GDPR Compliance

RDaSH takes your confidentiality and privacy rights very seriously, along with its responsibility to ensure compliance with the General Data Protection Regulation (GDPR) 2016.

To ensure compliance, RDaSH has followed, amongst other guidance, the Information Commissioner’s Office (ICO) guidance “Preparing for the General Data Protection Regulations – 12 steps to take now”.

This document outlines how the Trust has met each of these standards and what it will do to ensure compliance is maintained.

  1. Awareness
  2. Information you hold
  3. Communicating privacy information
  4. Individuals’ rights
  5. Subject access requests
  6. Lawful basis for processing personal data
  7. Consent
  8. Children
  9. Data breaches
  10. Data Protection by Design and Data Protection Impact Assessments (DPIA)
  11. Data Protection Officer
  12. International

Awareness

RDaSH ensures that all staff within the organisation undertake annual mandatory Data Security Awareness training; the minimum standard allowed for NHS organisations is 95% compliance in this area, with the remaining 5% allowed for staff absences as a result of sickness, maternity / paternity, secondments, etc.

The annual training ends with an assessment which each employee must complete, as well as reading and signing the Trust’s Staff Code of Conduct, before they are considered compliant.

As well as training, staff are regularly provided with updated information on data protection, best practice, information governance, etc, to ensure a high level of understanding throughout the organisation.

Training is closely monitored by senior management and the Trust’s Data Protection Officer. In addition to all of the above, the Trust’s Data Protection Officer, Senior Information Risk Owner and Caldicott Guardian receive annual expert training and advice to ensure that their knowledge is maintained at a higher level.

Information you hold

RDaSH undertakes a process which is referred to as Data Flow Mapping. This process identifies:

  • all data that flows in and out of the organisation
  • for what legal purpose it is collected
  • if it is processed securely
  • if it is only processed for the purpose for which it was collected
  • who data is shared with [this is also linked with Information Sharing Agreements (ISAs)]

What’s next?

This process will continue to be reviewed annually. RDaSH is currently looking to publish this information as part of its openness and transparency; however, it will need to ensure that doing so does not compromise the security of the information held, and therefore a summary of data processing activities may be published. In the interim, an outline of the data that is processed is available within the Trust’s Privacy Notice.

Communicating Privacy Information

RDaSH has provided an updated Privacy Notice as part of its “Your Information Your Rights” page, alongside other information which demonstrates our compliance with GDPR. This includes:

  • Leaflets and Guidance
  • Individuals’ rights and how these are adhered to
  • Information Sharing Agreements (to be published)
  • Data Processing Agreements (to be published)
  • Data Protection Impact Assessments (to be published)

What’s next?

With regard to the documents identified above as “to be published”: RDaSH is currently looking to publish this information as part of its openness and transparency; however, it will need to ensure that doing so does not compromise the security of the information held, and therefore a summary may be provided as an alternative.

Individual’s Rights

RDaSH has published individuals’ rights on its “Your Information Your Rights” page, along with supporting guidance and leaflets advising on how we will adhere to these rights.

Subject Access Requests

RDaSH takes its responsibility to provide individuals with their information in accordance with the law very seriously, and has a dedicated part of the Information Governance Team in place to support this.

If you want to access your personal information, you can make a subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing, as we have to be satisfied as to your identity; a written request will also provide a clear trail of correspondence and clear evidence of your actions.

Click here to read more about the law and also about how to make a request

Lawful Basis for Processing Personal Data

Organisations should identify the lawful basis for their processing activity. It should be documented and privacy notices updated. You will see that under the “information you hold” and “communicating privacy information” sections of this page, RDaSH has adhered to this requirement.

Consent

We do not rely on consent to use your information as a ‘legal basis for processing’.

We rely on specific provisions under Articles 6 and 9 of the General Data Protection Regulation, such as ‘… a task carried out in the public interest or in the exercise of official authority vested in the controller’ or ‘… the provision of health or social care or treatment or the management of health or social care systems and services …’.

This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.

Where consent is required for data processing, we will ensure that this is explicit, freely given, specific, informed and unambiguous.

Children

For this requirement, organisations should start thinking about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

RDaSH has a long history of ensuring that appropriate consent is obtained from children or their parents / guardians.

This is also regularly reviewed so that, if the child is considered competent enough, they become responsible for their own data and treatment.

Data Breaches

RDaSH has systems and processes in place to manage the robust reporting and investigating of Data Breaches and Incidents. Evidence of this can be found in the Trust’s Data Security and Protection Breaches/Information Governance Incident Reporting Policy.

Data Protection by Design and Data Protection Impact Assessments (DPIA)

The General Data Protection Regulation 2016 (GDPR) introduced a new legal obligation to complete a Data Protection Impact Assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. A DPIA is a process to help identify and minimise the data protection risks of a project which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Below is a log of our completed DPIAs, together with their reference number and the name of the project, as part of our openness and transparency. To request a copy of the entire DPIA, please apply via the FoIA process.

Ref.        Title
DPIA0001    Qinteractive
DPIA0008    Voice Recognition Second Pilot
DPIA0010    ZOOM (Conferencing)
DPIA0013    Time and Attendance
DPIA0032    ORCHA Health App Library
DPIA0034    PVP Suite Sinclair House
DPIA0036    SLACK.COM
DPIA0038    Serious Mental Illness Physical Health Checks
DPIA0039    Lease 4000 Software
DPIA0040    Flashback Express
DPIA0042    Grammarly writing assistant
DPIA0043    Minddistrict (CCBT)
DPIA0044    Service Management Replacement
DPIA0045    Health Roster Optimisation
DPIA0046    Rotherham Health Record
DPIA0047    Uniqus App
DPIA0049    Zoomtec magnifier
DPIA0050    Axe the Fax
DPIA0051    EHCP digital platform (ECG Machine Test Trial)
DPIA0053    IESO
DPIA0054    MD Calc App
DPIA0055    SIGN App
DPIA0056    Toxbase App
DPIA0059    Primera Doorset and Ligature Alarm System
DPIA0061    Next Generation Text app
DPIA0064    Video Interaction Guidance
DPIA0068    ADOS (Autism Diagnostic Obs)
DPIA0073    Serenity Integrated Mentoring (SIM)
DPIA0074    Share Point
DPIA0076    Individual Placement Support
DPIA0078    Clinical Skills Ltd
DPIA0080    Woodlands Camera
DPIA0087    Stroke Association Connect
DPIA0091    eConsent for School Vaccinations
REF125      Palo Alto
REF128      SystmOne

Data Protection Officer

This Trust has appointed a qualified Data Protection Officer:

Caroline J Britten
Data Protection Officer and Head of Information Governance
Email: rdash.dpo@nhs.net

International

This Trust does not process the majority of its data outside of the EU / EEA.

Where this occurs appropriate checks are undertaken and Privacy Notices will be updated accordingly.
