34 Percival Road, Carrington, Nottingham, NG5 2EY
1.1 The purpose of this policy is to ensure that 4Life Care Chesterfield understands the key principles of the General Data Protection Regulation (GDPR).
1.2 This policy sets out the steps that need to be taken by 4Life Care Chesterfield to ensure that 4Life Care Chesterfield handles, uses and processes personal data in a way that meets the requirements of GDPR. It should be read alongside the suite of 4Life Care Chesterfield policies, procedures and guidance.
1.3 This policy applies to all staff at 4Life Care Chesterfield who process personal data about other staff, Service Users/Clients and any other living individuals as part of their role.
2.1 The following roles may be affected by this policy:
All staff
2.2 The following people may be affected by this policy:
Service User/ Clients
2.3 The following stakeholders may be affected by this policy:
Commissioners
3.1 The objective of this policy is to ensure staff have a working knowledge of the principles and requirements of GDPR.
3.2 Alongside the suite of policies, procedures, and guidance available, 4Life Care Chesterfield can demonstrate that appropriate steps are taken to ensure 4Life Care Chesterfield complies with GDPR when handling and using personal data provided by both staff and Service Users/Clients.
3.3 This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention, and security of personal data.
3.4 This policy will assist with understanding the obligations of 4Life Care Chesterfield with respect to the rights of the staff and service users/clients who have provided personal data and the steps 4Life Care Chesterfield should take if it breaches GDPR.
GDPR came into force on 25 May 2018 and replaced the Data Protection Act 1998.
Regardless of the impact of Brexit, GDPR will remain. GDPR provides greater protection to individuals and places greater obligations on organisations but can be dealt with in bite-size chunks to ensure that any impact on the provision of care and services is minimised.
GDPR does not apply to personal data about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990 will continue to apply.
4Life Care Chesterfield is required to take a proportionate and appropriate approach to GDPR compliance. 4Life Care Chesterfield understands that not all organizations will need to take the same steps – it will depend on the volume and types of personal data processed by a particular organization, as well as the processes already in place to protect personal data.
We understand that if we process significant volumes of personal data, including special categories of data, or have unusual or complicated processes in place in terms of the way we handle personal data, we will consider obtaining legal advice specific to the processing we conduct and the steps we may need to take.
To ensure 4Life Care Chesterfield’s compliance with GDPR, a suite of documents is available and should be read in conjunction with this overarching policy to provide a framework:
• Initial Privacy Impact Assessment Policy & Procedure
• GDPR – Key Terms Guidance
• GDPR – Key Principles Guidance
• GDPR – Processing Personal Data Guidance
• Appointing a Data Protection Officer Guidance
• Data Security and Retention Policy & Procedure
• Website Privacy Policy & Procedure
• Subject Access Requests Policy & Procedure
• Subject Access Requests Process Map Policy & Procedure
• Subject Access Requests – Request Letter Policy & Procedure
• Rights of a Data Subject Guidance
• Breach Notification Policy & Procedure
• Breach Notification Process Map Policy & Procedure
• Fair Processing Notice Policy & Procedure
• Consent Form
• GDPR – Transfer of Data Guidance
• Privacy Impact Assessment Policy & Procedure
The key principles and themes of each of the documents listed above are summarised below:
Initial Audit and Privacy Impact Assessment
4Life Care Chesterfield understands that we should conduct an audit of the personal data we currently process. This can be carried out internally by 4Life Care Chesterfield with the assistance of key staff members. The audit will reveal whether the way 4Life Care Chesterfield processes personal data meets the requirements of GDPR and will also indicate whether 4Life Care Chesterfield should delete some of the personal data it currently holds. An initial Privacy Impact Assessment template is provided as part of the GDPR documentation.
4Life Care Chesterfield understands that there are two primary reasons to ensure that compliance with GDPR is achieved:
• It promotes high standards of practice and Support, and provides significant benefits for staff and, in particular, Service User/ Clients
• Compliance with GDPR is overseen in the UK by the ICO. Under GDPR, the ICO has the ability to issue a fine of up to 20 million Euros (approximately £17,000,000) or 4% of the worldwide turnover of an organisation, whichever is higher.
The potential consequences are therefore significant.
4Life Care Chesterfield appreciates that it is important to remember, however, that the intention of the ICO is to educate and advise, not to punish. The ICO wants organisations to achieve compliance. A one off, minor breach may not attract the attention of the ICO but if 4Life Care Chesterfield persistently breaches GDPR or commits significant one-off breaches (such as the loss of a large volume of personal data, or the loss of special categories of data), it may be subject to ICO enforcement action. In addition to imposing fines, the ICO also has the power to conduct audits of 4Life Care Chesterfield and our data protection policies and processes.
5.1 All staff should review the GDPR policies, procedures and guidance that will be produced over the next few months.
5.2 4Life Care Chesterfield will nominate a person or team to be responsible for data protection and GDPR compliance (if a formal Data Protection Officer is not required, somebody with an understanding of the requirements who can act as a day-to-day point of contact will be chosen).
5.3 The Registered Manager should ensure all staff understand the policies and procedures provided, including how to deal with a Subject Access Request and what to do if a member of staff breaches GDPR.
5.4 The Registered Manager will consider providing training internally about GDPR (in particular, the Key Principles of GDPR) to all staff members.
5.5 4Life Care Chesterfield will conduct an audit of the personal data currently held by 4Life Healthcare Ltd (the initial Privacy Impact Assessment template provided will be used for this purpose).
