Privacy Policy
This Policy defines the arrangements in place within the Organisation that assures compliance to the requirements of the Data Protection Act 1998, as relevant to the Organisation’s business interests:
A: INTRODUCTION:
- The Data Protection Act 1998 addresses certain requirements for all Organisations that collect and process personal data as part of their on-going business operations. Personal data is defined as any information relating to an “identifiable living individual”, and will therefore apply to the Organisation’s service users, employees and suppliers.
- The Data Protection Act 1998 applies to any data recorded in a filing system that allows personal data to be easily accessed.
- The Data Protection Act 1998 applies to records kept in hard copy (paper) format, and in computer files.
B: PRINCIPLES OF DATA PROTECTION:
B.1 Anyone processing personal data must comply with the eight enforceable principles of good practice.
These state that data must be:
-
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Secure
- Not transferred anywhere without adequate protection
B.2 The Organisation is committed to the enforcement of the following Code of Good Practice in relation to the data it keeps on service users and employees. In summary, data will:
-
- be fairly and lawfully processed;
- be used for a limited and well-explained purpose;
- be relevant to the Organisation’s needs;
- not be unnecessarily excessive in detail;
- be accurately maintained;
- not be kept any longer than is necessary, or required by law;
- only be used in accordance with the individual subject’s rights;
- be securely stored;
- only be made available to authorised persons (see section C.4 of this Policy).
B.3 In this respect the following additional policies within the Organisation’s documentation system are relevant:
-
- Control of Records & Service Users’ Access to Personal Files
- Records Maintained at the Service User’s Home
- Confidentiality Policy
- Information Security Policy
- Electronic Communications Policy - Code of Practice
- Business Continuity Planning Policy
C: POLICY DETAILS:
- The Organisation will require written consent from the subject individual in order for personal data to be collected and processed. In this respect it will be taken that consent is implied through the following:
- Service users - by the service user accepting the Contract for Care, which is signed by the service user or authorised representative. In order for the Organisation to develop an appropriate Plan of Care personal details must be divulged and kept on record. In this respect Policy Nos 1500 & 1505 (above) are relevant.
- Employees - by completing the Job Application Form at onset of employment, and where the employee has not registered an objection to their data being used.
- Registration under the Data Protection Act 1998 - as a fundamental requirement the Organisation will check with the Data Commissioner as to whether the type of personal data held on service users and employees requires a formal registration to be in place.
- All individuals, service users and employees, have the right of access to manual and computerised records concerning their personal data. For service users.
- Where it is deemed necessary to divulge personal data to a third party this will only be done with the express permission of the individual subject, ref. Confidentiality Policy, No 1505. In this respect both staff and service users / relatives / advocates will also be advised that personal information held by the Organisation may be shared with the Registration / Regulating Authority, as appropriate.
- Personal data and records will be maintained under appropriate conditions of security to prevent any unauthorised or accidental disclosure. Records can be hard copy (paper) format and electronic (word processed and scanned pdf format) files. and particular attention is paid to the following aspects of records storage:
-
- Hard Copy (paper) files:
-
-
- location of storage;
- identification of those employees authorised to have access;
- responsibilities for secure storage;
- retention times; i.e. how long records are kept for.
- Electronic (computer) files:
-
-
-
- responsibilities for implementing security systems for computer files;
- password-protection for access to sensitive data files;
- who is authorised to have knowledge of these passwords;
- how often passwords are changed;
- implications for networked systems;
- how long records are kept for;
- back-up, control and management of what are essentially copies of personal data.
-
6. When personal data is being processed, administrative staff will take all reasonable precautions to prevent access of data by unauthorised persons:
6.1 Record files are locked away when not in use.
6.2 Where practical, computer VDU screens should be tilted towards the user and away from the general office environment
6.3 VDUs are not left on when not in use .
6.4 Manage a “clear desk” policy for personal office housekeeping.
6.5 Ensure that confidential conversations are not overheard.
6.6 Ensure information is transported securely.