Purpose

The purpose of this policy is to guide staff in the principles and requirements of Data Protection Legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

We recognise our responsibilities to ensure the safe and appropriate handling of personally identifiable information and operate a Data Breach Policy for the event that our processes do not achieve this. Please refer to the Data Breach Policy for further information.

We recognise the rights of the individuals about whom we hold personal information and these are addressed in this Policy, with the exception of managing Subject Access Requests. Please refer to the Subject Access Request Policy for further information.

Policy Statement

This Policy has been written to ensure that the processing of Personal Data in connection with employees and Service Users will comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Essential Homecare believes that it has a duty of confidentiality to its Service Users; we regard this as being of utmost importance and a key part in building a trusting, caring environment where Service Users can live safe in the knowledge that their confidence will be kept and that information about them will be protected. It is our Policy that all the information we receive about or from Service Users is confidential and that only those people who need to know the information will have access to it. Essential Homecare seeks to always ask permission before we share information Service Users have given us with anyone else.

The basic requirement is that the processing, both automated and manual, shall comply with the following data protection principles, which require that personal data shall:

  1. Be processed fairly, lawfully and transparently
  2. Be obtained only for specified and lawful purposes, and not be processed in any manner incompatible with those purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and, where necessary, kept up to date
  5. Not be kept longer than necessary
  6. Be processed in accordance with the rights of Data Subjects
  7. Be protected by appropriate security measures
  8. Not be transferred outside the EEA unless an adequate level of data protection or appropriate safeguards exist

Definitions

The Data Protection Act 2018 is the UK legislation that applies and supplements the GDPR. It regulates the processing of personal data relating to individuals, whether held on computer or in structured manual records such as personnel and financial files. The Act defines the obligations of those who hold and process personal data and requires all employers who keep personal data to adopt the Data Protection Principles it sets out, and to provide Data Subjects with access to the personal information held about them.

General Data Protection Regulation (GDPR): adopted in 2016 as Regulation (EU) 2016/679 and applying from 25 May 2018, it strengthens the protection of personal information and the rights of the people to whom that information relates (the Data Subjects) against misuse.

Data Breach: a security failure that leads to personal data being lost, stolen, damaged, altered, accidentally destroyed, or disclosed to or accessed by someone not authorised to see it.

Key Risks

We recognise two key areas of risk within the management of personal information:

  • Information about individuals being used, accessed or inadvertently shared with unauthorised persons, either through poor security or inappropriate actions, for example:
    • Sharing passwords
    • Sending email attachments containing personal information without password protection
    • Not checking that the email address is correct before sending
    • Disregarding the clear desk policy
    • Retaining records beyond the dates stipulated in the Retention Schedule
  • Individuals being harmed through their personal information being inaccurate or insufficient, for example:
    • Payslips being sent to an old address and the householder using the information for their own purpose
    • Service user invoices not having the correct name and being sent to the wrong person, causing the service user distress
    • Letters to a member of staff confirming a meeting being sent to a previous address and intercepted by an ex-partner who can now locate them

We will ensure, as far as is reasonably possible, that our systems, policies, procedures, training and monitoring activities minimise the potential for these risks to be realised.

Penalties for failure to meet Data Protection/ GDPR requirements are set out in two tiers, and in each case the maximum is whichever figure is the higher:

  • Up to €20 million or 4% of global annual turnover for Tier 1 (strategic) failures, such as breaching the data protection principles, individuals' rights or the rules on international transfers
  • Up to €10 million or 2% of global annual turnover for Tier 2 (operational) failures, such as inadequate security measures or failing to notify a breach

Data Protection

Staff will:

  • Ensure that all files or written information of a confidential nature are stored in a secure manner in a locked filing cabinet. Information will only be accessed by staff who have a need and a right to access it, in accordance with the Data Protection Act 2018 and other statutory requirements.
  • Wherever practical or reasonable, fill in all care records and Service Users' notes in the presence of, and with the co-operation of, the Service User concerned.
  • Ensure that all care records and Service Users' notes, including Support Plans, are up to date, accurate, signed and dated.

Essential Homecare has developed and operates to policies and procedures intended to responsibly and appropriately gather, use, store, share and dispose of personal information associated with our business needs, for which we have a legitimate need or specific consent to process. Our policies, procedures and processes encourage transparency and honesty in all aspects of processing and respect the rights of individuals.

