Longfield Poly Clinic GDPR Policy and Procedure

Policy Review Sheet

Review Date: 18/01/18 Policy Last Amended: 18/01/18

Next planned review in 12 months, or sooner as required.

1. Purpose
1.1 The purpose of this policy is to introduce the General Data Protection Regulation 2016 (“GDPR”) and to ensure that Longfield Integrated Care Centre Limited understands the key principles of GDPR.
1.2 This policy sets out the steps that need to be taken by Longfield Integrated Care Centre Limited to ensure that Longfield Integrated Care Centre Limited handles, uses and processes personal data in a way that meets the requirements of GDPR. It should be read alongside the additional GDPR policies and procedures and guidance that will be produced between now and May 2018.
1.3 This policy applies to all staff at Longfield Integrated Care Centre Limited who process personal data about other staff, Patients and any other living individuals as part of their role.
1.4 To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry:

1.5 To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
• The Data Protection Bill 2017
• The General Data Protection Regulation 2016 (EU) 2016/679

2. Scope
2.1 The following roles may be affected by this policy:
• All staff

2.2 The following people may be affected by this policy:
• Patients

2.3 The following stakeholders may be affected by this policy:
• Commissioners

3. Objectives
3.1 The objective of this policy is to introduce the principles and requirements of GDPR.
3.2 When reviewed alongside future policies and procedures and guidance, Longfield Integrated Care Centre Limited and staff should understand the key principles of GDPR and the steps that need to be taken to ensure Longfield Integrated Care Centre Limited complies with GDPR when handling and using personal data provided by both staff and Patients.
3.3 This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.
3.4 This policy will assist with understanding the obligations of Longfield Integrated Care Centre Limited in respect of the rights of the staff and Patients who have provided personal data and the steps Longfield Integrated Care Centre Limited should take if it breaches GDPR.

4. Policy
4.1 GDPR Background
GDPR will come into force on 25 May 2018 and will replace the Data Protection Act 1998. GDPR will be implemented regardless of Brexit. GDPR will provide greater protection to individuals and place greater obligations on organisations, but it can be dealt with in bite-size chunks to ensure that any impact on the provision of care and services is reduced.
4.2 All staff will need to understand whether the ways in which they handle personal data already meet the requirements of GDPR and, if not, the steps that need to be taken to achieve compliance.
4.3 Longfield Integrated Care Centre Limited's Approach to GDPR
Longfield Integrated Care Centre Limited is required to take a proportionate and appropriate approach to GDPR compliance. Longfield Integrated Care Centre Limited understands that not all organisations will need to take the same steps – it will depend on the volume and types of personal data processed by a particular organisation, as well as the processes already in place to protect personal data. We understand that if we process significant volumes of personal data, including special categories of data, or have unusual or complicated processes in place in terms of the way we handle personal data, we will consider obtaining legal advice specific to the processing we conduct and the steps we may need to take.
4.4 GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990 will continue to apply to the records of deceased Patients.
4.5 Longfield Integrated Care Centre Limited's Process for Promoting Compliance
To ensure that Longfield Integrated Care Centre Limited understands and is able to comply with GDPR, all staff should review the following documents that will be produced over the next few months:
• Initial Privacy Impact Assessment Policy & Procedure
• GDPR – Key Terms Guidance
• GDPR - Key Principles Guidance
• GDPR - Processing Personal Data Guidance
• Appointing a Data Protection Officer Guidance
• Data Security and Retention Policy & Procedure
• Website Privacy Policy & Procedure
• Subject Access Requests Policy & Procedure
• Subject Access Requests Process Map Policy & Procedure
• Subject Access Requests - Request Letter Policy & Procedure
• Rights of a Data Subject Guidance
• Breach Notification Policy & Procedure
• Breach Notification Process Map Policy & Procedure
• Fair Processing Notice Policy & Procedure
• Consent Form
• GDPR - Transfer of Data Guidance
• Privacy Impact Assessment Policy & Procedure

4.6 Overview of Key Principles and Documents
The key principles and themes of each of the documents listed above are summarised below:
Initial Audit and Privacy Impact Assessment
Longfield Integrated Care Centre Limited understands that we should conduct an audit of the personal data we currently process. This can be carried out internally by Longfield Integrated Care Centre Limited with the assistance of key staff members. The audit will reveal whether the ways in which Longfield Integrated Care Centre Limited processes personal data meet the requirements of GDPR and will also indicate whether Longfield Integrated Care Centre Limited should delete some of the personal data it currently holds. An initial Privacy Impact Assessment template will be provided as part of the GDPR documentation.
Key Terms
GDPR places obligations on all organisations that process personal data about a Data Subject. A brief description of those three key terms (personal data, processing and Data Subject) is included in the Definitions section of this document and will be expanded upon in the Key Terms Guidance.
The requirements that Longfield Integrated Care Centre Limited will need to meet will vary depending on whether Longfield Integrated Care Centre Limited is a Data Controller or a Data Processor. We recognise that in most scenarios, Longfield Integrated Care Centre Limited will be a Data Controller. The meaning of Data Controller and Data Processor, together with the roles they play under GDPR, will be explained in the Key Terms Guidance.
Special categories of data attract a greater level of protection, and the consequences for breaching GDPR in relation to special categories of data may be more severe than breaches relating to other types of personal data. This will also be covered in more detail in the Key Terms Guidance.
Key Principles
There are 6 key principles of GDPR which Longfield Integrated Care Centre Limited must comply with. These 6 principles are very similar to the key principles set out in the Data Protection Act 1998. They are: 
• Lawful, fair and transparent use of personal data
• Using personal data for the purpose for which it was collected
• Ensuring the personal data is adequate and relevant
• Ensuring the personal data is accurate
• Ensuring the personal data is only retained for as long as it is needed
• Ensuring the personal data is kept safe and secure
These key principles will be explained in more detail in the guidance entitled 'GDPR – Key Principles'.
Longfield Integrated Care Centre Limited recognises that in addition to complying with the key principles, Longfield Integrated Care Centre Limited must be able to provide documentation to the Information Commissioner's Office (ICO) on request, as evidence of compliance. We understand that we must also adopt 'privacy by design'. This means that data protection issues should be considered at the very start of a project, or engagement with a new Patient. Data protection should not be an after-thought. These ideas will also be covered in more detail in the Key Principles Guidance.
Processing Personal Data
The position has been improved under GDPR in terms of the ability of care sector organisations to process special categories of data. The provision of health or social care or treatment or the management of health or social care systems and services is now expressly referred to as a reason for which an organisation is entitled to process special categories of data.
In terms of other types of personal data, Longfield Integrated Care Centre Limited must only process personal data if it is able to rely on one of a number of grounds set out in GDPR. The grounds which are most commonly relied on are:
• The Data Subject has given his or her consent to the organisation using and processing their personal data
• The organisation is required to process the personal data to perform a contract; and
• The processing is carried out in the legitimate interests of the organisation processing the data – note that this ground is not available to public authorities in the performance of their public tasks

The other grounds which may apply are:
• The processing is necessary to comply with a legal obligation
• The processing is necessary to protect the vital interests of the Data Subject or another living person
• The processing is necessary to perform a task carried out in the public interest
The grounds set out above and the impact of the changes made in respect of special categories of data will be explained in more detail in the guidance entitled 'GDPR – Processing Personal Data'.
Data Protection Officers
Longfield Integrated Care Centre Limited understands that some organisations will need to appoint a formal Data Protection Officer under GDPR (a “DPO”). The DPO benefits from enhanced employment rights and must meet certain criteria, so we recognise that it is important to know whether Longfield Integrated Care Centre Limited requires a DPO. This requirement will be outlined in the policy and procedure on Data Protection Officers.
Whether or not Longfield Integrated Care Centre Limited needs to appoint a formal Data Protection Officer, Longfield Integrated Care Centre Limited will appoint a single person to have overall responsibility for the management of personal data and compliance with GDPR.
Data Security and Retention
Two of the key principles of GDPR are data retention and data security.
• Data retention refers to the period for which Longfield Integrated Care Centre Limited keeps the personal data that has been provided by a Data Subject. At a high level, Longfield Integrated Care Centre Limited must only keep personal data for as long as it needs the personal data
• Data security requires Longfield Integrated Care Centre Limited to put in place appropriate measures to keep data secure

These requirements will be described in more detail in the policy & procedure entitled Data Security and Retention, which will be drafted with a view to being circulated amongst staff at Longfield Integrated Care Centre Limited.
Website Privacy Policy & Procedure
Where Longfield Integrated Care Centre Limited collects personal data via a website, we understand that we will need a GDPR compliant website privacy policy. The privacy policy will explain how and why personal data is collected, the purposes for which it is used and how long the personal data is kept. A template website policy will be provided.
Subject Access Requests
One of the key rights of a Data Subject is to request access to and copies of the personal data held about them by an organisation. Where Longfield Integrated Care Centre Limited receives a Subject Access Request, we understand that we will need to respond to the Subject Access Request in accordance with the requirements of GDPR. To help staff at Longfield Integrated Care Centre Limited understand what a Subject Access Request is and how they should deal with a Subject Access Request, a Subject Access Request Policy & Procedure will be made available to staff. A Longfield Integrated Care Centre Limited process map to follow when responding to a Subject Access Request, as well as a Subject Access Request letter template will also be included.
The Rights of a Data Subject
In addition to the right to place a Subject Access Request, Data Subjects benefit from several other rights, including the right to be forgotten, the right to object to certain types of processing and the right to request that their personal data be corrected by Longfield Integrated Care Centre Limited. All rights of the Data Subject will be covered in detail in the corresponding guidance.
Breach Notification Under GDPR
We understand that if a personal data breach occurs (for example, personal data is lost, stolen, or disclosed to or accessed by someone who is not authorised to see it), Longfield Integrated Care Centre Limited must in certain circumstances notify the ICO and potentially any affected Data Subjects. There are strict timescales in place for making such notifications: GDPR requires the ICO to be notified without undue delay and, where feasible, within 72 hours of Longfield Integrated Care Centre Limited becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. A policy and procedure for breach notification that can be circulated to all staff, together with a process map for Longfield Integrated Care Centre Limited to follow if a breach takes place, will be published.
We understand that this requirement is likely to have less impact on NHS organisations that are already used to reporting using the NHS reporting tool.
Fair Processing Notice and Consent Form
Organisations are required to provide Data Subjects with certain information about the ways in which their personal data is being processed. The easiest way to provide that information is in a Fair Processing Notice. A Fair Processing Notice template will be produced for Longfield Integrated Care Centre Limited to use and adapt on a case by case basis.

