THC Care Privacy Policy
Document Information
Last Reviewed | 27 Sep 2021 |
Last Amended | 27 Sep 2021 |
Next Planned Review | on or before 27 Sep 2022 |
Business impact | High impact. These changes require action as soon as possible. |
Reason for this review | Improve usability |
Were changes made? | Yes |
Summary | This policy outlines the process for the business and all staff to understand the principles set out in UK GDPR in relation to data retention and data security. It has been reviewed with the UK General Data Protection Regulation (UK GDPR) definition updated and further reading added. Key facts and references have also been updated, including reference to the updated Records Management Code of Practice 2021. |
Relevant legislation | |
Underpinning knowledge - What have we used to ensure that the policy is current. | |
Suggested action | |
Equality Impact Assessment | QCS have undertaken an equality analysis during the review of this policy. This statement is a written record that demonstrates that we have shown due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations with respect to the characteristics protected by equality law. |
Other Formats |
1. Purpose
- The purpose of this policy is to ensure that THC Care Ltd and all its staff understand the principles set out in UK GDPR in relation to data retention and data security.
- By reviewing this policy, THC Care Ltd will be able to consider appropriate retention periods for the personal data it processes and ensure that it stores personal data for an appropriate period of time.
- This policy will enable THC Care Ltd and all staff working at THC Care Ltd to review the policies and procedures they have in place to ensure that personal data they process is kept secure and properly protected from unlawful or unauthorised processing and accidental loss, destruction or damage.
- To support THC Care Ltd in meeting the following Key Lines of Enquiry:
Key Question | Key Lines of Enquiry |
---|---|
WELL-LED | W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed? |
- To meet the legal requirements of the regulated activities that THC Care Ltd is registered to provide:
  - Data Protection Act 2018
  - UK GDPR
2. Scope
- The following roles may be affected by this policy:
  - All staff
- The following Service Users may be affected by this policy:
  - Service Users
- The following stakeholders may be affected by this policy:
  - Family
  - Advocates
  - Representatives
  - Commissioners
  - External health professionals
  - Local Authority
  - NHS
3. Objectives
- The objective of this policy is to enable THC Care Ltd to ensure that its data retention and data security policies are UK GDPR compliant.
- This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.
4. Policy
Data Retention

- As a general principle, THC Care Ltd will not keep (or otherwise process) any personal data for longer than is necessary. If THC Care Ltd no longer requires the personal data once it has finished using it for the purposes for which it was obtained, it will delete the personal data unless it is required by law to retain the data for an additional period of time.
- THC Care Ltd may have legitimate business reasons to retain the personal data for a longer period. This may include, for example, retaining personnel records in case a claim arises relating to personal injury caused by THC Care Ltd that does not become apparent until a future date. THC Care Ltd should consider the likelihood of this arising when it determines its retention periods - the extent to which medical treatment is provided by THC Care Ltd will, for example, affect the likelihood of THC Care Ltd needing to rely on records at a later date.
- THC Care Ltd may be required to retain personal data for a specified period of time to comply with legal or statutory requirements. These may include, for example, requirements imposed by HMRC in respect of financial documents, or guidance issued by UK Visas and Immigration and Immigration Enforcement in respect of the retention of right to work documentation (see the "Underpinning Knowledge" section).
- THC Care Ltd understands that claims may be made under a contract for 6 years from the date of termination of the contract, and that claims may be made under a deed for a period of 12 years from the date of termination of the deed. THC Care Ltd may therefore consider keeping contracts and deeds and documents and correspondence relevant to those contracts and deeds for the duration of the contract or deed plus 6 and 12 years respectively.
- THC Care Ltd will consider how long it needs to retain HR records. THC Care Ltd may choose to separate its HR records into different categories of personal data (for example, health and medical information, holiday and absence records, next of kin information, emergency contact details, financial information) and specify different retention periods for each category of personal data. THC Care Ltd recognises that determining separate retention periods for each element of personal data may be more likely to comply with UK GDPR.
  THC Care Ltd may decide, however, that separating its HR records into different elements is not practical, and that it can determine a sensible period of time for which to keep the HR records in their entirety. The period of time that is appropriate may depend on the likelihood of a claim arising in respect of that employee in the future. If, for example, THC Care Ltd is concerned that an employee may suffer personal injury as a result of its employment with THC Care Ltd, THC Care Ltd may choose to retain its HR records for a significant period of time. If any such claim is unlikely, THC Care Ltd may choose to retain its files for 6 or 12 years (depending on whether the arrangement entered into between THC Care Ltd and the employee is a contract or a deed).
