OPSR29 DATA PROTECTION LEGISLATIVE FRAMEWORK (GDPR) ENGLAND
Policy area: Operations (Residential)
Title of policy: OPSR29 Data Protection Legislative Framework (GDPR) England
Version: V1 – September 2020
Effective date: 24 September 2020
Approved by: Chief Operating Officer
Approved date(s) Revision date: As required
On 25 May 2018 the Data Protection Act 2018, which is based on the General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998 in its entirety. It replaced the existing Data Protection Laws to make them fit for the digital age in which ever increasing personal data is being processed. The Act sets new standards for protecting personal data. Gives people more control over the use of their data and assists in the preparation for a future outside of the EU.
There are 4 main matters provided for, these are:
All the above need to be set in the context of international, national and local data processing systems which are increasingly dependent upon internet usage for exchange and transit of data. The UK must lock into international data protection arrangements, systems and processes and this Act updates and reinforces the mechanism to enable this to take place.
Given the size of the legislation and some of the media hype surrounding its introduction this policy is written in 2 Sections.
Section 1 Overview of the Act.
Section 2 The Policy and templates
Overview of the Act
The Act is structured in 7 parts, each of which covers specific areas. These are:
Part 1: Preliminary
This sets out the parameters of the Act, gives an overview, explains that most processing of personal data is subject to the Act and gives the terms relating to the processing of personal data.
Part 2: General Processing
This supplements the GDPR and sets out a broadly equivalent regime to certain types of processing to which the GDPR does not apply.
Part 3: Law Enforcement Processing
Part 4: Intelligence Services Processing
This covers only data handled by the above e.g. MI5 and MI6 and includes rights of access, automated decisions, rectification and erasure, obligations relating to security and data breaches.
Part 5: The Information Commissioner
general functions including publication of Codes of Practice and guidance
Part 6: Enforcement
This covers the new enforcement regime in relation to all forms of Notice issued by the Commissioner.
Part 7: Supplementary and Final Provision.
This covers legal changes which the new Act alters in relation to other legal matters, e.g. Tribunal Procedure rules, definitions, changes to the Data Protection Convention etc. and List of Schedule(s).
As you can see, this Act is a huge piece of legislation, the majority of which is outside the remit of service providers working within the Adult Health and Social Care Sector. The ICO confirms that many concepts and principles are much the same and businesses already complying with the current law are likely to be already meeting many of the key requirements of the GDPR and the new Act.
The Information Commissioner says the new Act represents a “step change” from previous laws. “It means a change of culture of the organisation. That is not an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the organisations overall systems approach to how it manages and processes personal data”. It’s a change of mindset in regard to data handling, collection and retention.
We need to stop taking personal data for granted, it’s not a commodity we own: its only ever on loan. Individuals have been given control and we have been given fiduciary duty of care over it!
As an organisation handling personal data on a day to day basis, this policy sets out the requirements of the new Act and how we, as an organisation will meet our legal obligations. Staff awareness and understanding of their responsibilities in regard to the handling, collection and retention of data will be core to the successful embedding of this policy.
Preparation: (The 12 Steps)
In order to comply with the requirements of the Act preparation should include the completion of the 12 steps.
Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf 24 September 2020 –
The ICO has issued this guidance as the start of the preparation. They have also made clear that they are aware that for small companies in particular time can be a factor in this preparation, but it is important to remember that you must start the 12 steps in order that you can show compliance.
As an organisation we are preparing for this new Act by completing these 12 steps.
The GDPR applies to “Controllers”, “Processors” and “Data Protection Officer” and to certain types of information, specifically, “Personal Data” and “Sensitive Personal Data” referred to in the Act as Special Categories of Personal Data”.
This role determines, on behalf of the organisation, the purposes and means of processing personal data.
This role is responsible for processing personal data on behalf of a controller. The Act places specific legal obligations on you, e.g. you are required to keep and maintain records of personal data and processing activities. This role has legal liabilities if they are responsible for any breach.
Data Protection Officer –
This role is a must only in certain circumstances if you are:
This means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. So, this would include name, reference or identification number, location data or online identifier. This reflects changes in technology which incorporates a wide range of different identifiers. Personal Data applies to both automated and manual filing systems. It can also apply to pseudonymised e.g. key-coded can fall within the GDPR dependent on how difficult it is to attribute the pseudonym to a particular individual’s race, ethnic origin, politics, religion, trade union membership, sex life or sexual orientation.
“Special Categories of personal Data”
This category of data is more sensitive and much more protected. Sensitive personal data specifically includes genetic data, biometric data, health, race, ethnic origin, politics, religion, trade union membership, sexual orientation Safeguards apply to other type of data e.g. criminal convictions and offences; intelligence data etc.