The Fair Processing Notice will sit alongside a consent form which can be used to ensure that Longfield Integrated Care Centre Limited obtains appropriate consent, particularly from the Patient, to the various ways in which Longfield Integrated Care Centre Limited uses the personal data. The Consent Form will contain advice and additional steps to take if the Patient is a child or lacks capacity.
Transfer of Data
If Longfield Integrated Care Centre Limited wishes to transfer personal data to a third party (for example, a Data Processor providing IT, payroll or archiving services, or a data centre or cloud provider hosting our records), we understand that we should put in place a written agreement setting out how the third party will use and protect the personal data. If the third party is based outside the European Economic Area (EEA), or will store or access the personal data from outside the EEA, we recognise that further safeguards will need to be put in place and other aspects considered before the transfer takes place. Guidance will be produced to explain the implications of transferring personal data in more detail.
Privacy Impact Assessments
In addition to carrying out an Initial Privacy Impact Assessment (referred to above), Longfield Integrated Care Centre Limited will carry out further assessments (referred to in GDPR as Data Protection Impact Assessments, or “DPIAs”) each time it proposes to process personal data in a way that presents a “high risk” to the Data Subject. Examples of when a Privacy Impact Assessment should be conducted will be provided in the relevant policy & procedure. Given the volume of special categories of data that are frequently processed by organisations in the health and care sector, there are likely to be a number of scenarios which require a Privacy Impact Assessment to be completed.
The Privacy Impact Assessment template may also be used to record any data protection incidents, such as breaches or 'near misses'.
4.7 Compliance with GDPR
Longfield Integrated Care Centre Limited understands that there are two primary reasons to ensure that compliance with GDPR is achieved:

• It will promote high standards of practice and Care, and provide significant benefits for staff and, in particular, Patients
• Compliance with GDPR is overseen in the UK by the ICO. Under the Data Protection Act 1998, the ICO has the power to levy fines of up to £500,000 for the most serious breaches. Under GDPR, the ICO has the ability to issue a fine of up to 20 million Euros (approximately £17,000,000) or 4% of the annual worldwide turnover of an organisation, whichever is higher. The potential consequences are therefore significant.
Longfield Integrated Care Centre Limited appreciates that it is important to remember, however, that the intention of the ICO is to educate and advise, not to punish. The ICO wants organisations to achieve compliance. A one-off, minor breach may not attract the attention of the ICO, but if Longfield Integrated Care Centre Limited persistently breaches GDPR or commits significant one-off breaches (such as the loss of a large volume of personal data, or the loss of special categories of data), it may be subject to ICO enforcement action. In addition to imposing fines, the ICO also has the power to conduct audits of Longfield Integrated Care Centre Limited and our data protection policies and processes. Longfield Integrated Care Centre Limited realises that the ICO may also require Longfield Integrated Care Centre Limited to stop providing services, to notify Data Subjects of a breach, to delete certain personal data we hold or to stop certain types of processing.

5. Procedure
5.1 All staff should review the GDPR policies and procedures and guidance that will be produced over the next few months.
5.2 Longfield Integrated Care Centre Limited will nominate a person or team to be responsible for data protection and GDPR compliance (if a formal Data Protection Officer is not required, somebody with an understanding of the requirements who can act as a day-to-day point of contact will be chosen).
5.3 Mr Senthirkumar Ramanathan should ensure all staff understand the policies and procedures provided, including how to deal with a Subject Access Request and what to do if a member of staff breaches GDPR.
5.4 Mr Senthirkumar Ramanathan will consider providing training internally about GDPR (in particular, the Key Principles of GDPR) to all staff members.
5.5 Longfield Integrated Care Centre Limited will conduct an audit of the personal data currently held by Longfield Integrated Care Centre Limited (the initial Privacy Impact Assessment template provided will be used for this purpose).
5.6 Longfield Integrated Care Centre Limited will delete any personal data that Longfield Integrated Care Centre Limited no longer needs, based on the results of the audit conducted, taking into account any relevant guidance, such as the Records Management Code of Practice for Health and Social Care 2016.
5.7 Longfield Integrated Care Centre Limited will, if necessary, put in place new measures or processes to ensure that personal data continues to be processed in line with GDPR.
5.8 Longfield Integrated Care Centre Limited will, if necessary, finalise and circulate a Fair Processing Notice to Patients.
5.9 Longfield Integrated Care Centre Limited will ensure proper consent is obtained from each Patient in line with GDPR requirements (the Consent Form provided can be used for this purpose). Longfield Integrated Care Centre Limited will review the additional steps that should be taken to ensure that Longfield Integrated Care Centre Limited obtains consent from parents, guardians, carers or other representatives where Longfield Integrated Care Centre Limited works with children or those who lack capacity.
5.10 Longfield Integrated Care Centre Limited will ensure that processes and procedures are in place to respond to requests made by Data Subjects (including Subject Access Requests) and to deal appropriately with any breaches or potential breaches of GDPR.
5.11 Mr Senthirkumar Ramanathan will maintain a log of decisions taken and incidents that occur in respect of the personal data processed by Longfield Integrated Care Centre Limited using the Longfield Integrated Care Centre Limited Privacy Impact Assessment template.

6. Definitions

6.1 Data Subject
• The individual about whom Longfield Integrated Care Centre Limited has collected personal data
6.2 Data Protection Act 1998
The law that relates to data protection. It will remain in force until and including 24 May 2018. It will be replaced by GDPR on 25 May 2018
6.3 GDPR
The General Data Protection Regulation 2016. It will replace the Data Protection Act 1998 from 25 May 2018 as the law that governs data protection in the UK. As an EU Regulation it applies directly in the UK; the Data Protection Bill will supplement it in UK law and replace the Data Protection Act 1998
6.4 Personal Data
Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below
6.5 Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it
6.6 Special Categories of Data
Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 1998. Special Categories of Data include but are not limited to medical and health records (including information collected as a result of providing health care services), genetic and biometric data used to identify a person, and information about a person’s religious beliefs, ethnic origin and race, sexual orientation or sex life, trade union membership and political views

Key Facts - Professionals
Professionals providing this service should be aware of the following:
• GDPR provides greater protection for staff and Patients in respect of their personal data
• Compliance is mandatory, not optional
• Longfield Integrated Care Centre Limited will adopt an appropriate and proportionate approach; what is right and necessary for Longfield Integrated Care Centre Limited may not be right for another organisation
• Achieving compliance with GDPR will not only reduce the risk of ICO enforcement or fines but will also promote a better quality service for Patients and an improved working environment for staff
• This is the overarching policy and provides a high level reference to all areas that are important for compliance with GDPR
• Understanding of the content of this policy should be embedded with all staff at Longfield Integrated Care Centre Limited
• Longfield Integrated Care Centre Limited must appoint a person with overall responsibility for managing GDPR compliance. This person may be an official Data Protection Officer (DPO) or a person appointed to oversee privacy, governance and data protection

Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
• Your personal data will be protected
• You have a right to see what information we hold about you
• You will be asked for your consent before we obtain your personal data in line with GDPR requirements
• In addition to the new GDPR requirements, our staff will continue to follow confidentiality policies in relation to all aspects of your Care

Further Reading
As well as the information in the 'Underpinning Knowledge' section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:
The Records Management Code of Practice for Health and Social Care 2016 has been issued by the Information Governance Alliance for the Department of Health. It is available on the NHS Digital website
https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

Outstanding Practice
To be ‘outstanding’ in this policy area you could provide evidence that:
• Longfield Integrated Care Centre Limited provides training to all staff in respect of GDPR and the new policies and processes that have been adopted
• Longfield Integrated Care Centre Limited conducts Privacy Impact Assessments for each new processing activity carried out, whether or not the processing presents a 'high risk' to the Data Subjects
• There is evidence that Longfield Integrated Care Centre Limited conducts regular (6 monthly or annual) audits of the personal data that is processed to ensure continued compliance with GDPR
• Longfield Integrated Care Centre Limited can evidence that there are processes in place for ensuring Longfield Integrated Care Centre Limited remains up to date with guidelines and recommendations relating to data protection, including ICO guidance and guidance issued by NHS Digital and this information is effectively cascaded to all relevant staff
• The wide understanding of the policy is enabled by proactive use of the QCS App

Appointing a Data Protection Officer Policy and Procedure

1. Purpose
1.1 To enable Longfield Integrated Care Centre Limited to understand whether Longfield Integrated Care Centre Limited is required to appoint a formal Data Protection Officer (DPO) under GDPR and the implications of appointing a DPO.
1.2 If Longfield Integrated Care Centre Limited is not required to appoint a DPO, this policy recommends nominating an internal point of contact to deal with day to day data protection and GDPR issues, concerns and requests.
1.3 To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry:

1.4 To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
• General Data Protection Regulation 2016
• Data Protection Act 2018

2. Scope
2.1 The following roles may be affected by this policy:
• All staff

Data Security and Data Retention Policy and Procedure

1. Purpose
1.1 The purpose of this policy is to ensure that Longfield Integrated Care Centre Limited and all its staff understand the principles set out in GDPR in relation to data retention and data security.
1.2 By reviewing this policy, Longfield Integrated Care Centre Limited will be able to consider appropriate retention periods for the personal data it processes.
1.3 This policy will enable Longfield Integrated Care Centre Limited and all staff working at Longfield Integrated Care Centre Limited to review the policies and procedures they have in place to ensure that personal data they process is kept secure and properly protected from unlawful or unauthorised processing and accidental loss, destruction or damage.
1.4 To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry:

1.5 To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
• General Data Protection Regulation 2016
• Data Protection Act 2018

2. Scope
2.1 The following roles may be affected by this policy:
• All staff

2.2 The following people may be affected by this policy:
• Patients

2.3 The following stakeholders may be affected by this policy:
• Family
• Advocates
• Representatives
• Commissioners
• External health professionals
• Local Authority
• NHS

3. Objectives
3.1 The objective of this policy is to enable Longfield Integrated Care Centre Limited to determine whether its data retention and data security policies are GDPR compliant and, if not, to update them prior to 25 May 2018.
3.2 This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.

