Skip to main content

GDPR Compliance

RDaSH takes your confidentiality and privacy rights very seriously, along with its responsibility to ensure compliance with the General Data Protection Regulation (GDPR) (2016).

In order to ensure compliance RDaSH has ensured that amongst other guidance, it has followed the information commissioner’s office (ICO) guidance of “preparing for the general data protection regulations, 12 steps to take now”.

This document outlines how the trust has met each of these standards and what it will do ensure compliance is maintained.

  1. Awareness
  2. Information you hold
  3. Communicating privacy information
  4. Individuals rights
  5. Subject access requests
  6. Lawful basis for processing personal data
  7. Consent
  8. Children
  9. Data breaches
  10. Data protection by design and data protection impact assessments (DPIA)
  11. Data protection officer
  12. International


RDaSH ensures that all staff within the organisation undertake annual mandatory data security awareness training; the minimum standard allowed for NHS organisations is 95% compliance in this area, with the remaining 5% allowed for staff absences as a result of sickness, maternity or paternity, secondments, etc.

As part of the annual training there is an assessment at the end which each employee must undertake, as well reading and signing the trust’s staff code of conduct, before they are considered compliant.

As well as training, staff are regularly provided with updated information on data protection, best practice, information governance, etc, to ensure a high level of understanding throughout the organisation.

Training is closely monitored by senior management and the trust’s data protection officer. In addition to all of the above the trust’s data protection officer, senior information risk owner and Caldicott guardian receive annual expert training and advise to ensure that their knowledge is maintained at a higher level.

Information you hold

RDaSH undertakes a process which is referred to as data flow mapping. This process identifies:

  • all data that flows in and out of the organisation
  • for what legal purpose it is collected
  • if it is processed securely
  • if it is only processed for the purpose in which it was collected
  • who data is shared with. This is also linked with information sharing agreements (ISAs)

Information sharing agreement

These agreements define the information that will be transferred between the organisations listed and arrangements for assisting compliance with relevant legislation and guidance. Agreements that set out the lawful basis for the use of personal data by the public sector, across traditional organisational boundaries, to achieve better policies and deliver better services.

The law, rightly, puts in place safeguards for the use of individuals’ data (the data protection act, human rights and common law) and there are organisational costs involved in meeting those conditions. It is important that those safeguards exist and are properly applied.

Data sharing can take place in a way that helps deliver the better services that we all want, while still respecting people’s legitimate expectations about the privacy and confidentiality of their personal information.

What’s next?

This process will continue to be reviewed annually. RDaSH is currently looking to publish this information as part of its openness and transparency, however will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary of data processing activities maybe published. In the interim an outline of data that is processed is available within the trust’s privacy notice.

Communicating privacy information

RDaSH provides a privacy notice as part of its your information, your rights page, alongside other information which demonstrates our compliance with GDPR. This includes:

  • leaflets and guidance
  • individuals rights and how these are adhered to
  • information sharing agreements (to be published)
  • data processing agreements (to be published)
  • data protection impact assessments (to be published)

What’s next?

With regards to the documents identified above as “to be published”; RDaSH is currently looking to publish this information as part of its openness and transparency, however will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary maybe provided as an alternative.

Individual’s rights

RDaSH has published individuals rights on its tour information, your rights page page, along with supporting guidance and leaflets advising on how we will adhere to these rights.

Subject access requests

RDaSH takes it’s responsibility to provide individuals with their information in accordance with law, very seriously and has a dedicated part of the Information Governance team in place to support this.

If you want to access your personal information, you can make subject access request verbally or in writing. Although if you make your request verbally, we recommend you follow it up in writing, as we have to be satisfied as to your identity, but it will also provide a clear trail of correspondence provide clear evidence of your actions.

Read more about the law and how to make a request.

Lawful basis for processing personal data

Organisations should identify the lawful basis for their processing activity. It should be documented and privacy notices updated. You will see that under the “information you hold” and “communicating privacy information” sections of this page, RDaSH has adhered to this requirement.

We do not rely on consent to use your information as a legal basis for processing.

We rely on specific provisions under article 6 and 9 of the general data protection regulation, such as either:

  • ‘a task carried out in the public interest or in the exercise of official authority vested in the controller’
  • ‘the provision of health or social care or treatment or the management of health or social care systems and services’

This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘no’ to our use of your information but this could have an impact on our ability to provide you with care.

Where consent is required for data processing, we will ensure that this is explicit, freely given, specific, informed and unambiguous.


For this requirement organisations should start thinking about whether it needs to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

RDaSH has had a long history in ensuring that appropriate consent is obtained from children or their parents or guardians.

This is also regularly reviewed to assess that, if the child is considered competent enough, that they then become responsible for their own data and treatment.

Data breaches

RDaSH has systems and processes in place to manage the robust reporting and investigating of data breaches and Incidents. Evidence of this can be found in the trust’s data security and protection breaches or information governance incident reporting policy.

