A03b Data protection and subject access procedure for managers
This document is provided to Carers Trust Mid Yorkshire (now referred to as ‘the organisation’) as a Network Partner of Carers Trust.
Table of Contents
TERMS USED
DATA PROTECTION OFFICER AND CALDICOTT GUARDIAN
RESPONSIBILITIES OF MANAGERS
HANDLING / STORAGE OF INFORMATION IN OFFICE SETTING
TRANSFER / TRANSMISSION OF INFORMATION
DATA SECURITY BREACHES
PHOTOGRAPHS, AUDIO RECORDINGS AND VIDEO RECORDINGS
USE OF SOCIAL NETWORKING (for example Facebook, Twitter, YouTube)
DATA RETENTION / ARCHIVING
SUBJECT ACCESS
DATA DISPOSAL
LEARNING AND DEVELOPMENT
APPENDIX 1 Definitions
APPENDIX 2 Consent under GDPR
APPENDIX 3 Principles of GDPR / Caldicott principles
APPENDIX 4 Lawful processing under GDPR
APPENDIX 5 Fair processing information
APPENDIX 6 Rights of data subject
APPENDIX 7 Contracts with external providers
APPENDIX 8 Response procedures to data subject requests
1.1 This procedure sets out how the organisation will handle service user data. The contents are relevant to all its staff and volunteers and should be read in conjunction with the confidentiality and disclosure procedure (D05b).
1.2 The intended outcome of this document is to ensure that the organisation collects, processes, maintains, stores, discloses and disposes of personal data about living individuals in line with legislative requirements, no matter how information is held.
1.3 In relation to subject access, this document applies where:
- an individual asks to see personal information held by the organisation about them (subject access request)
- an individual asks a third-party representative to view information held about them on their behalf
- a person is lawfully appointed to act on an individual’s behalf (for example by Power of Attorney, Court of Protection Order) and asks to view their information
- a parent / legal guardian / person with parental responsibility asks to view information held on a child for whom they are responsible.
1.4 Where an independent, third-party individual or agency seeks to obtain access to personal data held by the organisation about a service user (termed ‘data sharing’ by the Information Commissioner’s Office), please refer to the confidentiality and disclosure policy documents (D05).
1.5 Where reference is made to ‘staff’ in this procedure, the term includes volunteers.
2.0 TERMS USED
2.1 The following terms have specific definitions under General Data Protection Regulation (GDPR) and have implications for how data is collected and used:
- personal data
- special categories of personal data
- data subject
- data controller
- data processor
- subject access
- third party
- personal data breach
- data concerning health
- direct marketing.
See Appendix 1 for definitions.
2.2 For a definition of consent as set out in GDPR, see Appendix 2.
3.0 DATA PROTECTION OFFICER AND CALDICOTT GUARDIAN
3.1 Depending on the types of processing activities performed, not all organisations are required to appoint a Data Protection Officer, though they may choose to do so voluntarily. If the organisation is not required to appoint a Data Protection Officer and does not choose to do so voluntarily, it must still nominate a senior person to take responsibility for data protection. See data protection policy (A03a, Appendix 2) for further details concerning the role.
3.2 Likewise, although not a legal requirement, organisations providing regulated health and social care services are encouraged to nominate a senior person to ensure compliance with the Caldicott principles for the safe handling of people’s health and care information. See data protection policy (A03a Appendix 4) for further details.
3.3 The above roles may be carried out by one person as appropriate to the organisation. The nominated senior person is referred to in this procedure as the ‘data protection lead’, though organisations may choose a different title as fitting their requirements.
3.4 Managers will ensure that the nominated data protection lead:
- receives training in line with GDPR and Caldicott as appropriate
- is given clear lines of responsibility and accountability, specifying ‘who is responsible for what’ in relation to safe handling of service user personal data
- has authority to bring issues to the organisation’s board of trustees and senior management and to make recommendations of actions required.
3.5 Managers will:
- provide staff with contact details for the data protection lead
- instruct staff to refer matters relating to data protection to the data protection lead.
4.0 RESPONSIBILITIES OF MANAGERS
4.1 Managers are responsible for having safe and effective systems in place to ensure:
- staff follow the data protection and subject access policy, procedure, guidance
- all data is collected, processed, maintained, stored, disclosed and disposed of in accordance with the conditions for lawful processing as set out in the GDPR (Appendices 3 and 4)
- fair processing information (known as a Privacy Notice) is issued to service users when collecting their personal data (Appendix 5)
- service users understand how their data will be used by the organisation and their rights in relation to this (Appendix 6)
- personal data / special categories of personal data that are in current use are kept up-to-date and reasonable steps are taken to comply with this requirement by deleting or amending identified inaccuracies without delay
- personal records are properly managed, fit for purpose and remain confidential
- personal data / special categories of personal data are kept only where there is a justifiable reason for retaining them
- records are carefully maintained and clearly demonstrate compliance with GDPR.
4.2 Where personal data / special categories of personal data have been collected for direct marketing purposes, managers must ensure they have permission to disclose that data from the person who supplied it, before doing so. Please note the following.
- The original permission form must be checked to ensure it permits disclosure to the intended person/s or agency.
- Direct marketing has a legal meaning. It does not just refer to activity with a commercial purpose but can cover any advertising, including promotion of the aims or membership of the organisation.
- Special rules apply where direct marketing is carried out by phone, email and text message. Managers must ensure that any direct marketing by electronic means complies with the Information Commissioner’s Direct Marketing Checklist.
4.3 Newsletters produced by the organisation also count as direct marketing (see the definition in Appendix 1). When constructing distribution lists of service users who might wish to receive newsletters, managers will ensure:
- names are not added automatically, as each person’s consent is required
- there is a process in place that allows people to opt in to receiving the newsletter
- there is a clear process to opt out/unsubscribe, including the ‘right to be forgotten’.
See Appendix 2 for further details.
4.4 Managers responsible for the provision of health and adult social care services in England are required to assess whether their organisation is involved in processing service user personal data for purposes other than individual direct care (such as for research and planning purposes), in order to meet the requirements of the NHS Digital national data opt-out policy and be ready to declare compliance. Visit:
4.5 If the organisation chooses to engage an external company to provide services on its behalf, (for example IT services, off site storage, document disposal) and so act as a data processor for purposes of GDPR, managers will ensure the company used is:
- able to guarantee they have GDPR-compliant security measures in place
- engaged by means of a written contract (Appendix 7).
5.0 HANDLING / STORAGE OF INFORMATION IN OFFICE SETTING
5.1 Personal data / special categories of personal data
5.1.1 Personal data / special categories of personal data (including extracts of records containing information that will identify a living person) will be treated confidentially.
5.1.2 Only authorised staff identified as having a legitimate “need to know” will be allowed access to personal data / special categories of personal data (paper and electronic).
5.1.3 The list of staff authorised to access personal data / special categories of personal data will be reviewed regularly and when personnel or roles change.
5.2 Paper records
5.2.1 Careless handling of printed material could result in unauthorised disclosure of personal data / special categories of personal data. Managers will ensure that paper records are:
- printed securely
- never left open to view in the organisation’s premises
- securely stored in a lockable (preferably fireproof) cabinet / cupboard.
5.2.2 The exception to 5.2.1 above is care and support planning documentation kept in a service user’s home. Completed client report forms will be routinely transferred (at least monthly or as required by local commissioner agreements) from the home to the office and securely stored. All other documentation held in the home will be:
- collected and filed when services cease
- retained or disposed of in accordance with GDPR.
5.3 Electronic records
5.3.1 Managers will ensure that:
- unauthorised persons are not allowed to view electronically held personal data
- computer screens are sited away from general view and are locked when unattended (for example by a password-protected screen saver with a short timeout) to maximise confidentiality
- removable devices used to store information (for example, floppy discs / optical media / flash memory sticks / tape cartridges / external disc drives) are stored in a lockable, preferably fireproof container.
5.3.2 Managers will ensure password protection and encryption are in place for:
- personal / special categories of personal data stored on computer and removable devices as listed above
- laptops / electronic devices containing personal data / special categories of personal data and taken out of the office.
5.3.3 In addition, managers will ensure:
- removable electronic storage devices / hard drives and encrypted documents containing confidential information are given ‘strong’ passwords
- passwords are recorded and kept in a secure location, separately from the device or document they protect. Note that if the password for an encrypted device or document is lost, the data on it is lost with it.
5.3.4 Detailed information regarding all aspects of IT security (including password design and encryption) is available on the Information Commissioner’s Office (ICO) website.
5.3.5 It is recommended that computer systems are backed up daily to avoid loss of data, that backups are stored securely (preferably away from office buildings and encrypted in the same way as the live data, since a backup of personal data is itself personal data), and that restoring from a backup is tested periodically so the organisation knows the backups are usable.
6.0 TRANSFER / TRANSMISSION OF INFORMATION
6.1 The data protection lead is required to provide a statement on confidentiality to partner agencies, setting out the principles governing information sharing, including the expectation that the recipient will respect the need to maintain the confidentiality of information shared.
6.2 Postal service
Confidential personal data sent by post will be marked “strictly private and confidential”, for attention of a named, designated individual only, with consideration given to the need for using a recorded delivery service.
6.3 Fax
It is recommended that personal data / special categories of personal data are NOT transmitted by fax unless the matter is urgent and the organisation has first established that adequate safeguards are in place to protect confidentiality (for example, confirming the receiving number and that a named recipient is waiting at the machine). See ICO website for more details.
6.4 Internet
When handling confidential information via the internet, managers will ensure reasonable technical security measures are in place to protect that data, including:
- special provisions (such as data encryption) to protect transmitted data
- computers protected with up-to-date anti-virus and anti-spyware software, and software / hardware firewalls
- staff trained in the potential threats posed by the internet and how to manage them.
6.5 Email
When sending confidential information via email, managers will have systems in place to ensure that:
- where possible, information is sent as an encrypted, password-protected attachment rather than in the body of an email, with the password given to the recipient by a separate route (for example by phone) and never in the same email or a follow-up email
- destination addresses to which information is transmitted have been checked before sending
- confirmation has been obtained in writing that the recipient of the information (for example, a local authority) will handle it in strict confidence in line with GDPR and that the information will not be used for purposes other than the one agreed.
6.6 European Economic Area (EEA)
Under GDPR, transfer of personal data outside of the EEA is prohibited unless adequate data protection is in place. There are conditions that must be met before an international transfer is deemed appropriate and legal advice should first be sought. In particular:
- where the organisation uses a cloud provider for the processing of personal data, it is important to obtain clarification as to where its computer servers are located
- where a transfer is likely to result in a high risk to the rights of individual/s concerned, the organisation will carry out a data protection impact assessment and ensure appropriate contractual safeguards are in place before it proceeds.
7.0 DATA SECURITY BREACHES
7.1 Breaches of data security include:
- unauthorised / unlawful processing of or access to personal data
- accidental loss /theft / destruction of /damage to personal data or equipment on which data is stored
- incorrect transfer of information.
7.2 The data protection lead will have documented systems in place to prevent, identify and deal with breaches of security swiftly and effectively. These include:
- carrying out regular audits of computer and data security
- ensuring staff are aware of the need to immediately report security breaches
- informing the person whose data has been compromised of the breach that has occurred where appropriate (see 7.3)
- seeking professional advice if required
- taking immediate steps to mitigate the effect of any loss or damage to the person whose personal data has been compromised.
7.3 By law, whenever a security breach occurs the data protection lead must report the breach to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals concerned. Consideration must therefore be given as to whether it is necessary to report a security breach to the ICO on a case-by-case basis. The data protection lead will:
- record and store the facts relating to the breach, the effects of the breach, and the remedial action taken, in accordance with GDPR
- consider whether it is necessary to report a security breach to the data subject on a case-by-case basis
- report the breach to the data subject without undue delay, if assessed that it is likely to result in a high risk to the rights and freedoms of affected individual/s.
7.4 Visit the ICO website for additional information on data security breach management
8.0 TAKING AND USING PHOTOGRAPHS, AUDIO RECORDINGS AND VIDEO RECORDINGS
8.1 Photographs, audio recordings and video recordings or any other material in which an individual can be identified are classed as personal data, subject to the same restrictions as all other personal data. This includes analogue or digital photographs (using cameras or mobile phones), videos, film footage or any other image.
8.2 If the organisation wishes to use a photograph, audio or video recording of a service user (for example for publicity purposes), the manager will obtain prior consent from:
- the adult to be photographed if they have capacity to make that decision
- the person lawfully acting on the adult’s behalf if they do not have capacity to consent (see Mental Capacity Act Code of Practice)
- the child or young person to be photographed and / or their parent / person with parental responsibility (see Appendix 2 – Children’s Consent).
For those organisations providing regulated care and support services, see Autonomy and Independence policy (D04) for further details regarding consent.
8.3 Consent will cover:
- permission to take the photograph / audio recording / video recording
- permission to reproduce it
- details of what it will be used for and how this will be done
- details of how long it may be used
- circumstances under which it may no longer be used (for example, subject no longer using the service).
8.4 It is good practice to obtain consent in writing; see the following model consent forms:
- permission to use photographs, audio recordings, video recordings-adults BT09
- permission to use photographs, audio recordings, video recordings-children CT09
8.5 Where consent for a photograph/audio/video recording has been given for a particular purpose, additional permission is required to use it for any other purpose.
8.6 Where a photograph, audio or video recording is being used long-term, it is advisable to check that permission is still in place, for example at annual review or periodically if the person is no longer a service user.
8.7 The data subject has the right to revoke their consent at any time, and it must be as easy for them to withdraw their permission as it is to give it.
8.8 Storage of photographs
8.8.1 If a photograph, audio recording or video recording is to be kept for re-use, it must be stored securely either electronically or as a hard copy and only accessed by authorised staff. Copies of the written consent for its use will be stored securely until all copies (both hard and electronic) of the actual photograph, audio recording or video recording have been destroyed.
8.9 Managers will inform staff they are not allowed to take photographs, audio or video recordings of service users without prior written permission from their line manager, who will ensure the necessary consent is obtained as detailed above.
8.10 Use of surveillance technology
For further information concerning the use of surveillance technology (including CCTV, cameras and microphones), please visit:
- CCTV Code of Practice (ICO)
- Using Surveillance: Information for providers of health and social care on using surveillance to monitor services (CQC)
9.0 USE OF SOCIAL NETWORKING (for example Facebook, Twitter, YouTube)
9.1 Staff will be made aware that by participating in social networking sites such as those listed above, they could be in breach of the following:
- confidentiality and disclosure policy (D05a) – for example by releasing information such as photographs, audio or video recordings about identifiable individuals (such as other staff members, service users) without their permission
- codes of practice for health and social care workers in England and in Wales – for example by entering into inappropriate personal relationships with service users
- the organisation’s code of conduct – for example by bringing trust in their professional role or the organisation into disrepute.
Breaches may result in disciplinary action under organisation’s disciplinary policy.
9.2 Staff will be informed, therefore, that they are not permitted to:
- post information pertaining to service users, work colleagues, project workers or any other persons with whom they come into contact through work, without the express permission of their line manager and the individual/s concerned
- post information about themselves that may bring trust in their professional role or their organisation into disrepute
- post privileged information concerning work (for example rates of pay, terms and conditions of employment)
- encourage or engage in online friendships with service users unless explicitly approved by their line manager and in agreement with the codes of practice for health and social care workers in England and Wales
- conduct work-related activity (for example amending visits, discussing service delivery), via social networking sites.
9.3 Social networking sites will only be used for work-related activity with a manager’s permission on a case-by-case basis and arrangements will be regularly reviewed.
10.0 DATA RETENTION / ARCHIVING
10.1 The information below applies to all service user personal data / special categories of personal data whether held on paper, electronically, or a combination of formats.
10.2 Personal data / special categories of personal data will not be retained for longer than is necessary to fulfil the purpose for which it is held. It can only be retained for legitimate reasons. If there are no contractual or legal grounds to retain it, it must be destroyed or deleted (see 12.0 below) rather than archived.
10.3 It is recommended good practice to sort documentation required by law for retention at point of closure and to destroy non-archivable material immediately. Retained material will be kept securely and accessibly, until its retention period has expired.
10.4 Once a paper file is closed, corresponding electronic documents will be removed from the system as set out below.
10.5 Electronic archiving
10.5.1 Basic statistical data may be retained electronically, with personal data removed.
10.5.2 For records that have to be retained for long periods, care is needed to ensure that the electronic medium used for storage remains accessible. This includes making appropriate arrangements for storage of passwords / encryption keys and, potentially, periodic reviews of availability of technology needed to access the storage medium used.
10.5.3 Signed documents
- The authenticity of signatures on documents stored electronically may be challenged if submitted as evidence in legal proceedings. This could include signed documents scanned for storage and documents using electronic signatures.
- Where a paper copy of an original signed document is not retained, the risk of challenge can be reduced by following procedures that provide an effective audit trail of each signature. This could include for example, recording the following information alongside the electronic signature / signed document:
- name of person signing/authority for doing so (e.g. job title, email exchange)
- date and time
10.5.4 Where managers do not have the required knowledge regarding any aspects of electronic storage of documents, it is recommended they take external expert advice from a reputable professional IT specialist on appropriate procedures.
10.6 Length of time records will be kept
10.6.1 GDPR does not provide specific retention periods for service user records. Instead, it requires organisations to be clear about why and how long they will retain them.
10.6.2 Retention periods for service user data will vary depending, for example, on:
- the person’s age (requirements differ for adults and children)
- the type of service provided (such as regulated care, signposting for carers)
- contractual requirements from funders
- the data retention protocols of local commissioning bodies (such as Local Authority, Health and Social Care joint working)
- relevant regulatory requirements and nationally recognised guidance (including Care Quality Commission / Care Inspectorate Wales)
- terms and conditions of the organisation’s insurance policy
- other involvement that could extend the retention period on a case by case basis.
Whichever of the above requirements is the longest will over-ride the rest.
10.6.3 Managers will establish a robust organisation-specific retention policy that:
- ensures compliance regarding the above factors as appropriate to their services
- substantiates the retention periods the organisation has adopted
- monitors the retention process so that retention periods are adhered to
- ensures data is destroyed/deleted in line with retention timescales that apply.
10.6.4 Accident books and general records of compliments and complaints will be kept for six years from date of the last entry.
10.6.5 For information relating to retention periods for organisations working jointly with the NHS, see Records Management Code of Practice for Health and Social Care 2016.
11.0 SUBJECT ACCESS
11.1 Managers will ensure systems are designed to facilitate any request by a data subject to see information held by the organisation on them. Records will be structured so that information relating to a particular individual is readily accessible. This does not include “incidental” information; for example, a mention of an individual in a management meeting would not have to be copied onto their file unless a whole section was dedicated to them (Appendix 8).
12.0 DATA DISPOSAL
12.1 GDPR states that personal data / special categories of personal data are kept for no longer than necessary. Once information is no longer eligible for retention, it must be disposed of safely and securely. Managers will ensure there is an organisation-specific data disposal policy that reflects local requirements, setting out when and how personal data will be disposed of in compliance with GDPR.
12.2 Printed material
Printed material containing personal data / special categories of personal data will be destroyed as confidential waste by shredding, pulping or burning as soon as the information is no longer required. Every care will be taken to ensure the information does not fall into the possession of unauthorised persons.
12.3 Electronic records
Pressing the delete key does not permanently remove electronically held data: deleting a file normally removes only its directory entry, and the contents remain recoverable until they are overwritten. Where electronic devices need to be cleansed of personal data, it may be necessary to outsource to a suitably qualified external agency to ensure the data is fully removed. This includes the destruction of redundant equipment and storage media (such as computers, laptops, tablets, memory sticks and portable hard drives) as well as the data held on media that will be reused. Note that solid-state media (memory sticks and most laptops and tablets) do not reliably respond to overwriting, because the device may write new data to a different physical location; for these, encrypting the device from the outset and then destroying the key, or physically destroying the media, are the dependable options.
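As an added illustration of why the delete key alone is not enough, the following Python function (example code written for this edit, not part of this procedure or of any Carers Trust tooling) overwrites a file in place before removing it, and returns a summary so the action can be written to an audit log. It assumes conventional magnetic storage; the symlink check, the block size, the number of passes and the constructed sample record are the example's own choices.

```python
"""Overwrite-then-delete for a file holding personal data (added example).

Assumption: the file sits on conventional magnetic storage. On an SSD or a
USB flash stick the controller may write the new data to a different
physical block, so overwriting gives no guarantee there; use encryption
from the outset (destroy the key) or physical destruction instead.
"""
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # write in 64 KiB blocks so large files do not load into memory


def wipe_file(path, passes: int = 2) -> dict:
    """Overwrite `path` with random data `passes` times, then zeros, then unlink it.

    Returns a summary dict so callers (or an audit log) can record what was done.
    """
    p = Path(path)
    if p.is_symlink():
        # Following a symlink would overwrite whatever it points at, not the link.
        raise ValueError(f"refusing to wipe symlink: {p}")
    size = p.stat().st_size
    with open(p, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                block = secrets.token_bytes(min(CHUNK, remaining))
                f.write(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # force the OS to push the writes to the device
        # Final pass of zeros so no copy of the random pattern lingers either.
        f.seek(0)
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\0" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    # Rename to a random name before unlinking so the original filename
    # (which may itself identify a service user) does not linger in the directory.
    anon = p.with_name(secrets.token_hex(8))
    p.rename(anon)
    anon.unlink()
    return {
        "bytes": size,
        "passes": passes + 1,  # random passes plus the final zero pass
        "deleted": not p.exists() and not anon.exists(),
    }


def demo() -> dict:
    """Create a constructed sample record in a temporary directory and wipe it."""
    # Constructed sample content; not a real service user.
    sample = b"Service user: J. Bloggs, DOB 01/01/1950, care plan notes ...\n" * 100
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "care_plan_bloggs.txt"
        target.write_bytes(sample)
        result = wipe_file(target)
        result["expected_bytes"] = len(sample)
        return result


if __name__ == "__main__":
    print(demo())
```

The returned dictionary is what a manager would want recorded against the disposal (file size, number of passes, confirmation that the name is gone); on solid-state media its "deleted" flag should not be read as proof of erasure, for the reason given in the module note.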
12.4 External providers
Where the organisation engages an external company to remove / destroy / delete personal data held either on paper records or electronically, the company must be engaged by means of a written contract and have GDPR-compliant security measures in place (Appendix 7).
13.0 LEARNING AND DEVELOPMENT
13.1 Managers are responsible for assessing the roles undertaken by:
- staff not directly involved in provision of care and support
- volunteers within their organisation
to determine the level of briefing / induction / training they require in relation to data protection and subject access.
13.2 It is recommended that:
- all staff are trained in accurate record keeping as applicable to their job role
- staff using a computer system are trained in its use and made aware of the data security implications of their work
- the data protection lead is trained in requirements of data protection legislation.
13.3 In addition, for staff who are involved in the provision of regulated care and support services, general learning and development requirements relating to data protection and subject access are contained in the learning and development policy documents (E13a E13b E13c).
14.1 Managers, care planners / assessors and staff involved in implementing this procedure will evidence that they have received, read and understood its contents. Evidence required:
- title and reference number of document
- name and signature of staff member
- job title
14.2 Responsibility for following this procedure rests with the individual staff member. Failure to do so may result in disciplinary proceedings.
APPENDIX 1 Definitions
Personal data
The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Personal data can:
- relate to a person’s private, professional or public life
- be held electronically or in manual filing systems
- be in written form, including email / text messages.
It can include, for example:
- photographs (digital or analogue), videos, CCTV footage or other images
- audio recordings
- email address
- bank account details
- posts made on social networking websites
- medical information
- internet protocol (IP) address.
Special categories of personal data
This includes a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data and data concerning their health, sex life or sexual orientation.
Data subject
Any person whose personal data is being collected, held or processed.
Processing
Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller
An organisation / individual who (either jointly or in common with other organisations / individuals) determines the purposes for and manner in which personal data is processed.
Data processor
An organisation or individual (other than an employee of the data controller) who processes personal data on behalf of the data controller.
Subject access
A request (verbal or in writing) from an individual to see information held on them.
Third party
An individual or organisation who is not the data subject, not the data controller nor an employee of the data controller, and not a data processor or employee of the data processor.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of/access to, personal data transmitted, stored or otherwise processed
Data concerning health
Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their health status.
Direct marketing
As regulated under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
These regulations give people specific privacy rights in relation to electronic communications. They restrict unsolicited advertising or marketing to individuals by telephone, fax, email, text or other electronic message, which in general require specific prior consent from the individual concerned.
- The restrictions do not only apply to marketing with a commercial or financial motive.
- They can include a charity contacting a data subject to notify them of a forthcoming profile-raising ‘Open Day’ for example, or may include sending literature, promoting or raising awareness of the non-profit-making aims and ideals of the organisation.
- See ICO Guide to Privacy and Electronic Communications Regulations 2003 (revised January 2019) for further details.
APPENDIX 2 CONSENT UNDER GDPR
If relying on consent as a lawful basis for processing personal data under GDPR, it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. This means there must be some form of clear affirmative action and a positive ‘opt-in’.
Where consent is relied on as a condition for lawful processing, managers will ensure that:
- consent is active, and does not rely on silence, inactivity or pre-ticked boxes
- consent to processing is distinguishable, clear, and is not “bundled” with other written agreements or declarations
- supply of services is not made contingent on consent to processing which is not necessary for the service being supplied
- data subjects are informed that they have the right to withdraw consent at any time (this will not affect the lawfulness of processing based on consent before its withdrawal)
- it is as easy to withdraw consent as it is to give it
- separate consents are obtained for distinct processing operations
- consent is not relied on where there is a clear imbalance between the data subject and the controller (for example, where a service user does not have capacity).
Consent is not always the appropriate lawful basis, and managers can rely on other bases instead, for example Article 9(2)(h) of GDPR, which permits processing of special categories of personal data for health and social care purposes (alongside a corresponding Article 6 basis for the processing).
If the organisation offers an ‘information society service’ (that is, online services) to children, consent may need to be obtained from a parent or guardian to process the child’s data.
GDPR, as applied in the UK by the Data Protection Act 2018, states that where consent is the basis for processing the child’s personal data in relation to such a service, a child under the age of 13 cannot give that consent themselves and instead consent is required from a person holding ‘parental responsibility’. A child aged 13 years or over can provide consent for the purposes of GDPR.
Parental / guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.
PRINCIPLES OF GDPR
These require personal data to be:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject
- processed for limited, explicitly stated and legitimate purposes
- processed in a way that is adequate, relevant and limited to what is necessary for the purpose for which the data is collected and maintained
- accurate and where necessary kept up-to-date
- kept for no longer than is absolutely necessary
- kept safe and secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
- made available to Data Subjects, and Data Subjects allowed to exercise their rights in relation to their personal data.
The data controller must also be able to demonstrate how the organisation is complying with the data protection principles and its obligations under GDPR.
Organisations providing care and support services and those working jointly with the NHS are required to comply with the Caldicott principles regarding the governance and management of personal health and social care information that allows an individual to be identified.
In relation to patient-identifiable information, the organisation must:
- be able to justify the purpose of how they use and manage it
- not use such information unless it is necessary
- use the minimum necessary amount of information
- ensure it is accessed on a strict need-to-know basis
- ensure those accessing such information are aware of their responsibilities
- understand and comply with the law
- be aware that the need to share information can be as important as the duty to protect patient confidentiality.
LAWFUL PROCESSING UNDER GDPR
For processing of personal data to be lawful under GDPR, the organisation needs to be able to identify a lawful basis for doing so. This is often referred to as the “conditions for processing” and it is important that the lawful basis for processing personal data is determined and documented as set out below.
Conditions for lawful processing under GDPR: personal data (Article 6(1))
Personal data can only be processed lawfully if one or more of the following are met:
- the data subject has consented to the processing
- processing is necessary in order to enter into or perform a contract with the data subject
- there is a legal obligation to perform the processing
- it is necessary to protect the vital interests of the data subject (this essentially applies in life or death scenarios)
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, whether by a public authority or by a private organisation acting in the public interest
- processing is necessary because the controller or a third party has a legitimate interest in processing the data, provided that the interest is not overridden by the rights or freedoms of the affected data subjects.
Conditions for lawful processing under GDPR: special categories of personal data (Article 9(2))
The processing of special categories of personal data (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, data concerning health or data concerning a natural person’s sex life or sexual orientation) is prohibited unless one or more of the conditions in Article 9(2) apply, including:
- the data subject has given explicit consent
- processing is necessary for the controller to comply with obligations or exercise rights in the context of employment, social security and social protection law
- processing is necessary to protect the vital interests of the data subject (or another person) where the data subject is physically or legally incapable of giving consent
- processing is carried out in the course of the legitimate activities of a charity or not-for-profit body, with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes, provided the data is not disclosed outside that body without the data subject’s consent
- processing relates to personal data which are manifestly made public by the data subject
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services (Article 9(2)(h); under Article 9(3) this also requires that the data is processed by, or under the responsibility of, a professional subject to an obligation of secrecy).
FAIR PROCESSING INFORMATION
GDPR includes detailed rules for giving what is commonly known as privacy information or privacy notices to data subjects in relation to the processing of their personal data.
Information provided by an organisation about how it processes personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
The information should be provided at the time the data is obtained or as soon as possible thereafter (but within no more than a month). It should be communicated in writing or by other means including, where appropriate, electronically (for example, through the organisation’s website). If requested, it can be given verbally, provided that there is a record of communication and the identity of the data subject has been verified. See also:
- template Privacy Notice (AT20c)
- the ICO Privacy Notice Code of Practice
RIGHTS OF DATA SUBJECT
In relation to how the organisation handles the personal data of a service user, they as the data subject have the right to:
- be informed about how their data is processed
- gain access to their personal data
- have errors or inaccuracies in their data changed
- have their personal data erased in some circumstances
- object to the processing of their personal data for marketing purposes, or when the processing is based on the public interest or on legitimate interests
- restrict the processing of their personal data in certain circumstances
- obtain a copy of their personal data.
CONTRACTS WITH EXTERNAL PROVIDERS
A contract with external providers that involves the processing of personal / special categories of personal data must set out:
- subject matter and duration of the processing
- nature and purposes of the processing
- type of personal data and categories of data subjects involved
- obligations and rights of the contracting organisation.
See template Data Processing Agreement (AT20d)
The contracting organisation may wish to seek legal advice to ensure service contracts are GDPR compliant and contain appropriate safeguards.
RESPONSE PROCEDURES TO DATA SUBJECT REQUESTS
Requests to access personal data (subject access)
The right of subject access does not grant a person the right to view complete documents (which may contain information about third parties), but only to see their own personal data contained in them. This may require copies of such documents to be produced with personal information relating to third parties removed, where the prior consent of those third parties has not been obtained in relation to the disclosure. This can be achieved by:
- re-typing relevant sections of the document, with third-party information removed
- redacting the information from the document (there are companies that provide professional standard redaction software for this purpose).
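As an added illustration (not part of the original procedure or any product it references), the following Python function applies the second option to a plain-text record: it removes the names of listed third parties while leaving the data subject’s own name intact, counts what was removed so the reviewer can record it with the copy supplied, and checks that nothing listed survives before release. The case note, the names and the marker text are all constructed for this example; the routine only catches names it has been given, so a manual read-through of the output is still required.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample case note; every name in it is invented for this illustration.
SAMPLE_NOTE = (
    "Home visit to Jane Doe on 3 March. Jane's neighbour Tom Smith reported "
    "that Tom had called the GP, Dr Patel, about Jane's medication. "
    "Jane agrees to a follow-up visit."
)

MARKER = "[THIRD PARTY REDACTED]"  # assumed wording; use whatever the file convention is


def _name_variants(name: str, protected: set) -> List[str]:
    """Full name plus each of its words, longest first.

    Words that also occur in the data subject's own name (for example a shared
    surname) are skipped, so that 'Jane Doe' is not damaged when 'John Doe' is
    redacted.
    """
    parts = {name, *name.split()}
    return sorted((p for p in parts if p not in protected), key=len, reverse=True)


def redact_third_parties(
    text: str, data_subject: str, third_parties: Iterable[str], marker: str = MARKER
) -> Tuple[str, Dict[str, int]]:
    """Replace every whole-word occurrence of each third-party name with the marker.

    Returns the redacted text and, per third party, how many replacements were
    made, so the redaction can be logged alongside the copy that is released.
    """
    protected = set(data_subject.split())
    counts: Dict[str, int] = {}
    redacted = text
    for name in third_parties:
        total = 0
        for variant in _name_variants(name, protected):
            pattern = re.compile(r"\b" + re.escape(variant) + r"\b")
            redacted, n = pattern.subn(marker, redacted)
            total += n
        counts[name] = total
    return redacted, counts


def remaining_mentions(text: str, third_parties: Iterable[str]) -> List[str]:
    """Third-party names still present as whole words; must be empty before release."""
    return [n for n in third_parties if re.search(r"\b" + re.escape(n) + r"\b", text)]


if __name__ == "__main__":
    others = ["Tom Smith", "Dr Patel"]
    out, counts = redact_third_parties(SAMPLE_NOTE, "Jane Doe", others)
    print(out)
    print(counts)
    print("still present:", remaining_mentions(out, others))
```

This operates on the text itself, which is the point: for a PDF or scanned record, redaction must remove the underlying text (or re-type it, as the first option above), not merely draw a box over it, since an overlay can be lifted from the file.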
Service users have the right, under GDPR, to obtain access to personal data held about them as well as certain supplementary information about that personal data, namely:
- the purposes of and legal basis for the processing of that data
- the categories of personal data concerned
- the recipients or categories of recipients to whom personal data has been disclosed
- the period for which the personal data is to be preserved
- the existence of a data subject’s rights to rectify, restrict and object to processing, data portability and erasure of personal data
- the right to lodge a complaint with the Information Commissioner’s Office and contact details of the Commissioner
- any information about the origin of the personal data concerned.
The person making the request does not have to give a reason. It is a right that is enjoyed by the individual to whom the personal data relates and is exercisable only by them or by another person acting on their behalf and with their consent.
Where a third party (for example, a solicitor) purports to be making a subject access request on behalf of an individual, they need to produce evidence of the individual’s consent for them to do so. This may be done via a letter of authority, containing the individual’s original signature, in which they expressly authorise the third party to act on their behalf in making a subject access request for their personal data under GDPR.
Where the individual is not able to provide such consent, extreme care must be taken before disclosing that person’s personal information to a third party claiming to be acting on their behalf. Where consent cannot be given by an individual due to mental incapacity, it is advisable to obtain evidence of legal authority, particularly where there is doubt about the authority of any third party and concerns as to whether disclosure is in the best interests of the individual concerned. The following will provide the requisite legal authority, although the wording should be checked in each case to ensure it covers the circumstance of a subject access request under GDPR:
- an original or certified copy of a power of attorney
- an original or certified copy of an order of the Court of Protection appointing a named person or persons to act as Deputy on behalf of the incapacitated person.
Access rights for children
- A child may exercise data protection rights on their own behalf once they are old enough to understand the implications of doing so. In England and Wales there is no absolute age-limit in this regard, and the test of competency (often termed ‘Gillick Competency’) will be applied and decided on a case-by-case basis. Previous guidance from the ICO recommends that the legal presumption of competency at 12 years of age is taken as a reasonable guide in most cases.
- Where the child is not old enough or is not Gillick Competent, data protection rights may be exercised on their behalf by their parents / persons with parental responsibility (see footer, page 2), provided they are acting in the best interests of the child. Where there is doubt in this regard, it may be deemed appropriate for a trusted relative or close friend of the child to exercise the child’s rights on their behalf. Alternatively, a Guardian may be appointed by the court.
Administration of access rights
On receipt of a request for subject access, the data protection lead will oversee the application and inform the Chief Executive Officer of the situation as necessary.
Requests for information do not need to be made in writing under GDPR. Therefore, whilst a model subject access form (AT20a) may be offered to the person requesting subject access, they are not obliged to use it – any application, whether made verbally or in some other written form, including electronic means, is valid and must be complied with.
The data protection lead is required to verify the identity of the person making the subject access request. Where a member of staff can identify the individual because they are known to them, this will be sufficient. Where they cannot, two pieces of identification (one of which contains a recent photograph) will be required. Copies of identification used will be taken and kept with the application.
A request for subject access will be responded to without undue delay and at the latest within one month of receipt of the request. This time period does not start until information required to prove the identity of the person making the request has been received.
Where the deadline cannot be met due to the complexity and/or number of the requests, it may be extended by a further two months, where necessary. However, the data protection lead will provide the person making the request with an explanation for the delay within one month of receipt of the request, along with requested data available at that time.
The data subject must be provided with a copy of the information in writing and, where it is expressed in terms that are not intelligible without explanation (for example, using codes or technical terms), these must be explained in clear, plain language. If it is not possible to provide written copies, or it would involve a disproportionate effort, or the data subject agrees otherwise, an alternative means can be considered, for example inviting the data subject to view information in person or providing access to a secure self-service system. If, however, the request is made electronically (by email), the response must be provided by electronic means in a commonly used electronic format (usually by return of email).
Permission requests and confidential data sent by post will be sent by recorded delivery and marked ‘strictly private and confidential’, for the attention of a named individual.
Under GDPR, it is no longer possible to routinely charge a fee for responding to a subject access request. However, if the request is manifestly unfounded or excessive or if further copies of the personal data are requested, a fee may be charged to reflect the amount of administration work involved, or the request may be refused.
For those with sensory or other disabilities wanting to access their information, the data protection lead will arrange appropriate support from an independent source as necessary.
What can be withheld under subject access?
The following are examples of circumstances in which material will not normally be provided to the data subject under subject access arrangements:
Where the request is made by another on behalf of the data subject and the data subject has either provided the information in the expectation it would not be disclosed to the applicant or has indicated or given the information on the basis that it will not be so disclosed.
Where disclosing personal data would reveal information that relates to and identifies another person, that data must not be provided unless that other person has consented to the disclosure of the information, or it is reasonable to comply with the request without their consent. To determine whether or not it is reasonable to comply without the third party’s consent, consideration should be given to the following matters:
- Is there a duty of confidentiality owed to the third party?
- What steps have been taken with a view to seeking the consent of the third party?
- Is the third party capable of giving consent?
- Has the third party refused consent?
Where there is an obligation of confidence, the party to whom information is confided may not divulge it unless they have consent to do so or if there is a legal obligation (for example a court order) or there is an overriding public interest in the disclosure.
Crime: where personal information is being processed for the purposes of the prevention and / or detection of crime or the apprehension or prosecution of offenders, this information can be withheld from the individual concerned when he / she makes a subject access request for their personal data. For example, where information concerning an individual is passed to the police, for the purposes of crime prevention / detection, this information can be withheld from that particular individual if he or she subsequently makes a subject access request to access it.
Health, Social Work and Education: personal data may be withheld on a subject access request where the information in question:
- is related to the physical or mental health of the individual and forms part of a report provided to a court in relation to the care of children
- consists of certain personal data provided to a court in a report or other evidence by a person in the course of legal proceedings dealing with the welfare of children
- would be likely to prejudice the carrying out of social work, in that serious mental or physical harm to the data subject or any other person would be likely to be caused as a result of providing the information (a balancing exercise is required here)
- would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
Three points apply to this exemption: guidance should be sought from the appropriate health professional before withholding personal data under it; it allows the data controller to neither confirm nor deny holding the information in question; and information which has already been seen by the individual making the request cannot be withheld under it.
Legal Professional Privilege: where personal data is provided to a qualified solicitor or barrister for the purposes of obtaining legal advice, this information may be withheld from the person to whom it relates upon that person making a subject access request. This exemption would apply, for instance, where the organisation seeks legal advice from a qualified lawyer.
Correcting an error
When a data subject requests the rectification of information within their personal data that they claim to be inaccurate, the data protection lead will, without undue delay and in any event within one month of receiving the request:
- inform the data subject whether the request has been granted, and
- if it has been granted, rectify the data, or
- if it has not been granted, explain why not and inform the data subject of his or her rights to seek redress from the Information Commissioner or the Court.
Where personal data has been rectified, the data protection lead will also inform each recipient to whom the incorrect information has been disclosed, unless this proves impossible or involves disproportionate effort.
Where the data protection lead has not granted the data subject’s request for rectification, an entry will be made in the file to note the discrepancy and state the data subject’s version.
The data protection lead will not remove accurate material from a data subject’s file at their request where the retention of that information continues to comply with the requirements of GDPR and Caldicott Principles.
The data protection lead will inform data subjects of their right to seek compensation through the courts for loss or damage, and associated distress, in the case of significant errors being uncovered.
Service users or staff who have a complaint about the way data about them is being kept or who are refused access to files that they believe they should have access to, will be referred to the Information Commissioner (see https://ico.org.uk/).