GDPR Compliance
RDaSH takes your confidentiality and privacy rights very seriously, along with its responsibility to ensure compliance with the General Data Protection Regulation (GDPR) (2016).
In order to ensure compliance RDaSH has ensured that amongst other guidance, it has followed the information commissioner’s office (ICO) guidance of “preparing for the general data protection regulations, 12 steps to take now”.
This document outlines how the trust has met each of these standards and what it will do ensure compliance is maintained.
- Awareness
- Information you hold
- Communicating privacy information
- Individuals rights
- Subject access requests
- Lawful basis for processing personal data
- Consent
- Children
- Data breaches
- Data protection by design and data protection impact assessments (DPIA)
- Data protection officer
- International
Awareness
RDaSH ensures that all staff within the organisation undertake annual mandatory data security awareness training; the minimum standard allowed for NHS organisations is 95% compliance in this area, with the remaining 5% allowed for staff absences as a result of sickness, maternity or paternity, secondments, etc.
As part of the annual training there is an assessment at the end which each employee must undertake, as well reading and signing the trust’s staff code of conduct, before they are considered compliant.
As well as training, staff are regularly provided with updated information on data protection, best practice, information governance, etc, to ensure a high level of understanding throughout the organisation.
Training is closely monitored by senior management and the trust’s data protection officer. In addition to all of the above the trust’s data protection officer, senior information risk owner and Caldicott guardian receive annual expert training and advise to ensure that their knowledge is maintained at a higher level.
Information you hold
RDaSH undertakes a process which is referred to as data flow mapping. This process identifies:
- all data that flows in and out of the organisation
- for what legal purpose it is collected
- if it is processed securely
- if it is only processed for the purpose in which it was collected
- who data is shared with. This is also linked with information sharing agreements (ISAs)
Information sharing agreement
These agreements define the information that will be transferred between the organisations listed and arrangements for assisting compliance with relevant legislation and guidance. Agreements that set out the lawful basis for the use of personal data by the public sector, across traditional organisational boundaries, to achieve better policies and deliver better services.
The law, rightly, puts in place safeguards for the use of individuals’ data (the data protection act, human rights and common law) and there are organisational costs involved in meeting those conditions. It is important that those safeguards exist and are properly applied.
Data sharing can take place in a way that helps deliver the better services that we all want, while still respecting people’s legitimate expectations about the privacy and confidentiality of their personal information.
What’s next?
This process will continue to be reviewed annually. RDaSH is currently looking to publish this information as part of its openness and transparency, however will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary of data processing activities maybe published. In the interim an outline of data that is processed is available within the trust’s privacy notice.
Communicating privacy information
RDaSH provides a privacy notice as part of its your information, your rights page, alongside other information which demonstrates our compliance with GDPR. This includes:
- leaflets and guidance
- individuals rights and how these are adhered to
- information sharing agreements (to be published)
- data processing agreements (to be published)
- data protection impact assessments (to be published)
What’s next?
With regards to the documents identified above as “to be published”; RDaSH is currently looking to publish this information as part of its openness and transparency, however will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary maybe provided as an alternative.
Individual’s rights
RDaSH has published individuals rights on its tour information, your rights page page, along with supporting guidance and leaflets advising on how we will adhere to these rights.
Subject access requests
RDaSH takes it’s responsibility to provide individuals with their information in accordance with law, very seriously and has a dedicated part of the Information Governance team in place to support this.
If you want to access your personal information, you can make subject access request verbally or in writing. Although if you make your request verbally, we recommend you follow it up in writing, as we have to be satisfied as to your identity, but it will also provide a clear trail of correspondence provide clear evidence of your actions.
Read more about the law and how to make a request.
Lawful basis for processing personal data
Organisations should identify the lawful basis for their processing activity. It should be documented and privacy notices updated. You will see that under the “information you hold” and “communicating privacy information” sections of this page, RDaSH has adhered to this requirement.
Consent
We do not rely on consent to use your information as a legal basis for processing.
We rely on specific provisions under article 6 and 9 of the general data protection regulation, such as either:
- ‘a task carried out in the public interest or in the exercise of official authority vested in the controller’
- ‘the provision of health or social care or treatment or the management of health or social care systems and services’
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘no’ to our use of your information but this could have an impact on our ability to provide you with care.
Where consent is required for data processing, we will ensure that this is explicit, freely given, specific, informed and unambiguous.
Children
For this requirement organisations should start thinking about whether it needs to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
RDaSH has had a long history in ensuring that appropriate consent is obtained from children or their parents or guardians.
This is also regularly reviewed to assess that, if the child is considered competent enough, that they then become responsible for their own data and treatment.
Data breaches
RDaSH has systems and processes in place to manage the robust reporting and investigating of data breaches and Incidents. Evidence of this can be found in the trust’s data security and protection breaches or information governance incident reporting policy.