This information includes details about staff, service users and other individuals. The systems and processes we use to handle personal information intend to protect individuals and the Company from the potential for any misuse of personal information, including loss, inadvertent sharing or use for other than its intended purpose.

Data refers to electronic and hard copy material and information held in all media formats e.g. hard copy document, emails, text messages, voice recording, social media, photographic images, IP addresses, testimonials.

We will ensure that all staff are suitably trained and skilled to recognise their responsibilities within Data Protection and GDPR requirements and enabled to apply these in practice.

The Data Protection Officer's responsibilities include:

  • Update the management team regarding Data Protection/ GDPR responsibilities and requirements
  • Review the Data Protection processes, policies, procedures and practices in place
  • Advise and support the business with Data Protection/ GDPR issues and queries
  • Ensure that Data Protection/ GDPR training takes place
  • Handle Subject Access Requests
  • Maintain a register of, and support the investigation of, Data Breaches
  • Notify reportable Breaches to, and liaise with, the Information Commissioner's Office (ICO); GDPR requires notification without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals
  • Approve unusual or controversial disclosure of personal information
  • Review Data Protection/ GDPR element of contracts with Data Processors
  • Support with Data Privacy Impact Assessments and Privacy by Design in change projects, innovations and new processes

Roles and Responsibilities

There are a number of key roles at Essential Homecare that influence our processing of personal information:

  • Steve Cheetham, the Managing Director, is responsible for Data Protection/ GDPR compliance within commissioning contracts
  • The Managing Director is responsible for HR/ Recruitment/ Training Policies that require processing of personal information
  • The Managing Director is responsible for ensuring an appropriate Purchasing process that confirms suppliers and contractors are suitably compliant with Data Protection/ GDPR requirements
  • The Managing Director is responsible for systems security
  • The Marketing Director is responsible for Data Protection/ GDPR compliance on publicity materials and branded products
  • The Head of Quality is responsible for Operational Policies that require processing of personal information and for monitoring processing at Internal Audits
  • Regional Directors / Area Managers are responsible for monitoring that Branches in their area are following compliant practice
  • Registered Managers are responsible for the application of policies, procedures and practices in their Branch
  • All staff are required to read, understand and work to the Data Protection Policy and those associated – identified in the Related Documents section

Personal Information and Confidentiality

Essential Homecare operates a Confidentiality Policy that covers confidential handling of all business information. This section relates particularly to confidentiality within the requirements of Data Protection and GDPR.

In order to conduct its business, Essential Homecare is required to:

  • Obtain and process personal data fairly and lawfully
  • Hold data only for specified purposes
  • Use or disclose data only in a way which is compatible with those purposes
  • Ensure that the data held is adequate, relevant and not excessive
  • Maintain data accurately
  • Keep data only as long as necessary
  • Maintain appropriate security measures to any data which is held

All personal information is accessed only on a 'need to know' basis; the ability to access information does not imply that it may be used in all cases:

  • Branch staff will have access to information which is relevant and necessary for the safe and effective delivery of service to service users
  • Branch Managers and line managers will have access to staff records necessary for the safe and effective management of staff
  • Recruitment staff will have access to information generated through staff recruitment activity
  • Payroll staff will have access to information required to process pay accurately
  • Finance staff will have access to information required to process invoices accurately
  • Marketing staff will have access to customer details generated through marketing activity
  • IT staff will have access to all personal information held in our systems, to the extent needed for systems support and development
  • Quality Auditors will have access to information required in Internal Audits or supporting the Branch with quality compliance.
  • HR staff will have access to information required to manage or support employee relations, business processes such as TUPE and management reporting.
  • Administration staff will have access to information that supports their line manager in, for example, investigations, report writing, reward and recognition.
  • Executive Team members will have access to information required to monitor and/or manage significant service issues.

Personal Information is accessed by external agencies and partners:

  • The Regulator, to enable service inspections
  • The Local Authority, to enable service monitoring
  • IT suppliers who conduct systems testing and support
  • Zurich, and their appointed supporting solicitors, who provide company Insurance
  • ELAS, who provide HR advice
  • Company lawyers who support with legal matters.