4. Policy
4.1
Data Retention
As a general principle, Longfield Integrated Care Centre Limited will not keep (or otherwise process) any personal data for longer than is necessary. If Longfield Integrated Care Centre Limited no longer requires the personal data once it has finished using it for the purposes for which it was obtained, it will delete the personal data.
4.2
Longfield Integrated Care Centre Limited may have legitimate business reasons to retain the personal data for a longer period. This may include, for example, retaining personnel records in case a claim arises relating to
personal injury caused by Longfield Integrated Care Centre Limited that does not become apparent until a future date. Longfield Integrated Care Centre Limited should consider the likelihood of this arising when it determines its
retention periods - the extent to which medical treatment is provided by Longfield Integrated Care Centre Limited will, for example, affect the likelihood of Longfield Integrated Care Centre Limited needing to rely on records at a later date.
4.3
Longfield Integrated Care Centre Limited may be required to retain personal data for a specified period of time to comply with legal or statutory requirements. These may include, for example, requirements imposed by HMRC in respect of financial documents, or guidance issued by the Home Office in respect of the retention of right to work documentation (see "Underpinning Knowledge" section).
4.4
Longfield Integrated Care Centre Limited understands that claims may be made under a contract for 6 years from the date of termination of the contract, and that claims may be made under a deed for a period of 12 years
from the date of termination of the deed. Longfield Integrated Care Centre Limited may therefore consider keeping contracts and deeds and documents and correspondence relevant to those contracts and deeds for the duration of the contract or deed plus 6 and 12 years respectively.
4.5
Longfield Integrated Care Centre Limited will consider how long it needs to retain HR records. Longfield Integrated Care Centre Limited may choose to separate its HR records into different categories of personal data
(for example, health and medical information, holiday and absence records, next of kin information, emergency contact details, financial information) and specify different retention periods for each category of personal data. Longfield Integrated Care Centre Limited recognises that determining separate retention periods for each element of personal data may be more likely to comply with GDPR. Longfield Integrated Care Centre Limited may decide, however, that separating its HR records into different elements is not practical, and that it can determine a sensible period of time for which to keep the HR records in their entirety. The period of time that is appropriate may depend on the likelihood of a claim arising in respect of that employee in the future. If, for example, Longfield Integrated Care Centre Limited is concerned that an employee may suffer personal injury as a result of its employment with Longfield Integrated Care Centre Limited, Longfield Integrated Care Centre Limited may choose to retain its HR records for a significant period of time. If any such claim is unlikely, Longfield Integrated Care Centre Limited may choose to retain its files for 6 or 12 years (depending on whether the arrangement entered into between Longfield Integrated Care Centre Limited and the employee is a contract or a deed).
4.6
Longfield Integrated Care Centre Limited will consider for how long it is required to keep records relating to Patients. In doing so, Longfield Integrated Care Centre Limited will consider the data retention guidelines provided by the NHS, if applicable. Those guidelines can be accessed by using the link in the "Further Reading" section. If the NHS guidelines don't apply to Longfield Integrated Care Centre Limited, Longfield Integrated Care Centre Limited will determine an appropriate retention policy for Patient personal data. Longfield Integrated Care Centre Limited may choose to retain personal data for at least 6 years from the end of the provision of services to the Patient, in case a claim arises in respect of the services provided.
4.7
Irrespective of the retention periods chosen by Longfield Integrated Care Centre Limited, Longfield Integrated Care Centre Limited will ensure that all personal data is kept properly secure and protected for the period in which it is held by Longfield Integrated Care Centre Limited. This applies in particular to special categories of data.
4.8
Longfield Integrated Care Centre Limited will record all decisions taken in respect of the retention of personal data. Longfield Integrated Care Centre Limited recognises that if the ICO investigates Longfield Integrated Care Centre Limited's policies and procedures, a written record of the logic and reasoning behind the retention periods adopted by Longfield Integrated Care Centre Limited will assist Longfield Integrated Care Centre Limited's position.
4.9
Longfield Integrated Care Centre Limited will implement processes for effectively destroying and/or deleting personal data at the end of the relevant retention period. Longfield Integrated Care Centre Limited will consider whether personal data stored on computers, including in emails, is automatically backed up and how to achieve deletion of those backups or ensure that the archived personal data is automatically deleted after a certain period of time. Longfield Integrated Care Centre Limited will consider circulating guidance internally to encourage staff to regularly delete their emails. Longfield Integrated Care Centre Limited will introduce policies relating to the destruction of hard copies of documents, including by placing the documents in confidential waste bins or shredding them.
4.10
Data Security
Longfield Integrated Care Centre Limited will take steps to ensure the personal data it processes is secure, including by protecting the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
4.11
Longfield Integrated Care Centre Limited understands that all health and care organisations, as detailed below, are required to comply with the Information Governance Toolkit (the "IG Toolkit"). The IG Toolkit will be replaced from April 2018 with the new Data Security and Protection Toolkit. A link to an explanatory guidance note is included in the "Underpinning Knowledge" section. Compliance with the IG Toolkit and the Data Security and Protection Toolkit will facilitate compliance with GDPR. Longfield Integrated Care Centre Limited understands that the following types of organisation must comply with the Data Security and Protection Toolkit:
• Organisations contracted to provide services under the NHS Standard Contract
• Clinical Commissioning Groups
• General Practices that are contracted to provide primary care essential services
• Local authorities and social care providers must take a proportionate response to the new toolkit:
  • Local authorities should comply with the toolkit where they provide adult social care or public health and other services that receive services and data from NHS Digital, or are involved in data sharing across health and care where they process confidential personal data of Patients who access health and adult social care services
  • Social care providers who provide care through the NHS Standard Contract should comply with the toolkit. It is also recommended that social care providers who do not provide care through the NHS Standard Contract consider compliance with the new toolkit from April 2018, which will help to demonstrate compliance with the ten security standards and GDPR
4.12
Longfield Integrated Care Centre Limited will implement and embed the use of policies and procedures to ensure personal data is kept secure. The suggestions below apply in addition to the steps Longfield Integrated Care Centre Limited is required to take pursuant to the IG Toolkit and the new Data Security and Protection Toolkit, if the toolkits apply to Longfield Integrated Care Centre Limited. For paper documents, these will include, where possible:
• Keeping the personal data in a locked filing cabinet or locked drawer when it is not in use
• Adopting a "clear desk" policy to ensure that personal data is not visible or easily retrieved
• Ensuring that documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
• Redacting personal data from documents where possible
• Ensuring documents containing personal data are placed in confidential waste bins or shredded at the end of the relevant retention period
For electronic documents, the measures taken by Longfield Integrated Care Centre Limited will include, where possible:
• Password protection or, where possible, encryption
• Ensuring documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
• Ensuring ongoing confidentiality, integrity and reliability of systems used online to process personal data (this may require a review of IT systems and software currently used by Longfield Integrated Care Centre Limited)
• The ability to quickly restore the availability of and access to personal data in the event of a technical incident (this may require a review of IT systems and software currently used by Longfield Integrated Care Centre Limited)
• Taking care when transferring documents to a third party, ensuring that the transfer is secure and the documents are sent to the correct recipients
Longfield Integrated Care Centre Limited will ensure that all business phones, computers, laptops and tablets are password protected.
Longfield Integrated Care Centre Limited will encourage staff to avoid storing personal data on portable media such as USB devices. If the use of portable media can't be avoided, Longfield Integrated Care Centre Limited will ensure that the devices it uses are encrypted or password protected and that each document on the device is encrypted or password protected.
4.13
Longfield Integrated Care Centre Limited will implement guidance relating to the use of business phones and messaging apps. Longfield Integrated Care Centre Limited understands that all personal data sent via business phones, computers, laptops and tablets may be captured by GDPR, depending on the content and context of the message. As a general rule, Longfield Integrated Care Centre Limited will ensure that staff members only send personal data by text or another messaging service if they are comfortable that the content of the messages may be captured by GDPR and may be provided pursuant to a Subject Access Request (which will be explained in more detail in a future policy).
4.14
Longfield Integrated Care Centre Limited will ensure that all staff are aware of the importance of keeping personal data secure and not disclosing it, on purpose or accidentally, to anybody who should not have access to the information. Longfield Integrated Care Centre Limited will provide training to staff if necessary. Longfield Integrated Care Centre Limited will consider in particular the likelihood that personal data, including special categories of data, will be removed from Longfield Integrated Care Centre Limited's premises and taken to, for example, Patients' homes and residences. Longfield Integrated Care Centre Limited will ensure that all staff understand the importance of maintaining the confidentiality of personal data away from Longfield Integrated Care Centre Limited's premises and take care to ensure that the personal data is not left anywhere it could be viewed by a person who should not have access to that personal data.
4.15
Longfield Integrated Care Centre Limited will adopt policies and procedures in respect of recognising, resolving and reporting security incidents including breaches of GDPR. Longfield Integrated Care Centre Limited understands that it may need to report breaches to the ICO and to affected Data Subjects, as well as to CareCERT if Longfield Integrated Care Centre Limited is required to comply with the IG Toolkit and the new Data Security and Protection Toolkit.
4.16
Longfield Integrated Care Centre Limited will adopt processes to regularly test, assess and evaluate the security measures it has in place for all types of personal data.
4.17
Privacy By Design
Longfield Integrated Care Centre Limited will take into account the GDPR requirements around privacy by design, particularly in terms of data security.
4.18
Longfield Integrated Care Centre Limited understands that privacy by design is an approach set out in GDPR that promotes compliance with privacy and data protection from the beginning of a project. Longfield Integrated Care Centre Limited will ensure that data protection and GDPR compliance is always at the forefront of the services it provides, and that it won't be treated as an afterthought.
4.19
Longfield Integrated Care Centre Limited will comply with privacy by design requirements by, for example:
• Identifying potential data protection and security issues at an early stage in any project or process, and addressing those issues early on; and
• Increasing awareness of privacy and data protection across Longfield Integrated Care Centre Limited, including in terms of updated policies and procedures adopted by Longfield Integrated Care Centre Limited
4.20
Longfield Integrated Care Centre Limited will conduct Privacy Impact Assessments to identify and reduce the privacy and security risks of any project or processing carried out by Longfield Integrated Care Centre Limited. A template Privacy Impact Assessment will be provided in a future policy.
5. Procedure
5.1
Longfield Integrated Care Centre Limited will consider data retention and data security issues and concerns at the beginning of any project (whether the project is the introduction of a new IT system, a new way of working, the processing of a new type of personal data or anything else that may affect Longfield Integrated Care Centre Limited's processing activities). Longfield Integrated Care Centre Limited appreciates that this is key for complying with the privacy by design requirements in GDPR.
5.2
Longfield Integrated Care Centre Limited will review the periods for which it retains all the personal data that it processes.
5.3
Longfield Integrated Care Centre Limited will, if necessary, adopt new policies and procedures in respect of data retention and will circulate those policies and procedures to all staff. Longfield Integrated Care Centre Limited will consider providing training to staff in respect of data retention.
5.4
Longfield Integrated Care Centre Limited will review the security measures currently in place in respect of all the personal data it processes.
5.5
Longfield Integrated Care Centre Limited will document the decisions it takes, and the logic and reasoning behind those decisions, in respect of both data retention and data security. Longfield Integrated Care Centre Limited will keep a record of all policies and procedures it implements to improve its compliance with GDPR.
6. Definitions
6.1
CareCERT
The Care Computing Emergency Response Team, developed by NHS Digital. CareCERT offers advice and guidance to support health and social care organisations to respond to cyber security threats
6.2
Data Subject
