GDPR Policy

Scope

This policy applies to all employees, service users and their representatives, and other interested parties.

 

Principles

This policy has been written to ensure that the processing of personal data in connection with employees and service users will comply with the UK Data Protection Act 1998, which implements within the UK the requirements of the EC Data Protection Directive.

 

Content:

  1. General
  2. Right of Access
  3. Retention of Employment Records
  4. Retention of Service User Records
  5. Record Review
  6. Security

 

  1. General

We take a very serious view of our responsibilities and require each appropriate individual to comply with the data protection principles. If an employee knowingly discloses personal information contrary to this policy, they may be held personally liable to criminal sanctions. In addition, any breach of this policy may render the employee liable to disciplinary action. Employees must avoid unauthorised disclosure of data whether it is oral, printed, hand-written, computer-based or microfiche.

Data relating to service users and/or employees must not be disclosed to third parties unless the service user and/or employee has given express written consent.

“Data” means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose and includes computer-generated material.

“Personal data” means data consisting of information relating to a living individual who can be identified from that information (or from that and other information in the possession of a data user), including any expression of opinion about the individual.  In practice, this means any data recorded on our computers relating to a living person.

The basic requirements are that the processing, both automated and manual, shall comply with the following data protection principles that require that personal data shall:

  • Be processed fairly and lawfully
  • Be obtained only for specified and lawful purposes, and not be processed in any incompatible manner
  • Be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
  • Be accurate and, where necessary, kept up to date.
  • Not be kept longer than necessary for the purpose.
  • Be processed in accordance with the rights of Data Subjects under the 1998 Data Protection Act.
  • Be protected by appropriate security measures.

An individual is entitled:

  • To be informed whether personal data is held of which they are the subject.
  • To access any such data.
  • When appropriate, to have such data corrected and erased.

Appropriate security measures must be taken against unauthorised access to or alteration, disclosure or destruction of personal data or accidental loss or destruction of personal data.

Oakwood Healthcare Solutions will ensure systems are in place to comply with the Caldicott Principles. This is in line with the 1996 Department of Health published guidance on the “Protection of Use of Patient Information”.

  • Justify the purpose(s)
  • Don’t use service user identifiable information unless it is absolutely necessary.
  • Use the minimum necessary service user identifiable information.
  • Access to service user identifiable information should be on a strict need to know basis.
  • Everyone should be aware of their responsibilities.
  • Understand and comply with the law.

Failure to comply with this policy’s requirement to deal with information in a confidential manner may result in disciplinary proceedings being taken against the staff member.

 

  2. Right of Access

  A) Service users and employees have the right to be supplied with a copy of their personal data that the company retains. All requests are to be made to the Manager.
  B) An authorised representative may be allowed to view the data provided once the Manager is satisfied that written permission has been given and proof of identity seen.
  C) We will give an approximate time scale for providing access (not more than 30 days).
  D) We may have to fillet the files first to ensure that other people’s data protection rights are not infringed.
  E) Viewing of the document(s) will be in the presence of the Manager. This is for security reasons, so that no material can be removed or destroyed.
  F) Service users and employees are requested to inform the company of any changes in their circumstances that could affect the accuracy of the data.
  G) Every effort will be made to resolve any disagreement between the organisation and the data subject, but in situations where the matter cannot be resolved, the following procedures are to be followed:

  • Service users are requested to use the Company’s formal complaints procedure.
  • Employees are requested to use the Company’s formal grievance procedures.

 

  3. Retention of Employment Records

Employment records covered by this policy shall be retained after the actual date of the employee leaving for a minimum period of 40 years. After that period the records will be destroyed.

What may a personal employment record contain?

It may contain any information legitimately required for the purpose of:

  • Statutory employment records and/or
  • Operational management and administration.

These may include the following:

  • Applications for vacancies and CVs
  • Interview records
  • References
  • Medical Reports
  • Offers of employment
  • Statutory statement of terms and conditions
  • Disciplinary and grievance records
  • Performance appraisals and similar reviews
  • Notes of informal meetings and interviews
  • Allowances and expenses
  • Training details
  • Salary, additional payments and bonuses etc.
  • Work permits
  • Related correspondence
  • Attendance records

These are examples only and there will be other legitimate entries that may be included.

What may not be included is information, data or other material that cannot legitimately be shown to be related directly or indirectly to the employment of the employee concerned.

 

  4. Retention of Service User Records

Service user records covered by this policy shall be retained after the actual date of the service user leaving, for a minimum period of 40 years. After that period the records will be destroyed.

What may service user records contain?

They may contain any information legitimately required for the purpose of:

  • Statutory records required by legislation, regulations or at the request of the registration authority.
  • Operational management and administration that will enable quality care to be given.

These may include the following:

  • Service user Agreements including commencement of service date
  • Service user Service Records
  • Service user Assessment Details
  • Service user Personal Service Plan to include any special needs
  • Service user Financial Account
  • Service user Medical Records (depending on circumstances)
  • Risk Assessment forms associated with the service user
  • Service user Medication Assessments
  • Complaints

These are examples only and there will be other legitimate entries that may be included.

What may not be included is information, data or other materials that cannot legitimately be shown to be related directly or indirectly to affording the service users quality care.

 

  5. Record Review

To ensure the accuracy of personal data, all records will be reviewed every 12 months. The Manager or a nominated representative is responsible for carrying out this review. A note will be put on the service user’s or employee’s file that an annual review has taken place.

 

  6. Security

Information held on computer is password controlled. Only the Manager and/or nominated administration staff are allowed access. Any information transferred to disc is held in a locked cabinet.

 

  1. Service User Address List

All staff working in the community are given a comprehensive Address List of all service users. Before a new/updated Address List is given to a carer, the existing list must be handed in to the office. The carer will then sign to show the return of the existing list and acknowledge receipt of the new list.

As part of induction training and supervision/appraisal, all staff are made aware of the Company’s Data Protection Policy. Staff are aware that part of the procedure on termination of employment is the return of all Company property, which includes uniforms and any information list. This is essential to enable the administration to fulfil its financial obligations regarding any outstanding pay obligations. Failure to comply with these arrangements may lead to a delay in any final financial settlement.

Written employment information is filed in a locked cabinet in the main office.  Only nominated staff are allowed access to this information.

 

Under no circumstances must any service user or employee records be taken off the premises without the permission of the Manager.