Data Protection Policy

Introduction

Commit2Care Services Ltd, Unit 70 Waterham Business Park, Highstreet Road, Hernhill Faversham ME13 9EJ, is a Domiciliary Care Agency. We provide home care services to clients in their own homes.  The confidential data we collect and access must be used legally and in good faith, following the principles and guidance published in relevant legislation and industry standards.  To ensure this, this policy documents the principles and guidance we apply at all times.

Scope

This policy applies to the treatment of personal data for which Commit2Care Services is the data processor or data controller, and applies to all staff members and temporary staff members.

Personal data is defined as any data that can be used to identify a living individual.  Anonymised or aggregated data is not regulated by the Data Protection Act (DPA) or General Data Protection Regulation (GDPR), providing the anonymisation or aggregation has not been done in a reversible way.  For clarity, individuals can be identified by various means including their name and address, telephone number or email address.

Confidential data must be treated with an enhanced level of diligence.  For clarity, confidential data includes any data (or information) which is shared under a reasonable expectation of confidentiality, but specifically includes all Special Categories of Data as defined in the GDPR:

  1. Race or ethnic origin;
  2. Political opinions;
  3. Religious or philosophical beliefs;
  4. Trade union membership;
  5. Genetic data;
  6. Biometric data;
  7. Health data;
  8. Sexual history and/or sexual orientation;
  9. Criminal data.

Purpose

This document states and explains how we comply with the principles of data protection, and acts as a statement of intent by which the company, employees or third parties must abide.  This policy is published and distributed to staff, customers or service users, and clients as required for informative purposes.  This policy cannot, and does not aim to, cover every possible use of data, but should be used for guidance where required.

Commitments

Commit2Care Services will:

  1. Ensure that we comply with the Principles of Data Protection and the Caldicott Principles.
  2. Meet our legal obligations as laid down by the General Data Protection Regulation, Human Rights Act 1990, Health and Social Care Act 2015, Access to Health Records Act 2000, and any other relevant legislation.
  3. Ensure that processes and procedures are in place to allow data subjects to exercise their rights.

Data Protection Principles

The data protection principles shall be used to guide all use of personal data:

  1. Accountability – This means that we acknowledge and understand our role and responsibilities as a data controller and data processor. We ensure this by having appropriate governance of how data is used, at the appropriate level of management.
  2. Lawfulness, Fairness, and Transparency –
    1. Lawfulness means having a legitimate legal basis for processing personal data. This is the service contracts or agreements we have in place with our Customers.  When a customer purchases our services, refers a patient to us, or a patient self-refers, this gives us the legitimate legal basis to process their personal data.
    2. Fairness means only using data in the manner which is expected. We ensure this by making sure customers and service users are aware of, and understand how, we process their personal data, ensuring that this is clear and accurate, and ensuring that we do not use data in any other way.
    3. Transparency means that customers and service users must be aware of how we use their data. We ensure this by publishing information on how we use personal data (such as this policy), and by gathering relevant informed consents.
  3. Purpose Limitation – This means that data may only be collected for specific, explicit and legitimate purposes. We ensure this by having clear agreements with our customers and suppliers which limit the use of personal data, and only using data in the manner which would be expected.
  4. Data Minimisation – This means that only the minimum relevant personal data should be collected for the agreed purposes. We ensure this by only collecting the data we require to provide our services, and by ensuring that staff are adequately trained.
  5. Accuracy – This means ensuring that data is accurate and up-to-date. We ensure this by adequately training our staff, and by having a process in place to allow customers and service users to access and request corrections to their personal data.
  6. Storage Limitation – This means that personal data should only be kept for the minimum time necessary. We ensure this by regularly reviewing the data we hold, and destroying it in line with our own policies and any other relevant guidance, regulation or legislation.  In practice this means that we store clinical data for eight years from when the customer or service user last contacted us.