The individual about whom Longfield Integrated Care Centre Limited has collected personal data
6.3
Data Protection Act 2018
The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU's Law Enforcement Directive
6.4
GDPR
General Data Protection Regulation (GDPR)
(EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and, after a two-year transition period, became enforceable on 25 May 2018
6.5
Personal Data
Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below
6.6
Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data - at the point you collect it, you are processing it
6.7
Special Categories of Data
Has an equivalent meaning to "Sensitive Personal Data" under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person's religious beliefs, ethnic origin and race, sexual orientation and political views
Key Facts - Professionals
Professionals providing this service should be aware of the following:
Personal data will not be kept longer than necessary
Personal data will be deleted when no longer needed
Personal data may be held for longer than needed for the purposes of processing if there are justified reasons such as to meet regulations, insurance or other statutory requirements
Retention periods are the decision of Longfield Integrated Care Centre Limited, but guidance
All personal data will be kept securely
All retention periods need to be documented and justified
Anybody who processes personal data on behalf of Longfield Integrated Care Centre Limited should be made aware of and should comply with Longfield Integrated Care Centre Limited's policies in respect of data retention and data security
Longfield Integrated Care Centre Limited has effective and robust processes for destroying data
Longfield Integrated Care Centre Limited will comply with the Data Security and Protection Toolkit where necessary; this is the replacement for the Information Governance Toolkit (IG Toolkit)
Electronic devices will be password protected to aid security
Documents containing personal data are only shared with people who need to know the content
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
Longfield Integrated Care Centre Limited will implement and embed the use of policies and procedures to ensure that all personal data processed about people affected by the services provided by Longfield Integrated Care Centre Limited, including Patients, is retained and is kept secure and protected in accordance with GDPR
Further Reading
There is no further reading for this policy, but we recommend the 'Underpinning Knowledge' section of the review sheet to increase your knowledge and understanding.
Outstanding Practice
To be ‘outstanding’ in this policy area you could provide evidence that:
You have reviewed the security measures in place in respect of the personal data Longfield Integrated Care Centre Limited processes and have determined whether those measures need updating. If further steps need to be taken to improve security, you have a plan in place to take those steps prior to 25 May 2018
You have reviewed and considered the documents and guidance referenced in the "Underpinning Knowledge" and "Further Reading" sections
You have considered the personal data you process and adopted and documented appropriate retention periods for each type of personal data
The wide understanding of the policy is enabled by proactive use of the QCS App
Cookies Example Policy Statement
COOKIES WEBSITE STATEMENT
Cookies are small text files which a website may put on your computer or mobile device when you first visit a Site or page. The cookie will help the website, or another website, to recognise your device the next time you visit. Web beacons or other similar files can also do the same thing. We use the term “cookies ” in this policy to refer to all files that collect information in this way. We use cookies to distinguish you from other users of the Application or the Site. This helps us to provide you with a good experience when you use the Application or browse the Sites and also allows us to improve the Service, the Application and the Site.
Initial Privacy Impact Assessment Policy and Procedure
1. Purpose
1.1
The purpose of this policy is to enable Longfield Integrated Care Centre Limited to conduct an audit of the personal data it holds and processes to determine whether the personal data and processing comply with GDPR.
1.2
The principles set out in this policy will be explained in more detail in future policies and procedures and guidance.
1.3
This policy applies to all staff at Longfield Integrated Care Centre Limited who process personal data about other staff, Patients and any other living individual as part of their role.
1.4
To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry:
1.5
To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
• Health and Social Care (Safety and Quality) Act 2015
• Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003
• General Data Protection Regulation 2016
• Data Protection Act 2018
2. Scope
2.1
The following roles may be affected by this policy:
• All staff
2.2
The following people may be affected by this policy:
• Patients
2.3
The following stakeholders may be affected by this policy:
• Commissioners
3. Objectives
3.1
The objective of this policy is to enable Longfield Integrated Care Centre Limited to determine whether its processing of personal data complies with GDPR.
3.2
Longfield Integrated Care Centre Limited will use this policy to conduct an assessment of its personal data and, if necessary following the assessment, Longfield Integrated Care Centre Limited will delete or destroy the personal data it holds and/or change the way in which it processes the personal data.
3.3
This policy will assist with defining accountability and establishing the ways of working in terms of the use, storage, retention and security of personal data.
3.4
To ensure that Longfield Integrated Care Centre Limited complies with the Records Management Code of Practice for Health and Social Care 2016 and the detailed Retention Schedules and doesn't destroy any relevant personal data.
4. Policy
4.1
Longfield Integrated Care Centre Limited recognises that a Privacy Impact Assessment (PIA) is essentially a risk assessment of proposed processing of personal data. Longfield Integrated Care Centre Limited understands that if Longfield Integrated Care Centre Limited is processing personal data that is likely to result in a high risk to the Data Subject’s rights, a PIA must be carried out prior to commencing that processing.
4.2
An effective PIA will allow Longfield Integrated Care Centre Limited to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. The purpose of this initial Privacy Impact Assessment, which forms part of this documentation, is to clarify what personal data is currently held, where, how and by whom, including organisations that may hold or collect personal data for Longfield Integrated Care Centre Limited.
4.3
Longfield Integrated Care Centre Limited will work with staff members identified by the Data Protection Officer, with partner organisations and, where appropriate, with the Patients affected to identify and reduce privacy risks in order to undertake an initial Privacy Impact Assessment. Once the information has been gathered, the responses will be considered by Longfield Integrated Care Centre Limited alongside the key principles of GDPR (which will be described in more detail in the relevant guidance note).
4.4
Key Considerations
Once the initial Privacy Impact Assessment has been completed, Longfield Integrated Care Centre Limited will review the key considerations outlined in the procedure and take action where required.
5. Procedure
5.1
Circulate the Initial Privacy Impact Assessment Form to all key members of staff for completion.
5.2
Circulate all relevant guidance, particularly guidance in respect of GDPR - Key Principles, to all key staff members to assist completion of the Initial Privacy Impact Assessment.
5.3
Form Completion - Types of Personal Data
Explanatory Comment
The form is drafted on the basis that a separate form will be used for each type of personal data. Examples of types of personal data include 'name', 'email address', 'postal address', 'phone number', 'medical records', 'health records', 'care plans', 'next of kin information', 'recruitment records', 'bank details', 'staff management records' or 'CCTV'. These are examples, and Longfield Integrated Care Centre Limited may have other types of personal data that are being held for purposes other than listed. The forms should not refer specifically to an individual (for example, "Joe Bloggs" or "joe.bloggs@gmail.com")
The intention is that a form will be completed for each type of personal data. It is possible that more than one form for the same type of personal data may be completed dependent upon the scope and knowledge of the person nominated by Longfield Integrated Care Centre Limited to complete the form. Each member of staff only needs to complete a form for the types of personal data they process - if a member of staff does not use care plans, they do not need to complete a form for care plans, for example
Longfield Integrated Care Centre Limited may review documents that include personal data such as complaints, the visitors book, safeguarding records, marketing records, Patient family, relatives and friends' details. However, the type of personal data is not the document itself, it is the personal data within the document. For example, if a complaint is reviewed it is not the complaint that is the personal data it is the name, address or other details that identify individuals within it
Longfield Integrated Care Centre Limited may find that the same response applies to several types of personal data. For example, the retention periods for medical records, health records and care plans may be the same. It is for this reason that Longfield Integrated Care Centre Limited may choose to incorporate the questions from the form into a spreadsheet, listing the types of personal data in the left-hand column. This would enable Longfield Integrated Care Centre Limited and its members of staff to easily duplicate responses for all the questions and would result in one single spreadsheet being produced by each key member of staff/team rather than multiple copies of the form
5.4
Question 1 of the Form - "How did you obtain the personal data?"
Explanatory Comment
Was the personal data (i.e. the email address, medical record, care plan) obtained directly from the Patient or from a third party, such as the Patient's carer, next of kin or medical provider?
5.5
Question 2 - "Did you get consent to collect their personal data?"
Explanatory Comment
When the personal data was obtained, did you get express consent from the Data Subject (for example, the Patient or member of staff) to process that personal data?
Longfield Integrated Care Centre Limited may have other grounds for processing the personal data (which will be explained in a guidance note) but it is a useful starting point to understand if consent has been obtained or not
5.6
Question 3 - "If you did not get consent, on which ground are you processing the personal data?"
Explanatory Comment
Can you rely on legitimate interest or fulfilment of a contract or, in the case of Special Categories of Data, is the personal data being processed in the field of employment or for the provision of health and social care services?
These terms will be explained in more detail in future guidance notes
5.7
Question 4 - "Why do you need the personal data?"
Explanatory Comment
Do you use the personal data for HR/staff purposes such as payroll or general employment purposes?
Do you use the personal data to be able to provide care to a Patient? Do you have the personal data simply because it may be useful in the future?
5.8
Question 5 - "Is the personal data still relevant?"
Explanatory Comment
Do you still use the personal data?
Do you have any personal data for former members of staff, or for Patients for whom you no longer provide care?
5.9
Question 6 - "Do you destroy or delete personal data you no longer need?"
Explanatory Comment
Do you shred hard copies or permanently erase online documents?
If not, what do you do with the personal data when you no longer need it?
5.10
Question 7 - "Do you make sure that the personal data is kept accurate and up to date?"
Explanatory Comment
Do you have processes in place for regularly checking and updating details with staff and Patients?
5.11
Question 8 - "What do you do with personal data that is no longer up to date?"
Explanatory Comment
Do you retain it in the same location, do you move it to archive, do you update and replace it?
5.12
Question 9 - "Are there restrictions in place around who can access and use the personal data, and what are they?"
Explanatory Comment
Is the personal data password protected if it is stored online?
Is knowledge of the password restricted to only the people that need to know the information?
Are there other technical/IT security measures in place?
Are hard copies of personal data stored in locked filing cabinets?
Is access to the filing cabinets limited to only those who need access to the information?
Are there other security measures in place?
5.13
Question 10 - "How long do you keep personal data?"
Explanatory Comment
What do you do with the personal data when a member of staff leaves or when care is no longer being provided to a particular Patient?
Do you have policies and procedures in place to deal with the retention of personal data and to ensure personal data is destroyed or deleted when it is no longer needed?
5.14
Question 11 - "Do you need to keep the personal data for that long?"
Explanatory Comment
Based on your responses to Question 10, are there statutory, business or other legitimate reasons as to why you retain the personal data for the period you have set out?
5.15
Question 12 - "Do you pass personal data to any third parties? If so, who and why?"
Explanatory Comment
Do you pass the personal data to other service providers, to medical providers, to third parties for hosting in a data centre, or to anybody else?
5.16
Question 13 - "If you pass personal data to a third party, do you have an agreement in place with them about how they will use that personal data?"
Explanatory Comment
Is there a written agreement in place that sets out how the third party will process and protect the personal data, and the basis on which the personal data is being transferred?
5.17
Key Considerations
The following issues will be considered by Longfield Integrated Care Centre Limited following completion of the Initial Privacy Impact Assessment:
Question 1
- If the personal data was not obtained directly from the Data Subject, do grounds exist to justify the collection of that personal data i.e. legitimate interests or fulfilment of a contract (see future guidance note for more information)? If Longfield Integrated Care Centre Limited sends marketing communications, it will consider whether it has obtained consent (if necessary) and whether its marketing communications comply with GDPR and PECR (Privacy and Electronic Communication Regulations)
Question 2
- If yes, consider whether consent is the appropriate ground to rely on going forwards for collection of that type of personal data
