we aim to offer: reliability, integrity, choice, honesty and availability

Data Policies

Data Protection: An introduction

The Data Protection Act (DPA) 1998 came into full force on 1 March 2000. This supersedes the 1984 Act. It provides living individuals with a right of access to personal information held about them. The right applies to all information held in computerised form, and also to non-computerised information held in filing systems structured so that specific information about particular individuals can be readily retrieved. Access to records of deceased individuals still falls within the scope of the Access to Health Records Act 1990.

The Data Protection Act places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.

Data Protection Principles

The Data Protection Act 1998 contains eight Data Protection Principles. These are:

1. Data must be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specific and lawful purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose.
6. Personal data shall be processed in accordance with the rights of data subjects under the 1998 Data Protection Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Information Commissioner’s Office (ICO) has specific responsibilities for the promotion and enforcement of the DPA. Under the DPA, the Information Commissioner (IC) may:

- serve information notices requiring data controllers to supply the IC with the information needed to assess compliance;
- where there has been a breach, serve an enforcement notice which requires data controllers to take specified steps, or to stop taking steps, in order to comply with the law.

The Company Data Protection lead is James Clowes, Director.

Access to personal data is a right under the Data Protection Act. Any request for access to data must be made in writing to:

Star Support for You Limited
12 Creech View
Denmead
Waterlooville
Hampshire
PO7 6SU
UK

The General Data Protection Regulation (GDPR)

The GDPR is a European-wide regulation that comes into force on 25 May 2018. The legislation is designed to protect people’s personal data from being stolen or exploited by companies. Central to the new regulation is the idea of keeping people’s personal data safe and accurate, obtaining consent to collect it, and having a business purpose to hold on to it. Current data-protection legislation goes some way towards this, but the GDPR goes further.

What is personal data?

Personal data is any information that can be used to identify an individual, such as name, postal address, email address, date of birth, gender, National Insurance number, NHS number, bank details, credit card details and so on. Often it is information that will be collected as part of marketing activity or held about customers that you’ve worked with.

Some personal data is classified as sensitive and requires particularly careful handling. This includes data on an individual’s ethnicity, religion, political affiliation, sexual orientation, trade union membership, previous criminal convictions, biometric data (such as fingerprints or eye scans), and physical or mental health.
The GDPR broadens the definition of personal data from the existing Data Protection Act. It now includes almost any information that can be used to identify an individual when combined with other elements of personal data. For example, items such as IP addresses (for individual computers) or physical records, such as business cards, record cards and manual filing systems, can now be classed as personal data. Businesses that use fingerprint recognition to gain access to a building or a locker (as in a gym) will also be subject to the regulations.

Why does any of this matter?

There are large fines for failing to comply with the collection and management of data as specified by the GDPR. The most serious cases can incur fines of up to 4% of global turnover or €20m, whichever is bigger.

Will this still apply after Brexit?

Yes. Brexit will not stop UK businesses having to comply with the new regulations – the UK will still be part of the EU when they come into force in May 2018. The GDPR will continue to apply until it is specifically repealed or overtaken by new legislation.

What are the new areas of regulation?

Accountability

The GDPR contains a principle of accountability for all businesses that collect personal data (controllers) and process it (processors). Your business is accountable for the data it collects and processes. In practice, this means you must provide evidence of complying with the GDPR in the form of documented policies and procedures to deal with collecting and processing personal data. You will need to document what personal data you hold, what you do with it, and, if you share it with any other organisations, who, what and why.

Your business will be held responsible for the accuracy of the data you hold. This means checking that it’s up to date. If you share data and it turns out to be inaccurate, it’s up to you to contact the other organisations you shared it with to get it updated.
Breach notification

Under the GDPR, you must report any significant personal-data breach within 72 hours of its discovery to the relevant authority – in the UK, that’s the Information Commissioner’s Office (ICO). In the most serious cases you must report it to the individuals concerned too. The ICO defines a personal data breach as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ This means that a breach is more than just losing personal data.

