GDPR Policy

Please see below our policy on GDPR.

POSITIVE SUPPORT FOR YOU

GENERAL DATA PROTECTION REGULATION (GDPR) POLICY – PERSONAL CLIENT INFORMATION

OUTCOME 21, REGULATION 20 (Records)

Data Protection Policy Statement

Positive Support for You believes that all records required for the protection of service users and for the effective and efficient running of the organisation should be collected, maintained and kept according to the General Data Protection Regulation (GDPR) of May 2018.

What the Law Says

POSITIVE SUPPORT FOR YOU CIC aims to comply with the spirit and letter of the General Data Protection Regulation (GDPR).

The organisation understands that personal data should:

  1. be obtained fairly and lawfully

  2. be held for specified and lawful purposes

  3. be processed in accordance with the person’s rights

  4. be adequate, relevant and not excessive in relation to that purpose

  5. be kept accurate and up to date

  6. not be kept for longer than is necessary for its given purpose

  7. be subject to appropriate safeguards against unauthorised use, loss or damage

  8. be transferred outside the European Economic Area only if the recipient country has adequate data protection

We also understand that the GDPR imposes specific rights for individuals with respect to data:

  • the right to be informed

  • the right to access

  • the right to rectification

  • the right to erasure

  • the right to restrict processing

  • the right to data portability

  • the right to object

  • the right not to be subject to automated decision making including profiling

The GDPR requires certain types of organisation to have a designated Data Protection Officer. Although we do not fulfil the criteria for this, we recognise it is best practice to do so, and as such the Chief Executive will act as Data Protection Officer for Positive Support For You CIC. The Chief Executive also, by definition, acts as the “Senior Information Risk Owner”.

Lawful Basis for Holding Information

We understand that in all cases the personal data we hold has a lawful basis under the Care Standards Act and associated Care Quality Commission Regulations.

CareCERT Advisories

Although our systems are not compatible with electronically delivered CareCERT notifications, should any be received directly by other means they will be addressed by the Data Protection Officer within the required timescales, which at the high severity level will be within 48 hours.

Continuity Plan

The Positive Support for You Business Continuity Plan has been revised to include GDPR and Cyber Security and this is reviewed periodically.

What We Will Do to Meet GDPR Requirements:

At Positive Support for You CIC we will strive to fulfil all the requirements of the GDPR.

This means we will:

  • Make our Board and Senior Management Team aware of the law and refresh this periodically.

  • Document the Personal Data we hold, where it comes from and who we share it with.

  • Secure consent from individuals to hold, share and use information containing personal data where required to do so. We recognise the need to ensure consent takes account of individuals’ capacity as defined in the Mental Capacity Act. We understand that consent must, by definition, be freely given, specific, informed and unambiguous. People must be able to withdraw consent.

  • Document the Retention Periods for Personal Data held.

  • Ensure individuals know about their right to complain to the Information Commissioner’s Office if they feel their data has been mishandled.

We feel this gives a proportionate response for an organisation of our size and scale.

Data Breaches

In the event of a data breach the Data Protection Officer (DPO) will be informed at the earliest opportunity.

The DPO will ensure that the required report is made to the Information Commissioner’s Office, and that the individual or individuals involved are informed.

In each case the breach will be investigated, a written report made to the Board and appropriate remedial action taken to prevent recurrence.

National Data Opt-Out:

Positive Support For You CIC reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

If at any time our data processing falls within scope of the National Data Opt-Out we will use MESH to check if any of our service users have opted out of their data being used for this purpose.

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

Subject Access Requests

In the event Positive Support For You CIC receives a subject access request we will:

  • Not charge for processing this (from May 2018)

  • Comply within a month

  • Consider if the request is manifestly unfounded or excessive

  • Where any request is refused we will set out our thinking as to why, and ensure the person has the right to complain.

The DPO will in all cases coordinate any subject access requests and be responsible for them. In practical terms our approach will be to put systems in place to deliver these outcomes in general.

It is not the case that this policy can set out how we will address every issue which could arise beyond this: the GDPR is brand new and the guidance is being developed. As such, whenever subject access requests, deletion or portability requests, data breaches, or other queries relating to personal data are received, the Data Protection Officer will take appropriate professional advice in each case, document this, and act accordingly and transparently. All such matters will be reported to the Board, and this will enable the Board to periodically review and adjust this policy as practice around GDPR develops.

Training

All new staff are encouraged to read the policies on GDPR and on confidentiality as part of their induction process and receive training on this, which is refreshed. The Skills for Care Common Induction Standards 1 – 8 are used and cover confidentiality and data protection. Training in the correct method for entering information in service users’ records is given to all care staff. All staff who need to use the computer system should be thoroughly trained in its use.

Information Commissioner’s Contact Details

Helpline: 03031231113

Email: registration@ico.org.uk

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

Positive Support For You CIC Data Protection Officer Contact Details

Chief Executive

Positive Support for You CIC

Office 7 Beresford Buildings

Thorntree

Middlesbrough TS3 9NB

Email: info@psforyou.org

At Positive Support for You we value your safety and your right to data privacy. An easy-read guide to GDPR is also available.