IGPOL31 Data Protection Policy by Provide Community

Data Protection Policy

Version: V6

Ratified by: Finance & Risk Committee

Date ratified: 01/07/2021

Job Title of author: Information Governance Manager

Reviewed by Committee or Expert Group Technology Programme Board

Equality Impact Assessed by: Information Governance Manager

1. Introduction

The Provide Group needs to collect and use certain types of information about staff, patients and other individuals who come into contact with the organisation in order to operate. In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities, government agencies and other bodies.

This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this is compliant with data protectin legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

We regard the lawful and correct treatment of personal information as very important to successful operations, and to maintaining confidence between those with whom we deal and ourselves. We ensure that our organisation treats personal information lawfully and correctly.

The explosion in the use of the Internet, electronic communication and computerisation of data has led to an increase in the importance of privacy. Breaches of computerised data security have prompted the introduction of legislation on a national and European level.

These include:

• Human Rights Act 1998

• Freedom of Information Act 2000

• Privacy and Electronic Communications Regulations 2003

• Regulation of Investigatory Powers Act 2000

• Telecommunications (Lawful Business Practice) Interception of Communications Regulations 2000

• General Data Protection Regulations (GDPR)

• Data Protection Act 2018

• Data Protection Act 1998 (for incidents prior to May 2018)

• Computer Misuse Act 1990.

• European Union General Data Protection Regulation (EU GDPR)– Hereafter referred to as “DPA Legislation”

• Access to Health Records 1990;

• Access to Medical Reports Act 1988;

NHS & related guidance:

The following are the main publications referring to security and or confidentiality of personal identifiable information/data:

• Confidentiality: NHS Code of Practice (August 2003);

• A Guide to Confidentiality – NHS Digital (2013)

• Records Management Code of Practice for Health and Social Care 2016

• HSC2002/3 Implementing the Caldicott Standard into Social Care; and

• ISO 27001 Information Security Management Standard

2. Statement

The Senior Management of Provide are strongly committed to the rights of individuals whose data they collect and process and will comply with UK and EU laws related to personal information in-line with the DPA Legislation.

3. Definitions

Personal data – this is defined as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data subject – any living individual who is the subject of personal data held by an organisation.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse, or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.

Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.

Data subject consent - means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

It is worth noting that it extremely unlikely that Provide could ever rely on this basis as a provider of public services or with regards to management of employment. The organisation must always have another legal basis but staff who have interactions with patients staff or other data subjects should still seek permission where practical to do so. For example health professionals will ask for permission from a patient prior to referring them for treatment with another organisation

Child – the legislation defines a child as anyone under the age of 16 years old.

Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Filing system – any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

4. Duties

Provide is a data controller as defined under the DPA Legislation. Senior Management and all those in managerial or supervisory roles throughout Provide are responsible for developing and encouraging good information handling practices within the organisation; responsibilities are set out in individual job descriptions.

Provide has appointed a suitably qualified and experienced Data Protection Officer (DPO), reporting to the most senior management and advising the Provide Group on the management of personal information, compliance with data protection legislation, and good practice The DPO is contactable by any data subject and is a point of contact for the Information Commissioner’s Office (ICO).

It should be noted that compliance with the DPA Legislation requirements remains the responsibility of all staff who process or control personal information for Provide. All members of staff employed by the organisation are also responsible for ensuring that any personal data that is about them that is supplied by them to the organisation is accurate and up-to-date.

The Information Governance Policy defines specifically what training is required for all staff.

5. Risk Assessment

The organisation needs to ensure that it is aware of any risks associated with the processing of all types of personal information. A Risk Assessment procedure (known as a Data Protection (Privacy) Impact Assessment) has been implemented and is used by the organisation to assess any risk to individuals during processing of their personal information. Assessments will also be completed by Provide for any processing that is undertaken on their behalf by any third-party organisation. The organisation will also, through the application of the Data Protection (Privacy) Impact Assessment Policy and procedure, ensure that any identified risks are managed appropriately to reduce the risk of non-compliance.

Staff must follow the Data Protection (Privacy) Impact Assessment Policy and Procedures at the planning stage of all projects that involve the processing of personal information.

6. Principles of Data Protection

Any processing of personal data must be conducted in accordance with the following data protection principles of the DPA legislation, and Provides’ Information Governance policies and procedures will ensure compliance.

Personal data must be processed lawfully, fairly and transparently. Provides’ Fair Processing Leaflet (“Your Information Your Rights”) for patients and the Privacy Notice for staff details how this is achieved.

The DPA Legislation introduces the requirement for transparency whereby the controller has transparent and easily accessible policies relating to the processing of personal data and the exercise of individuals’ “rights and freedoms”. Information must be communicated to the data subject in an intelligible form using clear and plain language.

