Privacy Policy

1 Personal Information

1.1 We take your privacy seriously and this privacy policy (Privacy Policy) sets out how we will handle your personal data securely and in accordance with your rights.

1.2 Steps Ahead Care & Support Ltd (we, us, our) is a registered data controller under the terms of the Data Protection Act 1998. Details of our notification to the data protection regulator may be found in the Information Commissioner’s Office Public Register of Data Controllers at ico.org.uk under registration number Z1830696. Our registered office address is at 130 City Business Park, Somerset Place, Plymouth, PL3 4BB.

On 25 May 2018 the new Data Protection Act 2018, which implements and supplements the General Data Protection Regulation (GDPR) in UK law, replaces the Data Protection Act 1998 in its entirety. It replaces the existing data protection law to make it fit for a digital age in which ever-increasing volumes of personal data are processed. The Act sets new standards for protecting personal data, gives people more control over the use of their data and assists in preparing for a future outside the EU.

There are 4 main matters provided for. These are:

·       General Data Processing

·       Law Enforcement Data processing

·       Data Processing for National Security Purposes

·       Enforcement

All of the above need to be set in the context of international, national and local data processing systems, which increasingly depend on the internet for the exchange and transit of data. The UK must fit into international data protection arrangements, systems and processes, and this Act updates and reinforces the mechanism for doing so.

Given the size of the legislation, and some of the media hype surrounding its introduction, this policy is written in 2 Sections:

Section 1 Overview of the Act

Section 2 The Policy and templates

Section 1

Overview of the Act

The Act is structured in 7 parts, each of which covers specific areas. These are:

Part 1: Preliminary

This sets out the scope of the Act, gives an overview, explains that most processing of personal data is subject to the Act and defines the terms relating to the processing of personal data.

Part 2: General Processing

This supplements the GDPR and sets out a broadly equivalent regime for certain types of processing to which the GDPR does not apply.

Part 3: Law Enforcement Processing

This covers:

·       the meaning of “competent authority”

·       the meaning of “controller” and “processor”

·       the data protection principles

·       safeguards for archiving and sensitive processing

·       the rights of the data subject, including access and erasure

·       implementation of the Law Enforcement Directive

·       controller and processor duties and obligations

·       records

·       co-operation with the Information Commissioner

·       personal data breaches

·       the remedying of such breaches

·       the position of the data protection officer and their tasks

·       international transfers of data to particular recipients

·       national security considerations

·       special processing restrictions and the reporting of infringements.


Part 4: Intelligence Services Processing

This covers only data handled by the intelligence services (e.g. MI5 and MI6) and includes rights of access, automated decisions, rectification and erasure, and obligations relating to security and data breaches.

Part 5: The Information Commissioner

This covers:

·       general functions, including publication of Codes of Practice and guidance

·       their international role

·       their responsibilities in relation to specific Codes of Practice

·       consensual audits

·       information to be provided to the Commissioner

·       confidentiality and privileged communication

·       fees for services

·       charges payable to the Commissioner

·       publications

·       notices from the Commissioner

·       reporting to Parliament.


Part 6: Enforcement

This covers the new enforcement regime in relation to all forms of notice issued by the Commissioner, including:

·       powers of entry and inspection

·       penalty amounts

·       appeals

·       complaints

·       remedies in the court

·       offences

·       special purpose proceedings.

Part 7: Supplementary and Final Provision.

This covers the consequential changes the Act makes to other legislation and legal matters, e.g. Tribunal Procedure Rules, definitions and changes relating to the Data Protection Convention, and lists the Schedules.

As you can see, this Act is a huge piece of legislation, the majority of which is outside the remit of service providers working within the Adult Health and Social Care sector. The ICO confirms that many concepts and principles are much the same as under the Data Protection Act 1998, and that businesses already complying with that law are likely to be meeting many of the key requirements of the GDPR and the new Act.

The Information Commissioner says the new Act represents a “step change” from previous laws. “It means a change of culture of the organisation. That is not an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the organisation’s overall systems approach to how it manages and processes personal data”. It is a change of mindset in regard to data handling, collection and retention.

We need to stop taking personal data for granted: it is not a commodity we own, it is only ever on loan. Individuals have been given control over it, and we have been given a duty of care for it.

As an organisation handling personal data on a day-to-day basis, this policy sets out the requirements of the new Act and how we, as an organisation will meet our legal obligations. Staff awareness and understanding of their responsibilities in regard to the handling, collection and retention of data will be core to the successful embedding of this policy.

