General Data Protection Regulation (GDPR) Policy
Arise Teen and Adult Support Services believe that all data required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained, and stored in accordance with the requirements of the Data Protection Act 2018.
The General Data Protection Regulation (GDPR) forms the basis of the Act, but in order to be effective and compliant with its requirements, the Related Policy list should be viewed as core to this policy, as should Section 2 and the Related Guidance links.
PLEASE NOTE: All Guidance from the ICO should be considered “Live Documentation” and regularly checked until all Codes of Practice and Guidance are issued. Working Party 29, known as WP29, is a representative body drawn from each of the EU member states that has developed and worked on the Act. WP29 still sits and meets in the European Parliament until all of the complexities of the Act have been clarified and amended into law.
Lawful Bases
After due consideration, this organisation has determined that the following Lawful Bases are used in the collection of data:
Consent: The individual has given clear consent for us to process their personal data for a specific purpose.
Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal Obligation: The processing is necessary for us to comply with the law (not including contractual obligations) and CQC regulations.
Vital Interests: The processing is necessary to protect someone’s life.
Public Task: The processing is necessary for us to perform a task in the public interest, or for official functions, and the task or function has a clear basis in law.
Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
Data Protection Principles
The Act sets out 8 Principles, which must be adhered to when processing data. Please refer to the Related Guidance links for further information. The GDPR sets out the following principles, for which this organisation is responsible and which it must meet. These require that personal data shall be:
Processed lawfully, fairly, and in a transparent manner in relation to individuals.
Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes.
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date. Every reasonable step must be taken to erase or rectify without delay personal data that is inaccurate, having regard to the purposes for which they are processed.
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals.
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Individual Rights
There are several changes here, particularly the Right of Access in relation to timescales and fees. These must be fully understood in relation to anyone submitting a Subject Access request. Please refer to the related Guidance Link.
The GDPR provides the following rights for individuals:
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision making and profiling
Each of the above rights has its own Best Practice Process which you will find here:
ICO GDPR Guide
Privacy Notices
This is a new requirement for data processing; it is an accessible information declaration which should clearly set out how we will gather, use, handle, store, and process personal data.
The Code uses the term “Privacy Notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people’s expectations about personal data are changing, particularly through the use of social media, mobile apps, and the willingness of the public to share personal information via these platforms.
However, Arise Teen and Adult Support Services are increasingly aware of the fragile trust which can be easily broken through data breaches and are therefore seeking transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency, and control become a given for users.
Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:
What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on individuals concerned?
Is the intended use likely to cause individuals to object or complain?
The Privacy Notice must be easily understood by users of the service and include all of the above. It must also be easily visible, so in this organisation it will be displayed on our Guardian Angel Carers Website: Arise Teen and Adult Support Services, and issued at the Assessment stage for clients and the Recruitment stage for employees.
Privacy and Electronic Communications Regulations (PECR)
This guide issued by the ICO covers specifically electronic marketing messages, i.e., phone, fax, email, or text, and includes the use of cookies. It introduces specific rules regarding keeping such communication services secure and protecting user privacy in regard to traffic and location data, itemised billing, line identification, and directory listings.
The Data Protection Act 2018 still applies if you are processing personal data. PECR sets out additional rules for electronic communications; please be mindful that electronic scheduling systems also come under PECR.
File Retention
The GDPR sets out Guidance on files and retention, including archiving. Specifically, Health and Social Care personal data is generally exempt.
As a provider of services, we follow the file and retention guidelines set by our Regulators, which include the CQC and the NHS, as well as those set by Local Authorities via the Service Specification within any contractual arrangements.
A periodic check of the Regulator’s Guidance should be part of the review of this policy.
Compliance
In order to meet the requirements of the Act, a thorough knowledge of the Guidance should be the priority for the Data Controller.