Lucas Love Healthcare (LLHC) needs to gather and use certain information about individuals.
These can include service users, residents, employees, customers, suppliers, business contacts, and other people we have a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures LLHC:
- Complies with data protection law and follows good practice.
- Protects the rights of service users, residents, staff, customers and partners.
- Is open about how it stores and processes individuals’ data.
- Protects the organisation from the risks of a data breach.
Data protection law
The General Data Protection Regulation (EU 2016/679) (GDPR) regulates how organisations collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The GDPR is underpinned by six important principles to which LLHC will adhere. These say that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This policy applies to:
- The head office of LLHC.
- All clients, service users, residents, staff, contractors, suppliers and other people working on behalf of LLHC.
It applies to all data that we hold relating to identifiable individuals. This can include for example:
- Names of individuals, postal/email addresses, telephone numbers.
- Sensitive personal data such as information in relation to physical or mental health conditions, religious beliefs, ethnic origin.
Data Protection Risks
This policy helps to protect LLHC from some very real data security risks, including:
- Breaches of confidentiality – for instance, information being given out inappropriately about our service users or staff.
- Failing to offer choice – for instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage – for instance, LLHC could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with LLHC has some responsibility for ensuring data is collected, stored and handled appropriately.
Everyone who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. Failure by staff to comply with the data protection policy and principles could result in disciplinary action.
However, the following have key areas of responsibility:
- The Directors are ultimately responsible for ensuring that LLHC meets its legal obligations.
- The Data Protection Officer, Stuart Johnstone, is responsible for:
  - Keeping the Board updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training and advice for the people covered by this policy.
  - Dealing with requests from individuals to see the data we hold about them (also called “subject access requests”).
  - Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- The IT Contractors, Coritas, are responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Ensuring all personal and company data is non-recoverable from any computer system previously used within the organisation which has been passed on/sold to a third party.
  - Evaluating any third-party services Coritas is considering using to store or process data, for instance cloud computing services.
- The Directors are also responsible for:
  - Approving any data protection statements attached to communications such as e-mails and letters.
  - Addressing any data protection queries from journalists or media outlets like newspapers.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- LLHC will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used, changed every 6 months and never shared.
- Personal data should not be disclosed to unauthorised people, either within LLHC or externally.
- When receiving telephone enquiries about personal data we hold on our systems, the following rules apply:
a) We will not give personal information by phone.
b) We will suggest that the caller put their request in writing; where the enquirer is a third party, permission will need to be gained from the person whose information is sought.
Our employees will refer a request to their line manager for assistance in difficult situations. Employees should not be pressurised into disclosing personal information.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
Informed consent is when:
- An individual/service user clearly understands why their information is needed, who it will be shared with, and the possible consequences of agreeing or refusing the proposed use of the data; and
- Then gives their informed and unambiguous consent.
LLHC will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.
When collecting data, LLHC will ensure that the Individual/Service User:
- Has received sufficient information on why their data is needed and how it will be used.
- Is made aware what the data will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing.
- As far as reasonably possible, grants explicit consent, either written or verbal, for data to be processed.
- Is, as far as reasonably practicable, competent enough to give consent and has given it freely without any duress.
- In the absence of valid consent (that which is freely given, specific, informed and unambiguous), or where consent is deemed unnecessary, has received information as to the lawful basis for processing their information.
Processing in line with Data Subject’s Rights
We will process all personal data in line with data subjects’ rights, in particular their right to:
a) Request access to data held about them by a data controller.
b) Prevent the processing of their data for direct-marketing purposes.
c) Ask to have inaccurate data corrected or erased.
d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.
These rules describe how and where data should be safely stored and the security measures implemented by LLHC. Questions about storing data safely can be directed to the IT Consultants or the Data Protection Officer.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
- A “clear desk” policy is in effect. All data stored on paper should be returned to the appropriate drawer or filing cabinet at the end of the day and no papers should be unnecessarily left on desks during the day.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- Data should not be stored on removable media (like a CD or DVD).
- Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data is backed up twice daily.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data are protected by approved security software and a firewall.
- Mobile devices leaving Head Office with information will be protected via encryption. In the instance of a device being lost or stolen, all information will be remotely removed from the device.
Data Retention and Secure Destruction
Personal data will not be retained longer than necessary in relation to the purpose for which such data is processed. LLHC will ensure that secure storage/archiving periods are clearly defined for each type of data, and that data is confidentially destroyed when no longer required, in accordance with its Information Retention list (appendices).
Personal data is of no value to LLHC unless we can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft and as such LLHC adopts the following additional security measures:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. Employees should be particularly vigilant when sending data by e-mail, as this form of communication is not secure.
- Financial Data, and in particular bank details must not be transferred by us electronically. Bank details should only be transferred by letter and/or confirmed by telephone.
- Personal data should never be transferred outside of the European Economic Area without the approval of the Board and will only be permitted in the event that an adequate level of protection can be guaranteed.
- Employees must not save copies of personal data to their own computers. Always access and update the central copy of any data.
- Consideration will be given to the anonymisation or pseudonymisation of personal data to promote the safe use or sharing of data within the organisation.
The law requires LLHC to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort we should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming client/next of kin details on a regular basis.
- LLHC will make it easy for data subjects to update the information we hold about them. For instance, via the company website.
- Data should be updated as inaccuracies are discovered.
Subject Access Requests
All individuals who are the subject of personal data held by LLHC are entitled to:
- Ask what information the company holds about them and why.
- Ask how to gain access to it and to have inaccurate data corrected or erased.
- Be informed how to keep it up to date.
- Be informed how LLHC is meeting its data protection obligations.
When an individual contacts LLHC to request this information, this is called a subject access request.
Subject access requests from individuals should be made by e-mail or in writing addressed to the Data Protection Officer, Stuart Johnstone. We can supply a standard request form, although individuals do not have to use this.
The Data Protection Officer will aim to provide the relevant data within 14 days and in any event within 1 month.
The Data Protection Officer will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the GDPR allows personal data to be disclosed to local authorities, law enforcement and statutory agencies without the consent of the data subject. Under these circumstances, LLHC will disclose the necessary data. However, the Data Protection Officer will ensure the request is legitimate, seeking assistance and approval from the Board of Directors where necessary.
Service Users will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows LLHC to disclose data (including sensitive data) without the data subject’s consent. These include carrying out a legal duty and protecting the vital interests of a Service User or other individual.
Where we need to share information with an outside external agency or party, LLHC will ensure they are GDPR compliant and adhere to regulatory directives. LLHC will ensure compliance is maintained by these stakeholders via a structured audit tool.
LLHC regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
Providing information to Data Subjects
LLHC aims to ensure that individuals are aware that their data is being processed and that they understand:
- How the data is being used.
- How to exercise their rights in relation to same.
To these ends, the organisation will issue privacy notices as appropriate to service users, employees, customers, suppliers, business contacts, and other individuals we have a relationship with or may need to contact, setting out how data relating to an individual is used by the organisation, how to exercise their rights in relation to same including options available and how to raise a complaint.
A version of this statement will also be available on our website.
Security Breach Management
In the event of a security breach of data, the Directors will liaise immediately with the IT Consultants, Coritas.
The breach will be internally investigated with appropriate remedial action taken and, where required, notification will further be made within 72 hours to the ICO and those affected, providing details of the nature of the breach, likely consequences and mitigations being taken to address same.
This policy and related data protection procedures will be reviewed on an annual basis by the Data Protection Officer to reflect best practice in data management, security and control and to ensure compliance with GDPR.
Glossary of Key Terms
Personal Data
Any information relating to an identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as: a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data
Any data relating to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, genetic data and/or biometric data. We process this data in respect of both our service users and our staff.
A Data Subject
An individual who is the subject of personal data, not including deceased individuals or individuals who cannot be identified or distinguished from others – e.g. statistics.
Processing
The operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing the data.
Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.