Question 3
- If consent was not obtained from the Data Subject to process the personal data, Longfield Integrated Care Centre Limited will consider whether it is able to rely on another ground (such as legitimate interest or, if the personal data are Special Categories of Data, whether the processing is necessary for the provision of health and social care or treatment, or as part of the employment of the member of staff). These principles will be explained in more detail in the guidance entitled GDPR - Key Principles. If Longfield Integrated Care Centre Limited has no ground for processing the personal data, continuing to process it may result in a breach of GDPR
Question 4
- If Longfield Integrated Care Centre Limited does not have a particular need for the personal data, it will consider deleting the personal data and ceasing collection of it. Failure to do so may result in a breach of GDPR
Question 5
- If the Personal Data is no longer relevant, Longfield Integrated Care Centre Limited will consider deleting the personal data and ceasing collection of it. Failure to do so may result in a breach of GDPR
Question 6
- If Longfield Integrated Care Centre Limited does not currently destroy or delete personal data it no longer needs, it will consider adopting new processes to ensure that the personal data is destroyed or deleted. Failure to do so may result in a breach of GDPR
Question 7
- If Longfield Integrated Care Centre Limited does not ensure that personal data is kept accurate and up to date, it will consider adopting processes to ensure the personal data is up to date and correct. Failure to do so may result in a breach of GDPR
Question 8
- See above
Question 9
- If personal data is accessible by individuals who do not need to see the information, Longfield Integrated Care Centre Limited will consider adopting processes to ensure access to the personal data is restricted. Failure to do so may result in a breach of GDPR
Questions 10 and 11
- Personal data should only be kept during the period it is needed. Longfield Integrated Care Centre Limited will consider adopting processes to ensure it has appropriate retention policies in place. Failure to adopt appropriate retention policies and processes may result in a breach of GDPR
Questions 12 and 13
- If personal data is passed to third parties, Longfield Integrated Care Centre Limited will consider whether it has appropriate grounds for transferring the personal data (for example, consent, legitimate interests or fulfilment of a contract). Ideally, data processing agreements will be entered into by Longfield Integrated Care Centre Limited and the third party. If the third party is located outside the EEA, Longfield Integrated Care Centre Limited will consider seeking legal advice to ensure the transfer is GDPR compliant
5.18
Action Plan
The form includes an action plan (in the section entitled "Results of Initial Privacy Impact Assessment"). Longfield Integrated Care Centre Limited acknowledges that, in some circumstances, it may be difficult for each key member of staff who has completed the form to input into the action plan.
5.19
Each member of staff who completes the form should incorporate as much information as possible in the action plan and provide any suggestions they feel are relevant or may be helpful.
5.20
Longfield Integrated Care Centre Limited will ensure its Data Protection Officer, Privacy Officer or other nominated individual has responsibility for producing a final action plan.
5.21
Longfield Integrated Care Centre Limited will incorporate the action plan into its ongoing risk register for GDPR compliance
6. Definitions
6.1
Data Subject
The individual about whom Longfield Integrated Care Centre Limited has collected personal data
6.2
GDPR
The General Data Protection Regulation 2016. It will replace the Data Protection Act 2018 from 25 May 2018 as the law that governs data protection in the UK. It will come into force in the UK via the Data Protection Bill.
6.3
Personal Data
Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and Special Categories of Data, defined below.
6.4
Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data - at the point you collect it, you are processing it.
6.5
Special Categories of Data
Has an equivalent meaning to "Sensitive Personal Data" under the Data Protection Act 2018. Special Categories of Data include but are not limited to medical and health records (including care plans and information collected as a result of providing health care services) and information about a person's religious beliefs, ethnic origin and race, sexual orientation and political views.
6.6
ICO
The Information Commissioner's Office, a regulator which advises on and oversees compliance with GDPR.
6.7
PECR
The Privacy and Electronic Communication Regulations, which sit alongside the Data Protection Act 2018 and GDPR. PECR is in the process of being updated.
Key Facts - Professionals
Professionals providing this service should be aware of the following:
• An Initial Privacy Impact Assessment should be carried out to ensure Longfield Integrated Care Centre Limited complies with GDPR when it processes personal data
• Penalties for non-compliance with GDPR could be significant
• Completion of an Initial Privacy Impact Assessment and taking appropriate steps based on the results of the assessment will not only reduce the risk of ICO enforcement or fines but will also promote a better quality service for Patients and an improved working environment for staff
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
• If you are a member of staff of Longfield Integrated Care Centre Limited you should assist Longfield Integrated Care Centre Limited with completion of the Initial Privacy Impact Assessment
• Personal data held by Longfield Integrated Care Centre Limited about members of staff, Patients and other individuals will be processed and protected in line with GDPR
Further Reading
There is no further reading for this policy, but we recommend the 'Underpinning Knowledge' section of the review sheet to increase your knowledge and understanding.
Outstanding Practice
To be ‘outstanding’ in this policy area you could provide evidence that:
• All key members of staff have completed the Initial Privacy Impact Assessment by the end of February 2018
• Longfield Integrated Care Centre Limited has deleted or destroyed all personal data it no longer needs (based on the results of the Initial Privacy Impact Assessment) by 24 May 2018
• Longfield Integrated Care Centre Limited has implemented new policies and processes to ensure its processing activities and personal data it holds are compliant with GDPR and such policies and processes will take effect on or before 24 May 2018
• Longfield Integrated Care Centre Limited has implemented processes so that lessons are learned when there are data security breaches
• The wide understanding of the policy is enabled by proactive use of the QCS App
GDPR - Processing Personal Data
Under both the Data Protection Act 2018 and the General Data Protection Regulation 2016 (GDPR) organisations must ensure there is a lawful basis for processing personal data. If there is no lawful basis for processing, the processing should not take place.
This expert insight focuses on some of the grounds for processing that are most likely to apply to organisations in the health and care sector, including:
1. Consent from the data subject
2. Legitimate interest of the Data Controller or a third party
3. Performance of a contract
4. Protection of the vital interests of a data subject
5. In the case of special categories of data:
a. Processing in the field of employment; and
b. Processing for the provision of health or social care or treatment or the management of health or social care systems and services.
1. Consent
If none of the other grounds applies to the processing of personal data, organisations must obtain express consent from the data subject to process their personal data.
For example, in some circumstances, marketing communications can only be sent to a data subject if the data subject has given their express consent to receiving the communications. This will apply if marketing communications are sent to individuals to whom the organisation does not provide services. If an organisation wishes to send marketing communications to its current customers and clients, it is likely that it will be able to rely on the grounds of legitimate interest for doing so, although the Information Commissioner’s Office is still to confirm that point. Consent should also be sought if an Employee’s personal data is processed for a reason other than usual HR/Administrative purposes. This will need to be considered on a case by case basis but may include, for example, contacting an employee on their personal phone for work purposes.
Under GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The statement above means that consent must relate specifically to the purpose for which the organisation wishes to process the personal data and the giving of consent must be a positive action. Implied or negative consent (including, for example, pre-ticked boxes often used to sign up for marketing communications) will no longer be sufficient.
2. Legitimate Interest (Art 6.1(f))
At a high level, legitimate interest means the data subject would reasonably expect an organisation to process its data in the manner it is being processed.
This will apply, for example, to the processing by an organisation of employee data for HR/Staff purposes. There is no need to obtain consent from each employee for their personal data to be processed.
Legitimate interest will apply to much of the ancillary processing of personal data carried out by organisations, for example, processing the individual names and email addresses of contacts at business suppliers.
It will also apply to processing contact details of a person to whom an organisation provides services – for example, it is in the legitimate interests of a care service to process the service user’s name, contact information and next of kin. This may also be permitted on the grounds of fulfilment of a contract – see below for more information.
Legitimate interest will not apply where the interests of the organisation are overridden by the interests, rights or freedoms of the data subject. It also does not apply to public authorities (but it can be relied upon by health and care organisations in the independent sector).
3. Performance of a Contract (Art 6.1(b))
Organisations are entitled to process personal data without obtaining consent to the extent the processing is necessary to perform a contract.
If a care home enters into a contract to provide care to a service user, GDPR recognises that certain personal data will need to be processed to fulfil the contract and provide the services. The types of personal data that may be processed on this basis will depend on the services being provided and the contract in place.
4. Protection of the Vital Interests of a Data Subject
For this ground to apply, the processing must be necessary to protect an interest which is essential for the life of the data subject or another person. It is therefore very limited in scope and will only apply to a life and death situation i.e. the provision of emergency medical care. If the individual is capable of giving consent to the processing, the vital interests ground won’t apply – consent must be sought.
5. Special Categories of Data (Art 9)
The grounds that apply to the processing of special categories of data differ to those which apply to the processing of other personal data.
In many situations, explicit consent will be required. However, there are a number of other grounds which may apply to organisations in the health and social care sector and which mean consent does not need to be obtained:
(i) Processing Necessary in the Field of Employment
Organisations are able to rely on this ground to process special categories of data to the extent such processing is necessary for usual Employment/HR Purposes. This may include, for example, recording on an employee’s file any health issues that may affect their ability to work or of which the organisation needs to be aware. Organisations will need to consider their processing of special categories of personal data for HR purposes on a case by case basis. One example provided by the ICO of processing that may not be captured by this ground is the processing of special categories of data for the purposes of carrying out an occupational health assessment. In this scenario, consent would need to be obtained from the data subject.
(ii) Processing Necessary to Protect the Vital Interests of the Data Subject or Another Natural Person
The same principles apply as those set out above in respect of non-sensitive types of personal data. This ground can only be relied upon in cases of life and death (of the data subject or another person) where the data subject is incapable of giving their consent.
(iii) Processing Necessary for the Purposes of Preventive or Occupational Medicine, for the Assessment of the Working Capacity of the Employee, Medical Diagnosis, Provision of Health or Social Care or Treatment or the Management of Health or Social Care Systems and Services
GDPR expands the grounds upon which special categories of data can be processed for health and social care reasons. The provision of “health or social care or treatment” is now expressly referred to, which means where personal data is being processed to facilitate the provision of such care or treatment, there is no need to obtain express consent from the data subject.
GDPR requires, however, that where processing takes place on the ground referred to at (iii) above, there must be “obligations of professional secrecy” (i.e. confidentiality obligations) in place.
Fair Processing Notices
Organisations must provide fair processing notices to all individuals whose personal data is processed. The notices include the grounds upon which processing is carried out. This allows an organisation to communicate unambiguously the lawful basis of processing and indicate the types of processing involved. An organisation may have more than one fair processing notice, for example, one for service users, one for relatives and one for suppliers.
Privacy and Electronic Communications Regulations 2003 (“PECR”)
PECR sits alongside the Data Protection Act 2018 and GDPR. It is currently in the process of being updated and the final draft has not yet been finalised. PECR (and its replacement) focus on the sending of electronic communications (i.e. by email, text & phone) and must be complied with in addition to GDPR.
PECR is particularly important for organisations that send marketing communications by email or by text. If you fall into this category, you should ensure you understand and comply with the principles of PECR and that you keep up to date with the reform of PECR. You can find more information here - https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
Further Reading
All grounds that apply to the processing of personal data are set out in Article 6 of GDPR and the grounds that apply to special categories of data are contained in Article 9. The full text of GDPR can be found here https://gdpr-info.eu/

