Data Protection / GDPR / Policy and Procedure
To meet the legal requirements of the regulated activities that Believe & Achieve Support Ltd. is registered to provide. To detail the rights of Service Users relating to confidentiality and data protection and issues that staff need to be aware of when processing confidential information within Believe & Achieve Support Ltd. This Policy relates to Data Protection, Information Governance, Data Quality and Security and the Human Rights of Service Users and dovetails to form a framework that ensures full legal compliance and best practice.
- The Health and Social Care (Safety and Quality) Act 2015
- The Care Act 2014
- Freedom of Information Act 2000
- Human Rights Act 1998
- Data Protection Act 2018
Purpose of Data Processing
Believe & Achieve Support Ltd. has a valid lawful basis in order to process personal data. The lawful bases for processing are set out in Article 6 of the GDPR. Believe & Achieve Support Ltd’s basis for data processing is covered by Article 6 as follows:
(a) Consent: the individual has given clear consent for Believe & Achieve Support Ltd. to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked Believe & Achieve Support Ltd. to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for Believe & Achieve Support Ltd. to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for Believe & Achieve Support Ltd. to perform a task in the public interest or for Believe & Achieve Support Ltd’s official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for Believe & Achieve Support Ltd.’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Believe & Achieve Support Ltd. recognises that we have a duty of confidentiality to our Service Users and staff. We believe that respecting an individual’s right to a private life, which includes confidentiality, is important in ensuring a trusting, caring environment where both Service Users and staff are confident that information about them will be protected safely and not shared inappropriately or unnecessarily. It is the policy of Believe & Achieve Support Ltd. that we will only share information that is in the best interest of the Service Users and with their consent. We aim to comply with the relevant legislation and include the 7 Caldicott Principles.
- All staff will ensure that all Service User information remains confidential. Service Users have the right to expect that personal information held about them is not accessed, used or disclosed improperly
- The same duty of confidentiality applies to personal information about staff with the exception of names and job titles. Information about Directors, which is published, and therefore is a matter of public record, is also excepted
- All staff have the individual responsibility for ensuring that they conform to the Caldicott principles, Data Protection Act (DPA) 2018 and Article 8 Human Rights Act (HRA) 1998
- Staff must not inappropriately access, misuse or share any information or allow others to do so. Staff are personally liable for deliberate or reckless breaches of the DPA 2018 and may be liable to disciplinary action and/or prosecution
- Any personal information given or received in confidence for one purpose may not generally be used for a different purpose, or passed to anyone else without the consent of the provider of the information
- Confidential information will not be used for a different purpose or passed on to anyone else without the consent of the information provider
- There may be occasions when it could be detrimental to the Service User or to another individual if this principle is strictly adhered to
- There is a recognition that breaches of confidence are often unintentional. They are often caused by staff conversations being overheard, by files being left unattended, or by poor computer security. However, the consequences could be equally serious for all concerned
- Believe & Achieve Support Ltd. will ensure that personally identifiable information will always be held securely and, when used, treated with respect. This rule will apply regardless of where the information is held
- We respect that a Service User’s right to privacy and confidentiality continues after they have died
- All information regarding the Service Users we support will be treated with respect and integrity
- We will be transparent in our approach to ensure that anyone associated with Believe & Achieve Support Ltd. (whether Service User, staff or visitor) is fully aware of how, what, when, who and why we share any information about them, and source their agreement before doing so
To summarise: Confidentiality Dos and Don’ts
Dos
- Do safeguard the confidentiality of all person identifiable or confidential information that you come into contact with. This is a statutory obligation on everyone working for or on behalf of Believe & Achieve Support Ltd.