Data Protection Principles
The GDPR sets out the following principles for which organisations are responsible and must meet. These require that personal data shall be:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles” Article 5 (2) GDPR.
“Lawful bases” for processing
There are 6 lawful bases for processing data. These are:
The GDPR sets a high standard here. Consent means offering individuals real choice and control. Consent practices and existing paperwork will need to be refreshed and meet specific requirements. These are:
Consent is one lawful basis to consider but organisations in a position of power over individuals should consider alternative “lawful bases”. If we would still process their personal data without consent, then asking for consent is misleading and inherently unfair.
Consent within this policy relates only to data processing not Health or Support in a Social Care context. You must still use consent as defined within the Mental Capacity Act 2005 to deliver services.
Put simply, the processing is necessary for us as an organisation to comply with the law, e.g. the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which requires us as providers to collect, handle and process data in a prescribed manner.
The above are the 3 most pertinent bases for Health and Social Care data processing activity.
Contract, Vital Interests or Public Task apply within specific work settings and would be difficult to meet because service providers are subject to specific legislative and regulatory requirements in order to work within a “Regulated Activity”.
“Lawful bases” must be determined by the organisation before processing of any personal data and it is vital that thorough consideration is given to this decision.
Residents must be aware of the lawful base used by this organisation to process their personal data.
The GDPR provides the following rights for individuals:
Any individual request which falls into the above categories this organisation will follow the relevant guidance currently available on the following website:-
Subject Access Data Requests (SAR)
The Organisation, which follow’s the ICO’s Code of Practice, understands that an individual is legally entitled to require an organisation to provide access to, or copies of, all of that individual’s personal data held by the Organisation. This is known as a “Subject Access Request” (SAR).
Individuals also have the right to know:
The process will involve the following stages:
Privacy notices, transparency and control
To start off a privacy notice, you need to tell people, as a minimum:
Being transparent, and providing accessible information, is core to compliance and the GDPR. Privacy notices is the most common way to meet the GDPR requirements.
Transparency, in a governance or business context, is honesty and openness and the more transparent we can be the more easily understood and accessible our services become to the people who use them. In the context of data processing is simply that:
“it should be transparent to natural persons that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of their personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processor and further information to ensure fair and transparent processing in respect of the confirmation and communication of personal data concerning them which is being processed.”
Information Commissioner: Role and Function
Regarding the changes within the GDPR, National Supervising Authorities in all EU member states have had their powers of enforcement enhanced. Our ICO in the UK’s supervising authority.
Within the Enforcement Toolbox, the Information Commissioners Office known as the ICO, can now issue substantial fines of up to 20 million, or, 4% of an organisation’s global turnover for certain data protection infringements. Fines, when appropriate, will be of the discretion of the ICO with considerable variations expected to be levied. There are no fixed penalties or minimum fines, though there are different maximum fines for different breaches. The GDPR also empowers the ICO to create tailor made solutions to deal with infringements brought to their attention. This does not mean that organisations can relax about compliance, but diligent small and medium sized organisations can take comfort in the fact that they are unlikely to face the sort of punitive fines that rogue tech giants could to bring them to head.
The role and scope of the ICO has not fundamentally changed, but rather has been expanded and enhanced via the new GDPR.
Codes of Conduct and Certification Mechanisms
Although the use of any of the above is encouraged by the GDPR it is not obligatory. If an approved code of conduct or certification scheme becomes available that covers our processing activity, consideration will be given to working towards such a scheme as a way of demonstrating our compliance. The ICO will develop its own code of conduct as it has already worked with the Direct Marketing Commissions Code of Conduct: DMA Code.
Derogations and Exceptions
The Act provides that member states of the EU can provide their own national rules in respect of specific processing activities.
All Data Controllers must be familiar with Schedules 1-18 of the GDPR as these are the lawful exemptions pertinent to many other legal frameworks and Acts. These Schedules cover things such as Parliamentary Privilege, Health and Social Work, Criminal Convictions (Additional Safeguards), Research, Statistics and Archiving, Education Child Abuse, and include specific provisions for data processing within the Schedule(s).
For example: Schedule 15: Powers of Entry and Inspection. This Schedule sets out clearly the powers of the Information Commissioner’s Office in relation to warrant(s) issued by the courts which allow the ICO to enter premises and inspect data field there, including the seizure of documents. Schedule 18 is where all the legislative changes, in all pertinent primary legislation is found, including the repeal of the Data Protection Act 1998. As the Act is embedded in to the organisation, Data controllers, their role and responsibilities, will need to be reviewed and revised to ensure compliance.
