Policy On The Data Protection Act 2018
This Policy defines the arrangements in place within the RCS (as an Organisation) that assure compliance with the requirements of the Data Protection Act 2018, as relevant to the Organisation’s business interests. This Policy should be read in conjunction with Policy No 1016 on the General Data Protection Regulation (GDPR).
A. Introduction
- The Data Protection Act 2018 addresses certain requirements for all Organisations that collect and process personal data as part of their on-going business operations. Personal data is defined as any information relating to an “identifiable living individual”, and will therefore apply to the Organisation’s service users, employees and suppliers.
- The Data Protection Act 2018 applies to any data recorded in a filing system that allows personal data to be easily accessed.
- The Data Protection Act 2018 applies to records kept in hard copy (paper) format, and as computer / biometric files.
B. Principles of Data Protection
- The way in which the Organisation handles and manages service user information will conform to the following 6 information management principles, with reference to the GDPR:
  - Justify the purpose(s) of using confidential information;
  - Only use it when absolutely necessary;
  - Use the minimum that is required;
  - Access should be on a strict need-to-know basis;
  - Everyone should understand his or her responsibilities;
  - Understand and comply with the law.
- The Organisation is committed to the enforcement of the following GDPR Code of Good Practice in relation to the data it retains on service users and employees. In summary, data will:
  - be fairly and lawfully processed;
  - be used for a limited and well-explained purpose;
  - be relevant to the Organisation’s needs;
  - not be unnecessarily excessive in detail;
  - be accurately maintained;
  - not be kept any longer than is necessary, or required by law;
  - only be used in accordance with the individual subject’s rights;
  - be securely stored;
  - only be made available to authorised persons (see section C.4 of this Policy).
In this respect the following additional policies within the Organisation’s documentation system are relevant:
- Policy No 1008: Confidentiality Policy
- Policy No 1016: GDPR Policy
- Policy No 1018: Data Breach Policy
- Policy No 1019: Subject Access Request (SARs) Policy
- Policy No 1020: Cybersecurity Policy
C. Policy Details
- The Organisation will require written consent from the subject individual in order for personal data to be collected and processed. In this respect it will be taken that consent is implied through the following:
  - Service users – by the service user accepting the Contract for Care, which is signed by the service user or authorised representative. In order for the Organisation to develop an appropriate Plan of Care, personal details must be divulged and kept on record.
  - Employees – by completing the Job Application Form at the onset of employment, and where the employee has not registered an objection to their data being used.
- Registration under the Data Protection Act 2018 – as a fundamental requirement the Organisation will check with the Data Commissioner as to whether the type of personal data held on service users and employees requires a formal registration to be in place.
- All individuals, service users and employees, have the right of access to manual and computerised records concerning their personal data.
- Where it is deemed necessary to divulge personal data to a third party, this will only be done with the express permission of the individual subject (ref. Policy No 1008, Confidentiality Policy). In this respect both staff and service users / relatives / advocates will also be advised that personal information held by the Organisation may be shared with the Registration / Regulating Authority, as appropriate.
- Personal data and records will be maintained under appropriate conditions of security to prevent any unauthorised or accidental disclosure. Records can be hard copy (paper) format and electronic (word processed, scanned PDF, and biometric format) files. In each case Policy No 1104 refers, and particular attention is paid to the following aspects of records storage:
  - Hard Copy (paper) files:
    - location of storage;
    - identification of those employees authorised to have access;
    - responsibilities for secure storage;
    - retention times, i.e. how long records are kept (archived);
    - methods of disposal of outdated sensitive documents (cross-cut shredding / incineration).
  - Electronic (computer) files:
    - responsibilities for implementing security systems for computer files;
    - encryption / password protection for access to sensitive data files;
    - who is authorised to have knowledge of these passwords;
    - how often encryption keys / passwords are changed;
    - implications for networked systems;
    - how long records are kept;
    - back-up, control and management of what are essentially copies of personal data.
- When personal data is being processed, administrative staff will take all reasonable precautions to prevent access to data by unauthorised persons:
  - Record files are locked away when not in use.
  - Where practical, VDU screens should be tilted towards the user and away from the general office environment.
  - VDUs are not left on when not in use.
  - Manage a “clear desk” policy for personal office housekeeping.
  - Ensure that confidential conversations are not overheard.
  - Ensure information is transported securely.
  - Ensure that sensitive data is encrypted / password protected.
Date policy completed: 01/02/2024
Annual Review date: 01/02/2025