{{org_field_logo}}

{{org_field_name}}


Data Protection and Compliance with the General Data Protection Regulation (Scotland) Policy

Aim and Scope of Policy

The policy, which is in line with UK data protection laws, shows how this care service complies with the data protection requirements found in My Support, My Life, particularly Section 4: “I have confidence in the organisation providing my care and support”. This requires a care provider to have good governance of record keeping resulting in records that are comprehensively fit for purpose and securely maintained.

{{org_field_name}} recognises that it must keep full, accurate, up-to-date records on people receiving care, staff and other aspects concerning the running of the service in line with data protection, confidentiality, secure storage and authorised access policies and procedures.

This care provider also understands that all records required for the protection of people receiving care and for the effective and efficient running of {{org_field_name}} should be collected, maintained and kept according to the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

This data protection policy applies to all manual and digital records kept by the service in relation to people receiving care, including anyone involved with them whose personal data might appear on those records. It applies to all staff and to any third parties (agencies and professionals) with whom personal data held by the service might have to be disclosed or shared.

The policy is used alongside the service’s other record-keeping and information governance policies.

Policy Statement

{{org_field_name}} recognises that it must keep all records required for the protection and wellbeing of people receiving care, and those required for the effective and efficient running of {{org_field_name}} (such as staff records), in compliance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), which came into force in May 2018.

In line with its registration under the Data Protection Act, and to comply with GDPR, the service understands that it is accountable for the processing, management, storage and retention of all personal data it holds, whether in manual records or on computers.

This means that all personal data obtained and held by {{org_field_name}} to carry out its activities as a registered care provider must:

In line with the Data Protection Act 2018 and the GDPR, {{org_field_name}} has a designated data controller and a nominated data protection officer, who are responsible for the safekeeping and safeguarding of all personal data held by {{org_field_name}}.

Procedures

The service has taken the following steps to protect all personal data that it holds or to which it has access, so that it complies with current data protection law and the GDPR.

  1. It appoints or employs staff with specific responsibilities for:
    a. the processing and controlling of data (data controller)
    b. the comprehensive reviewing and auditing of its data protection systems and procedures (data protection manager or auditor)
    c. overseeing the effectiveness and integrity of all the data that must be protected (data protection officer).
    There are clear lines of responsibility and accountability for these different roles.
    Note:
    How these roles and data protection functions are organised and distributed in an organisation will vary, but it is important to specify who is responsible for what.
  2. It provides information to people who use services and others involved in their care on their data protection rights, national data opt-out policy, how it uses their personal data and how it protects it. The information includes the actions people who use services and staff can take if they think that their data has been compromised in any way (eg through the complaints procedure or grievance procedure in the case of staff).
  3. It provides its staff with information and training to make them aware of the importance of protecting people’s personal data, to teach them how to do this, and to understand how to treat information confidentially.
  4. It can account for all personal data it holds, where it comes from, and who it is and might be shared with.
  5. It carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the service.
  6. It recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that must be kept for all consent decisions.
  7. It has policies and procedures for enabling people who use services and/or staff to have access to their personal information, and for the making of subject access requests that are in line with GDPR.
  8. It has appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report any breach that is likely to result in a risk to the rights and freedoms of the affected individuals to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it; to inform the affected individuals without undue delay where the breach is likely to result in a high risk to them; to keep a record of all breaches, including those not reported; and it is aware of the possible consequences of failing to do so (eg a fine).
  9. [Where applicable.] If the organisation holds personal data on any child under the age of 16, it informs the child how their data is being protected in ways that the child can understand and has procedures in place to obtain consent of the responsible parent for obtaining and using the child’s data.

Training

New staff must read and understand the policies on data protection and confidentiality as part of their induction.

All staff receive training covering basic information about confidentiality, data protection and access to records.

Training in the correct method for entering information in an individual’s records is given to all care staff.

The nominated data controller/auditors/protection officers for {{org_field_name}} are trained appropriately in their roles under GDPR.

All staff who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences, both to them as individuals and to the organisation, of any lapses in or breaches of the service’s policies and procedures.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}

Reviewed on: {{last_update_date}}

Next Review Date: {{next_review_date}}

Copyright ©2024 {{org_field_name}}. All rights reserved