Rights of the Data Subject
The rights of the data subject are enhanced under GDPR. They are detailed below, together with some common myths and myth busters. The first two rights must be automatically exercised by the data controller. The remaining rights are optional rights which the data subject can choose to exercise.
1. Provision of Transparent Information (Art 12)
Data controllers must provide information to the data subject in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. Information should be provided in writing including electronically, if appropriate. This requirement is particularly important where information is addressed to a child. GDPR states that children “Merit Special Protection” and so any information and communication with a child should be in clear and plain language that the child can easily understand.
2. Provision of Specific Information when the Personal Data are Collected or Obtained (Arts 13 and 14)
At the point personal data are collected, the data controller must provide the following information to the data subject (in the form of a privacy policy, fair processing notice or similar):
• The identity and contact details of the data controller;
• Contact details of the data protection officer (if there is one);
• Purposes for processing and the legal basis for the processing;
• If the processing is on the grounds of legitimate interest, what those legitimate interests are;
• The recipients or categories of recipients of the personal data;
• Any intention to transfer personal data to a third country or international organisation and the existence of a finding of adequacy or other suitable safeguards;
• The period of retention of the data or the criteria used to determine the period;
• The existence of the data subject’s rights (detailed below);
• The existence of the right to withdraw consent (if applicable);
• The right to complain to the ICO;
• Any relevant statutory or contractual requirement to process; and
• The existence of automated decision-making (detailed below).
3. Access to Data (Art 15)
Each data subject is entitled to require an organisation to provide access to or copies of all of the individual’s personal data by placing a subject access request. In addition to requesting access to the personal data, the data subject is entitled to the following information:
• The purposes for which their personal data is processed;
• The categories of personal data;
• The recipients or categories of recipients to whom the personal data has been disclosed;
• The period for which the personal data will be stored or, if it’s not possible to provide the information, the criteria used to determine that period;
• The existence of the right to request rectification or erasure of personal data;
• The right to lodge a complaint with the ICO;
• Information about the source of the personal data if it wasn’t collected from the data subject; and
• If relevant, the existence of automated decision-making including profiling together with information about the logic applied, the significance and the envisaged consequences of such processing for the data subject.
Each organisation should adopt processes for dealing with subject access requests and decide whether it would be beneficial to issue firm wide policies. Development of policies and provision of training may provide comfort that all members of staff understand how to recognise and deal with a subject access request (ideally by directing the request to the organisation’s data protection or privacy officer). If an organisation receives a subject access request as a data processor, it should pass the request to the data controller and act in accordance with the data controller’s instructions when assisting the data controller to respond to the request.
Responding to the Request
Under the Data Protection Act 2018, an organisation has 40 days to respond to the request. The organisation is entitled to request a fee of £10 to respond. Under GDPR, an organisation must respond within one month of receiving the request and must do so free of charge (unless the requests are vexatious or repeated, in which case it may be possible for a business to charge a reasonable fee to respond).
*Myth* - An organisation can delay responding to a subject access request if they’re not confident about the identity of the individual or if they would like more information about what the data subject requires.
*Fact* - An organisation should be confident about the identity of the person making the request but should not use it as a stalling tactic. Confirmation should only be sought if there are real doubts about the identity of the data subject. Whilst an organisation is entitled to ask for more information from the data subject, doing so will not delay the timescales in which the organisation must respond and the data subject is under no obligation to limit its request.
4. Right to Rectification (Art 16)
This right links to the obligation on the data controller to keep personal data up to date and accurate. A data subject has the right to request that inaccurate personal data is rectified or completed “without undue delay”.
5. Right to be Forgotten (Art 17)
Data subjects are entitled to request that the personal data held about them by an organisation is deleted. If an organisation is a data processor, any action that they are required to take should be notified to them by the data controller. The organisation must comply with the request to be forgotten without undue delay where one of the following grounds applies:
• The personal data is no longer necessary in relation to the purposes for which it was collected or processed;
• The data subject withdraws their consent and there is no other legal ground for processing;
• The data subject objects to the processing and there are no overriding legitimate interests;
• The personal data has been unlawfully processed;
• There is a legal requirement that the personal data is erased;
• Personal data has been collected in relation to the offer of information society services. Information society services are online services and this exemption is therefore unlikely to apply to organisations in the health and care sector.
The right to be forgotten is a more limited right than many organisations realise. The most useful right from a data subject’s perspective is arguably that personal data must be deleted if a data subject withdraws their consent to processing and subsequently requests that all personal data be deleted.
*Myth* - Data subjects have a blanket right to request that their information be deleted.
*Fact* - The right to request to be forgotten is relatively limited and organisations may be able to rely on a justification to retain the data.
6. Right to Restriction of Processing (Art 18)
The data subject can request that an organisation limits the processing of certain personal data if:
• The data subject believes the data isn’t accurate, in which case processing should stop until the data controller is able to verify the accuracy of the data;
• The processing is unlawful and the data subject requests restriction rather than deletion of data;
• The data controller no longer needs the personal data for the purposes of the processing but the data subject requires the data to be retained for the establishment, exercise or defence of legal claims;
• The data subject has objected to their personal data being processed, in which case processing should stop until the data controller is able to check whether its legitimate interests override the objection.
If personal data is restricted, it can only continue to be processed in the following circumstances:
• With consent from the data subject;
• For the establishment, exercise or defence of legal claims;
• The protection of the rights of another; or
• For reasons of important public interest.
7. Data Portability (Art 20)
The data subject can request that their data is provided in a structured, commonly used and machine-readable format and/or that the data is transferred directly to another data controller.
*Myth* - A data subject can exercise the right to data portability in all circumstances.
*Fact* - The right only applies where the personal data is processed on the grounds of consent or performance of a contract. It does not apply where the personal data is processed on the basis of any other grounds, including legitimate interest.
8. Right to Object (Art 21)
The data subject can object to the processing of personal data where the personal data is processed for the performance of a task carried out in the public interest or where processing is necessary for the legitimate interests of the data controller or a third party.
The data controller can, however, continue to process the data if it can demonstrate it has compelling legitimate grounds to process and those grounds override the interests, rights and freedoms of the data subject, or for the establishment, exercise and defence of legal claims.
9. Right to Object to Automated Decision-Making (Art 22)
In basic terms, “Automated Decision-Making” means using a person’s personal information to understand what that person is like and how they behave and to make an automated (i.e. online/computerised) decision as a result of collecting that information. If there is human intervention in the decision, it is not an “Automated” Decision.
For example, if an organisation uses a clocking in/out process and automatically deducts a percentage of salary if an employee is a specified number of minutes late to work, this would constitute an automated decision-making process. If, however, the clocking in/out process takes place but the deduction of salary is decided by the employee’s line manager, it would not constitute an Automated Decision.
The data subject is not entitled to object if the automated decision is necessary for entering into or performance of a contract (for example, a bank carrying out a credit reference check in order to approve a credit card application); or if the decision is authorised by law and there are suitable measures to safeguard the data subject’s rights and freedoms.
What Could Go Wrong?
Failure to properly respond to a request made by a data subject to exercise their rights under GDPR; to provide what they’ve requested; or to implement a suitable process to deal with data subject requests could attract a fine of up to 20 million Euros or 4% of group worldwide turnover.
Breach Notification Policy and Procedure
1. Purpose
1.1
The purpose of this policy is to explain what a breach of GDPR may consist of and to ensure that all staff at Longfield Integrated Care Centre Limited know how to recognise a breach or potential breach, and how they should deal with it.
1.2
To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry.
1.3
To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
• General Data Protection Regulation 2016
• Data Protection Act 2018
2. Scope
2.1
The following roles may be affected by this policy:
• All staff at Longfield Integrated Care Centre Limited who process personal data about other staff, Service Users and other individuals.
2.2
The following people may be affected by this policy:
• Patients
2.3
The following stakeholders may be affected by this policy:
• Family
• Advocates
• Representatives
• Commissioners
• External health professionals
• Local Authority
• NHS
3. Objectives
3.1
This policy will assist with defining accountability and establishing ways of working in terms of Longfield Integrated Care Centre Limited appropriately dealing with breaches of GDPR and any notifications that need to be made as a result of the breach (for example, to the ICO and to affected Data Subjects).
3.2
This policy will encourage GDPR compliance at Longfield Integrated Care Centre Limited by ensuring that breaches of GDPR (and "near misses") are dealt with appropriately by staff and by Longfield Integrated Care Centre Limited's .
3.3
This policy will facilitate the process of dealing with breaches of GDPR which will improve Longfield Integrated Care Centre Limited's compliance with GDPR and will also benefit Data Subjects affected by a breach, including Patients.
4. Policy
4.1
Longfield Integrated Care Centre Limited's , will read and understand this policy and procedure together with the process map set out in the form attached, and will ensure that it adheres to the process map if Longfield Integrated Care Centre Limited breaches GDPR.
4.2
Longfield Integrated Care Centre Limited acknowledges that if its processes differ from those set out in this policy, it will modify them to the extent necessary to reflect its processes and procedures.
4.3
Longfield Integrated Care Centre Limited understands that if it breaches GDPR, it may be required to notify the ICO as well as the Data Subjects who have been affected by the breach. Longfield Integrated Care Centre Limited recognises that failure to report a breach could result in significant fines being imposed on Longfield Integrated Care Centre Limited, as well as reputational damage.
4.4
Longfield Integrated Care Centre Limited recognises that it is reliant on its employees notifying if they breach or think they may have breached GDPR. Longfield Integrated Care Centre Limited will therefore encourage all of its staff to review the policy and understand their obligations in terms of reporting a breach to who is the .
4.5
What is a Breach?
A breach of GDPR is any breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples of a breach may include:
• Sending an email to the incorrect recipient
• Copying rather than blind copying recipients of an email
• Losing a USB device containing personal data
• Leaving a hard copy of personal data (for example, a Patient record or employee file) in an easily accessible area so that details can be viewed or recorded, or the document taken
• Leaving a laptop or documents containing personal data on a train or other public transport; or
• Leaving a cupboard or filing drawer unlocked that contains personal data
Longfield Integrated Care Centre Limited recognises that the above list is by way of example only and is not exhaustive or definitive.
4.6
Longfield Integrated Care Centre Limited will ensure that its staff members understand that if they breach or think they may have breached GDPR, they should immediately notify , who will determine the next steps to take. Longfield Integrated Care Centre Limited understands that, once its employees are aware of a breach of GDPR, Longfield Integrated Care Centre Limited is deemed to be aware of the breach, at which point the 72 hour timescale for notifying the ICO will begin.
5. Procedure
5.1
Process Map Stage 1 - Log breach
Longfield Integrated Care Centre Limited understands that it should maintain a log of breaches. Longfield Integrated Care Centre Limited will also record any potential breaches notified to it by employees or third parties which it determines not to be a breach, setting out its rationale for such a decision. Longfield Integrated Care Centre Limited will record the date of the breach, the date of notification of the breach (i.e. by the relevant employee) and actions taken in respect of the breach, using the process map attached to this policy.
5.2
Stage 2 and 2a - Has the breach resulted in the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data?
Longfield Integrated Care Centre Limited recognises that not every breach of GDPR must be notified to the ICO. For example, there is no requirement to notify the ICO of a failure to respond to a Subject Access Request. Longfield Integrated Care Centre Limited understands that the notification requirements focus on the loss of, or unauthorised access to, personal data. Longfield Integrated Care Centre Limited will therefore consider:
• Whether personal data has been affected by the breach (if, for example, only business data has been disclosed, Longfield Integrated Care Centre Limited understands that GDPR will not apply and there will be no requirement to notify the ICO); and
• Whether the personal data has been destroyed, lost, altered, disclosed or accessed as a result of the breach
Longfield Integrated Care Centre Limited will record information about the breach and decisions taken for future reference. If there has been a security breach (irrespective of whether it requires notification to the ICO), Longfield Integrated Care Centre Limited will consider whether, from a best practice perspective, it will proceed with Stages 4 and 5 to identify the cause of the breach and whether further steps can be taken to prevent further loss and disclosure of data (whether the data is personal data or otherwise).
5.3
Stage 3 - Identify the relevant team to investigate
Longfield Integrated Care Centre Limited anticipates that more than one team or individual may need to be involved or lead the investigation into the breach, and it will ensure that the appropriate people are involved at an early stage in the process.
5.4
Stage 4 - Identify the cause of the breach and whether the breach has been contained
