RDaSH takes your confidentiality and privacy rights very seriously, along with its responsibility to ensure compliance with the General Data Protection Regulation (GDPR) 2016.
In order to ensure compliance RDaSH has ensured that amongst other guidance, it has followed the Information Commissioner’s Office (ICO) guidance of “Preparing for the General Data Protection Regulations – 12 steps to take now”.
This document outlines how the Trust has met each of these standards and what it will do ensure compliance is maintained.
- Information you hold
- Communicating privacy information
- Individuals rights
- Subject access requests
- Lawful basis for processing personal data
- Data breaches
- Data Protection by Design and Data Protection Impact Assessments (DPIA)
- Data Protection Officer
RDaSH ensures that all staff within the organisation undertake annual mandatory Data Security Awareness training; the minimum standard allowed for NHS organisations is 95% compliance in this area, with the remaining 5% allowed for staff absences as a result of sickness, maternity / paternity, secondments, etc.
As part of the annual training there is an assessment at the end which each employee must undertake, as well reading and signing the Trust’s Staff Code of Conduct, before they are considered compliant.
As well as training, staff are regularly provided with updated information on data protection, best practice, information governance, etc, to ensure a high level of understanding throughout the organisation.
Training is closely monitored by senior management and the Trust’s Data Protection Officer. In addition to all of the above the Trust’s Data Protection Officer, Senior Information Risk Owner and Caldicott Guardian receive annual expert training and advise to ensure that their knowledge is maintained at a higher level.
Information you hold
RDaSH undertakes a process which is referred to as Data Flow Mapping. This process identifies:
- all data that flows in and out of the organisation
- for what legal purpose it is collected
- if it is processed securely
- if it is only processed for the purpose in which it was collected
- who data is shared with [this is also linked with Information Sharing Agreements (ISAs)]
This process will continue to be reviewed annually. RDaSH is currently looking to publish this information as part of its openness and transparency, however will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary of data processing activities maybe published. In the interim an outline of data that is processed is available within the Trust’s Privacy Notice.
Communicating Privacy Information
RDaSH has provided an updated Privacy Notice as part of its “Your Information Your Rights” page, alongside other information which demonstrates our compliance with GDPR. This includes;
- Leaflets and Guidance
- Individuals rights and how these are adhered to
- Information Sharing Agreements (to be published)
- Data Processing Agreements (to be published)
- Data Protection Impact Assessments (to be published)
With regards to the documents identified above as “to be published”; RDaSH is currently looking to publish this information as part of its openness and transparency, however will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary maybe provided as an alternative.
RDaSH has published individuals rights on its “Your Information Your Rights” page, along with supporting guidance and leaflets advising on how we will adhere to these rights.
Subject Access Requests
RDaSH takes it’s responsibility to provide individuals with their information in accordance with law, very seriously and has a dedicated part of the Information Governance Team in place to support this.
If you want to access your personal information, you can make subject access request verbally or in writing. Although if you make your request verbally, we recommend you follow it up in writing, as we have to be satisfied as to your identity, but it will also provide a clear trail of correspondence provide clear evidence of your actions.
Lawful Basis for Processing Personal Data
Organisations should identify the lawful basis for their processing activity. It should be documented and privacy notices updated. You will see that under the “information you hold” and “communicating privacy information” sections of this page, RDaSH has adhered to this requirement.
We do not rely on consent to use your information as a ‘legal basis for processing’.
We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller’ or ‘.. the provision of health or social care or treatment or the management of health or social care systems and services ..’.
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.
Where consent is required for data processing, we will ensure that this is explicit, freely given, specific, informed and unambiguous.
For this requirement organisations should start thinking about whether it needs to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
RDaSH has had a long history in ensuring that appropriate consent is obtained from children or their parents / guardians.
This is also regularly reviewed to assess that, if the child is considered competent enough, that they then become responsible for their own data and treatment.
RDaSH has systems and processes in place to manage the robust reporting and investigating of Data Breaches and Incidents. Evidence of this can be found in the Trust’s Data Security and Protection Breaches/Information Governance Incident Reporting Policy.
Data Protection by Design and Data Protection Impact Assessments (DPIA)
The General Data Protection Regulation 2016 (GDPR) introduced a new legal obligation to complete a Data Protection Impact Assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. A DPIA is a process to help identify and minimise the data protection risks which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Below is a log of our completed DPIAs, together with their reference number and name of the project, as part of our openness and transparency. To request a copy of the entire DPIA please apply via the FoIA process.
DPIA0008 Voice Recognition Second Pilot
DPIA0010 ZOOM (Conferencing)
DPIA0013 Time and Attendance
DPIA0032 ORCHA Health App Library
DPIA0034 PVP Suite Sinclair House
DPIA0038 Serious Mental Illness Physical Health Checks
DPIA0039 Lease 4000 Software
DPIA0040 Flashback Express
DPIA0042 Grammarly writing assistant
DPIA0043 Minddistrict (CCBT)
DPIA0044 Service Management Replacement
DPIA0045 Health Roster Optimisation
DPIA0046 Rotherham Health Record
DPIA0047 Uniqus App
DPIA0049 Zoomtec magnifier
DPIA0050 Axe the Fax
DPIA0051 EHCP digital platform (ECG Machine Test Trial)
DPIA0054 MD Calc App
DPIA0055 SIGN App
DPIA0056 Toxbase App
DPIA0059 Primera Doorset and Ligature Alarm System
DPIA0061 Next Generation Text app
DPIA0064 Video Interaction Guidance
DPIA0068 ADOS (Autism Diagnostic Obs)
DPIA0073 Serenity Integrated Mentoring (SIM)
DPIA0074 Share Point
DPIA0076 Individual Placement Support
DPIA0078 Clinical Skills Ltd
DPIA0080 Woodlands Camera
DPIA0087 Stroke Association Connect
DPIA0091 eConsent for School Vaccinations
REF125 Palo Alto
Data Protection Officer
This Trust has appointed a qualified Data Protection Officer:
Caroline J Britten
Data Protection Officer and Head of Information Governance
This Trust does not process the majority of its data outside of the EU / EEA.
Where this occurs appropriate checks are undertaken and Privacy Notices will be updated accordingly.