Caldicott Principles

The Caldicott Principles are specifically focussed on the use of confidential healthcare data.  These principles shall be considered, above and beyond those stated above when considering clinical data:

  1. Justify the purpose(s) for using confidential information: This means that use of personal confidential data should be clearly defined, scrutinised, documented, and reviewed by an appropriate guardian.
  2. Don’t use personal confidential data unless it is absolutely necessary: This means that personal confidential data items should not be included unless it is essential.  The need for customers and service users to be identified should be considered at each stage.
  3. Use the minimum necessary personal confidential data: This means that where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is used as is necessary for a given function to be carried out.
  4. Access to personal confidential data should be on a strict need-to-know basis: This means that only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.
  5. Everyone with access to personal confidential data should be aware of their responsibilities: This means that clinical and non-clinical staff handling personal confidential data should be fully aware of their responsibilities and obligations to respect patient confidentiality.
  6. Comply with the law: This means every use of personal confidential data must be lawful.  Each organisation handling personal confidential data should have a person responsible for ensuring that the organisation complies with legal requirements.
  7. The duty to share information can be as important as the duty to protect patient confidentiality: This means that health and social care professionals should have the confidence to share information in the best interests of customers and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

What Data we Collect

Commit2Care Services collects and stores personal data on behalf of private customers, the NHS, employers, Occupational Health providers and website users who visit our webpages and resources.  Generally, the data we collect may consist of (where required for treatment or the provision of services):

  1. name;
  2. address and post code;
  3. telephone number;
  4. employee number or employment details;
  5. email address;
  6. payment card details;
  7. medical history;
  8. medical conditions;
  9. age or date of birth;
  10. gender;
  11. ethnic group or race;
  12. sexual orientation;
  13. criminal offences;
  14. political, religious or philosophical beliefs;
  15. other details about a patient as required for legitimate treatment purposes;
  16. Relevant interests or activities;
  17. Some data is collected automatically by our websites. See relevant website Privacy Policy for more details.

How we Use Personal Data

The data we collect is used for legitimate business purposes only.  We never sell data to any third party and we aim to be fully transparent in its use.  Data is used in the following ways:

  1. for the provision of Physiotherapy, Psychological Therapy, Counselling, and Employee Assistance Services;
  2. to provide reports to customers or service users in line with our agreements;
  3. to positively identify service users or other individuals;
  4. for clinical or business audit and quality assurance purposes;
  5. to provide analysis and intelligence reports to customers or for use internally;
  6. for billing, payment, or accounting purposes;
  7. (NB. in most cases and where suitable, personal data is anonymised when reporting to customer organisations to protect service user confidentiality)
  8. to send or supply goods, products or services;
  9. to manage inquiries or complaints;
  10. to send communications about services, or that have been specifically requested;
  11. to send some marketing communications relating to our business or products, or those of selected third parties

Marketing Communications

Where individuals have opted in to receive marketing communications, or communications about our products and services, data will be stored within our MailChimp account.  The purpose is to send clients regular updates about the business, treatments, and health & wellbeing related news, as specified on the signup form.  Other optional personal data (name, surname, DOB, sports/ activities, preferred appointment location, other detail) may be collected for email marketing purposes.  Individuals can stop receiving these emails at any time by:

  1. clicking the unsubscribe link in the email;
  2. making a request directly to MailChimp through their website, or by emailing personaldatarequest@mailchimp.com;
  3. contacting the data protection officer, using the details at the bottom of this policy.

Who Has Access to Personal Data

Personal data collected as part of treatment may be accessed by clinical or administrative members of staff as required for the provision of services, or by clinical auditors who ensure the quality of service.  This data may also be shared with other clinical professionals outside of Commit2Care Services, where this is required for the provision of services, is required by law, or when required to safeguard the wellbeing of a patient or other person.  Data may occasionally be accessed by selected service suppliers who provide technical support.

To see how personal data collected through our website is used, please see our Website Privacy Policy.

Where an individual has opted in to marketing communications, personal data will be stored on our MailChimp account.  See Marketing Communications section.

How Long we Keep Personal Data

Personal data collected by a healthcare professional forms part of a medical record and we are legally required to maintain this data in line with the guidance of relevant healthcare governing bodies.  In general terms, this means that data is stored for 8 years after a customer's or service user's last contact with a clinician; however, there are exceptions for minors, or following the death of a patient.  For more detail, see the Information Governance Alliance Records Management Code of Practice.

Other personal data collected through websites or other means will be kept only for the minimum amount of time required and then deleted.

What Happens if There is a Data Breach

Any data breach which may result in harm to an individual will be reported to the individual, to any relevant customer organisation, and if required to the Information Commissioner’s Office, within 72 hours of discovery.

Any individual who believes their data may have been used unlawfully should contact the data protection officer immediately using the details at the bottom of this policy.

