Call : +0115 9984 902
Email : info@4lifecareservices.co.uk
Your privacy is very important to us. We have developed this General Data Protection Regulation (GDPR) in order for you to understand how we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your Personal data. This General Data Protection Regulation (GDPR) describes the measures we take to ensure the protection of your Personal data. We also tell you how you can reach us to answer any questions you may have about data protection.
1.1 The purpose of this policy is to ensure that 4Life Care Services understands the key principles of the General Data Protection Regulation (GDPR).
1.2 This policy sets out the steps that need to be taken by 4Life Care Services to ensure that 4Life Care Services handles, uses and processes personal data in a way that meets the requirements of GDPR. It should be read alongside the suite of 4Life Care Services policies, procedures and guidance.
1.3 This policy applies to all staff at 4Life Care Services who process personal data about other staff, Service User/ Clients and any other living individuals as part of their role.
2.1 The following roles may be affected by this policy:
All staff
2.2 The following people may be affected by this policy:
Service User/ Clients
2.3 The following stakeholders may be affected by this policy:
Commissioners
3.1 The objective of this policy is to ensure staff have a working knowledge into the principles and requirements of GDPR.
3.2 Alongside the suite of policies, procedures and guidance available 4Life Care Services can demonstrate that appropriate steps are taken to ensure 4Life Care Services complies with GDPR when handling and using personal data provided by both staff and Service User/ Clients.
3.3 This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.
3.4 This policy will assist with understanding the obligations of 4Life Care Services in respect of the rights of the staff and Service User/ Clients who have provided personal data and the steps 4Life Care Services should take if it breaches GDPR.
GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records 1990 will continue to apply..
GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records 1990 will continue to apply.
To ensure 4Life Care Services compliance with GDPR, a suite of documents are available and should be read in conjunction with this overarching policy to provide a framework:
• Initial Privacy Impact Assessment Policy & Procedure
• GDPR – Key Terms Guidance
• GDPR – Key Principles Guidance
• GDPR – Processing Personal Data Guidance
• Appointing a Data Protection Officer Guidance
• Data Security and Retention Policy & Procedure
• Website Privacy Policy & Procedure
• Subject Access Requests Policy & Procedure
• Subject Access Requests Process Map Policy & Procedure
• Subject Access Requests – Request Letter Policy & Procedure
• Rights of a Data Subject Guidance
• Breach Notification Policy & Procedure
• Breach Notification Process Map Policy & Procedure
• Fair Processing Notice Policy & Procedure
• Consent Form
• GDPR – Transfer of Data Guidance
• Privacy Impact Assessment Policy & Procedure
5.1 All staff should review the GDPR policies and procedures and guidance that will be produced over the next few months.
5.2 4Life Care Services will nominate a person or team to be responsible for data protection and GDPR compliance (if a formal Data Protection Officer is not required, somebody with an understanding of the requirements who can act as a day-to-day point of contact will be chosen).
5.3 The Registered Manager should ensure all staff understand the policies and procedures provided, including how to deal with a Subject Access Request and what to do if a member of staff breaches GDPR.
5.4 The Registered Manager will consider providing training internally about GDPR (in particular, the Key Principles of GDPR) to all staff members.
5.5 4Life Care Services will conduct an audit of the personal data currently held by 4Life Healthcare Ltd (the initial Privacy Impact Assessment template provided will be used for this purpose).
5.6 4Life Care Services will delete any personal data that 4Life Care Services no longer needs, based on the results of the audit conducted, taking into account any relevant guidance, such as the Records Management Code of Practice for Health and Social Care 2016.
5.7 4Life Care Services will, if necessary, put in place new measures or processes to ensure that personal data continues to be processed in line with GDPR.
5.8 4Life Care Services will, if necessary, finalise and circulate a Fair Processing Notice to Service User/ Clients.
5.9 4Life Care Services will ensure proper consent is obtained from each Service User/ Clients in line with GDPR regulations (the Consent Form provided can be used for this purpose). 4Life Care Services will review the additional steps that 4Life Care Services should be taken to ensure that 4Life Care Services obtains consent from parents, guardians, carers or other representatives where 4Life Healthcare Ltd works with children or those who lack capacity.
5.10 4Life Care Services will ensure that processes and procedures are in place to respond to requests made by Data Subjects (including Subject Access Requests) and to deal appropriately with any breaches or potential breaches of GDPR.
5.11 The Registered Manager will maintain a log of decisions taken and incidents that occur in respect of the personal data processed by 4Life Care Services using the 4Life Care Services Privacy Impact Assessment template
6.1 Data Subject
• The individual about whom 4Life Care Services has collected personal data
6.2 Data Protection Act 2018
• The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive
6.3 GDPR
• General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018
6.4 Personal Data
• Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below
6.5 Process or Processing
• Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it.
6.6 Special Categories of Data
• Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special Categories of Data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views
Key Facts – Professionals
Professionals providing this service should be aware of the following:
• GPDR provides greater protection for staff and Service User/ Clients in respect of their personal data
• Compliance is mandatory, not optional
• 4Life Care Services Ltd has adopted an appropriate and proportionate approach what is right and necessary for 4Life Healthcare Ltd may not be right for another organisation
• Achieving compliance with GDPR will not only reduce the risk of ICO enforcement or fines but will also promote a better-quality service for Service User/ Clients and an improved working environment for staff
• This is the overarching policy and provides a high-level reference to all areas that are important for compliance with GDPR
• Understanding of the content of this policy should be embedded with all staff at 4Life Care Services
• 4Life Care Services must appoint a person with overall responsibility for managing GDPR. This person may be an official Data Protection Officer (DPO) or a person appointed to oversee privacy, governance and data protection.
Key Facts – People Affected by The Service
People affected by this service should be aware of the following:
• Your personal data will be protected
• You have a right to see what information we hold about you
• You will be asked for your consent before we obtain your personal data in line with GDPR requirements
• In addition to the GDPR regulations, our staff will continue to follow confidentiality policies in relation to all aspect of your Support
https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and- Social-Care-2016
To be ‘Outstanding’ in this policy area you could provide evidence that:
• 4Life Care Services provides training to all staff in respect of GDPR and the new policies and processes that have adopted
• 4Life Care Services Conducts Privacy Impact Assessments for each new processing activity carried out, whether or not the processing presents a ‘high risk’ to the Data Subjects
• There is evidence that 4Life Care Services conducts regular (6 monthly or annual) audits of the personal data that is processed to ensure continued compliance with GDPR
• 4Life Care Services can evidence that there are processes in place for ensuring 4Life Care Services remains up to date with guidelines and recommendations relating to data protection, including ICO guidance and guidance issued by NHS Digital and this information is effectively cascaded to all relevant staff
• The wide understanding of the policy is enabled by proactive use of the QCS App
