Data Protection Policy

2.1.2  Data can only be collected and used for specified, explicit and legitimate purposes.

2.1.3  Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

2.1.4  Data must be accurate and up to date.

2.1.5  Data must not be held any longer than is necessary for its given purpose.

2.1.6  Data must be processed in a manner that ensures appropriate security ofthe personal data, including protection from unauthorised access,accidental loss or damage.

2.1.7  The Hospice shall be responsible for, and be able to demonstrate,compliance with the above principles.

3. SCOPE

3.1  This policy will ensure that personal identifiable and sensitive information is processed, handled, transferred, disclosed and disposed of lawfully. Personal identifiable information should be handled in the most secure manner by authorised staff only, on a need to know basis.

3.2  The Data Protection Act 2018 applies to all aspects of handling personal identifiable information by St. Cuthbert’s Hospice, whether clinical or non-clinical, including (but not limited to) structured record systems (paper and electronic) and the transmission of information (fax, email, post and telephone) that identifies or could identify an individual.

3.3  This policy applies to:

• All information used by the Hospice,
• All information systems managed by or for the Hospice
• Any individual using information “owned” by the Hospice
• Any individual requiring access to information “owned” by the Hospice
• Any individual working on behalf of the Hospice, or anyone who accessesHospice premises and information which is owned or managed by the Hospice.

3.4 This policy covers all aspects of information within St Cuthbert’s Hospice includingbut not limited to (collectively known as clients):

• • Patients/guests/relatives/carers
  • Customers/suppliers/contractors
  • Human Resources – staff and volunteers
  • Finance and Service User information
  • Organisational administrative information
  • Complainants
  • Information provided from donors and supporters through the fundraising team.

4. DEFINITIONS

4.2  Sensitive personal dataMay consist of information that makes reference to particular matters of an identifiable person, e.g. their health, ethnicity, religion, criminal records, sexual life. The Hospice holds such data for instance for equal opportunities monitoring

4.3  “Processing” in relation to information or data is a wide ranging activity that includes obtaining, recording, holding or storing personal data and carrying out any operations on it such as adaptations, alterations, transfer, retrieval, disclosure and erasure or destruction.

4.4  Data controllerThe Hospice, as an organisation, is the Data Controller and determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data controllers must ensure that any processing of personal data for which they are responsible complies with the Data Protection Act 2018. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.

4.5  A Processor is responsible for processing personal data on behalf of a controller and is required to maintain records of personal data and processing activities.

4.6  Data subject means an individual who is the subject of personal data.

4.7  The Information Commissioners Office (ICO)The ICO Is the UK’s independent regulator set up to uphold the public’s information rights. The ICO investigates complaints made by the public and provides guidance for the public and organisations.

4.8  Privacy NoticeA Privacy notice is published on the Hospice’s website. This indicates what to expect when the Hospice collects personal information.

5. ROLES AND COMPETENCIES

5.1 Board of Trustees/Chief Executive

The Board of Trustees is ultimately responsible for the policy’s implementation. Responsibility for information governance is delegated to the Chief Executive

5.2  Data Co-ordinatorThe Hospice has designated the Head of Human Resources as Data Co- ordinator to deal with any day-to-day matters arising from the implementation of the Data Protection Policy and any requests for information under the Data Protection Act 2018. The Data co-ordinator is also responsible for notifying to the Information Commissioner the purposes for which it processes personal data. Details of the Hospice’s Data Controller Notification can be obtained from the Information Commissioner’s website www.ico.org.uk. (Registered no: Z22126399).

5.3  Caldicott GuardianThe Clinical Services Manager acts as the Caldicott Guardian. The Caldicott Guardian is responsible for agreeing and reviewing protocols for governing the transfer and disclosure of patient-identifiable information across the Hospice, supporting agencies and external parties.

5.4  Central Support Services ManagerSupport the effective governance of St Cuthbert’s Hospice which drives performance improvement.

5.5  Information Asset Owners (IAO)It is the responsibility of the Hospice’s Information Asset Owners to ensure that all information assets are documented and kept appropriately secure, in line with the Data Protection Act 2018 and are not kept for longer than necessary. IAO will be supported by Asset Administrators, but the overall responsibility rests with the IAO. Details of owners and administrators identified in appendix 1.

5.6  All Staff and Volunteers

5.6.1 Hospice staff, Board of Directors, volunteers and any third parties, permitted to access, process or use any personal information in the course of their duties must ensure that the Data Protection Act 2018 principles are followed at all times. The Hospice will provide guidance and training to enable staff and volunteers to understand and carry out their responsibilities and monitor compliance with their obligations.