How we Keep Personal Data Safe

  1. Commit2Care Services systems and processes are protected by CyberEssentials certified technical controls which are verified on an annual basis and managed using an ISO27001:2013 certified Information Security Management System, which is subject to bi-annual external audits, regular internal audits, and full re-certification every three years.
  2. We use enterprise-grade firewalls on network boundaries which include intruder detection and intruder prevention systems. Remote centres are connected to our network using a secure private network, and remote or mobile workers connect via an encrypted virtual private network.
  3. Data is stored on locally hosted and remote UK based platform-as-a-service hosted servers, which are managed and maintained by an ISO27001:2013 certified IT Service provider. Customer Data is also stored on a remote UK based software-as-a-service Case Management System. These services are securely connected to our local network or accessed by encrypted connections.
  4. All servers and user endpoints are protected with enterprise grade Anti-Virus/Anti-Malware software which is monitored and updated on a continuous basis. High risk endpoints are monitored with device monitoring software which allows remote secure deletion of files, or disablement.
  5. All users have unique login credentials with passwords which meet common complexity guidance, and monthly password changes are enforced by network policy. Users with regular access to sensitive data are subject to background checks, criminal records checks, previous employment checks, and governing body certification checks.
  6. Where data is transmitted outside of the network, it is protected by pseudonymisation, anonymisation, or encryption.
  7. Data is backed up locally, and remote copies are stored encrypted for one month. Key systems are also replicated, or have redundant failover to ensure continuity of services in the event of a disaster or technical incident.
  8. Network security is tested by external penetration and vulnerability testing annually, and backups and business continuity measures are fully tested at least annually.
  9. When Patient Data reaches end of life, it is securely destroyed, deleted, or otherwise made inaccessible by secure physical shredding, digital shredding, or database anonymisation.

Data Subjects Rights

Whilst data is collected on behalf of our private customers and business customers, all individuals have the following inalienable rights when it comes to their data:

  1. The right to be informed: Customers or service users should be informed, at the earliest opportunity, what data is to be collected and what it will be used for.  This must be provided in a clear, concise, and transparent format.
  2. The right of access: Customers or service users may request, verbally or in writing and free of charge, access to their own records.  These should be provided in an accessible format once the customer's or service user's identity has been confirmed, and within 30 calendar days in most circumstances.
  3. The right to rectification: Customers or service users may request that inaccurate or incomplete data is rectified, and where this data has been disclosed to another party, such as their insurance provider or employer, we have an obligation to inform them of corrections.
  4. The right to erase: Bearing in mind the legal protection required for medical records, customers or service users may request the deletion of data where it is no longer required for legitimate purposes, or where they withdraw their consent to processing.
  5. NB. Under no circumstances may a medical record be altered or erased without seeking the proper authority and consulting with the Commit2Care Services Data Protection Officer.
  6. The right to restrict processing: Processing of data may be suspended should a patient contest the accuracy of personal data, or where they object to processing, prior to any decision being made about rectifying or deleting data.  Enough data may be retained in any case to ensure that any restrictions on processing are respected in the future.
  7. The right to data portability: Customers or service users are allowed to obtain and reuse their personal data for their own purposes.  We must be prepared to transfer personal data across organisations or IT systems without hindrance to usability.
  8. The right to object: Customers or service users may object to their data being used on grounds relating to their particular situation unless we can demonstrate compelling legitimate grounds to continue.  This should be considered on a case-by-case basis.

Rights in relation to automated decision making and profiling:  If an automated decision is made about an individual, they may request that this decision is reviewed by a human being.

Roles and Responsibilities

The following roles have specific responsibilities for data protection.  These are in addition to other responsibilities within the Information Governance Policy:

  1. Data Protection Officer: The IG Lead is the data protection officer for C2C's various departments and services.  The DPO will provide advice, monitor compliance, and be the first point of contact in the organisation for data protection matters. The DPO reports to the SIRO and directly to the Board in relation to data protection matters.
  2. All Employees: All employees will, through appropriate training and management:
  • Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information;
  • Understand fully the purposes for which C2C uses personal information;
  • Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by C2C to meet its service needs or legal requirements;
  • Ensure the information is destroyed in accordance with the provisions of the Data Protection Act and General Data Protection Regulation when it is no longer required;
  • On receipt of a request by or on behalf of an individual for information held about them, or any other data subjects’ rights in relation to their personal data, immediately notify their line manager and appropriately log the access request;
  • Not send any personal information outside of the United Kingdom without the authority of the Data Protection Officer;
  • Understand that breaches of this Policy may result in disciplinary action, up to and including dismissal.