Personal Information will only be accessed where there is a legitimate business need and where the person to whom the data relates understands where and how their information will be accessed, either by acceptance of the Privacy Notice or by giving specific consent.

The Company will share personal information with the relevant authorities where this is in the public interest, regardless of consent, and where there are actual or potential concerns about the safety of any individual or group of people e.g. Safeguarding, Adult Support and Protection, Mental Welfare, Modern Slavery and illegal activity.

In any such instance, the Manager must initially refer to the relevant Policy and follow the guidance therein. Where the situation is not explicitly covered within a Policy, and the Manager is unsure what to do, they should consult the Data Protection Officer or, in their absence, a senior Operational Manager. In an emergency situation where any person has been harmed, is at risk of harm, or is at risk of causing harm to others, we will give the relevant authorities access to any personal information they require to manage the situation. The Manager does not need to consult in those circumstances but should act in the person's, or the public's, best interest and update the Data Protection Officer and Senior Operational Manager at the very earliest opportunity.

Transparency – informing people whose information we hold

Essential Homecare recognises its responsibility to inform people about who will have access to their information and for what purpose.

  • Service Users, and anyone acting for them under a Power of Attorney, will have this information within their Service User Guide, which they sign once they have received, reviewed and understood it. Any updates will be communicated in writing.
  • Staff will have this information in their Handbook, which they sign once they have received, reviewed and understood it. Any updates will be communicated in writing.
  • Service Users' family members and Next of Kin will have this communicated to them in writing.

We will, on occasion, remind people about how we use and protect their information through formal and informal mechanisms, including at service reviews, at supervision meetings, in newsletters, at training and in staff meetings.

New Service Users and prospective Service Users should be shown a copy of this Data Protection Policy on initial assessment. Every effort should be made by staff to ensure that Service Users fully understand the implications of that policy. The member of staff performing the assessment should ensure that the new Service User understands and has read the following statement.

'To help us make an assessment of your needs, we will need to ask you for personal information about your circumstances and to record this information. We will not share this information with anyone without your agreement and it will be kept in a confidential file in a locked filing cabinet. Only agency staff with permission to see the file will be able to access it. The agency will always ask you for permission before we share information you have given us with anyone else. In certain circumstances, however, we may need to share information in your best interests and reserve the right to do so.'

Rights of Access:

Service Users and employees have the right to be supplied with a copy of the personal data the company holds about them. All requests are to be made to the Registered Manager and handled in accordance with the Subject Access Request Policy.

Essential Homecare will not provide information to relatives, spouses, friends or advocates without the consent of the Service User concerned. All enquiries for information, even from close relatives, should be referred back to the Service User, or the Service User's permission sought before disclosure.

Right to erasure ('right to be forgotten'):

Service Users and employees have the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e., otherwise in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.

The right is not absolute: where we are required by law or regulation to retain a record (for example care or employment records within their retention period), the record is kept for that period and the individual is told why it cannot be erased.

Privacy Notices and Consent: the legal basis for processing

We maintain a Data Map that identifies the legal basis for processing the personal information we use and this is communicated to individuals in our Privacy Notice.

Where no other lawful basis applies, or where other legislation requires it, we will gain the consent of individuals to process their personal information. This relates particularly, though not exclusively, to:

  • Service Users, or their legal representatives, consenting to care
  • Consent to use personal information for direct marketing or promotional purposes

Where consent is relied upon:

  • It will be clear to the individual what they are consenting to, and they shall actively 'opt in'
  • Consent relates only to the stated intended use of the information. If there is any desire to use the information for another purpose, further consent must be sought
  • Consent may be withdrawn at any time by the individual

We will never divulge information without consent unless obliged or permitted to by law, as described under Personal Information and Confidentiality above.

Promoting data protection in practice

Essential Homecare has a range of mechanisms to promote best working practices amongst its staff team:

  • We operate a Confidentiality Policy that details the manner in which we expect staff to work to maintain confidentiality and integrity
  • We train care staff at Induction level and annually thereafter in the principles of confidential working, Data Protection and GDPR
  • We require all office-based staff to complete Data Protection and GDPR e-learning which includes confidentiality
  • We require offices to work to Company Standards that promote confidential practice and professional conduct.