5.6.2 All staff and volunteers are responsible for ensuring they keep up to date with Hospice policies, procedures and guidance.

5.6.3 Staff and volunteers are also responsible for ensuring that the personal data the Hospice holds about them is accurate and up to date by informing the Human Resources Department of any changes or errors.

6. PERSONAL DATA RELATING TO CLIENTS

6.1 The Hospice obtains contact details (names, addresses, and phone numbers) and health details from clients. This data is obtained, stored and processed solely to assist staff and volunteers in the efficient running of the service requested by the client. Personal details supplied by clients are not used to send marketing material or Hospice newsletters, unless prior consent is obtained.

7. PERSONAL DATA RELATING TO CONTRACTORS/SUPPLIERS

7.1 Where a contractor undertakes work on behalf of the Hospice which involves the processing of personal data, the Hospice remains the data controller of that data. It is the contractor’s responsibility to inform the Hospice of any change in the “processing of data” that is owned by the Hospice this includes any change in software or subcontracting.

8. PERSONAL DATA RELATING TO DONORS

9. SECURITY OF PERSONAL DATA

9.1 Staff and volunteers must ensure that they employ safeguards for personal data proportionate to the risks presented in their processing activities. Personal data should not be taken off site unless absolutely necessary and with the permission of a member of the Senior Management Team.

10. TRANSFER OF DATA TO THIRD PARTIES

10.1 Personal data must not be disclosed to any third party (including family members and the police) except in the following circumstances:

• The data subject have given consent. This is unambiguously achieved
• It is necessary to protect the vital interests of the data subject
• It is necessary to prevent serious harm to a third party
• It is required to safeguard national security
• It is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty
• It is necessary for the discharge of regulatory functions including securing the health, safety and welfare of persons at work
• It is available to the public anyway by law
• It is necessary to establish, exercise or defend legal rights
• It has been published

11. RIGHT TO ACCESS PERSONAL INFORMATION

11.1 Under the Data Protection Act 2018, all data subjects have the right to request access to his/her personal data held by the Hospice. Such a request is known as a “subject access request”.

11.2 All applications must be directed through the Data Co-ordinator who should deal with the request on behalf of the Hospice in line with the Access to Records Procedure.

12. RIGHT TO REQUEST THAT PERSONAL DATA ARE NOT PROCESSED

12.1 The Hospice recognises that under the Data Protection Act 2018 an individual can request that his/her personal data is not processed for one or more purposes by a data controller (The Hospice). However, in some cases, the Hospice may lawfully decline such a request.

13. REPORTING BREACH OR LOSS OF PERSONAL DATA

13.1 Any breaches/losses of personal data must be reported to the line manager and the Data Co-ordinator. The incident reporting procedure will be followed.

14. RETENTION/DISPOSAL OF RECORDS CONTAINING PERSONAL DATA

14.1 The Hospice must only retain personal data for the length of time the information is required for the specific purpose they were collected.

14.2  Reference should be made to the Document Archiving, Retrieval and Destruction procedure together with the Hospice’s Document Retention Procedure which details the minimum periods of retention of records and the process for archiving and destruction of Information.

14.3  Staff and volunteers must ensure the destruction of personal data is carried out confidentially and completely. Where multiple copies of the data exist, all paper and electronic copies must be destroyed. Where personal data is recorded in paper form, the paper must be securely shredded.

15. REVIEW AND AUDIT

15.1  This Policy will be reviewed by the Information Governance and Quality Working Group every three years or more frequently if appropriate to take into account changes to legislation that may occur, and/or guidance from the Information Commission.

15.2  Line Managers will be responsible for auditing and monitoring compliance with this policy at least once every two years.

15.3  The HR Sub Committee will be responsible for receiving and considering reports on any breaches of this policy.

ASSOCIATED DOCUMENTS AND PROCEDURES

• Access to Records Procedure
• Sharing Patients Information Policy • Information Governance Policy
• Social Media Policy & Guide
• Privacy Notice
• Website Privacy Policy
• Electronic Data Use, Storage and Archiving Policy
• Document Archiving, Retrieval and Destruction Procedure
• Document Retention Procedure
• IT Security Procedure
• Complaints Policy

POLICY NAME: Data Protection Policy July 2016

DATE OF FIRST APPROVAL: April 2018

DATE OF LAST REVIEW: April 2018

DATE OF NEXT REVIEW: Sep 2021