- THC Care Ltd will consider the following advice and guidelines when deciding for how long to retain HR data. THC Care Ltd acknowledges that the suggested retention periods below are based on guidance within relevant legislation:
  - Immigration checks - two years after the termination of employment
  - PAYE records - at least three years after the end of the tax year to which they relate
  - Payroll and wage records for companies - six years from the financial year-end in which payments were made
  - Records in relation to hours worked and payments made to workers - three years beginning with the day on which the pay reference period immediately following that to which they relate ends
  - Records required by the Working Time Regulations:
    - Working time opt out - two years from the date on which they were entered into
    - Compliance records - two years after the relevant period
  - Maternity records - three years after the end of the tax year in which the maternity pay period ends
  - Accident records - at least three years from the date the report was made, or potentially longer if deemed appropriate given the possibility of ongoing relevance of the records
- THC Care Ltd will consider for how long it is required to keep records relating to Service Users. In doing so, THC Care Ltd will consider the data retention guidelines provided by the NHS, if applicable. Those guidelines can be accessed by using the link in the "Underpinning Knowledge" section.
  If the NHS guidelines do not apply to THC Care Ltd, THC Care Ltd will determine an appropriate retention policy for Service User personal data. THC Care Ltd may choose to retain personal data for at least 6 years from the end of the provision of services to the Service User, in case a claim arises in respect of the services provided.
- Irrespective of the retention periods chosen by THC Care Ltd, THC Care Ltd will ensure that all personal data is kept properly secure and protected for the period in which it is held by THC Care Ltd. This applies in particular to special categories of data.
- THC Care Ltd will record all decisions taken in respect of the retention of personal data. THC Care Ltd recognises that if the ICO investigates the policies and procedures at THC Care Ltd, a written record of the logic and reasoning behind the retention periods adopted by THC Care Ltd will assist the position of THC Care Ltd.
- THC Care Ltd will implement processes for effectively destroying and/or deleting personal data at the end of the relevant retention period. THC Care Ltd will consider whether personal data stored on computers, including in emails, is automatically backed up and how to achieve deletion of those backups or ensure that the archived personal data is automatically deleted after a certain period of time. THC Care Ltd will consider circulating guidance internally to encourage staff to regularly delete their emails.
  THC Care Ltd will introduce policies relating to the destruction of hard copies of documents, including by placing the documents in confidential waste bins or shredding them.
Data Security

- THC Care Ltd will take steps to ensure that the personal data it processes is secure, including by protecting the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- THC Care Ltd understands that all health and care organisations, as detailed below, are required to comply with the Data Security and Protection Toolkit. A link to an explanatory guidance note is included in the "Underpinning Knowledge" section. Compliance with the Data Security and Protection Toolkit facilitates compliance with UK GDPR.
  THC Care Ltd understands that the following types of organisation must comply with the Data Security and Protection Toolkit:
  - Organisations contracted to provide services under the NHS Standard Contract
  - Clinical Commissioning Groups
  - General Practices that are contracted to provide primary care essential services
  - Local authorities and social care providers must take a proportionate response to the new toolkit:
    - Local authorities should comply with the toolkit where they provide adult social care or public health and other services that receive services and data from NHS Digital, or are involved in data sharing across health and care where they process confidential personal data of Service Users who access health and adult social care services
    - Social care providers who provide care through the NHS Standard Contract should comply with the toolkit. It is also recommended that social care providers who do not provide care through the NHS Standard Contract consider compliance with the toolkit as this will help to demonstrate compliance with the ten security standards and UK GDPR
- THC Care Ltd will implement and embed the use of policies and procedures to ensure that personal data is kept secure. The measures below apply in addition to the steps THC Care Ltd is required to take pursuant to the Data Security and Protection Toolkit, if the toolkit applies to THC Care Ltd.