Our training encourages staff to think about the information they are using and how to protect it. Staff are required to escalate any queries or concerns about data handling to their line manager, who can escalate to the Data Protection Officer should the required guidance not be found in any Policy or Procedure. Staff who receive a request for information that exceeds what their job role usually requires know that this must be escalated to their Manager, who will determine, consulting the Data Protection Officer if necessary, whether the information can be disclosed, e.g. requests for information from claims lawyers or information requests from the regulator.

Authorisation for disclosures not directly related to the reason we have the information

We understand that within the legislation, we are only entitled to have personal information that meets the purpose for which we need it, and we can only use the information we have for that purpose.

If we are asked to disclose information we have for any other purpose, this is likely to fall into one of two categories:

  • Information request to support, e.g., a job application, mortgage application, financial reference, placement reference or similar. We must obtain written consent from the person whose information is being requested prior to sharing the data. A copy of the consent must be retained in the relevant HR/ Service User file.
  • Information request to inform an official investigation: this must be authorised by a Senior Manager as it may not be appropriate for the person to know that their information is being disclosed, depending on the circumstances e.g. criminal investigation. A written rationale for disclosure without consent must be sent to the DPO for retention on file.

Securing personal information

Security should not be confused with confidentiality. Essential Homecare operates an Information Security Policy that covers security of all business information. This section relates particularly to security within the requirements of Data Protection and GDPR.

We hold personal information in hard copy and electronic formats (soft copy), and at times have information for the same person in both formats for specific reasons. These are detailed on our Data Map, which identifies the types of data we hold, the reason we can hold it, in which formats and for how long.

Whether in hard or soft copy, personal information needs to be managed securely by ensuring that:

  • Paper records are kept in a recognisable file and filed in an orderly manner.
  • Files, when not in use, must be stored in a lockable cabinet, and the keys retained in a key safe or another secure place. Keys should not be left in cabinets all day as this enables unauthorised access to files.
  • Files, when in use, must not be left lying open or unattended and accessible to others: close the file and put in a desk drawer if being left unattended for a short space of time. Return the file to the filing cabinet once no longer required and lock it away.
  • When an employee leaves, or a service is no longer required, the file becomes ‘finished’. It must be removed from the cabinet and placed into an archiving box:  closed files must be held for 6 years.
  • Electronic information is protected by passwords which are required by all Essential Homecare devices.
  • Passwords are unique to each user and must be updated at prescribed intervals, and in a permitted format.
  • Passwords must not be shared
  • Different job roles have different access levels and permissions, assigned at the point of employment. Any change to this must be requested by the Line Manager, with reasons for the change request, and signed off by a Senior Manager.
  • USB and removable-media ports on devices are disabled so data cannot be copied onto pen drives or discs.
  • Internal emails operate within a secure system and any personal information sent externally must be password protected or otherwise encrypted, or anonymised. Where a password is used, it must be sent to the recipient separately from the protected attachment (e.g. by telephone or text message), never in the same email.
  • Archived records: hard copy documents that must be retained as per the Retention Schedule are held in the archive. The Archiving Process must be followed to ensure documents are properly filed for ease of retrieval, if required, and for destruction once the due date is reached.

Where archived records are held electronically in our own systems, these are suitably encrypted or anonymized according to the Retention Schedule.

Records review, retention and disposal.

As required by the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, all personal records will be reviewed once every 12 months to ensure they are complete, legible, indelible, accurate and up to date. The Manager, Hayley Wilson, is responsible for carrying out this review. A note will be placed on the Service User's file once the annual review has taken place.

Records must be kept for the required length of time as per the Records Retention Policy and the Record Retention Schedule.

All records covered by the Data Protection Act must be shredded prior to disposal at the end of their retention period.

Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records will be shredded or disposed of as “confidential waste” only.

References

The Data Protection Act 2018

General Data Protection Regulation (GDPR), Regulation (EU) 2016/679

Health and Social Care Act 2008 (Regulated Activities) Regulations 2014

Related documents

Subject Access Request Policy

Data Breach Policy

Records Retention Policy

Record Retention Schedule

Data Map

Information Security Policy

Privacy Notice

Consent to Care Form

Consent Form (Marketing)

Social Media Policy