Refer to further information at Stage 5.
5.5
Stage 5 - Take all steps necessary to prevent further loss/disclosure
Longfield Integrated Care Centre Limited understands that the ICO must be notified within 72 hours of Longfield Integrated Care Centre Limited becoming aware of the breach. Longfield Integrated Care Centre Limited will also focus on ensuring that the breach is contained to prevent it worsening prior to notification. Longfield Integrated Care Centre Limited will, where possible, notify the ICO in its initial notification of the steps it has already taken to mitigate the impact of the breach and will record all action it has taken.
5.6
Stage 6 - Identifying if the breach is likely to result in a risk to the rights and freedoms of individuals
Longfield Integrated Care Centre Limited understands that the ICO must be notified of the breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. Longfield Integrated Care Centre Limited recognises that guidance provided by the ICO explains that a breach is likely to result in a risk to the rights and freedoms of individuals if, left unaddressed, it is likely to have a significant detrimental effect on individuals in terms of, for example, discrimination against that individual, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Longfield Integrated Care Centre Limited recognises that if the lost data is business personal data (i.e. individuals’ work email addresses or phone numbers), it is unlikely that such loss will result in a risk to the rights and freedoms of those individuals, particularly if the information is publicly available elsewhere.
5.7
Stage 6a - No need to take further action if response to Stage 6 is negative
Although Longfield Integrated Care Centre Limited may not be required to notify the ICO if there is no risk to the rights and freedoms of individuals, it should take steps to avoid a similar breach occurring in the future, particularly if a similar breach in the future could result in a risk to the rights and freedoms of individuals – see Stage 10.
5.8
Stage 7 – Within 72 hours of becoming aware of the breach, notify ICO
Longfield Integrated Care Centre Limited understands that the ICO has provided a notification template for serious breaches under the Data Protection Act 2018 that should be notified to the ICO, and that the template is likely to be updated by the ICO prior to GDPR coming into force.
Longfield Integrated Care Centre Limited will ensure that any breach notification it submits includes:
The nature of each breach, including the categories and approximate numbers of individuals concerned and the categories and approximate numbers of personal data records concerned
The name and contact details of the Privacy Officer/point of contact for the breach
A description of the likely consequences of the breach; and
A description of measures taken or proposed to be taken to deal with the breach and any measures taken to mitigate effects of the breach
Under the Data Protection Act 2018, the form should be sent to casework@ico.org.uk with “DPA breach notification form” in the subject field or by post to: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Longfield Integrated Care Centre Limited will review the relevant page on the ICO website to check whether the information around breach notification is updated in line with GDPR.
5.9
Stage 8 - Consider whether affected individuals should be notified
Longfield Integrated Care Centre Limited understands that if the breach is likely to result in a “high” risk to the rights and freedoms of individuals, those individuals must be notified directly. Longfield Integrated Care Centre Limited recognises that the threshold is higher than the threshold for notifying the ICO. It should be determined on a case by case basis. Examples may be loss or disclosure of Special Categories of Personal Data, or the potential for significant financial impact. If Longfield Integrated Care Centre Limited is unable to notify affected Data Subjects individually (because, for example, of the number of Data Subjects affected), it will take out a public notice, for example in a national newspaper, informing affected individuals of the breach.
5.10
Stages 9 and 9a - Notify data controller
If Longfield Integrated Care Centre Limited is acting as a data processor rather than a data controller, it will notify the relevant data controller of the breach. Longfield Integrated Care Centre Limited will, if necessary, refer to the guidance note entitled "GDPR - Key Terms" for further information.
5.11
Stage 10 - Check if there is a risk of a future breach occurring
Longfield Integrated Care Centre Limited will have taken possible steps to mitigate the effect of the breach in accordance with Stage 5 above. Longfield Integrated Care Centre Limited will also consider the breach more widely, in particular whether the breach could occur again, and take the steps necessary to prevent such recurrence.
5.12
Stage 11 - Consider whether further internal training or guidance for staff is necessary
If the breach was caused by a member of staff, Longfield Integrated Care Centre Limited will consider how and why the breach happened. Longfield Integrated Care Centre Limited will consider whether further training or guidance would be beneficial, either for the member of staff or for the Organisation more widely.
5.13
Stage 12 - Log all actions and decisions
Longfield Integrated Care Centre Limited will document all decisions taken in respect of any breaches, including whether or not to notify the ICO and/or affected individuals, steps taken to mitigate the breach and steps taken to prevent future recurrence and additional training. Longfield Integrated Care Centre Limited will keep a record of all relevant dates and copies of relevant documents such as the initial report from the relevant member of staff and the notification to the ICO.
5.14
Stage 13 - Action and log any related future correspondence from the ICO
Longfield Integrated Care Centre Limited will record any correspondence it receives from the ICO in respect of breaches and comply with any suggestions and requirements of the ICO.
6. Definitions
6.1
Data Protection Act 2018
The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU's Law Enforcement Directive
6.2
Data Subject
The individual about whom Longfield Integrated Care Centre Limited has collected personal data
6.3
GDPR
General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018
6.4
Personal Data
Any information that identifies a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and Special Categories of Data, defined below
6.5
Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. An organisation does not need to be doing anything actively with the personal data - at the point it collects it, it is processing it
6.6
Special Categories of Data
Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special Categories of Data include but are not limited to medical and health records and care plans (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views
Key Facts - Professionals
Professionals providing this service should be aware of the following:
All staff at Longfield Integrated Care Centre Limited should follow the guidelines set out in this policy to ensure that breaches are dealt with appropriately and in compliance with GDPR
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
Longfield Integrated Care Centre Limited has processes in place to ensure that any breaches of GDPR are appropriately dealt with and the risk to the relevant Data Subject (including Patients) is mitigated
Website Privacy Policy and Procedure
1. Purpose
1.1
The purpose of this policy is to provide a template privacy policy that Longfield Integrated Care Centre Limited can adapt to use on its website. The privacy policy will apply to all users of Longfield Integrated Care Centre Limited's website.
1.2
By using the template privacy policy provided, Longfield Integrated Care Centre Limited will ensure that the policy on its website is GDPR compliant.
1.3
To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry:
1.4
To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
General Data Protection Regulation 2016
Data Protection Act 2018
2. Scope
2.1
The following roles may be affected by this policy:
All staff
2.2
The following people may be affected by this policy:
All Service Users
2.3
The following stakeholders may be affected by this policy:
Family
Advocates
Representatives
Commissioners
External health professionals
Local Authority
NHS
3. Objectives
3.1
The objective of this policy is to enable Longfield Integrated Care Centre Limited to replace its current privacy policy with a privacy policy that is GDPR compliant. If Longfield Integrated Care Centre Limited currently does not have a privacy policy available on its website, this template privacy policy will be adapted and uploaded by Longfield Integrated Care Centre Limited if a privacy policy is required.
3.2
This policy will assist with establishing ways of working in terms of the use, storage, retention and security of personal data and will ensure that all Data Subjects, including Patients, understand the ways in which personal data collected by Longfield Integrated Care Centre Limited via its website is processed.
4. Policy
4.1
Longfield Integrated Care Centre Limited understands that if it operates a website, it may need to update its privacy policy to ensure it is compliant with GDPR. Longfield Integrated Care Centre Limited will use this privacy policy as a template for its updated version. Longfield Integrated Care Centre Limited understands that this privacy policy only needs to be uploaded by Longfield Integrated Care Centre Limited to its website if it collects personal data via its website. Longfield Integrated Care Centre Limited will use the template Fair Processing Notice to inform all other Data Subjects, including Patients, about how Longfield Integrated Care Centre Limited processes personal data other than personal data collected via the website.
4.2
Longfield Integrated Care Centre Limited understands that the form attached to this policy constitutes the template privacy policy. Longfield Integrated Care Centre Limited understands that terms in square brackets are optional (depending on whether they apply to Longfield Integrated Care Centre Limited or not) or require completion by Longfield Integrated Care Centre Limited. Longfield Integrated Care Centre Limited will review the privacy policy in its entirety to determine which elements are applicable to Longfield Integrated Care Centre Limited's website, and which are not relevant.
For example:
If the template privacy policy below refers to personal data that is not collected by Longfield Integrated Care Centre Limited via its website, Longfield Integrated Care Centre Limited will delete references to such personal data
If Longfield Integrated Care Centre Limited's website does not use cookies, Longfield Integrated Care Centre Limited will delete references to cookies and Longfield Integrated Care Centre Limited's cookie policy
If Longfield Integrated Care Centre Limited does not transfer personal data outside of the EEA, Longfield Integrated Care Centre Limited will delete the section entitled "Where we store your personal data"
If Longfield Integrated Care Centre Limited is not required to appoint a Data Protection Officer, Longfield Integrated Care Centre Limited will delete references to the Data Protection Officer or will consider replacing references to the Data Protection Officer with references to Longfield Integrated Care Centre Limited's Privacy Officer or other person nominated to have day-to-day responsibility for data protection and GDPR
If Longfield Integrated Care Centre Limited uses personal data collected via its website in a way that is not described in the privacy policy, it will consider incorporating additional sections
This privacy policy directs users to a webpage with a contact form or contact details if they wish to contact Longfield Integrated Care Centre Limited. Longfield Integrated Care Centre Limited will consider whether to provide an alternative contact method instead, such as an email address and/or phone number. If Longfield Integrated Care Centre Limited has any concerns or queries in respect of the template privacy policy, it will seek legal advice.
5. Procedure
5.1
Longfield Integrated Care Centre Limited will consider whether or not it collects personal data via its website (for example, via enquiry forms, requests to be sent newsletters, requests for provision of services) and whether it needs a privacy policy. Longfield Integrated Care Centre Limited acknowledges that the use of cookies constitutes processing of personal data via the website.
5.2
Longfield Integrated Care Centre Limited will review the template privacy policy. Longfield Integrated Care Centre Limited will adapt the privacy policy before uploading it to its website to ensure that all aspects of the privacy policy are relevant and reflect the ways in which Longfield Integrated Care Centre Limited processes personal data collected via its website. Where Longfield Integrated Care Centre Limited has any concerns or queries in relation to their own Privacy Statement, Longfield Integrated Care Centre Limited will seek legal advice.
5.3
Longfield Integrated Care Centre Limited should use the template Fair Processing Notice that will be provided at a later date to inform all other Data Subjects, including Patients, about how Longfield Integrated Care Centre Limited processes personal data other than personal data collected via the website.
6. Definitions
6.1
Data Subject
The individual about whom Longfield Integrated Care Centre Limited has collected personal data
6.2
Data Protection Act 2018
The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU's Law Enforcement Directive
6.3
GDPR
General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018
6.4
Personal Data
Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, as defined below.
6.5
Process or Processing
Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. Longfield Integrated Care Centre Limited does not need to be doing anything actively with personal data - at the point Longfield Integrated Care Centre Limited collects it, it is processing it
6.6
Special Categories of Data
Has an equivalent meaning to "Sensitive Personal Data" under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services), care plans and information about a person's religious beliefs, ethnic origin and race, sexual orientation and political views
6.7
Cookies
Cookies are small files which are stored on a user's computer. They are designed to hold a modest amount of data specific to a particular client and website and can be accessed either by the web server or the client's computer
Key Facts - Professionals
Professionals providing this service should be aware of the following:
The privacy policy applies to personal data collected via Longfield Integrated Care Centre Limited's website
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
Personal data provided to Longfield Integrated Care Centre Limited via its website will be processed in accordance with Longfield Integrated Care Centre Limited's privacy policy
Website Privacy Statement
We are Longfield Integrated Care Centre Limited, a [company] incorporated in [England and Wales] [Scotland]. Our company number is [insert registered company number] and our registered address is ("Longfield Integrated Care Centre Limited" / "we" / "our" / "us"). We are committed to ensuring that your privacy is protected. We will continue to comply with the provisions of the Data Protection Act (“DPA”) until 25 May 2018, after which we will comply with the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) unless and until the GDPR is no longer directly applicable in the UK, together with any national implementing laws, regulations and secondary legislation as amended or updated from time to time in the UK, and any successor legislation to the GDPR and the DPA (together “Data Protection Legislation”). We are the data controller of data you pass to us pursuant to this policy. Our Data Protection Officer can be contacted at [insert email address for DPO. If there is no DPO, delete reference to them]. This Privacy Policy [together with our website terms and conditions and cookie policy] sets out how we collect personal information from you and how the personal information you provide will be processed by us. By visiting the website at [Insert hyperlink] (the “Website”) you are accepting and consenting to the practices described in this Privacy Policy. If you do not consent, please do not submit any personal data to us.
What information does Longfield Integrated Care Centre Limited hold and how will we use it?