- Do clear your desk at the end of each day, keeping all non-digital records containing person identifiable or confidential information in recognised filing and storage places that are locked at times when access is not directly controlled or supervised
- Do switch off computers with access to person identifiable or business confidential information, or put them into a password-protected mode if you leave your desk for any length of time
- Do ensure that you cannot be overheard when discussing confidential matters
- Do challenge and verify, where necessary, the identity of any person who is making a request for person identifiable or confidential information and ensure that they have a need to know
- Do share only the minimum information necessary
- Do transfer person identifiable or confidential information securely
- Do seek advice if you need to share Service User/person identifiable information without the Service User’s/identifiable person’s consent, and record the decision and any action taken
- Do report any actual or suspected breaches of confidentiality
- Do participate in induction, training and awareness raising sessions on confidentiality issues
Don’ts
- Don’t share passwords or leave them lying around for others to see
- Don’t share information without the consent of the person to whom the information relates, unless there are statutory grounds to do so
- Don’t use person identifiable information unless absolutely necessary, and anonymise the information where possible
- Don’t collect, hold or process more information than you need, and do not keep it for longer than necessary
Roles and Responsibilities – Service Manager
- Ensuring that systems and processes are in place for the security of records and they are reviewed to ensure that they remain fit for purpose
- Ensuring that all staff understand this policy at the start of employment and that its importance is reiterated during supervision or team meetings
- Ensuring that staff have received the appropriate training and are competent in their role
- Reviewing, monitoring and auditing practice within Believe & Achieve Support Ltd. to ensure that staff remain knowledgeable
- Acting on any breaches in confidentiality in a timely manner and notifying the appropriate bodies
- Ensuring that confidentiality rules are never used as a barrier to sharing appropriate information and fulfilling Duty of Candour obligations
Roles and Responsibilities – All staff will ensure the following:
- That information received is effectively protected against improper disclosure when it is received, stored, transmitted and disposed of
- That confidential information is only accessed if it is appropriate to the job you undertake
- That every effort is made to ensure that Service Users understand how information about them will be used before they supply any confidential information
- That when Service Users give consent to the disclosure of information about them, they understand what will be disclosed, the reasons for disclosure and the likely consequence/s
- That Service Users understand when information about them is likely to be disclosed to others, and that they have the opportunity to withhold their permission
- If disclosing information outside the team that could have personal consequences for a Service User, that consent is obtained from the Service User
- If the Service User withholds consent, or if consent cannot be obtained for whatever reason, disclosures may be made only where:
  - They can be justified in the public interest (usually where disclosure is essential to protect the Service User or someone else from the risk of significant harm)
  - They are required by law or by order of a court
- If required to disclose confidential information, staff will only release as much information as is necessary for the purpose
- That the person(s) to whom information is disclosed understands that it is given to them in confidence which they must respect
- When disclosing confidential information, staff must be prepared to explain and justify the decision. Where there are doubts, they will discuss them with Aimie Wolohan
- Queries concerning this policy will be brought to the attention of Aimie Wolohan
- During the induction period for new staff, they will be made aware of this policy and their individual responsibilities
Staff should refer to the Fair Processing Notice Templates and the Fair Processing Notice Policy and Procedure for further information that details how information is processed within Believe & Achieve Support Ltd.
Believe & Achieve Support Ltd. will detail with transparency how confidentiality is managed with Service Users, employees and others at the earliest opportunity and seek their agreement, e.g. through existing systems such as recruitment and the pre-assessment process.
Information sharing between partners directly involved in a Service User’s Support, and for the purpose of providing that Support, is essential to good practice.
Consent from the Service User for information sharing must be recorded following a discussion with the Service User or, in the absence of capacity to consent, their designated other.
The principles of sharing information are:
- Only information that needs to be shared
- Only with those who have a clear need to know, and
- There is a lawful basis for sharing information
General Principles of Confidentiality – Staff will:
- Be aware that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately
- Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared and will seek their agreement unless it is unsafe or inappropriate to do so
- Seek advice from Aimie Wolohan if they are in any doubt, without disclosing the identity of the person where possible
- Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. Staff may still share information without consent if, in their judgment, that lack of consent can be overridden in the public interest
- Consider safety and wellbeing: Staff must base information sharing decisions on considerations of the safety and wellbeing of the person and others who may be affected by their actions
Necessary, proportionate, relevant, accurate, timely and secure:
- Ensure that the information shared is necessary for the purpose for which it is being shared, is shared only with those people who need to have it, is accurate and up to date, is shared in a timely fashion, and is shared securely
- Staff must keep a record of any decision and the reasons for it (to include what has been shared, with whom and for what purpose), and for a decision not to share
- All information regarding the people we support will be treated with respect and integrity
- In general, no information may be disclosed either verbally or in writing to other persons without the Service User’s consent. This includes family, friends and private carers, and other professionals
- If in doubt, staff will consult the Line Manager or Aimie Wolohan, Service Director
- Conversations relating to confidential matters affecting Service Users will not take place anywhere that they may be overheard by others, i.e. in public places such as supermarkets, corridors or communal areas
- Written records and correspondence must be kept securely at all times when not being used by a member of staff. Timesheets, rotas, etc. must not be left in unattended vehicles
- Staff must not disclose any information that is confidential or that, if it were made public, may lead to a breakdown in the trust and confidence that the Service User and their families have in Believe & Achieve Support Ltd.