5.6 4Life Care Chesterfield will delete any personal data that 4Life Care Chesterfield no longer needs, based on the results of the audit conducted, taking into account any relevant guidance, such as the Records Management Code of Practice for Health and Social Care 2016.
5.7 4Life Care Chesterfield will, if necessary, put in place new measures or processes to ensure that personal data continues to be processed in line with GDPR.
5.8 4Life Care Chesterfield will, if necessary, finalize and circulate a Fair Processing Notice to Service Users/Clients.
5.9 4Life Care Chesterfield will ensure proper consent is obtained from each Service User/Client in line with GDPR (the Consent Form provided can be used for this purpose). 4Life Care Chesterfield will review the additional steps that 4Life Care Chesterfield should take to ensure that 4Life Care Chesterfield obtains consent from parents, guardians, carers, or other representatives where 4Life Healthcare Ltd works with children or those who lack capacity.
5.10 4Life Care Chesterfield will ensure that processes and procedures are in place to respond to requests made by Data Subjects (including Subject Access Requests) and to deal appropriately with any breaches or potential breaches of GDPR.
5.11 The Registered Manager will maintain a log of decisions taken and incidents that occur with respect to the personal data processed by 4Life Care Chesterfield using the 4Life Care Chesterfield Privacy Impact Assessment template.
6.1 Data Subject
• The individual about whom 4Life Care Chesterfield has collected personal data
6.2 Data Protection Act 2018
• The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive
6.3 GDPR
• General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018
6.4 Personal Data
• Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV, and special categories of data, defined below
6.5 Process or Processing
• Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending, or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it.
6.6 Special Categories of Data
• Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special Categories of Data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation, and political views
Key Facts – Professionals
Professionals providing this service should be aware of the following:
• GDPR provides greater protection for staff and Service Users/Clients in respect of their data
• Compliance is mandatory, not optional
• 4Life Care Chesterfield Ltd has adopted an appropriate and proportionate approach; what is right and necessary for 4Life Healthcare Ltd may not be right for another organization
• Achieving compliance with GDPR will not only reduce the risk of ICO enforcement or fines but will also promote a better-quality service for Service Users/ Clients and an improved working environment for staff
• This is the overarching policy and provides a high-level reference to all areas that are important for compliance with GDPR
• Understanding of the content of this policy should be embedded with all staff at 4Life Care Chesterfield
• 4Life Care Chesterfield must appoint a person with overall responsibility for managing GDPR. This person may be an official Data Protection Officer (DPO) or a person appointed to oversee privacy, governance, and data protection.
Key Facts – People Affected by The Service
People affected by this service should be aware of the following:
• Your data will be protected
• You have a right to see what information we hold about you
• You will be asked for your consent before we obtain your data in line with GDPR requirements
• In addition to the GDPR, our staff will continue to follow confidentiality policies about all aspects of your Support
As well as the information in the ‘Underpinning Knowledge’ section of the review sheet, we recommend that you add to your understanding of this policy area by considering the following materials:
The Records Management Code of Practice for Health and Social Care 2016 has been issued by the Information Governance Alliance for the Department of Health.
It is available on the NHS Digital website:
https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
To be ‘Outstanding’ in this policy area you could provide evidence that:
• 4Life Care Chesterfield provides training to all staff in respect of GDPR and the new policies and processes that have been adopted
• 4Life Care Chesterfield conducts Privacy Impact Assessments for each new processing activity carried out, whether or not the processing presents a ‘high risk’ to the Data Subjects
• There is evidence that 4Life Care Chesterfield conducts regular (6 monthly or annual) audits of the personal data that is processed to ensure continued compliance with GDPR
• 4Life Care Chesterfield can provide evidence that there are processes in place for ensuring 4Life Care Chesterfield remains up to date with guidelines and recommendations relating to data protection, including ICO guidance and guidance issued by NHS Digital, and this information is effectively cascaded to all relevant staff
• The wide understanding of the policy is enabled by the proactive use of the QCS App
We seized this opportune moment to paint a vivid picture of what 4Life Care’s Chesterfield represents and the values we uphold. Through interactive sessions and engaging conversations, we elucidated not only the essence of our services but also the ethos that underpins every aspect of our operations.
One of the highlights of our engagement was the plethora of inquiries from students regarding placements, apprenticeships, and potential job opportunities within our organisation. It was heartening to witness their keen interest in becoming a part of our team, driven by a shared passion for making a tangible difference in people’s lives. We took the time to address each query thoughtfully, providing insights into the diverse career paths and growth opportunities available within our dynamic work environment.
Furthermore, our team conducted illuminating talks shedding light on the foundational principles of 4Life Care’s Chesterfield, emphasising our unwavering commitment to excellence, compassion, and social responsibility. We delved into the intricacies of the care we provide, offering a comprehensive understanding of our holistic approach towards enhancing the quality of life for those we serve. The culmination of these discussions was marked by an engaging Q&A session, where students had the opportunity to delve deeper into our practices and aspirations.
Beyond interacting with students, our presence at these events also facilitated valuable networking opportunities with other companies. By fostering new relationships and exchanging insights, we gained invaluable knowledge on how to better support our clients and enhance our service delivery. These connections serve as a testament to our commitment to continuous improvement and collaboration within the broader community of care providers.
In essence, our participation in school open days transcended mere promotional efforts; it was a testament to our dedication to nurturing talent, fostering meaningful connections, and enriching lives. As we reflect on the impact of these events, we are filled with optimism for the future, knowing that each interaction has the potential to sow the seeds of inspiration and pave the way for a brighter tomorrow.