Data protection by design and data protection impact assessments (DPIA)
The General Data Protection Regulation (2016) (GDPR) introduced a new legal obligation to complete a data protection impact assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. A DPIA is a process to help identify and minimise the data protection risks which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Below is a log of our completed DPIAs, together with their reference number and name of the project, as part of our openness and transparency. To request a copy of the entire DPIA please apply via the FoIA process.
| Reference | Title |
|---|---|
| DPIA0001 | Qinteractive |
| DPIA0008 | Voice Recognition Second Pilot |
| DPIA0010 | ZOOM (conferencing) |
| DPIA0013 | Time and attendance |
| DPIA0032 | ORCHA health app library |
| DPIA0034 | PVP Suite Sinclair House |
| DPIA0036 | SLACK.COM |
| DPIA0038 | Serious Mental Illness Physical Health Checks |
| DPIA0039 | Lease 4000 Software |
| DPIA0040 | Flashback Express |
| DPIA0043 | Minddistrict (CCBT) |
| DPIA0044 | Service Management Replacement |
| DPIA0045 | Health Roster Optimisation |
| DPIA0046 | Rotherham Health Record |
| DPIA0047 | Uniqus App |
| DPIA0049 | Zoomtec magnifier |
| DPIA0050 | Axe the Fax |
| DPIA0051 | EHCP digital platform (ECG Machine Test Trial) |
| DPIA0053 | IESO |
| DPIA0054 | MD Calc app |
| DPIA0055 | SIGN app |
| DPIA0056 | Toxbase app |
| DPIA0059 | Primera Doorset and Ligature Alarm System |
| DPIA0061 | Next Generation Text app |
| DPIA0064 | Video Interaction Guidance |
| DPIA0068 | ADOS (Autism Diagnostic Obs) |
| DPIA0073 | Serenity Integrated Mentoring (SIM) |
| DPIA0074 | Share Point |
| DPIA0076 | Individual Placement Support |
| DPIA0078 | Clinical Skills Ltd |
| DPIA0080 | Woodlands Camera |
| DPIA0087 | Stroke Association Connect |
| DPIA0091 | eConsent for School Vaccinations |
| REF125 | Palo Alto |
| REF128 | SystmOne |
| REF134 | Office365 |
| REF136 | Speech Exec Pro Dictate Software |
| REF140 | QUIT |
| REF141 | Perfect Ward |
| REF142 | Children’s post screening vision screening service |
| REF147 | Oxehealth |
| REF152 | Survey Monkey |
| REF154 | Rotherham Health App, Subtrakt Health |
| REF155 | Portacount FFP3 Fit Testing Machine |
| REF156 | CGL Framework- Inpatient Detox and Residential Rehabilitation Services |
| REF157 | NVIS staff flu submission |
| REF158 | IAPT online referral |
| REF159 | CEC Healthcare Coding Ltd. |
| REF160 | ECG interpretation service |
| REF161 | Lateral flow reporting service |
| REF162 | Account self service |
| REF165 | Use of Eventbrite for the booking of staff events |
| REF170 | COVID vaccination |
| REF176 | Govroam |
| REF177 | Children’s care group eClinic |
| REF189 | Palo Alto Global Protect VPN |
| REF191 | Gait Pressure Plate |
| REF214 | Akrivia Health Platform |
| REF216 | VMware Horizon VDI platform |
| REF220 | Medical e-Job Planning |
| REF221 | Technical data room or externally shared file with Hill Dickinson LLP |
| REF224 | Rotherham CAMHS, automated booking system |
| REF225 | BarCo ClickShare, hybrid meeting room trollies |
| REF226 | Block contract inpatient beds, consortium DMBC |
| REF228 | S12 Solutions app |
| REF229 | Newly Qualified Nurse Standardised Recruitment |
| REF231 | YOC Form Link in SMS |
| REF232 | C19-YRS COVID 19 Yorkshire Rehabilitate Scale app |
| REF238 | Staff Portal, booking procedure for staff training |
| REF242 | Remote ECG Service CAMHs and Eating Disorder Service (CEDS) |
| REF243 | Intellectual Disabilities Referral Form |
| REF245 | Formeo Implementation |
| REF254 | Salary Finance Portal |
| REF255 | Fresh Street Food and Health Pilot Study |
| REF256 | Akrivia Health Platform UK CRIS |
| REF257 | SYA Finance Together |
| REF258 | Just In Time Adaptive Interventions (JITAI) for Suicide and Self-Harm |
| REF259 | Perinatal Mental Health Feedback with LIGHT |
| REF265 | Deloitte Connect |
| REF266 | Grammarly |
| REF268 | Fresh Street Food and Health Pilot Study, Smart Survey |
| REF281 | Canon Digital Store Front |
| REF283 | Health roster optimisation loop app |
| REF285 | ISOSEC Virtual smart card pilot |
| REF292 | LOLIPOP study |
| REF296 | Technical data room or shared file with Hempsons Solicitors |
| REF298 | Neurodevelopment online referral form |
| REF299 | Doncaster crisis pathway |
| REF313 | Refill |
| REF314 | Total ESR access for executive PAs and CAST |
| REF323 | SystmOne communications annexe |
| REF324 | Wagestream |
| REF328 | Agiito train ticket and hotel booking platform |
| REF336 | Brigid UK app |
Data protection officer
This trust has appointed a qualified data protection officer:
Caroline J Britten, Data Protection Officer and Head of Information Governance
Email: rdash.dpo@nhs.net
International
This trust does not process the majority of its data outside of the EU or EEA.
Where this occurs appropriate checks are undertaken and privacy notices will be updated accordingly.
Page last reviewed: April 08, 2024
Next review due: April 08, 2025