RDaSH takes your confidentiality and privacy rights very seriously, along with its responsibility to ensure compliance with the General Data Protection Regulation (GDPR) 2016.
In order to ensure compliance, RDaSH has, amongst other guidance, followed the Information Commissioner’s Office (ICO) guidance “Preparing for the General Data Protection Regulation – 12 steps to take now”.
This document outlines how the Trust has met each of these steps and what it will do to ensure that compliance is maintained.
- Awareness
- Information you hold
- Communicating privacy information
- Individuals’ rights
- Subject access requests
- Lawful basis for processing personal data
- Consent
- Children
- Data breaches
- Data Protection by Design and Data Protection Impact Assessments (DPIA)
- Data Protection Officer
- International
Awareness
RDaSH ensures that all staff within the organisation undertake annual mandatory Data Security Awareness training. The minimum standard for NHS organisations is 95% compliance in this area, with the remaining 5% allowed for staff absences as a result of sickness, maternity / paternity leave, secondments, etc.
As part of the annual training there is an assessment at the end which each employee must complete, as well as reading and signing the Trust’s Staff Code of Conduct, before they are considered compliant.
As well as training, staff are regularly provided with updated information on data protection, best practice, information governance, etc., to ensure a high level of understanding throughout the organisation.
Training is closely monitored by senior management and the Trust’s Data Protection Officer. In addition to all of the above, the Trust’s Data Protection Officer, Senior Information Risk Owner and Caldicott Guardian receive annual expert training and advice to ensure that their knowledge is maintained at a higher level.
Information you hold
RDaSH undertakes a process which is referred to as Data Flow Mapping. This process identifies:
- all data that flows in and out of the organisation
- the legal purpose for which it is collected
- whether it is processed securely
- whether it is only processed for the purpose for which it was collected
- who data is shared with [this is also linked with Information Sharing Agreements (ISAs)]
This process will continue to be reviewed annually. RDaSH is currently looking to publish this information as part of its openness and transparency; however, it will need to ensure that by doing so it does not compromise the security of the information held. A summary of data processing activities may therefore be published instead. In the interim, an outline of the data that is processed is available within the Trust’s Privacy Notice.
Communicating Privacy Information
RDaSH has provided an updated Privacy Notice as part of its “Your Information Your Rights” page, alongside other information which demonstrates our compliance with GDPR. This includes:
- Leaflets and Guidance
- Individuals rights and how these are adhered to
- Information Sharing Agreements (to be published)
- Data Processing Agreements (to be published)
- Data Protection Impact Assessments (to be published)
With regard to the documents identified above as “to be published”: RDaSH is currently looking to publish this information as part of its openness and transparency; however, it will need to ensure that by doing so it does not compromise the security of the information held. A summary may therefore be provided as an alternative.
Individuals’ Rights
RDaSH has published individuals’ rights on its “Your Information Your Rights” page, along with supporting guidance and leaflets advising how we will adhere to these rights.
Subject Access Requests
RDaSH takes its responsibility to provide individuals with their information in accordance with the law very seriously, and has a dedicated part of the Information Governance Team in place to support this.
We have adapted the process to support the new timescale requirements of GDPR, under which requests must be processed within one month (as opposed to the previous 40 days) and free of charge (in most circumstances).
Lawful Basis for Processing Personal Data
For this requirement, organisations should identify the lawful basis for each processing activity, document it and update their privacy notice to explain it. As the “Information you hold” and “Communicating Privacy Information” sections of this document show, RDaSH has adhered to this requirement. In the majority of cases the legal bases for processing are those outlined below.
Article 6(1) – Processing Personal Data
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract: staff information
c) processing is necessary for compliance with a legal obligation to which the controller is subject: e.g. safeguarding legislation, the Children Act, the Mental Capacity Act
d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller: provision of medical services
e) processing is necessary in order to protect the vital interests of the data subject or of another natural person: medical emergencies
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes: only where none of the legal bases above is applicable
Article 9(2) – Processing Special Category Data
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject: staff information
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent: medical emergencies
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3: provision of medical services
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject: only where none of the legal bases above is applicable
Consent
We do not rely on consent as our ‘legal basis for processing’ when using your information to provide your care.
Instead we rely on specific provisions under Articles 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller’ or ‘…the provision of health or social care or treatment or the management of health or social care systems and services…’.
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information, although this could have an impact on our ability to provide you with care.
Where consent is required for data processing, we will ensure that it is explicit, freely given, specific, informed and unambiguous.
Children
For this requirement, organisations should start thinking about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
RDaSH has a long history of ensuring that appropriate consent is obtained from children or their parents / guardians.
This is also regularly reviewed to assess whether the child is considered competent to make their own decisions; where they are, they become responsible for their own data and treatment.
Data Breaches
RDaSH, alongside other NHS organisations, has had systems and processes in place for some time to manage the robust reporting and investigation of data breaches. Evidence of this can be found in the Trust’s Information Risk Management Policy.
Data Protection by Design and Data Protection Impact Assessments (DPIA)
RDaSH, alongside other NHS organisations, has had systems and processes in place for some time to carry out Data Protection Impact Assessments (previously known as Privacy Impact Assessments). Evidence of this can be found in the Trust’s Data Protection Impact Assessment Procedure.
To ensure Data Protection by Design, the Trust’s Data Protection Officer is involved in all service discussions, both clinical and corporate, where data processing will be discussed, to ensure that the right checks have been put in place and that Data Protection Impact Assessments are completed. In addition, all Trust sub-contractors have been, or will be, contacted and provided with updated GDPR compliance contract clauses.
Data Protection Impact Assessments have not been carried out retrospectively for existing processes that predate the requirement (although security checks were completed for them at the time). Where major changes are made to existing processing, a Data Protection Impact Assessment will be completed.
The GDPR introduces a new obligation to carry out a DPIA before undertaking types of processing likely to result in a high risk to individuals’ interests. A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project which requires the processing of personal data. It is also good practice to carry out a DPIA for any other major project which requires the processing of personal data.
We will publish our DPIAs as part of our openness and transparency, although, to ensure that we do not compromise the security of the information held, only a summary is provided.
Below is a summary of all DPIAs carried out since 25th May 2018, when this became a data protection requirement. The list will be periodically updated with newly completed DPIAs. If you would like more information about our process, or about any DPIA listed below, please contact firstname.lastname@example.org
Data Protection Officer
This Trust has appointed a qualified Data Protection Officer:
Caroline J Britten
Data Protection Officer and Head of Information Governance
International
This Trust does not process the majority of its data outside of the EU / EEA.
In the rare circumstances where this occurs, rigorous security checks are undertaken, alongside contractual restrictions.
Individuals will be informed when their data is being processed outside of the EU / EEA.