Introduction and Definitions
Care Consort (we, our, us) is committed to complying with the requirements of Data Protection Law and ensures that all suppliers and third parties either comply with the Data Protection Law or the US/EU Privacy Shield for those suppliers based in the United States of America.
The following key words and phrases are used within this DP Policy:
Confidential Information | means all information (however recorded, preserved or disclosed) disclosed to Care Consort or its representatives, whether or not marked as “confidential”, including but not limited to:
|
Data | means information that is processed electronically (e.g. by computer); is recorded manually (e.g. on paper) with the intention of being processed electronically; or is recorded as part of any filing system structured by reference to individuals or criteria relating to them in such a way that specific information relating to a particular individual is readily accessible; |
Data Controller | means the organisation that determines the purposes for which and the manner in which Personal Data are processed; |
Data Processor | means the organisation that processes Personal Data on behalf of the Data Controller; |
Data Protection Law | means any laws and regulations in the UK relating to privacy or the use or processing of data relating to natural persons, including: (a) EU Directives 95/46/EC and 2002/58/EC (as amended by 2009/136/EC) and any legislation implementing or made pursuant to such directives, including (in the UK) the Data Protection Act 1998 (the DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (b) from 25 May 2018, EU Regulation 2016/679 (GDPR); and (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR or DPA; in each case, to the extent in force, and as such are updated, amended or replaced from time to time; |
Data Subject | means a living, identifiable individual about whom Personal Data is processed; |
Data Protection Officer | refers to the individual currently appointed to the role; |
Personal Data | means Data which relate to a living individual who can be identified from those Data or from those Data and other information which is in the possession of or is likely to come into our possession as Data Controller or Data Processor, as the case may be. Personal Data include opinions and any indications of our intentions towards an individual; |
Processing | includes obtaining, recording, holding, altering, retrieving, consulting, using, disclosing, blocking, erasing or destroying Personal Data; |
Pseudonymisation | means the processing of personal data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person; |
Special Category Data | means information about the Data Subject relating to the (a) racial or ethnic origin, (b) political opinions, (c) religious beliefs or other beliefs of a similar nature, (d) trade union membership, (e) physical or mental health or condition, (f) sexual life, (g) commission or alleged commission by any offence, and (h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. |
Who does this DP Policy apply to?
This Data Protection Policy (DP Policy) sets out the principles which we apply to our Processing of Personal Data (whether as Data Controller or as Data Processor) in the course of business.
This DP Policy applies:
- to all employees and contractors of Care Consort (Care Consort personnel, you, your);
- regardless of the media on which that Data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject; and
All Care Consort Personnel must:
- read, understand and comply with this DP Policy when Processing Personal Data on our behalf;
- attend training on its requirements;
- comply with all related Care Consort policies, to the extent that they apply to your role at Care Consort; and
- apply the provisions of this DP Policy to all Processing of Personal Data and handling of Confidential Information, whether Care Consort is acting as Data Controller or Data Processor (or both).
This DP Policy sets out what we expect from you in order for Care Consort to comply with applicable law. Your compliance with this DP Policy is mandatory. Related policies are available to help you interpret and act in accordance with this DP Policy. Any breach of this DP Policy may result in disciplinary action. Care Consort provides Care Consort Personnel with regular instruction and training in relation to this DP Policy.
This DP Policy (together with related policies) is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the Data Protection Officer
Care Consort as Data Processor
A Data Processor uses Personal Data provided by a Data Controller in order to provide services to the Data Controller or even to the Data Subject directly. Any processing activity must be approved in writing by the relevant Data Controller and a Data Processor must not process the relevant Personal Data in any other way – unless it is willing to act as the Data Controller.
Care Consort processes Personal Data relating to its customers. The scope and type of processing activity depends on the specific deployment model, butCare Consort always processes Personal Data, e.g., in the course of providing support services and invoicing and processing customer payments.