The specific information that must be provided to the data subject must as a minimum include:

• the identity and the contact details of the data controller and, if any, of the data controller's representative;

• the contact details of the Data Protection Officer;

• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

• the period for which the personal data will be stored;

• the existence of the rights to request access, rectification, erasure or to object to the processing;

• the categories of personal data concerned;

• the recipients or categories of recipients of the personal data, where applicable;

• where applicable, that the data controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;

• any further information necessary to guarantee fair processing.

Personal data can only be collected for specified, explicit and legitimate purposes. Data obtained for specified purposes must not be used for a purpose that differsfrom those formally notified tothe Information Commissioner as part of Provide’s DPA Legislation registration which is Z2604172. The purposes for processing are defined in the organisation’s “Your Information Your Rights” leaflet for staff and the Privacy Notice for Staff.

Personal data must be adequate, relevant and limited to what is necessary for processing. The Data Protection Officer will be consulted to ensure that information, which is not strictly necessary for the purpose for which it is obtained, is not collected. All data collection methods (electronic or paper-based), including data collection requirements in new information systems, must be approved by the DPO and approval recorded through the use of the Data Protection (Privacy) Impact Assessment methodology.

7. Other Considerations

Personal data must be accurate and kept up to date. Data that is kept for a long time must be reviewed and updated as necessary. Any data that is considered to be inaccurate or likely to be inaccurate must be removed.

Directors, directorate managers and all staff in managerial or supervisory roles are responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.

All individuals are responsible for ensuring that live data held by Provide is accurate and up-to-date. Any data submitted by an individual, such as via a form, will be considered to be accurate at the time of receipt. Provide Services must have mechanisms in place for ensuring that information that is maintained over time is checked for accuracy for example by checking contact and other details with patients at the time of appointments or through other interactions (e.g. confirming appointment details over the phone).

Employees of the organisation should notify Provide of any changes in personal information to ensure personal information is kept up to date in their staff file.

If a third-party organisation has been provided inaccurate or out-of-date personal information, the organisation is responsible for informing them that the personal information is inaccurate and/or out-of-date and advise them that the information should no longer be used. This requirement will be included in Information sharing agreements including the responsible person for ensuring that this happens.

8. Personal Data Considerations

Personal data must be kept in a form such that the data subject can be identified only as long as is necessary. Where a system does not have the capacity to delete personal identifiable information then once the information has reached the end of its retention period it should be inaccessible to users of the system and upon decommissioning, the system (along with audit trails) should be retained for the retention period of the last entry related to the schedule

Personal data will be retained in line with the Records Management Policy (IGPOL35)

Personal data must be processed in a manner that ensures its security

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed. Security controls will be subject to audit and review.

Provide’s compliance with this principle is contained in its Information Security Policy (IGPOL53)

Personal data shall not be transferred to a country or territory outside the European Union Member States unless that country or territory ensures an

adequate level of protection for the ‘rights and freedoms’ of data subjects in relation to the processing of personal data.

The transfer of personal data outside of the EU Member States is prohibited unless one or more of the specified safeguards or exceptions apply.

International transfers can occur at the request of the Data Subject for example if they reside in another Country. Examples of such scenarios would be if they would like a reference to an employer or education provider in another country or if they are making a Subject Access Request.

Safeguards

An assessment of the adequacy by the data controller taking into account the following factors:

• the nature of the information being transferred;

• the country or territory of the origin, and final destination, of the information;

• how the information will be used and for how long;

• the laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and

• the security measures that are to be taken as regards the data in the overseas location. (This is a UK-specific option.)

Provide has stipulated that it does not transfer personal data outside of the EU through its Data Protection and Security Toolkit Submission and in some cases to its commissioners as well as to the Information Commissioners Office.

Provide may adopt approved Binding Corporate Rules or standard Contractual clauses approved by the ICO for the transfer of data outside the EU Member States. Binding corporate rules require submission to the ICO for approval of the rules that Provide is seeking to rely upon. If Provide adopts the model contract clauses approved by the relevant Supervisory Authority there is an automatic recognition of adequacy. Alternatively the EU-US Privacy Shield is binding legal instrument under European law which can be used as a legal basis for transferring personal data to the US. (Ref: Using the privacy shield to transfer data to the US, Information Commissioner’s Office)

Where a requirement for transfer of personal data outside of the EEA is identified this must be raised with the Information Governance Manager and/or the DPO in the first instance.

9. Contract Clauses for Data Processing

Where information is being processed by a third party (Data Processor) on behalf of Provide a Contract must be put in place that satisfies the requirements of the DPA Legislation. The contracts team must be engaged at an early stage of any new data processing activities.

Standard contractual clauses have been agreed for inclusion in Provide contracts that meet the requirements of the DPA legislation as well as clauses relating to Confidentiality and Records Management where applicable.

10.Accountability

Data Protection Legislation states that the data controller is not only responsible for ensuring compliance but for demonstrating that each processing operation complies with the requirements of the legislation. As a result, controllers are required to keep all necessary documentation of all processing operations, and implement appropriate security measures. They are also responsible for completing Data Protection (Privacy) Impact Assessments (DPIAs), complying with requirements for prior notifications, or approval from supervisory authorities and ensuring a Data Protection Officer is appointed if required.

