GDPR Policy
Please see below our policy on GDPR.
POSITIVE SUPPORT FOR YOU
GENERAL DATA PROTECTION REGULATION (GDPR) POLICY – PERSONAL CLIENT INFORMATION
OUTCOME 21, REGULATION 20 (Records)
Data Protection Policy Statement
Positive Support for You believes that all records required for the protection of service users and for the effective and efficient running of the organisation should be collected, maintained and kept according to the General Data Protection Regulations of May 2018.
What the Law Says
POSITIVE SUPPORT FOR YOU CIC aims to comply with the spirit and letter of the General Data Protection Regulation (GDPR).
The organisation understands that personal data should:
be obtained fairly and lawfully
be held for specified and lawful purposes
be processed in accordance with the person’s rights
be adequate, relevant and not excessive in relation to that purpose
be kept accurate and up to date
not be kept for longer than is necessary for its given purpose
be subject to appropriate safeguards against unauthorised use, loss or damage
be transferred outside the European Economic Area only if the recipient country has adequate data protection
We also understand that the GDPR imposes specific rights for individuals with respect to data:
the right to be informed
the right to access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision making including profiling
The GDPR requires certain types of organisation to have a designated Data Protection Officer. Although we do not fulfil the criteria for this, we recognise it is best practice to do so, and as such the Chief Executive will act as Data Protection Officer for Positive Support For You CIC. The Chief Executive also, by definition, acts as the “Senior Information Risk Owner”.
Lawful Basis for Holding Information
We understand that in all cases the personal data we hold has a lawful basis under the Care Standards Act and associated Care Quality Commission Regulations.
CareCERT Advisories
Although our systems are not compatible with electronically derived CareCERT notifications, should any be received directly by other means they will be addressed by the Data Protection Officer within the required timescales, which at the high severity level will be within 48 hours.
Continuity Plan
The Positive Support for You Business Continuity Plan has been revised to include GDPR and Cyber Security and this is reviewed periodically.
What We Will Do to Meet GDPR Requirements:
At Positive Support for You CIC we will strive to fulfil all the requirements of the GDPR.
This means we will:
Make our Board and Senior Management Team aware of the law and refresh this periodically.
Document the Personal Data we hold, where it comes from and who we share it with.
Secure consent from individuals to hold, share and use information containing personal data where required to do so. We recognise the need to ensure consent takes account of individuals’ capacity as defined in the Mental Capacity Act. We understand that consent must by definition be freely given, specific, informed and unambiguous. People must be able to withdraw consent.
Document the Retention Periods for Personal Data held.
Ensure individuals know about their right to complain to the Information Commissioner’s Office if they feel their data has been mishandled.
We feel this gives a proportionate response for an organisation of our size and scale.
Data Breaches
In the event of a data breach the Data Protection Officer (DPO) will be informed at the earliest opportunity.
The DPO will ensure that the required report is made to the Information Commissioner’s Office, and that the individual or individuals involved are informed.
In each case the breach will be investigated, a written report made to the Board and appropriate remedial action taken to prevent recurrence.
National Data Opt-Out:
Positive Support For You CIC reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.
If at any time our data processing falls within scope of the National Data Opt-Out we will use MESH to check if any of our service users have opted out of their data being used for this purpose.
At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.
Subject Access Requests
In the event Positive Support For You CIC receives a subject access request we will:
Not Charge for processing this from May 2018
Comply within a month
Consider if the request is manifestly unfounded or excessive
Where any request is refused we will set out our thinking as to why, and ensure the person has the right to complain.
The DPO will in all cases coordinate any Subject Access Requests and be responsible for them. In practical terms our approach will be to put systems in place to deliver these outcomes in general.
It is not the case that this policy can set out how we will address every issue which could arise beyond this - the GDPR is brand new and the guidance is being developed. As such, whenever subject access requests, deletion or portability requests, data breaches, or other queries relating to personal data are received, the Data Protection Officer will take appropriate professional advice in each case, document this and act accordingly and transparently. All such matters will be reported to the Board, and this will enable the Board to periodically review and adjust this policy as practice around GDPR develops.
Training
All new staff are encouraged to read the policies on GDPR and on confidentiality as part of their induction process and receive training on this, which is refreshed. The Skills for Care Common Induction Standards 1 – 8 are used and cover confidentiality and data protection. Training in the correct method for entering information in service users’ records is given to all care staff. All staff who need to use the computer system should be thoroughly trained in its use.
Information Commissioner’s Office Contact Details
Helpline: 0303 123 1113
Email: registration@ico.org.uk
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Positive Support For You CIC Data Protection Officer Contact Details
Chief Executive
Positive Support for You CIC
Office 7 Beresford Buildings
Thorntree
Middlesbrough TS3 9NB
Email: info@psforyou.org
At Positive Support for You we value your safety and your right to data privacy. Please click here to view an easy read guide to GDPR.