Safeguarding and Confidentiality
Where safeguarding issues arise and in order to fully understand what has gone wrong, Safeguarding Boards may ask for information to be shared. Decisions about who needs to know and what needs to be known should be taken on a case by case basis, within locally agreed policies and the constraints of the legal framework. However:
- Staff must verify the identity of the person requesting the information whilst establishing if it can be anonymised (refer to 8)
- Information will only be shared on a ‘need to know’ basis when it is in the interests of the adult
- Confidentiality must not be confused with secrecy
- Informed consent should be obtained but, if this is not possible and other adults are at risk of abuse or neglect, it may be necessary to override the requirement
- It is inappropriate for Believe & Achieve Support Ltd. to give assurances of absolute confidentiality in cases where there are concerns about abuse, particularly in those situations when other adults may be at risk
Rights of those that use the service
The law gives rights to individuals to be informed about how their data will be processed, a right to have inaccurate data corrected or removed, to restrict processing in some circumstances, to withdraw their data from automatic decision making and the right to complain about how their data has been processed. Complaints regarding data protection issues should be sent to the Data Protection Officer, not the Council’s Complaints department as there are strict time scales on the time for responses.
All Service Users may view personal information we hold about them. Local and health authorities are not required to give access to information that is ‘hurtful’ or ‘that would breach the confidentiality of another Service User’. The policy of Believe & Achieve Support Ltd. is to record information in a way that, as far as possible, avoids a need for this exclusion. If a Service User believes their right to confidentiality is either being breached or undermined, they must have access to the complaints procedure at Believe & Achieve Support Ltd. Staff should refer to the Subject Access Requests Policy and Procedure for further details.
Rights of all Staff
All staff may view personal information held by Believe & Achieve Support Ltd. that relates to them, by applying in writing to their Line Manager or Service Manager.
Data Security and Quality
- Any record that contains information about an individual must remain confidential unless it is in the public domain. All records must be factual and not include the personal opinions of the person writing the records. Staff should refer to the Record Keeping Policy and Procedure for further details
- Reproduction of information relating to a Service User (for example photocopying documents) will only be done with the consent of the Service User
- Confidential information to be posted must be marked ‘Private & Confidential, for the attention of the addressee only’, and sent by recorded/special delivery
Staff should refer to the guidance contained in the Forms section of this policy for best practice and requirements for data security. However, as a minimum:
- Information held within Believe & Achieve Support Ltd. will not be shown to unauthorised individuals or be left where unauthorised personnel may access it. All records must be kept in a lockable cabinet in a lockable office, with restricted access
- All written records must be kept securely and only disposed of by shredding, after appropriate timescales. Staff must take care when recording personal identifiable information into personal notebooks or paper during shift handover and ensure the safekeeping and destruction of the information
- Any employee who breaches this policy may be subject to disciplinary procedures
Physical Location and Security
- Unauthorised staff or members of the public must not be able to gain access to person-identifiable information
- Person-identifiable information will be held in rooms that conform to health and safety standards in terms of fire safety and safety from flood, theft or environmental damage
- Paper records containing person-identifiable information must be stored in locked filing cabinets
- Computers must not be left on view or be accessible by unauthorised persons. Computers must have a secure screen saver function and be switched off when not in use
- Equipment such as fax machines must have a password and be switched off outside office hours if situated in a non-secure area
Staff are not permitted to discuss the people who use our services, other employees past or present, or Believe & Achieve Support Ltd. on any social networking site as this may breach confidentiality and bring Believe & Achieve Support Ltd. into disrepute. Staff must also be aware that this applies to taking and posting photographs of Service Users.
In accordance with the Data Protection Act 2018, Believe & Achieve Support Ltd. will ensure that any records containing data on people are kept securely. Believe & Achieve Support Ltd. will ensure that:
- any paper filing system is lockable
- any electronic records are password and virus protected
- only those people who need to use the data have access to it.
Information must be kept for no longer than is necessary. There are specific rules and guidance about the length of time you should keep personnel and other related records.