Codes of Practice
The Act enhances the role of the Information Commission’s Office (ICO) in the compilation of such Codes and these will be available in due course. It is important that we are regularly checking the ICO website in order to keep up with current guidance.
This organisation believes that all data, required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained and stored in accordance to the requirements of the Data Protection Act 2018.
The General Data Protection Regulation (GDPR) form the basis of the Act but in order to be effective and compliant with its requirements, the Related Policy list should be viewed as core to this policy, as should Section 1 and the Related Guidance links.
After due consideration this organisation has determined that the Lawful Bases are used in the collection of data and these may vary depending on the data being processed.
These are explored in detail in the Company’s registers of processing activities
Data Protection Principles
The Act sets out 8 Principles which must be adhered to when processing data
Please refer to the Related Guidance links for further information
The GDPR sets out the following principles for which this organisation is responsible and must meet. These require that personal data shall be:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles” Article 5 (2) GDPR.
The GDPR provides the following rights for individuals:
Each of the above rights has its own Best Practice Process which you will find here:-
This is an accessible information declaration which should set out clearly how we will gather, use handle, store and process personal data.
The Code uses the term “Privacy Notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people’s expectations around personal data are changing, particularly through the use of social media, the use of mobile apps and the willingness of the public to share personal information via these platforms.
However, as an organisation we are increasingly aware of the fragile trust which can be easily broken through data breaches and are therefore seeking transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency and control become a given for users.
Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:
The Privacy notice must be easily understood by users of the service and include all of the above, it must also be easily visible so in this organisation it will be displayed in appropriate locations such as on the Company website, on notice boards and information guides for residents / families / staff where required.
See Privacy Notice’s available as part of the policy documentation.
Privacy and Electronic Communications Regulations (PECR)
The Data Protection Act 2018 still applies if you are processing personal data. The PECR sets out some extra rules for electronic communications and please be mindful of electronic schedule systems which will also come under PECR.
See the following policies:
The GDPR sets out Guidance on files and retention including archiving, specifically Health and Social Care personal data is generally exempt.
As a provider of services, file and retention guidelines are in place from our Regulator which includes CQC and the NHS as well as Local Authorities via the Service Specification within any contractual arrangements.
A periodic check of the Regulator’s Guidance should be part of the review of this policy.
These are explored in detail in the Company’s registers of processing activities and retention policy.
Security Integrity and Confidentiality
We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of Personal Data.
You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised processing of Personal Data and against the accidental loss or, or damage to, Personal Data. You must exercise particular care in protecting Special Categories of Personal Criminal Convictions Data from loss and unauthorised access, use or disclosure.
You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with GDPR and relevant standards to protect Personal Data.
The GDPR requires Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
The GDPR restricts data transfers to countries outside the European Economic Area (EEA) in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Personal Data may only be transferred outside the EEA, with approval of the DPO or a Director.
All staff, during induction are made aware of the organisations policies and procedures, all of which are used for training updates. All policies and procedures are reviewed and amended where necessary and staff are made aware of any changes. Observations are undertaken to check skills and competencies. Various methods of training are used including one to one, on-line, workbook, group meetings, individual supervisions and external courses are sourced as required.
In order to meet the requirements of the Act a thorough knowledge of the Guidance should be the priority for the Data Controller.
It is also important that the Act is placed in the context of other compliance requirements namely The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and all other lawful requirements such as Regulation 18 Staffing to name but one.
In recognition of the complexities of the Act, the ICO has set up an advice service for small organisations. https://ico.org.uk/global/contact-us/advice-service-for-small- organisations/
Changes to our Policy
This policy has been updated to include the changes being implemented by the General Data Protection Regulation (GDPR) which are in place on 25-May-2018. This policy will be reviewed tri-annually and updated when required.
Accessible Information and Communication Access to Records and Files
Data Breach Policy
Duty of Candour
Social Media and Public Relations
Privacy Notice – Recruitment Job Applicants
Data Protection Culture Statement (see below)
SAR Employee Application form
DATA PROTECTION STATEMENT
We are committed to data protection and data privacy. Following the General Data Protection Regulation (GDPR) becoming enforceable on 25 May 2018, we have undertaken a GDPR readiness programme to review the way we handle data and the way in which we use it to provide our services.
Our GDPR readiness programme is focused on the following areas:
We have a designated Group Data Protection Officer who oversees our information governance practices and coordinates the Group’s efforts to ensure we continue to manage personal data in the way our clients expect.
We are fully committed to the principles of data protection and to safeguarding our data and that of our clients.
For any questions, please contact the Group Data Protection Officer:
Group Data Protection Officer Scholes Mill
Old Coach Road
Derbyshire DE4 5FY