Privacy & Confidentiality Policy/Procedures
Inner City Life acknowledges that in properly carrying out its duties, its employees will have access to information that is personal and often also highly confidential regarding both the Company, Staff member colleagues and also service users.
Furthermore, the law concerning Personal Information has been updated by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”), from 25th May 2018, and all Staff are reminded that no-one should discuss or otherwise share any service user’s or other Staff colleague’s personal information regarding: –
- External Discussion – ie with an external person, a statutory body or an agency, unless a ‘Data Exchange’ agreement has been authorised and signed.
- With other service users.
- regarding ‘internal discussion’ – it is distinctly part of their authorized operational/supervisory duties and even then, information should only be shared on a ‘need to know’ basis.
Inner City Life expects all contracted Providers (and their Staff) to also adhere to this Policy statement. In doing so, their person responsible for Data Protection Officer in their organization should be quoted.
Any enquiries concerning personal data held by individual Providers, should be made direct to the Provider concerned.
Inner City Life’s Data Protection Officer = Saad Burbank
Email address = <email@example.com>
Telephone number: 0121 389 4033
- What does Confidentiality entail?
Confidentiality refers to any information (written or verbal) about an individual, which must not be shared without that person’s permission and must only be recorded/stored in designated and in an appropriately secure manner and not used improperly. This includes anything discussed with Staff or service users during their respective support sessions.
2.2 What does Privacy entail?
Every data controller (eg Inner City Life) must issue Privacy Notice to all individuals that they hold personal data for. This must show the purposes of the processing of Personal data.
GDPR also requires that we have identified and published a ‘valid lawful basis’ in order to process personal data’ – Inner City Life has considered this and our view is shown at para 2.4 below
2.3 What is Personal Data?
Personal data has been defined as ‘any information relating to a person who can then be directly or indirectly identified, including by use of a reference as an identifier’. Personal data therefore covers obvious information such as name, contact details, NI no’s, Next of Kin, but it also covers less obvious information such as unique identification numbers. The Personal Data collected on all individuals (i.e. service users, Staff, Non-Executive Directors) associated with Inner City Life, has been detailed in individual Privacy Notices sent out during May 2018 – and will be provided for all ‘new starters’ in the various areas.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
2.4 What are the lawful bases for processing?
Under the GDPR, we must always have a lawful basis for using personal data. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is processed. Inner City Life has considered this and detailed below (in italics) is how Inner City Life interprets each of the relevant legal bases:
- Consent: the individual has given clear consent for us to process their personal data for a specific purpose – this is ascertained via the signed consent notice attached to every individual’s Privacy Notice. √
- Contract: the processing is necessary for contracts (/agreements) we have with the individuals ie agreement to provide support. √
- Legal obligation: the processing is necessary for Inner City Life to comply with the law. √
- Vital interests: the processing is necessary to protect someone’s life. Safeguarding of individuals (i.e. service users, Staff and any visitors) is of paramount importance to Inner City Life √
- Public task: the processing is necessary for the performance of a task in the public interest or for your official functions, and the task or function has a clear basis in law. N/A
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) √
To summarise, we believe that the personal data collected is needed for Inner City Life to perform the service of providing vulnerable people with support. Consent has been obtained via signed Privacy Notices. The personal data will be used for the following purposes:
- Providing and managing support.
- Personalising and tailoring services as agreed with the individual.
- Communicating with individuals.
- Evidencing to our Commissioners and Regulators.
- For the safety of the service users, Staff and general public.
With the permission and/or where permitted by law, we may also use the personal data for marketing purposes, which may include contacting the individuals by email and telephone and post with information, news, or services. We will however not send any unlawful marketing or spam. We will always work to fully protect individual’s rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
We do not use the automated system for carrying out any kinds of decision- making or profiling.
3. Summary Procedures
- Duties & Responsibilities:
All employees are required to sign a confidentiality statement before their employment commences. All member of Staff should also receive training as part of their Induction on the principle elements of the company’s confidentiality policy and the basic principles of the Data Protection Act/New GDPR and the implications that this will have on their work.
Every employee has a duty of confidentiality to service users and a duty to support professional ethical standards of confidentiality. Everyone within Inner City Life and covered by Inner City Life contracts must be aware of the importance of confidentiality. All Staff need to be aware of their responsibilities for safeguarding service users confidentiality and keeping information secure.
3.2 Record keeping/Storage:
- Care must be taken to ensure that any markings on the external page of a file/lever arch file, is not made visible to any visitor to the accommodation or office.