Believe & Achieve Support Ltd. will keep the information, either in hard copy or electronically, in respect of each contractor. Believe & Achieve Support Ltd. will seek copies of indemnity insurance and DBS checks where appropriate.
To ensure its compliance with the Data Protection Act 2018 and GDPR, Believe & Achieve Support Ltd. will:
- carry out a data audit to understand the data lifecycle within the organisation, including identifying what data the organisation processes, how the data is processed and how long data is retained for
- have a clear retention policy for handling personal data and ensure it is not held for longer than is necessary
- ensure that all staff are aware of the retention policy and follow it
- have a lawful basis for acquiring and/or using any personal data
- inform employees, workers, consultants and job applicants of their rights as data subjects through a privacy notice which can be provided to each individual.
- Alternatively, communicate to all individuals the location of this notice (e.g. the organisation’s website)
- respond to subject access requests from individuals (sometimes called personal data requests) within one month.
- inform the ICO within 72 hours if there is a personal data breach that is likely to result in a risk to the rights and freedom of an individual, and, if the risk is deemed to be high, also inform the individual concerned.
- review whether additional measures are required to secure data where the data is shared outside of the EEA.
- Believe & Achieve Support Ltd. is registered with the Information Commissioner’s Office.
- Believe & Achieve Support Ltd. has appointed a data protection officer, Louise Alsop, who can communicate and monitor the organisation’s GDPR data protection policy.
Contracts must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the controller’s obligations and rights.
Contracts must also include specific terms or clauses regarding:
- processing only on the controller’s documented instructions;
- the duty of confidence;
- appropriate security measures;
- using sub-processors;
- data subjects’ rights;
- assisting the controller;
- end-of-contract provisions; and
- audits and inspections.
Contractors are required to provide proof of professional indemnity insurance prior to commencing any work for Believe & Achieve Support Ltd. An indemnity is a primary obligation; it does not depend on having to prove a breach of a contractual obligation.
- An indemnity will typically be triggered by losses being incurred, without the need to prove any “fault”. This can also avoid rules around causation and mitigation, which can otherwise make recovery more problematic.
- If the scope of the indemnity is wide, it can allow fuller recovery of losses such as legal and other related costs than would be possible for a breach of contract claim; the parties can also choose to quantify prospective losses upfront to give greater certainty.
- The ability to pursue losses as a crystallised debt can also make recovery more straightforward in practice: indemnity claims are seen as more difficult to resist and payments are more likely to be made by an indemnifying party under an indemnity without the need for legal proceedings to be initiated.
Believe & Achieve Support Ltd. considers itself to be a controller. We may from time to time ask other businesses that we consider to be processors for “Processor Contracts”, as Believe & Achieve Support Ltd. believes it has a controller–processor relationship with them. This relationship is governed by Articles 28 and 29 of the General Data Protection Regulation (“GDPR”).
“Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”;
“Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”; and
“Recipient – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not”.
What responsibilities and liabilities do controllers have when using a processor?
Controllers must only use processors that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing will meet GDPR requirements and protect data subjects’ rights.
Controllers are primarily responsible for overall compliance with the GDPR, and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
What responsibilities and liabilities do processors have in their own right?
In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR. If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
A processor may not engage a sub-processor’s services without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between the controller and processor. Processors remain liable to the controller for the compliance of any sub-processors they engage.
GDPR adds further detail by stating that where a controller has engaged a Processor to carry out processing on its behalf the Processor cannot engage another processor (e.g. as sub-contractor) without the prior written consent of the controller; that such processing shall be governed by a contract that binds the Processor to carry out only the processing required by the controller, and nothing else; and GDPR stipulates what must be included in the contract. In summary: when the processing is being carried out for Believe & Achieve Support Ltd. the Processor can only process in the way that it is contractually bound to, and the Processor has no right to process the data in any other way. It has no discretion.
Believe & Achieve Support Ltd. will ensure that all staff receive Data Protection training as part of their induction and training programme. All staff will receive an annual update. The Service Manager is responsible for arranging training and ensuring that staff are aware of the course date and time.
Mandatory training topics for staff of Believe & Achieve Support Ltd.:
- Safeguarding – Adults and Children
- Child Protection
- Infection Prevention and Control
- Data Protection / GDPR
- Health and Safety
- Mental Capacity
- Equality and Diversity
- Management of Actual and Potential Aggression
- Awareness of Mental Health
- Food Hygiene
- Deprivation of Liberty Safeguards