Preparation: (The 12 Steps)

In order to comply with the requirements of the Act, preparation should include completing the following 12 steps:

·       Awareness

·       Information we hold

·       Communicating privacy information

·       Individuals’ rights

·       Subject access requests

·       Lawful bases for processing

·       Consent

·       Children

·       Data Breaches

·       Data Protection by Design and Data Protection Impact Assessments

·       Data Protection Officers

·       International Data

These steps are taken from the ICO guidance “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”.

The ICO has issued this guidance as the starting point for preparation. It has also made clear that it is aware that, for small companies in particular, time can be a factor in this preparation, but it is important to remember that you must start the 12 steps so that you can show compliance.

As an organisation we are preparing for this new Act by completing these 12 steps.

Definitions

The GDPR applies to “Controllers”, “Processors” and “Data Protection Officers” and to certain types of information, specifically “Personal Data” and “Sensitive Personal Data”, referred to in the Act as “Special Categories of Personal Data”.

“Controllers”

The controller (usually the organisation itself) determines the purposes and means of processing personal data.

“Processors”

A processor processes personal data on behalf of a controller. The Act places specific legal obligations on processors, e.g. they are required to keep and maintain records of processing activities, and a processor can be held legally liable for a breach it is responsible for.

Data Protection Officer.

Appointing a Data Protection Officer is mandatory only in certain circumstances, namely if you are:

·       A public authority (except for courts)

·       Carry out large scale systematic monitoring of individuals e.g. online behaviour tracking, or

·       Carrying out large scale processing of special categories of data, or data relating to criminal convictions and offences, e.g. Police, DBS bodies, Prison Service etc.

“Personal Data”

This means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. So this would include a name, reference or identification number, location data or an online identifier. This reflects changes in technology, which now involves a wide range of different identifiers. Personal Data applies to both automated and manual filing systems. It can also apply to pseudonymised data (e.g. key-coded data), which may fall within the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

“Special Categories of personal Data”

This category of data is more sensitive and is given much greater protection. Sensitive personal data specifically includes genetic data, biometric data (where used to identify an individual), health, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation. Separate safeguards apply to other types of data, e.g. data about criminal convictions and offences.

Data Protection Principles


The GDPR sets out the following principles, which organisations are responsible for meeting. These require that personal data shall be:

·       processed lawfully, fairly and in a transparent manner in relation to individuals

·       collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes

·       adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

·       accurate and where necessary, kept up to date, every reasonable step must be taken that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

·       kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

·       personal data may be stored for longer purposes in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals

·       processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

“The controller shall be responsible for, and be able to demonstrate, compliance with the principles” Article 5 (2) GDPR

“Lawful bases” for processing


There are 6 lawful bases for processing data. These are:

·       Consent: the individual has given clear consent for us to process their personal data for a specific purpose.

·       Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

·       Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

·       Vital Interests: the processing is necessary to protect someone’s life.

·       Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.

·       Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).

Consent


The GDPR sets a high standard here.  Consent means offering individuals real choice and control. Consent practices and existing paperwork will need to be refreshed and meet specific requirements. These are:

·       positive opt-in, no pre-ticked boxes or other method of “default” consent

·       a clear and specific statement of consent

·       vague or blanket consent is not enough

·       keep consent requests separate from other terms and conditions

·       keep evidence of consent – who, when, how, and what you told people

·       keep consent under review

·       avoid making consent to processing a pre-condition of any service

·       employers need to take extra care to evidence that consent is freely given, and should avoid over-reliance on consent

Consent is one lawful basis to consider but organisations in a position of power over individuals should consider alternative “lawful bases”. If we would still process their personal data without consent, then asking for consent is misleading and inherently unfair.

PLEASE NOTE

Consent within this policy relates only to data processing, not to Health or Support in a Social Care context. You must still use consent as defined within the Mental Capacity Act 2005 to deliver services.

Legal Obligation
Put simply, the processing is necessary for us as an organisation to comply with the law, e.g. the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which require us as providers to collect, handle and process data in a prescribed manner.