- All Staff records should be kept in a secure area (electronically/secure rooms/filing cabinets) in the Company’s Head Office
- Records relating to service users (eg Support Plans/Personal Files etc) should again be kept in a secure area (secure rooms/filing cabinets) in the Home Providers Head Office location. All records must always be locked away when not being used and when in use must not be able to be viewed by anyone other than the data subject or an authorized officer.
- The filing cabinet/secure area must be locked at all times when not being used by a Staff member. No service user’s records should be taken off the designated premises. When service user files are needed, Staff should get them from the secure area, not leave them unattended and return them immediately following their use.
- In office locations, care must be taken not to display on walls/noticeboards etc, any personal information which could identify service user details
- No computer screens (or other display screens) showing service user personal data (including even names) must be visible to visitors to the office or in the office from a ‘counter area’.
- With regard to confidentiality, all service users have the right to receive their confidential post un-opened. This is in accordance with the Data Protection Act and Human Rights legislation.
- Personal information regarding Staff members should also be kept in the strictest of confidence and accessed only by management. No Staff records must leave the premises at any time.
- Any personal data which is no longer needed must be disposed of securely (in accordance with ‘Data Retention Policy’ periods). This means that paper and other physical records should be thoroughly shredded, and disposal arrangements made with a company that has achieved BS EN 15713:2009
- Personal data held on computers etc. that are sold on or donated – It is no longer acceptable to just re-format hard disk drives. As there are tools now readily available which can recover data from formatted disks. It is therefore important that organizations contract with a company which guarantees full data as being irrecoverable.
- Personal data will only be stored in the UK. This means that it will be fully protected under the GDPR
- Staff must comply with the requirements of the Data Protection Act Breaches of confidentiality are a serious matter. Non-compliance with this policy code of conduct may result in disciplinary action being taken.
- There are however exceptions to our Privacy & Confidentiality policy. If we think that a person is at serious risk or we are given information about a crime, then we may have to pass this onto other people. We would normally tell the individual before we do this and will provide reasons in writing for our action.
4) How long will we keep the Personal Data?
We will not keep personal data for any longer than is necessary in light of the reason(s) for which it was first collected and also in line with guidance
from our insurers and/or if there is an ongoing query from a statutory body (eg HM Revenues) or an ongoing legal claim/court proceeding. Please see the separate Data Retention Policy displayed on the Inner City Life web site.
5) How do we share the Personal Data collected?
We will not share any personal data with any third parties other than where we have obtained a ‘Data Sharing Agreement’. This is however subject to one important exception.
In some limited circumstances, we may be legally required to share certain personal data, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority. In these instances, we will always endeavor to inform the individual concerned.
6) An individual’s rights
Under the GDPR, every person has the following rights with regard to Personal Information/Data: –
- The right to be informed about the collection and use of their personal data. This Privacy and Confidentiality Policy & Practice (freely available on the Inner City Life web pages and referred to in documentation provided to service users & Staff) should tell an individual everything they need to know, but if people have any further questions they should approach the person in the organization/s who has responsibility for Data Protection.
- The right to access personal data that is held concerning themselves.
- The right to have personal data rectified if any of the personal data held by us is inaccurate or incomplete. In this event contact should be made using the details shown in para 7.
- The right to ask to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any aspect of an individual’s personal data that we have.
- The right to restrict (ie prevent) the processing of personal data.
- The right to object to us using an individual’s personal data for a
particular purpose or purposes.
- The right to data portability. This means that, if someone has provided personal data to us directly, then we are using it with their consent for the performance of a task which has been explained to them. The individual can then ask us for a copy of that personal data to re-use when eg they move to another job (ie Staff) or to another support provider (service users).
- Rights to be made aware when the data held is used for automated do not intend to use personal data in this way. decision-making and profiling. However, Inner City Life would point out that we currently
Further information about an individual’s rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If an individual has any cause for complaint about our use of their personal data, they have the right to lodge a complaint with the Information Commissioner’s Office.
7) How can individuals access their Personal Data?
If any individual wants to know what personal data is held about them, they can ask: –
- For service users – their coordinator should be contacted. Indeed, service users are positively encouraged to review their Support Plans monthly. They should also be encouraged to review any other Personal Files held and in doing so inform us of any data which is ‘out of date’ or otherwise incorrect.
- Staff – should contact the Human Resources area of their respective employing organisations.
- Next of Kin (NOK for service users or Staff) – they are able to ask for details of the personal data held about themselves. They should contact the respective Home Provider direct to do this. This is known as a “subject access request.” If a NOK wants to check personal information held concerning a relative, this can only be permitted if the service user or Staff member themselves agrees.