Any new processing activities must be recorded in the relevant service’s Information Asset register held. This information will be held in the Information Asset register system “Flowz” which will risk assess any processing activities and flag these to the IG Team, DPO and SIRO.

11.Data Subjects Rights

Data subjects have the following rights regarding data processing, and the data that is recorded about them:

• To make subject access requests regarding the nature of information held and to whom it has been disclosed.

• To prevent processing likely to cause damage or distress.

• To prevent processing for purposes of direct marketing.

• To be informed about the mechanics of automated decision-taking process that will significantly affect them.

• Not to have significant decisions that will affect them taken solely by automated process.

• To take action to rectify, block, erased, including the right to be forgotten, or destroy inaccurate data.

• To request the ICO to assess whether any provision of the Data Protection Legislation has been contravened.

• The right for personal data to be provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.

• The right to object to any automated profiling without consent.

N.B. Not all of these rights apply to health or care records, or where the organisation processes information for public health or scientific research purposes. Advice should be sought from the IG Team where a data subject makes such a request other than right of access or rectification which are defined in the organisation’s Access to Health Records Policy and Procedures (IGPOL88) and Subject Access Requests from staff for access to their personal data. These Policies and procedures also describes how Provide will ensure that its response to the data access request complies with the requirements of the Regulation.

12.Complaints

A Data Subject has the right to complain to at any time to Provide if they have concerns about how their information is used. If they wish to lodge a complaint this should be directed using the organisation’s Complaints and Compliments Policy (CSPOL01) A Data subject may make a complaint directly to the DPO. A Data subject also has the option to complain directly to the Information Commissioners Office. Contact details

for both the DPO, Customer Services team and the ICO are detailed in the organisation’s “Your Information Your Rights” Privacy notice and via the Provide Website and the Privacy notice for staff.

13.Data Security

The requirements for Data Security are defined in IGPOL53 – Information Security Policy.

14.Retention and disposal of data

Personal data must not be retained for longer than is required or disposed when it is still required. The requirements for retention and disposal of Information is defined in IGPOL35 – Records Management Policy. Provide follows the NHS Digital records Retention schedules which are available on the staff intranet.

Any personal data must be disposed of in line with the requirements of the Information Security Policy (IGPOL53)

15.Audit

An audit against the terms of this policy will be performed at regular intervals to ensure compliance with Data Protection Legislation through the Confidentiality and Data Protection Audit and through ad-hoc spot checks.

16. Training

Data Protection Training is covered in the annual Information Governance training which is mandatory for all staff to complete.

17.Review

This policy will be reviewed every 2 years by the Information Governance Team. Earlier review may be required in response to exceptional circumstances, organisational change or relevant changes in legislation.

Appendix 1 – PERSON IDENTIFIABLE AND SENSITIVE CATEGORIES OF INFORMATION

Any of the following information collected in the course of a patient’s care or Staff administration could constitute person identifiable information:

• Name

• Address

• Post code

• Date of birth

• NHS Number

• National Insurance Number

• Carer’s details

• Next of kin details

• Contact details

• Bank details

• Lifestyle (in both work and leisure behaviour patterns and (on an individual basis) in activities, attitudes, interests, opinions, values, and allocation of income.)

• Family details

• Voice and visual records (e.g. photographs, video, voice recordings)

• IP address

This list is not exhaustive

The following categories of data are defined as “Sensitive” under Data Protection Legislation:

• race;

• ethnic origin;

• politics;

• religion;

• trade union membership;

• genetics;

• biometrics (where used for ID purposes);

• health information including mental health and disability;

• sex life; or

• sexual orientation.

• Criminal Records and Allegations

Appendix 2 – Data Protection Principles

Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.

Article 5(1) requires that personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

IGPOL31 Data Protection Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

Personal information must be dealt with properly however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this is compliant with data protection legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Project/Policy Manager:

Petra Lastivkova

Date: 17/3/2022

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

neutral

Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

neutral

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised. It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative. The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful Websites www.equalityhumanrights.com Website for new Equality agency www.employers-forum.co.uk – Employers forum on disability www.disabilitynow.org.uk – online disability related newspaper www.efa.org.uk – Employers forum on age

IGPOL31 Data Protection Policy

Data Protection Policy

Contents

1. Introduction

2. Statement

3. Definitions

4. Duties

5. Risk Assessment

6. Principles of Data Protection

7. Other Considerations

8. Personal Data Considerations

Safeguards

9. Contract Clauses for Data Processing

10.Accountability

11.Data Subjects Rights

12.Complaints

13.Data Security

14.Retention and disposal of data

15.Audit

16. Training

17.Review

Appendix 1 – PERSON IDENTIFIABLE AND SENSITIVE CATEGORIES OF INFORMATION

Appendix 2 – Data Protection Principles

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 1: ‘Screening’

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2: