GDPR 4LIFE HEALTH CARE
General Data Protection Regulation
Your privacy is very important to us. We have developed this General Data Protection Regulation (GDPR) in order for you to understand how we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal data. This General Data Protection Regulation (GDPR) describes the measures we take to ensure the protection of your Personal data. We also tell you how you can reach us to answer any questions you may have about data protection.
1.1 The purpose of this policy is to ensure that 4Life Healthcare Ltd understands the key principles of the General Data Protection Regulation (GDPR).
1.2 This policy sets out the steps that need to be taken by 4Life Healthcare Ltd to ensure that 4Life Healthcare Ltd handles, uses and processes personal data in a way that meets the requirements of GDPR. It should be read alongside the suite of 4Life Healthcare Ltd policies, procedures and guidance.
1.3 This policy applies to all staff at 4Life Healthcare Ltd who process personal data about other staff, Service User/ Clients and any other living individuals as part of their role.
2.1 The following roles may be affected by this policy:
2.2 The following people may be affected by this policy:
Service User/ Clients
2.3 The following stakeholders may be affected by this policy:
3.1 The objective of this policy is to ensure staff have a working knowledge into the principles and requirements of GDPR.
3.2 Alongside the suite of policies, procedures and guidance available 4Life Healthcare Ltd can demonstrate that appropriate steps are taken to ensure 4Life Healthcare Ltd complies with GDPR when handling and using personal data provided by both staff and Service User/ Clients.
3.3 This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.
3.4 This policy will assist with understanding the obligations of 4Life Healthcare Ltd in respect of the rights of the staff and Service User/ Clients who have provided personal data and the steps 4Life Healthcare Ltd should take if it breaches GDPR.
GDPR came into force on the 25 May 2018 and replaced the Data Protection Act
1998. Regardless of the impact of Brexit, GDPR will remain. GDPR provides greater protection to individuals and places greater obligations on organisations but can be dealt with in bite-size chunks to ensure that any impact on the provision of care and services is minimised.
GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records 1990 will continue to apply..
4Life Healthcare Ltd is required to take a proportionate and appropriate approach to GDPR compliance. 4Life Healthcare Ltd understands that not all organisations will need to take the same steps – it will depend on the volume and types of personal data processed by a particular organisation, as well as the processes already in place to protect personal data.
We understand that if we process significant volumes of personal data, including special categories of data, or have unusual or complicated processes in place in terms of the way we handle personal data, we will consider obtaining legal advice specific to the processing we conduct and the steps we may need to take.
GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records 1990 will continue to apply.
To ensure 4Life Healthcare Ltd compliance with GDPR, a suite of documents are available and should be read in conjunction with this overarching policy to provide a framework:
• Initial Privacy Impact Assessment Policy & Procedure
• GDPR – Key Terms Guidance
• GDPR – Key Principles Guidance
• GDPR – Processing Personal Data Guidance
• Appointing a Data Protection Officer Guidance
• Data Security and Retention Policy & Procedure
• Subject Access Requests Policy & Procedure
• Subject Access Requests Process Map Policy & Procedure
• Subject Access Requests – Request Letter Policy & Procedure
• Rights of a Data Subject Guidance
• Breach Notification Policy & Procedure
• Breach Notification Process Map Policy & Procedure
• Fair Processing Notice Policy & Procedure
• Consent Form
• GDPR – Transfer of Data Guidance
• Privacy Impact Assessment Policy & Procedure
The key principles and themes of each of the documents listed above are summarised below:
Initial Audit and Privacy Impact Assessment
4Life Healthcare Ltd understands that we should conduct an audit of the personal data we currently process. This can be carried out internally by 4Life Healthcare Ltd with the assistance of key staff members. The audit will reveal whether the ways in which 4Life Healthcare Ltd processes personal data meet the requirements of GDPR and will also indicate whether 4Life Healthcare Ltd should delete some of the personal data it currently holds. An initial Privacy Impact Assessment template is provided as part of the GDPR documentation.
GDPR places obligations on all organisations that process personal data about a Data Subject. A brief description of those three key terms is included in the Definitions section of this document and are expanded upon in the Key Terms Guidance.
The requirements that 4Life Healthcare Ltd need to meet vary depending on whether 4Life Healthcare Ltd is a Data Controller or a Data Processor. We recognise that in most scenarios, 4Life Healthcare Ltd will be a Data Controller. The meaning of Data Controller and Data Processor, together with the roles they play under GDPR, are explained in the Key Terms Guidance.
Special categories of data attract a greater level of protection, and the consequences for breaching GDPR in relation to special categories of data may be more severe than breaches relating to other types of personal data. This information is also covered in more detail in the Key Terms Guidance.
There are 6 key principles of GDPR which 4Life Healthcare Ltd must comply with. These 6 principles are very similar to the key principles that were set out in the Data Protection Act 1998. They are:
• Lawful, fair and transparent use of personal data
• Using personal data for the purpose for which it was collected
• Ensuring the personal data is adequate and relevant
• Ensuring the personal data is accurate
• Ensuring the personal data is only retained for as long as it is needed
• Ensuring the personal data is kept safe and secure
These key principles are explained in more detail in the guidance entitled ‘GDPR – Key Principles’.
4Life Healthcare Ltd recognises that in addition to complying with the key principles, 4Life Healthcare Ltd must be able to provide documentation to the Information Commissioner’s Office (ICO) on request, as evidence of compliance. We understand that we
must also adopt ‘privacy by design’. This means that data protection issues should be considered at the very start of a project, or engagement with a new Service User/ Clients. Data protection should not be an after-thought. These ideas are also covered in more detail in the Key Principles Guidance.
Processing Personal Data
The position has been improved under GDPR in terms of the ability of care sector organisations to process special categories of data. The provision of health or social care or treatment or the management of health or social care systems and services is now expressly referred to as a reason for which an organisation is entitled to process special categories of data.
In terms of other types of personal data, 4Life Healthcare Ltd must only process personal data if it is able to rely on one of a number of grounds set out in GDPR. The grounds which are most commonly relied on are:
• The Data Subject has given his or her consent to the organisation using and processing their personal data • The organisation is required to process the personal data to perform a contract; and • The processing is carried out in the legitimate interests of the organisation processing the data – note that this ground does not apply to public authorities
The other grounds which may apply are:
• The processing is necessary to comply with a legal obligation
• The processing is necessary to protect the vital interests of the Data Subject or another living person
• The processing is necessary to perform a task carried out in the public interest
The grounds set out above and the impact of the changes made in respect of special categories of data are explained in more detail in the guidance entitled ‘GDPR – Processing Personal Data’.
Data Protection Officers
4Life Healthcare Ltd understands that some organisations will need to appoint a formal Data Protection Officer under GDPR (a “DPO”). The DPO benefits from enhanced employment rights and must meet certain criteria, so we recognise that it is important to know whether 4Life Healthcare Ltd requires a DPO. This requirement is outlined in the policy and procedure on Data Protection Officers.
Whether or not 4Life Healthcare Ltd needs to appoint a formal Data Protection Officer, 4Life Healthcare Ltd will appoint a single person to have overall responsibility for the management of personal data and compliance with GDPR.
Data Security and Retention
Two of the key principles of GDPR are data retention and data security.
• Data retention refers to the period for which 4Life Healthcare Ltd keeps the personal data that has been provided by a Data Subject. At a high level, 4Life Healthcare Ltd must only keep personal data for as long as it needs the personal data
• Data security requires 4Life Healthcare Ltd to put in place appropriate measures to keep data secure
These requirements are described in more detail in the policy & procedure entitled Data Security and Retention.
Subject Access Requests
One of the key rights of a Data Subject is to request access to and copies of the personal data held about them by an organisation. Where 4Life Healthcare Ltd receives a Subject Access Request, we understand that we will need to respond to the Subject Access Request in accordance with the requirements of GDPR. To help staff at 4Life Healthcare Ltd understand what a Subject Access Request is and how they should deal with a Subject Access Request, a Subject Access Request Policy & Procedure is available to staff. A 4Life Healthcare Ltd process map to follow when responding to a Subject Access Request, as well as a Subject Access Request letter template is also included.
The Rights of a Data Subject
In addition to the right to place a Subject Access Request, Data Subjects benefit from several other rights, including the right to be forgotten, the right to object to certain types of processing and the right to request that their personal data be corrected by 4Life Healthcare Ltd. All rights of the Data Subject are covered in detail in the corresponding guidance.
Breach Notification Under GDPR
If 4Life Healthcare Ltd wishes to transfer personal data to a third party, we understand that we should put in place an agreement to set out how the third party will use the personal data. The transfer would include, for example, using a data centre in a non-EU country. If that third party is based outside the European Economic Area, we recognise that further protection will need to be put in place and other aspects considered before the transfer takes place. Guidance has been produced to explain the implications of transferring personal data in more detail.Privacy Impact Assessments
4Life Healthcare Ltd understands that there are two primary reasons to ensure that compliance with GDPR is achieved:
• It promotes high standards of practice and Support, and provides significant benefits for staff and, in particular, Service User/ Clients
• Compliance with GDPR is overseen in the UK by the ICO. Under GDPR, the ICO has the ability to issue a fine of up to 20 million Euros (approximately £17,000,000) or 4% of the worldwide turnover of an organisation, whichever is higher. The potential consequences are therefore significant.
4Life Healthcare Ltd appreciates that it is important to remember, however, that the intention of the ICO is to educate and advise, not to punish. The ICO wants organisations to achieve compliance. A one off, minor breach may not attract the attention of the ICO but if 4Life Healthcare Ltd persistently breaches GDPR or commits significant one-off breaches (such as the loss of a large volume of personal data, or the loss of special categories of data), it may be subject to ICO enforcement action. In addition to imposing fines, the ICO also has the power to conduct audits of 4Life Healthcare Ltd and our data protection policies and processes. 4Life Healthcare Ltd realises that the ICO may also require 4Life Healthcare Ltd to stop providing services, or to notify Data Subjects of the breach, delete certain personal data we hold or prohibit certain types of
5.1 All staff should review the GDPR policies and procedures and guidance that will be produced over the next few months.
5.2 4Life Healthcare Ltd will nominate a person or team to be responsible for data protection and GDPR compliance (if a formal Data Protection Officer is not required, somebody with an understanding of the requirements who can act as a day-to-day point of contact will be chosen).
5.3 The Registered Manager should ensure all staff understand the policies and procedures provided, including how to deal with a Subject Access Request and what to do if a member of staff breaches GDPR.
5.4 The Registered Manager will consider providing training internally about GDPR (in particular, the Key Principles of GDPR) to all staff members.
5.5 4Life Healthcare Ltd will conduct an audit of the personal data currently held by 4Life Healthcare Ltd (the initial Privacy Impact Assessment template provided will be used for this purpose).
5.6 4Life Healthcare Ltd will delete any personal data that 4Life Healthcare Ltd no longer needs, based on the results of the audit conducted, taking into account any relevant guidance, such as the Records Management Code of Practice for Health and Social Care 2016.
5.7 4Life Healthcare Ltd will, if necessary, put in place new measures or processes to ensure that personal data continues to be processed in line with GDPR.
5.8 4Life Healthcare Ltd will, if necessary, finalise and circulate a Fair Processing Notice to Service User/ Clients.
5.9 4Life Healthcare Ltd will ensure proper consent is obtained from each Service User/ Clients in line with GDPR regulations (the Consent Form provided can be used for this purpose). 4Life Healthcare Ltd will review the additional steps that 4Life Healthcare Ltd should be taken to ensure that 4Life Healthcare Ltd obtains consent from parents, guardians, carers or other representatives where 4Life Healthcare Ltd works with children or those who lack capacity.
5.10 4Life Healthcare Ltd will ensure that processes and procedures are in place to respond to requests made by Data Subjects (including Subject Access Requests) and to deal appropriately with any breaches or potential breaches of GDPR.
5.11 The Registered Manager will maintain a log of decisions taken and incidents that occur in respect of the personal data processed by 4Life Healthcare Ltd using the 4Life Healthcare Ltd Privacy Impact Assessment template
6.1 Data Subject
• The individual about whom 4Life Healthcare Ltd has collected personal data
6.2 Data Protection Act 2018
• The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive
• General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018
6.4 Personal Data
• Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below
6.5 Process or Processing
• Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it.
6.6 Special Categories of Data
• Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special Categories of Data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views
Key Facts – Professionals
Professionals providing this service should be aware of the following:
• GPDR provides greater protection for staff and Service User/ Clients in respect of their personal data
• Compliance is mandatory, not optional
• 4Life Healthcare Ltd has adopted an appropriate and proportionate approach what is right and necessary for 4Life Healthcare Ltd may not be right for another organisation
• Achieving compliance with GDPR will not only reduce the risk of ICO enforcement or fines but will also promote a better-quality service for Service User/ Clients and an improved working environment for staff
• This is the overarching policy and provides a high-level reference to all areas that are important for compliance with GDPR
• Understanding of the content of this policy should be embedded with all staff at 4Life Healthcare Ltd
• 4Life Healthcare Ltd must appoint a person with overall responsibility for managing GDPR. This person may be an official Data Protection Officer (DPO) or a person appointed to oversee privacy, governance and data protection.
Key Facts – People Affected by The Service
People affected by this service should be aware of the following:
• Your personal data will be protected
• You have a right to see what information we hold about you
• You will be asked for your consent before we obtain your personal data in line with GDPR requirements
• In addition to the GDPR regulations, our staff will continue to follow confidentiality policies in relation to all aspect of your Support
As well as the information in the ‘Underpinning Knowledge’ section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:
The Records Management Code of Practice for Health and Social Care 2016 has been issued by the Information Governance Alliance for the Department of Health. It is available on the NHS Digital website
To be ‘Outstanding’ in this policy area you could provide evidence that:
• 4Life Healthcare Ltd provides training to all staff in respect of GDPR and the new policies and processes that have adopted
• 4Life Healthcare Ltd Conducts Privacy Impact Assessments for each new processing activity carried out, whether or not the processing presents a ‘high risk’ to the Data Subjects
• There is evidence that 4Life Healthcare Ltd conducts regular (6 monthly or annual) audits of the personal data that is processed to ensure continued compliance with GDPR
• 4Life Healthcare Ltd can evidence that there are processes in place for ensuring 4Life Healthcare Ltd remains up to date with guidelines and recommendations relating to data protection, including ICO guidance and guidance issued by NHS Digital and this information is effectively cascaded to all relevant staff
• The wide understanding of the policy is enabled by proactive use of the QCS App