Information you give Longfield Integrated Care Centre Limited: You may give us information about you by completing enquiry forms on the website or by requesting via the website that we send you marketing information [or [insert any other reason for which a person may upload their personal data to the website]. The information you give us may include your name, email address, address/location and phone number [if there are any other types of personal data that Longfield Integrated Care Centre Limited collects via the website, add them to this list. This does not include all personal data processed by Longfield Integrated Care Centre Limited but only personal data it collects through its website]. We will retain this information while we are corresponding with you or providing services to you or to a Patient you represent. We will retain this information for [insert the relevant retention period for the types of personal data listed above. If it is not possible to insert the retention period, explain the criteria Longfield Integrated Care Centre Limited uses for determining how long it will retain the personal data. Refer to the Records Management Code of Practice for Health and Social Care if required].
Information Longfield Integrated Care Centre Limited collects about you: Longfield Integrated Care Centre Limited may collect the following information from you when you visit the website:
Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from the website (including date and time), products you viewed or searched for, page response times, website errors, length of visits to certain pages, page interaction information, methods used to browse away from the page and any phone number used to call our helpline
We retain this information for [insert the relevant retention period for the types of personal data listed above. If it is not possible to insert the retention period, explain the criteria Longfield Integrated Care Centre Limited uses for determining how long it will retain the personal data].
Information we receive from other sources: This includes information we receive about you when you use other websites operated by us or other services we provide. This information may include your name, email address, postal address and phone number. We will retain this information for [insert the relevant retention period for the types of personal data listed above. If it is not possible to insert the retention period, explain the criteria Longfield Integrated Care Centre Limited uses for determining how long it will retain the personal data].
Cookies
The Website uses cookies to distinguish you from other users of the website. For detailed information on the cookies we use and the purposes for which we use them, please see our cookie policy [insert hyperlink to cookie policy].
Use Made of the Information
Longfield Integrated Care Centre Limited may use the information we receive and/or collect about you to:
Fulfil our obligations under any contract we have entered into with you or with a Patient you represent, and to provide you or the relevant Patient with information or services you or the Patient has requested
Send you newsletters and marketing information if you have consented to us doing so
Notify you of products and services we feel may interest you, or permit third parties to do so if you have provided the appropriate consent
Monitor website usage and provide statistics to third parties for the purposes of improving and developing the website and the services we provide via the website
Longfield Integrated Care Centre Limited processes personal information for certain legitimate business purposes, which include some or all of the following:
Where the processing enables Longfield Integrated Care Centre Limited to enhance, modify, personalise or otherwise improve the website, its services or communications
To identify and prevent fraud
To enhance the security of Longfield Integrated Care Centre Limited's network and information systems
To better understand how people interact with Longfield Integrated Care Centre Limited's websites
To administer the website and carry out data analysis, troubleshooting and testing; and
To determine the effectiveness of promotional campaigns and advertising
If we obtain consent from you to do so, we may provide your personal details to third parties so that they can contact you directly in respect of services in which you may be interested. Where we are processing personal data we have obtained via the website on the basis of having obtained consent from you, you have the right to withdraw your consent to the processing of your personal data at any time. If you would like to withdraw your consent or prefer not to receive any of the above-mentioned information (or if you only want to receive certain information from us) please let us know by contacting us via the following webpage [insert link to webpage]. Please bear in mind that if you object, this may affect our ability to carry out the tasks above for your benefit. If you wish to have your information removed from our database or if you do not want us to contact you for marketing purposes, please let us know by clicking the "Unsubscribe" option in any email we send to you and providing the details requested or by contacting us via the following webpage [insert webpage link] and we will take steps to ensure that this information is deleted as soon as reasonably practicable. We will not share, sell or distribute any of the information you provide to us (other than as set out in this policy) without your prior consent, unless required to do so by law.
Third Party Sites
Our website may contain links to third party websites, including websites via which you are able to purchase products and services. They are provided for your convenience only and we do not check, endorse, approve or agree with such third-party websites nor the products and/or services offered and sold on them. We have no responsibility for the content, product and/or services of the linked websites. Please ensure that you review all terms and conditions of website use and the Privacy Policy of any such third-party websites before use and before you submit any personal data to those websites.
How Safe is your Information?
Where we have given you (or where you have chosen) a password which enables you to access certain parts of the website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Protecting your security and privacy is important to us and we make every effort to secure your information and maintain your confidentiality in accordance with the terms of the Data Protection Legislation. The website is protected by various levels of security technology, which are designed to protect your information from any unauthorised or unlawful access, processing, accidental loss, destruction and damage. We will do our best to protect your personal data but the transmission of information via the Internet is not completely secure. Any such transmission is therefore at your own risk.
Disclosure of your Information
We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006. We may share your information with selected third parties including:
Business partners, suppliers and sub-contractors for the performance of any contract we enter with them or you
Third parties who may wish to contact you in respect of services or products they offer or sell which may be of interest to you, provided we receive your consent to such disclosure; and/or advertisers and advertising networks that require the data to select and serve relevant adverts to you and analytics and search engine providers that assist us in the improvement and optimisation of the website
Please note we may need to disclose your personal information where we:
Sell any or all our business or assets or we buy another business or assets, in which case we may disclose your personal data to the prospective buyer or seller
Are under a legal duty to comply with any legal obligation or to enforce or apply our terms and conditions; or
Need to disclose it to protect our rights, property or the safety of our customers or others, including the exchange of information with other companies, organisations and/or governmental bodies for the purposes of fraud protection and credit risk reduction
Where we Store your Personal Data
[if Longfield Integrated Care Centre Limited does not transfer personal data outside the EEA, this policy entry can be deleted]. The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") to [insert the reasons why personal data is transferred outside the EEA, for example, because it is hosted on a server outside the EEA]. By submitting your personal data, you agree to this transfer, storing or processing. Longfield Integrated Care Centre Limited will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. If a finding of adequacy hasn't been made by the EC Commission in respect of the country to which the data is transferred, we will only transfer it where there are appropriate safeguards in place, including the use of EU standard contractual clauses or an intragroup agreement.
Your Rights in Respect of your Data
If any of the information you provide to us via the website changes, please let us know as soon as possible so that we can make the necessary changes to the information we hold for you on our database. If you wish to make any changes to your information, please contact us via the following webpage [insert webpage link]. If you wish to access or rectify the information we hold about you, or request that such information be transmitted directly to another data controller, please contact us via the following webpage [insert webpage link]. We shall process your request to access your information within one month of receipt, or we'll let you know within that timeframe if we need more information from you. We will process your request free of charge.
To request that your information is deleted or if you wish to restrict or object to the processing of your information, please contact us via the following webpage [insert webpage link]. If you have any complaints about our use of your personal data, please contact us. You also have the right to complain to the relevant supervisory authority in your jurisdiction. In the UK, the supervisory authority is the Information Commissioner's Office. Contact details for the ICO can be found at https://ico.org.uk/.
If you have any further queries or comments on our Privacy Policy, please contact us via the following webpage [insert webpage link] or you can contact us by emailing [insert email address]. We also welcome your views about our website and our Privacy Policy.
Consent Authorisation Policy and Procedure
1. Purpose
1.1
To ensure that Longfield Integrated Care Centre Limited seeks consent from the Data Subject in a way that is GDPR compliant.
1.2
To ensure that when Longfield Integrated Care Centre Limited seeks to obtain consent, Longfield Integrated Care Centre Limited follows the Mental Capacity Act and Code of Practice where Patients lack capacity.
1.3
To support Longfield Integrated Care Centre Limited in meeting the following Key Lines of Enquiry:
1.4
To meet the legal requirements of the regulated activities that Longfield Integrated Care Centre Limited is registered to provide:
Mental Capacity Act 2005
Mental Capacity Act Code of Practice
General Data Protection Regulation 2016
Data Protection Act 2018
2. Scope
2.1
The following roles may be affected by this policy:
All staff
2.2
The following people may be affected by this policy:
Patients
2.3
The following stakeholders may be affected by this policy:
Family
Advocates
Representatives
Commissioners
External health professionals
Local Authority
NHS
3. Objectives
3.1
The objective of this policy is to ensure that Longfield Integrated Care Centre Limited obtains appropriate and GDPR compliant consent from Data Subjects, including Patients, where consent is necessary.
4. Policy
4.1
Longfield Integrated Care Centre Limited understands that it may be able to rely on a ground other than consent under GDPR, such as legitimate interest, fulfilment of a contract, or the processing of special categories of data for the provision of health or social care or treatment or the management of health or social care systems and services. Longfield Integrated Care Centre Limited will review the guidance note entitled "GDPRG04 - Processing Personal Data" for more information about the grounds for processing under GDPR.
4.2
Longfield Integrated Care Centre Limited understands that if it is required to seek consent from Data Subjects, including Patients, such consent should be freely given and Longfield Integrated Care Centre Limited should clearly explain the processing that it intends to carry out in respect of the personal data.
4.3
Longfield Integrated Care Centre Limited understands that under GDPR consent has to be:
Explicit - consent requires a very clear and specific statement of consent
Separate from other terms and conditions
Specific and ‘granular’ so that Longfield Integrated Care Centre Limited gets separate consent for separate things. Vague or blanket consent is not enough
4.4
Longfield Integrated Care Centre Limited understands that it should take extra care when processing personal data about children. Longfield Integrated Care Centre Limited recognises that GDPR does not specify an age at which children are deemed to be able to consent to their personal data being processed under GDPR (except where online services are being provided to a child, in which case a child can provide their consent at the age of 13). Longfield Integrated Care Centre Limited will keep track of the Data Protection Bill, which may specify ages at which children are deemed to be able to consent to their personal data being processed in the UK.
4.5
If Longfield Integrated Care Centre Limited processes personal data about children, it will consider whether the Data Protection Bill has been passed and, if so, whether it includes provisions relating to the age at which children are able to consent to their personal data being processed. Longfield Integrated Care Centre Limited shall seek consent in line with any relevant provisions in the Data Protection Bill and shall ensure that the ways in which it obtains consent from a child are appropriate. For example, Longfield Integrated Care Centre Limited will obtain consent using language that is appropriate and easily understood by the child, taking into account the child's age and ability and the type of personal data being processed.
5. Procedure
5.1
Longfield Integrated Care Centre Limited will use the template forms provided if Longfield Integrated Care Centre Limited determines that it is required to seek consent from Data Subjects, including Patients, to process their personal data under GDPR. If Longfield Integrated Care Centre Limited is uncertain as to whether consent is necessary or it is able to rely on an alternative ground, it will seek further advice.
5.2
Longfield Integrated Care Centre Limited will ensure it uses the appropriate form, bearing in mind whether the Data Subject has capacity or lacks capacity.
5.3
Longfield Integrated Care Centre Limited will ensure that, where children's services are provided or activities are undertaken where children might be present or involved, parental/guardian consent is obtained in advance. This would include situations such as social events where photographs might be taken.
6. Definitions
6.1 Data Subject: The individual about whom Longfield Integrated Care Centre Limited has collected personal data.
6.2 GDPR: The General Data Protection Regulation 2016. It will replace the Data Protection Act 2018 from 25 May 2018 as the law that governs data protection in the UK. It will come into force in the UK via the Data Protection Bill.
6.3 Personal Data: Any information about a living person, including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below.
6.4 Process or Processing: Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data: at the point you collect it, you are processing it.
6.5 Special Categories of Data: Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views.
6.6 Data Protection Bill: The Data Protection Act 2018, which will implement GDPR in the UK.
Key Facts - Professionals
Professionals providing this service should be aware of the following:
Personal data is any information that identifies someone or, in some cases, information that is about a person, such as an opinion. It includes someone's name, email address, postal address, job role, photographs and CCTV. More sensitive personal data includes types of information such as medical and health records, care plans, information about religious beliefs, origin and race, and someone's sexual orientation or political views.
The forms attached to this policy should be used if consent needs to be obtained from a Data Subject, including Patients
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
This form will be used by Longfield Integrated Care Centre Limited to obtain your consent to Longfield Integrated Care Centre Limited processing your Personal Data where consent is required under GDPR.