Legitimate Interests
·       this is the most flexible lawful basis for processing

·       it is likely to be appropriate where we process in ways that people would reasonably expect us to, with a minimal privacy impact, or where there is a compelling justification for the processing

·       there are 3 elements to consider when using this lawful basis; we need to:

o   identify a legitimate interest

o   show that the processing is necessary to achieve it

o   balance it against the individual’s interests, rights and freedoms

·       legitimate interests can be our own interests, the interests of third parties, commercial interests, or individual or social benefits

·       the processing must be necessary: if the same result could reasonably be achieved in a less intrusive way, this basis does not apply

·       a balance must be struck between our interests and the individual’s: if they would not reasonably expect the processing, or it would cause them unjustified harm, their interests are likely to override our legitimate interests

·       keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance

The above are the 3 most pertinent bases for Health and Social Care data processing activity.

Contract, Vital Interests and Public Task apply within specific work settings and would be difficult to rely on here, because service providers are subject to specific legislative and regulatory requirements in order to work within a “Regulated Activity”.

The “lawful basis” must be determined by the organisation before any personal data is processed, and it is vital that thorough consideration is given to this decision.

Clients must be made aware of the lawful basis used by this organisation to process their personal data.

Individual Rights


The GDPR provides the following rights for individuals:

·       right to be informed

·       right of access

·       right to rectification

·       right to erasure

·       right to restrict processing

·       right to data portability

·       right to object

·       rights in relation to automated decision making and profiling

Guidance on individual rights is not yet complete. The Article 29 Working Party (WP29), and from 25 May 2018 its successor the European Data Protection Board (EDPB), will continue to produce such guidance as is thought appropriate.

For any individual request which falls into the above categories, this organisation will follow the relevant guidance currently available on the ICO website:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/

Section 2 

The Policy

This organisation believes that all data required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained and stored in accordance with the requirements of the Data Protection Act 2018.

The General Data Protection Regulation (GDPR) forms the basis of the Act, but in order to be effective and compliant with its requirements the Related Policy list should be viewed as core to this policy, as should Section 1 and the Related Guidance links.

PLEASE NOTE All guidance from the ICO should be considered “live documentation” and regularly checked until all Codes of Practice and guidance are issued. The Article 29 Working Party (WP29) was an advisory body made up of representatives of each EU member state’s data protection authority, and its guidance on the GDPR remains relevant; from 25 May 2018 its work is continued by the European Data Protection Board (EDPB).

Lawful Bases
After due consideration this organisation has determined that the following Lawful Bases are used in the collection of data:

·       Consent: the individual has given clear consent for us to process their personal data for a specific purpose.

·       Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

·       Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations)

·       Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks)

Data Protection Principles
The GDPR sets out 6 principles, together with an accountability requirement, which must be adhered to when processing data.

Please refer to the Related Guidance links for further information 

The GDPR sets out the following principles, which this organisation is responsible for meeting. These require that personal data shall be:

·       processed lawfully, fairly and in a transparent manner in relation to individuals

·       collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes

·       adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

·       accurate and where necessary, kept up to date, every reasonable step must be taken that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

·       kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

·       personal data may be stored for longer purposes in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals

·       processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

“The controller shall be responsible for, and be able to demonstrate, compliance with the principles” Article 5 (2) GDPR

The data controller and processor for Steps Ahead Care & Support Ltd is Miss Christine Holdsworth.

Individual Rights

There are several changes here, in particular to the Right of Access in relation to timescales and fees. These must be fully understood by anyone handling a Subject Access Request. Please refer to the related Guidance link.

The GDPR provides the following rights for individuals:

·       right to be informed

·       right of access

·       right to rectification

·       right to erasure

·       right to restrict processing

·       right to data portability

·       right to object

·       rights in relation to automated decision making and profiling

Each of the above rights has its own Best Practice Process, which you will find here:

https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

This policy has been updated to include the changes introduced by the General Data Protection Regulation (GDPR), which are in force from 25 May 2018. This policy will be reviewed tri-annually and updated when required.

Access to your information and corrections


All files held in your name are available for your perusal, and you can ask us to correct or remove information which is inaccurate. Please email admin@stepsaheadsupport.co.uk or write to us at 130 City Business Park, Somerset Place, Plymouth, PL3 4BB.

Where you use our website, cookies (small text files stored by your browser) collect log-on information and information about visitor behaviour. Cookies track visitor use and are used to compile statistical reports on website activity. You can set your browser to accept or decline cookies. Please be aware that declining cookies may mean a loss of function in some of our website features.

For further information on cookies visit: www.aboutcookies.org or www.allaboutcookies.org
