General Data Protection Regulations (GDPR) https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
- Guide to the Privacy and Electronic Communications Regulations (May 2016) https://ico.org.uk/media/for-organisations/guide-to-pecr-2-3.pdf
- Records Management Code of Practice for Health and Social Care 2016 https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
- ICO Code of practice on privacy notices, transparency and control https://ico.org.uk/media/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control-1-0.pdf
- ICO Data protection Self-Assessment https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
- Direct Marketing Guidance https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf
- Data Protection Fees Information Commissioner https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/02/new-model-announced-for-funding-the-data-protection-work-of-the-information-commissioner-s-office/
- Example of Privacy Notice https://www.johnlewis.com/customer-services/shopping-with-us/privacy-notice
- Guide to privacy and Electronic Communications Regulations (PECR) https://ico.org.uk/for-organisations/guide-to-pecr/
- Data Protection and the use of criminal offence data for employment and education purposes August 2018 https://www.nacro.org.uk/wp-content/uploads/2018/08/Nacro-briefing-Data-protection-and-the-use-of-criminal-offence-data.pdf
Tender Loving Care Ltd is committed to the continuous improvement of its services and views staff learning and training as core to delivering a quality service. The Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017 and their accompanying Statutory Guidance make clear the importance of ongoing professional development and training of the workforce. We will continually review and revise our training in order to ensure that the Regulatory requirements are met.
Policy Review Date November 2018 by Olwen Dean
Policy Review Date December 2020 by Olwen Dean