Data Protection Policies

The following policies and sub-policies are related to this policy:

  • Information Governance Policy
  • Data Protection Policy
  • How We Use Your Data
  • Privacy Impact Assessment Policy
  • Photography and Videography Policy
  • Website Privacy Policy
  • Information Security Policy
  • Confidentiality Policy
  • Document and Records Management Policy
  • Information Sharing Policy

Distribution and Training

  1. This policy will be centrally published and accessible to all staff.
  2. The subject matter of this policy will form part of mandatory induction training and mandatory annual training for all staff.

Monitoring

Compliance with this policy will be monitored by the DPO as part of the Quality and Safety System, including through internal audit.  Findings shall be reported directly to the SIRO, Caldicott Guardian, and if required to the Board of Directors.

Common Questions

Every effort will be made to ensure that customers or service users clearly understand how their data is used, and employees must seek advice if they are unsure – never guess or misrepresent facts to a patient.  This policy answers most questions which a patient is likely to ask and customers or service users may be referred back to this document, however staff should be aware of the following details:

  1. Identity and contact details of the controller and the data protection officer. This is generally the customer organisation; however, this can vary between contracts and services.  Always check with the Commit2Care Services Data Protection Officer, or relevant Account Manager.
  2. Purpose of the processing and the lawful basis for the processing. See sections 7 and 8.
  3. The legitimate interests of the controller or third party, where applicable. See sections 7 and 8.
  4. Any recipient or categories of recipients of the personal data. See section 10.
  5. Details of transfers to third country and safeguards – See section 8.
  6. Retention period or criteria used to determine the retention period. See section 11.
  7. The existence of each of data subject’s rights. See section 14.
  8. The right to withdraw consent at any time, where relevant. See section 14.
  9. The right to lodge a complaint with a supervisory authority. See section 20.
  10. Where any data we already hold about the patient came from. Usually this is name only and comes from the referral source.
  11. Our contractual obligation to collect data, and possible consequences of failing to provide the personal data. This varies between contracts, and should be referred to the Data Protection Officer, or relevant Account Manager.
  12. The existence of automated decision making. Some digital triage may produce automated outcomes.  These decisions are routinely reviewed by members of staff and this may form part of the treatment process, however customers or service users may request a review of any automated decisions.

Making a Data Rights Request

General queries may be answered verbally by any member of staff once a person’s identity has been confirmed; however, the following apply:

  1. Requests to access a patient’s personal data which do not fall under the remit of continuation of care can be made verbally or in writing.
  2. We must positively identify the patient’s identity prior to fulfilling any such request.
  3. On receiving an access request, we are usually bound to inform the relevant Customer organisation and may need to refer the request back to them, dependent on our contractual agreements.
  4. Where a request for a patient’s personal data does not come from the patient, refer the matter to the Data Protection Officer immediately.
  5. Requests to transfer the data to another provider, or other health professional, or another professional (such as a solicitor) must follow the procedure outlined above for access requests.
  6. Requests to correct inaccurate data may be made verbally as long as the patient has passed the standard data protection checks. In general, treatment records may not be edited but a note may be added showing a correction.  Where required, customers or service users shall be requested to write a supplementary statement of the correction required to add to a case file.
  7. Requests to erase data, or suspend processing, or withdraw consent may be made verbally, however these should be referred to the Commit2Care Services Data Protection Officer, and the consequences of this explained to the patient, which may vary between contracts. In general, we may not erase any part of a medical record, but may be able to offer alternative solutions on a case-by-case basis, and if consent is withdrawn, further treatment may be withdrawn.
  8. Requests from children, from an adult who provided data to us as a child, or from a parent regarding a child will be dealt with on a case-by-case basis by the Commit2Care Services Data Protection Officer.

Make a Complaint or Ask a Question

Whilst we make every effort to uphold the principles of data protection and the Caldicott Principles, occasionally we may make mistakes.  If a client or customer wishes to ask a question, direct them to contact:

1. Commit2Care Services Data Protection Officer:

Commit2Care Services Ltd, Unit 70 Waterham Business Park, Highstreet Road, Hernhill Faversham ME13 9EJ

Phone: 03333551213

References

NHS England Data Protection Policy.

ICO Website.