  THC Care Ltd will bear in mind the following principles when deciding how to ensure that personal data is kept secure:
  - Confidentiality - ensuring that personal data is accessible only on a need to know basis
  - Integrity - ensuring that there are processes and controls in place to make sure personal data is accurate and complete
  - Availability - ensuring that personal data is accessible when it is needed for business purposes of THC Care Ltd
  - Resilience - ensuring that personal data is able to withstand and recover from threats
  For paper documents, these will include, where possible:
  - Keeping the personal data in a locked filing cabinet or locked drawer when it is not in use
  - Adopting a "clear desk" policy to ensure that personal data is not visible or easily retrieved
  - Ensuring that documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
  - Redacting personal data from documents where possible
  - Ensuring that documents containing personal data are placed in confidential waste bins or shredded at the end of the relevant retention period
  - Minimising the transfer of personal data outside of business premises and, where such transfer cannot be avoided, ensuring that the paper documents continue to be kept confidential and secure
  For electronic documents, the measures taken by THC Care Ltd will include, where possible:
  - Encryption or, where encryption is not available, password protection (a password that only restricts opening a file, without encrypting its contents, does not protect the personal data if the file is copied or the device holding it is lost)
  - Ensuring that documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
  - Ensuring ongoing confidentiality, integrity, availability and resilience of systems used online to process personal data (this may require a review of IT systems and software currently used by THC Care Ltd)
  - The ability to quickly restore the availability of and access to personal data in the event of a technical incident (this may require a review of IT systems and software currently used by THC Care Ltd)
  - Taking care when transferring documents to a third party, ensuring that the transfer is secure and the documents are sent to the correct recipient
- THC Care Ltd will ensure that all business phones, computers, laptops and tablets are password protected. THC Care Ltd will encourage staff to avoid storing personal data on portable media such as USB devices. If the use of portable media cannot be avoided, THC Care Ltd will ensure that the devices it uses are encrypted (password protection alone does not protect the data if the device is lost or stolen) and that each document on the device is also encrypted or password protected.
- THC Care Ltd will implement guidance relating to the use of business phones and messaging apps. THC Care Ltd understands that all personal data sent via business phones, computers, laptops and tablets may be captured by UK GDPR, depending on the content and context of the message. As a general rule, THC Care Ltd will ensure that staff members only send personal data by text or another messaging service if they are comfortable that the content of the messages may be captured by UK GDPR and may be provided pursuant to a Subject Access Request (staff should refer to the Subject Access Requests Policy and Procedure at THC Care Ltd for further details).
- THC Care Ltd will ensure that all staff are aware of the importance of keeping personal data secure and not disclosing it, on purpose or accidentally, to anybody who should not have access to the information. THC Care Ltd will provide training to staff if necessary. THC Care Ltd will consider in particular the likelihood that personal data, including special categories of data, will be removed from the premises of THC Care Ltd and taken to, for example, Service Users' homes and residences. THC Care Ltd will ensure that all staff understand the importance of maintaining the confidentiality of personal data away from the premises of THC Care Ltd and take care to ensure that the personal data is not left anywhere it could be viewed by a person who should not have access to that personal data.
- THC Care Ltd will adopt policies and procedures in respect of recognising, resolving and reporting security incidents, including breaches of UK GDPR. THC Care Ltd understands that it may need to report breaches to the ICO and to affected Data Subjects, as well as to CareCERT if THC Care Ltd is required to comply with the Data Security and Protection Toolkit.
- THC Care Ltd will adopt processes to regularly test, assess and evaluate the security measures it has in place for all types of personal data.
Privacy by Design

- THC Care Ltd will take into account the UK GDPR requirements around privacy by design (referred to in UK GDPR Article 25 as data protection by design and by default), particularly in terms of data security.
- THC Care Ltd understands that privacy by design is an approach set out in UK GDPR that promotes compliance with privacy and data protection from the beginning of a project. THC Care Ltd will ensure that data protection and UK GDPR compliance is always at the forefront of the services it provides, and that it will not be treated as an afterthought.
- THC Care Ltd will comply with privacy by design requirements by, for example:
  - Identifying potential data protection and security issues at an early stage in any project or process, and addressing those issues early on; and
  - Increasing awareness of privacy and data protection across THC Care Ltd, including in terms of updated policies and procedures adopted by THC Care Ltd
- THC Care Ltd will conduct Privacy Impact Assessments (the Data Protection Impact Assessments required by UK GDPR for high-risk processing) to identify and reduce the privacy and security risks of any project or processing carried out by THC Care Ltd. A template Privacy Impact Assessment is available within the Privacy Impact Assessment (Privacy Notice) Policy and Procedure at THC Care Ltd.
5. Procedure
- THC Care Ltd will consider data retention and data security issues and concerns at the beginning of any project (whether the project is the introduction of a new IT system, a new way of working, the processing of a new type of personal data or anything else that may affect the processing activities at THC Care Ltd). THC Care Ltd appreciates that this is key for complying with the privacy by design requirements in UK GDPR.
- THC Care Ltd will review the periods for which it retains all the personal data that it processes.
- THC Care Ltd will, if necessary, adopt new policies and procedures in respect of data retention and will circulate those policies and procedures to all staff. THC Care Ltd will consider providing training to staff in respect of data retention.
- THC Care Ltd will review the security measures currently in place in respect of all the personal data it processes.
- THC Care Ltd will document the decisions it takes, and the logic and reasoning behind those decisions, in respect of both data retention and data security. THC Care Ltd will keep a record of all policies and procedures it implements to demonstrate its compliance with UK GDPR.