Data protection by design and data protection impact assessments (DPIA)

The General Data Protection Regulation (2016) (GDPR) introduced a new legal obligation to complete a data protection impact assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. A DPIA is a process to help identify and minimise the data protection risks which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Below is a log of our completed DPIAs, together with their reference number and name of the project, as part of our openness and transparency. To request a copy of the entire DPIA please apply via the FoIA process.

Reference Title
DPIA0001 Qinteractive
DPIA0008 Voice Recognition Second Pilot
DPIA0010 ZOOM (conferencing)
DPIA0013 Time and attendance
DPIA0032 ORCHA health app library
DPIA0034 PVP Suite Sinclair House
DPIA0038 Serious Mental Illness Physical Health Checks
DPIA0039 Lease 4000 Software
DPIA0040 Flashback Express
DPIA0043 Minddistrict (CCBT)
DPIA0044 Service Management Replacement
DPIA0045 Health Roster Optimisation
DPIA0046 Rotherham Health Record
DPIA0047 Uniqus App
DPIA0049 Zoomtec magnifier
DPIA0050 Axe the Fax
DPIA0051 EHCP digital platform (ECG Machine Test Trial)
DPIA0054 MD Calc app
DPIA0055 SIGN app
DPIA0056 Toxbase app
DPIA0059 Primera Doorset and Ligature Alarm System
DPIA0061 Next Generation Text app
DPIA0064 Video Interaction Guidance
DPIA0068 ADOS (Autism Diagnostic Obs)
DPIA0073 Serenity Integrated Mentoring (SIM)
DPIA0074 Share Point
DPIA0076 Individual Placement Support
DPIA0078 Clinical Skills Ltd
DPIA0080 Woodlands Camera
DPIA0087 Stroke Association Connect
DPIA0091 eConsent for School Vaccinations
REF125 Palo Alto
REF128 SystmOne
REF134 Office365
REF136 Speech Exec Pro Dictate Software
REF141 Perfect Ward
REF142 Children’s post screening vision screening service
REF147 Oxehealth
REF152 Survey Monkey
REF154 Rotherham Health App, Subtrakt Health
REF155 Portacount FFP3 Fit Testing Machine
REF156 CGL Framework- Inpatient Detox and Residential Rehabilitation Services
REF157 NVIS staff flu submission
REF158 IAPT online referral
REF159 CEC Healthcare Coding Ltd.
REF160 ECG interpretation service
REF161 Lateral flow reporting service
REF162 Account self service
REF165 Use of Eventbrite for the booking of staff events
REF170 COVID vaccination
REF176 Govroam
REF177 Children’s care group eClinic
REF189 Palo Alto Global Protect VPN
REF191 Gait Pressure Plate
REF214 Akrivia Health Platform
REF216 VMware Horizon VDI platform
REF220 Medical e-Job Planning
REF221 Technical data room or externally shared file with Hill Dickinson LLP
REF224 Rotherham CAMHS, automated booking system
REF225 BarCo ClickShare, hybrid meeting room trollies
REF226 Block contract inpatient beds, consortium DMBC
REF228 S12 Solutions app
REF229 Newly Qualified Nurse Standardised Recruitment
REF231 YOC Form Link in SMS
REF232 C19-YRS COVID 19 Yorkshire Rehabilitate Scale app
REF238 Staff Portal, booking procedure for staff training
REF242 Remote ECG Service CAMHs and Eating Disorder Service (CEDS)
REF243 Intellectual Disabilities Referral Form
REF245 Formeo Implementation
REF254 Salary Finance Portal
REF255 Fresh Street Food and Health Pilot Study
REF256 Akrivia Health Platform UK CRIS
REF257 SYA Finance Together
REF258 Just In Time Adaptive Interventions (JITAI) for Suicide and Self-Harm
REF259 Perinatal Mental Health Feedback with LIGHT
REF265 Deloitte Connect
REF266 Grammarly
REF268 Fresh Street Food and Health Pilot Study, Smart Survey
REF281 Canon Digital Store Front
REF283 Health roster optimisation loop app
REF285 ISOSEC Virtual smart card pilot
REF292 LOLIPOP study
REF296 Technical data room or shared file with Hempsons Solicitors
REF298 Neurodevelopment online referral form
REF299 Doncaster crisis pathway
REF313 Refill
REF314 Total ESR access for executive PAs and CAST
REF323 SystmOne communications annexe
REF324 Wagestream
REF328 Agiito train ticket and hotel booking platform
REF336 Brigid UK app

Data protection officer

This trust has appointed a qualified data protection officer:

Caroline J Britten, Data Protection Officer and Head of Information Governance



This trust does not process the majority of its data outside of the EU or EEA.

Where this occurs appropriate checks are undertaken and privacy notices will be updated accordingly.

Page last reviewed: April 08, 2024
Next review due: April 08, 2025


Report a problem