As an employee or contractor, you must be careful to process Personal Data only in the manner authorised to do so. If you have any doubts, please contact the relevant Data Owner before processing the Personal Data.
Data Management
We are committed to complying with the principles relating to Processing of Personal Data set out in Data Protection Law.
Personal Data must be Processed lawfully, fairly and in a transparent manner.
You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. Data Protection Law restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing, but ensure that we Process Personal Data fairly and without adversely affecting the Data Subject.
Data Protection Law requires Data Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them. Privacy Notices (and any amendments made to them) must be approved by the Data Protection Officer before you are allowed to use them.
When Personal Data is collected indirectly (for example, from a third party or publicly available source), you must provide the Data Subject with all the information required by Data Protection Law as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with Data Protection Law and on a basis which contemplates our proposed Processing of that Personal Data.
Personal Data must be collected only for specified, explicit and legitimate purposes.
You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have consented where necessary.
Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
You must:
- only Process Personal Data when performing your job duties requires it;
- not Process Personal Data for any reason unrelated to your job duties;
- only collect Personal Data that you require for your job duties (do not collect excessive data);
- ensure any Personal Data collected is adequate and relevant for the intended purposes; and
- ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with Care Consort’ data retention guidelines, set out in our Data Retention Policy.
Personal Data must be accurate and where necessary kept up to date.
You must:
- ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it;
- check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards; and
- take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
Personal Data must be kept in a form which does not permit identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed.
Care Consort will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. You must comply with our Data Retention Policy.
You must:
- not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements;
- take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all Care Consort’ applicable records retention schedules and policies (this includes requiring third parties to delete such data where applicable); and
- ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.
Personal Data must be Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (PlanXL Information Security Policy deals with this in more detail).
We will:
- develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable); and
- regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
You must:
- implement the reasonable and appropriate security measures designed by Care Consort against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data;
- exercise particular care in protecting Special Categories of Data (where applicable) from loss and unauthorised access, use or disclosure;
- follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction;
- only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested;
- maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it;
- integrity means that Personal Data is accurate and suitable for the purpose for which it is processed; and
- availability means that authorised users are able to access the Personal Data when they need it for authorised purposes;
- comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with Data Protection Law and relevant standards to protect Personal Data.
Personal Data must be transferred to another country only when there are appropriate safeguards being in place.
Data Protection Law restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by Data Protection Law is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
If you have any doubt as to the legal status of a transfer of Personal Data, you must ask your departmental manager, who will escalate to the Data Protection Officer if required.
Personal Data must be made available to Data Subjects and Data Subjects are allowed to exercise certain rights in relation to their Personal Data.
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
- withdraw consent to Processing at any time;
- receive certain information about the Data Controller’s Processing activities;
- request access to their Personal Data that we hold;
- prevent our use of their Personal Data for direct marketing purposes;
- ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- restrict Processing in specific circumstances;
- challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
- request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- object to decisions based solely on automated processing, including profiling;
- prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
- be notified of a Personal Data breach which is likely to result in high risk to their rights and freedoms;
- make a complaint to the supervisory authority; and
- in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
You must immediately forward any Data Subject access request you receive to the Data Protection Officer and comply with the Subject Access Request Policy.
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.
Data Breach
In the event of a Data Breach (whether suspected or verified), you must:
- immediately inform the Data Protection Officer;
- notify the department manager; and
- comply with the Data Breach Policy
Training and Audit
We are required to ensure all Care Consort Personnel have undergone adequate training to enable them to comply with Data Protection Law. We must also regularly test our systems and processes to assess compliance.
You must:
- undergo all mandatory data protection related training and ensure your team undergo similar mandatory training in accordance with Care Consort’ training guidelines; and
- regularly review all the systems and processes under your control to ensure they comply with this DP Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
Amendments To This Policy
This Policy and its Schedules will be updated from time to time by the Data Protection Officer to reflect any changes in legislation or in our methods or practices.
Date of issue: July 2018