Collecting data and privacy notices

Under current legislation, before you collect any personal data, you need to give your customers information about:

- who you are;
- why you are collecting their data;
- how you will use this information;
- whether you will share it with any third parties.

This information is usually shared in a privacy notice, which often takes the form of a few lines of text near a tick box, to allow customers to give their consent. Under the GDPR you will need to update your privacy notice. As well as the existing points, you will need to explain:

- your lawful basis for processing the data;
- for how long you will keep the data;
- the individual’s right to complain to the ICO if they think there’s a problem with how you’re handling their data.

The GDPR emphasises the need for clear, transparent communication. It says the information you supply about the processing of personal data must be:

- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child;
- free of charge.

Data transfer

The GDPR imposes restrictions on transferring data outside the EU. Even if you think this doesn’t apply to you, be careful – if you store data with a third-party company and it has servers outside the EU, then you would be in breach of the GDPR if it moved personal data you collect to those servers.

Individuals’ rights

Many of the individuals’ rights are similar to those under the current Data Protection Act.
People have the right to request access to any personal data you hold on them, under a subject access request. Under the GDPR you must provide this free of charge if it is a ‘reasonable’ request, i.e. not one that has been made repeatedly, and not for volumes of information that it would be impossible to produce within the time allowed. The deadline to provide the information has also been reduced to 30 days.

Individuals are allowed to object to how you use their data. If you process data for direct marketing, you must stop using the person’s data as soon as you receive an objection, until either the objection is resolved or the data is removed.

People have the right to request that you delete their personal data if:

- it’s no longer needed for the purpose it was originally collected or processed;
- they withdraw consent;
- they formally object to its being used and there’s no overriding legitimate reason to continue using it;
- it was processed unlawfully (in breach of the GDPR);
- there is a legal need to erase it.

Preparing for and implementing the General Data Protection Regulation (GDPR) (2018)

General Data Protection Regulation (GDPR): Setting the Scene

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The UK Government has confirmed that Brexit will not affect the implementation of the GDPR; the Great Repeal Act means it is likely to be converted into British law. The GDPR applies to organisations that are either controllers of the data or processors of the data. As under the current DPA, as a controller we are responsible for how and why personal data is processed, and as processors our staff and associates are responsible for acting on the controller’s behalf. However, under the GDPR the processor now has a specific legal obligation to maintain records of what personal data they are processing and of their processing activities. Therefore, under the GDPR both the controller and the processor have defined legal responsibilities.
Most companies are both the controller and owner. There has been a lot in the press about the scale of the fines that can be levied against organisations. Whilst true, these reports mainly refer to large corporations; however, the Information Commissioner’s Office (ICO) does fine companies and charities, and in April 2017 it announced that it had fined 11 charities between £6,000 and £18,000. These fines were ‘significantly reduced’ so as not to cause stress to donors, but under the GDPR they are said to increase substantially.

In the GDPR, personal data has been redefined and now covers a much wider scope, including new areas such as IP addresses, CCTV and biometrics. The GDPR also covers a ‘special’ category of personal data, referred to as sensitive data, which may only be processed within a limited number of circumstances.

The principles that underpin the GDPR are ones that we would all hope people will apply to our own data. From Article 5, personal data shall be (paraphrased):

- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary;
- processed in a manner that ensures appropriate security of the personal data.

Buried in these principles are some very important new requirements. For example, informed consent: the information on which consent is given must be informative and unambiguous, and the consent must be given freely. In addition, consent can be withdrawn. Data from children (under 16) requires authorisation from a parent or guardian, and the controller and/or processor must make all reasonable efforts to obtain this.
There are now a number of rights of the individual:

- Right to be informed: we must provide ‘fair processing information’.
- Right of access: confirmation that their data is being processed, access to their personal data, and other supplementary information.
- Right to rectification: people can correct incorrect information.
- Right to erasure: that is, the right to be forgotten.
- Right to restriction of processing: we can store but not process the data.
- Right to portability: to take and reuse their personal data across a range of services.
- Right to object.
- Right in relation to decision making: people can object if a human is not in the loop on a decision about them.

As part of the GDPR, the company must provide a Data Protection Impact Assessment (DPIA). The DPIA identifies the specific risks to personal data as a result of processing activity and must be undertaken whenever there is a change in processes or technology, or a new activity within the organisation.

There are two interrelated processes required for the implementation of the GDPR:

- design of systems and processes which secure the data;
- design of systems and processes which ensure that data is managed properly.

The ICO will accept an organisation complying with Cyber Essentials as meeting the requirement for securing the data. Cyber Essentials is a scheme developed by the UK Government (with advice from GCHQ) and industry to give a clear statement of the basic controls to mitigate against internet-based threats. The Information Assurance for Small and Medium Enterprises (IASME) Governance standard was developed in order to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001. IASME Gold has been used by many organisations to demonstrate that they have the systems and processes which ensure that data is managed properly. Included in this standard is an assessment against the GDPR requirements, which enables companies to say they are GDPR ready.
GDPR Overview

What’s the current legal framework?

The Data Protection Act 1998. This will be superseded by the General Data Protection Regulation (GDPR), which comes into force in May 2018.

What’s the significance of GDPR?

It’s not in fact a huge departure from the Data Protection Act; rather, it updates and adds to the existing framework. The major changes are:

Requirements for consent are more rigorous

Consent is a very hot topic, especially within organisations such as Star Support for You Limited. The GDPR seeks to ensure that consent is given, and given freely, which means the subject must have a choice and isn’t forced to give unnecessary details in the process of undertaking Star Support for You Limited business. Consent must be informed and specific, with clarity on how to opt in and out, and about how the data will be used. Lastly, a subject must actively confirm that they provide consent. As noted above, where individuals do not have capacity to provide their consent, consent can be given by their advocate.

Requirement to delete data at the subject’s request

GDPR implementation will bring with it the ‘right to be forgotten’ and the ‘right to object’. All organisations must understand these rights and have processes in place to react to subjects invoking their rights, including, but not limited to, removing their consent and securely deleting their data.

Requirement to notify authorities within 72 hours of any data breach

There will be a requirement on all organisations to report any personal data breach to the relevant authorities and, in some cases, to the individuals affected by the breach. The requirement to notify is for breaches that may result in a risk to the rights and freedoms of individuals, and this includes events that, for example, may lead to financial loss, discrimination or loss of confidentiality. This means you will need to think carefully about how you store data.
Increased fines for failure to comply

There are two tiers of fines: 2% of total annual turnover or €10 million (whichever is higher) and, for the more serious infringements, 4% of annual turnover or €20 million (again, whichever is higher).

GDPR will apply to all organisations, no matter where they are based or what their size, if they offer goods or services (even if free) to individuals in the EU. In addition, despite Brexit, the ICO have confirmed that they are likely to implement similar rules after we have left the EU, to allow the United Kingdom to operate on a level playing field with the continent. All organisations should plan for, and be ready to comply with, the GDPR.

Subject Access Requests (SARs)

What is a SAR?

A SAR is a request for personal information that the company may hold about a data subject, i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of, and allow them to verify, the lawfulness of the processing of their personal data.

Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by the company. If personal information is being processed, they are entitled to access:

- the reasons why their data is being processed;
- a description of the personal data concerning them;
- a copy of all records, including e-mails, where they are mentioned (see Appendix);
- information about anyone who has received or will receive their personal data;
- details of the origin of their data if it was not collected from them.

Star Support for You Limited need to be mindful that the rules on subject access apply to any individual. Star Support for You Limited are likely to hold and process personal data about their staff, associates, service users, clients, equipment suppliers, case managers and many others. Each category will have the same access rights.
Key Changes to SARs under GDPR

Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes Star Support for You Limited need to be aware of, which may require us to make changes to our procedures:

Fees: Under the DPA, Star Support for You Limited can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive.’ Star Support for You Limited can charge a ‘reasonable fee’ for multiple requests.

Impact: This may have a significant effect where we receive large volumes of requests, and may result in an increase in administrative costs to our company.

Response time: Under the DPA, we must respond to SARs within 40 days of receipt of the written request. Under the GDPR, we must respond to SARs within one month of receipt. This deadline can be extended by a further two months where there are a number of requests or the request is complex, but we must contact the individual within a month of receipt, explaining why the extension is necessary.

Impact: We will have a shorter time to deal with SARs; therefore, having an effective procedure in place will ensure that we are able to comply with the new reduced timescales. Being able to recognise a subject access request and pass it to the correct person in the company will be critical if we are to comply with the reduced timescales. Remember, for it to be a valid request, it doesn’t need to say it is a subject access request or even mention the DPA. If staff or associates have personal e-mail accounts where a SAR could be made, these should be monitored when the member of staff is out of the office (for example when on holiday or on secondment) to ensure that SARs are dealt with quickly.
Remember, you will only have up to one month to respond, so Star Support for You Limited needs to have good procedures to make sure it complies on time and is able to provide the information that it needs to. The ICO will take a serious view of any delay in providing the information if a complaint is made either to us or to the ICO.

Provision of information: Individuals can make a SAR electronically. If they do so, the information provided should be in a commonly used electronic format, unless otherwise requested. But remember, Star Support for You Limited must verify the individual’s identity prior to granting access to information. This can sometimes take a little time, especially if it is a guardian or someone acting under a power of attorney who is seeking the information about a data subject.

In responding to a subject access request, the organisation will need to advise the data subject of:

- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom we disclose the information;
- where possible, how long we will hold on to the information, or the criteria we use to decide how long the personal information will be held for;
- the right to request rectification, erasure or restriction of the processing, and the right to lodge a complaint with the ICO;
- where the personal data are not collected from the data subject, the source from which Star Support for You Limited obtained the data;
- the existence of any automated decision-making.

Impact: Where Star Support for You Limited doesn’t already have a procedure for staff or associates to identify a SAR and/or know how to escalate it to be dealt with, we will put a procedure in place and train staff accordingly.

Data Retention

A data retention policy is a requirement of the GDPR. Please refer to our Data Retention Policy (2018).
Right to withhold personal data: Under the GDPR, Star Support for You Limited can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’ It will be up to the UK government to introduce any further exemptions to SARs, such as for national security, defence and public security. We should take advice before proposing to withhold information on this basis, as Star Support for You Limited will need to consider its applicability carefully, and its use should not result in a refusal to provide all information.

How should the information be given to the applicant?

A person making a subject access request only has the right to see their own personal data, rather than a right to see copies of the documents that contain their personal data. Often, the easiest way to provide the relevant information is to supply copies of original documents, but we are not obliged to do this. Once the personal data that is relevant to the request has been located and retrieved, it must be communicated to the applicant in an intelligible form. In most cases, the information must be supplied in permanent form.

Schedule 1: Searching for Information

The ICO has given guidance on specific types of records and how the duty to locate personal data in response to a subject access request applies in these contexts:

Archived information and back-up records in electronic form: To the extent that Star Support for You Limited’s search mechanisms allow it to find archived or backed-up data for its own purposes, the same effort should be used to find information in order to respond to a subject access request.

Information contained in emails: The contents of emails stored on computer systems are a form of electronic record to which the general principles apply. For the avoidance of doubt, the contents of an email should not be regarded as deleted merely because it has been moved to a user’s ‘Deleted items’ folder.
Deleted information: Information is ‘deleted’ when we try to permanently discard it and have no intention of ever trying to access it again. If personal data held in electronic form is deleted by removing it (as far as possible) from our computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean we must go to such efforts to respond to a subject access request.

Information stored on personal computer equipment: If staff or associates hold personal data on their own devices, they may be processing that data on behalf of Star Support for You Limited, in which case it would be within the scope of a subject access request. In general, associates do not need to be asked to search their private emails or personal devices in response to a subject access request unless there are good reasons to believe they are holding relevant personal data.

Other records: Whether information in hard-copy records is personal data accessible via the right of subject access will depend primarily on whether the non-electronic records are held in a ‘relevant filing system’. Broadly speaking, a relevant filing system exists where information about individuals is held in a sufficiently systematic, structured way as to allow ready access to specific information about those individuals.

Consent

1. The End of Passive Consent

1.1 One of the most significant impacts is the strengthened requirement for getting consent from someone to hold their data. Previously, consent was defined as any freely given, specific and informed indication of their wishes. In practice, companies often relied upon the person’s failure to opt out as evidence of their consent.

1.2 GDPR requires a positive, unambiguous, affirmative action. Anything less won’t be acceptable. A ticked box will still work (not a pre-ticked box!), as will an active opt-in. Consent must be capable of being withdrawn at any time.
1.3 Data controllers must now capture each consent, together with the version of the privacy notice that accompanied the consent, and hold it on file for later inspection. If only partial consent is given, the system must be capable of screening out any unauthorised use.

1.4 Note that ‘grandfather’ consents won’t be allowed, so any existing consents that don’t meet GDPR requirements won’t be valid after May 2018 and must be re-acquired.

1.5 Consents which depend on services which are conditional on the giving of consents will not be valid.

2. Legitimate Interests

2.1 As the consent rules become more stringent, companies are likely to want to consider whether they can capture the data under the banner of legitimate interests. GDPR does allow legitimate interest processing, but the tests are more stringent than before. For example, is it necessary for the performance of a contract or to comply with the law? It’s a balancing act between the subject’s right to privacy and the company’s interests.

2.2 GDPR adds two requirements: transparency and internal documentation. The subject must be explicitly informed at the time of the purpose for which the data is collected and the legitimate interest which pertains. This must be embodied in the privacy notice. All this must be documented and kept as in 1.3 above, together with the rationale for using a legitimate interest as the lawful basis for collecting the data. Someone must be designated to take responsibility for compliance. Responsibility can be delegated, but ultimate accountability will be held by the company. The person needs to be sufficiently competent and have sufficient independence to be able to be effective.

3. Transparency

3.1 GDPR focuses on the importance of transparency. Consent must be based on a written explanation couched in clear and plain language in an accessible form.
3.2 This is a list of the information to be included:

- The controller’s identity and contact information;
- The Data Protection Officer’s (DPO) contact information;
- The purposes and legal basis of the processing;
- Details of the legitimate interests (if relied upon);
- Recipients of the personal data;
- Any intended transfer to a non-EU country and why;
- How long the data will be stored;
- Data subject rights;
- Ability to withdraw consent;
- Right to lodge a complaint and who to go to;
- Whether provision of data is required and the consequences of failure to provide it;
- Whether automated decision-making is involved and the consequences to the data subject.

4. Subject rights

4.1 Existing rights

- Right of access;
- Right of rectification;
- Right to object;
- Right to object to direct marketing;
- Right not to be subject to automatic processing (unless necessary to fulfil a contract or required by law).

4.2 New or expanded rights

- Right to be forgotten without undue delay;
- Right to restrict processing, especially where the accuracy of data is contested or the data is no longer needed;
- Right of data portability (in a commonly used format);
- Right to object to processing for scientific, historical or statistical purposes.

5. Accountability and Requirement of a Data Governance Programme

5.1 Whereas the concept of accountability has until now been implied, it must now be evidenced. The evidence must be kept and available for inspection.

5.2 Every consent must be kept and available for inspection (see 1.3 above). The record keeping will need to be extensive.

5.3 Data Protection Officer (DPO)

A formal DPO must be appointed as the core activity of the company consists of regular and systematic monitoring or processing of sensitive or criminal data on a large scale. (What is large scale is not defined, but some authorities believe 500 entries to be ‘large’.) DPOs must have appropriate knowledge and skills and sufficient independence to perform their duties.
Their duties will consist of advising colleagues, performing PIAs (Privacy Impact Assessments) and audits, monitoring compliance, cooperating with DPAs and serving as a contact point for data subjects.

5.4 The Data Controller (DC) must conduct a PIA for any processing that is likely to pose a high risk to individuals’ rights. This must include a description of the planned processing, an analysis of the necessity for it, an assessment of the risks to privacy, and the measures that may be put in place to mitigate the risks to the rights and freedoms of the data subjects. If the risk is high, the DPO must be consulted before any processing.

5.5 Privacy must be built into the design of the company’s products and services.

5.6 GDPR record keeping requirements are strict. Records must include:

- Names and contact details of the officials involved – DPO and DC;
- Categories of processing;
- Purposes of processing;
- Who will see the data;
- Retention periods;
- Description of the security measures in place;
- Details of any cross-border transfers of information.

6. Data Breach Notifications

6.1 Under GDPR a data breach must be reported within 72 hours unless the controller can demonstrate that it’s unlikely to result in risk to data subjects.

6.2 If there’s a serious risk to data subjects, they must also be notified. The risk would be the likelihood of fraud, or extreme distress or embarrassment.

6.3 Encryption is a likely panacea for breach notification obligations. If all breached data is encrypted, the controller would not normally need to report it.

7. Summary

7.1 For the first time, data processors have specific obligations. These will include the requirement to implement appropriate security measures and keep detailed records.

7.2 Under GDPR, violations carry the risk of fines and private rights of action.

Subject Access Requests

Purpose

This document sets out our policy for responding to subject access requests under the Data Protection Act 1998 (DPA).
The Act took effect from 24 October 1998, and the General Data Protection Regulation is effective from 25 May 2018. It is the legislation in the UK that explains the rights and responsibilities of those dealing with personal data. All staff are contractually bound to comply with this legislation and other relevant Authority policies.

Introduction – What is the DPA?

The DPA gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

- fairly and lawfully processed;
- processed for specific and lawful purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with the individuals’ rights;
- secure;
- not transferred to other countries without adequate protection.

Secondly, it provides individuals with important rights, including the right to find out what personal information is held on computer and in most paper records.

What is the Authority’s general policy on providing information?

We welcome the rights of access to information that are set out in the DPA. We are committed to operating openly and to meeting all reasonable requests for information that are not subject to a specific exemption in the Act.

How do you make a subject access request?

A subject access request is a written request for personal information (known as personal data) held about you by the Authority. Generally, you have the right to see what personal information we hold about you: you are entitled to be given a description of the information, what we use it for, who we might pass it on to, and any information we might have about the source of the information. However, this right is subject to certain exemptions that are set out in the Data Protection Act.

What is personal information?
Personal data is information which is biographical or which has the individual as its focus. Further information on what amounts to personal data can be found at Appendix A.

What do we do when we receive a subject access request?

Checking of identity
We will first check that we have enough information to be sure of your identity. Often we will have no reason to doubt a person's identity, for example if we have regularly corresponded with them. However, if we have good cause to doubt your identity we can ask you to provide any evidence we reasonably need to confirm it. For example, we may ask you for a piece of information held in your records that we would expect you to know, a witnessed copy of your signature, or proof of your address.

If the person requesting the information is a relative or representative of the individual concerned, then the relative or representative is entitled to personal data about themselves but must supply the individual's consent for the release of the individual's personal data. If you have been appointed to act for someone under the Mental Capacity Act 2005, you must confirm your capacity to act on their behalf and explain how you are entitled to access their information. If you are the parent or guardian of a child under 16, we will need to consider whether the child can provide their own consent to you acting on their behalf. Should you make a subject access request but you are not the data subject, you must state the basis under the Data Protection Act on which you consider you are entitled to the information.

Collation of information
We will check that we have enough information to find the records you requested. If we need more information, we will promptly ask you for it. We will gather any manually or electronically held information (including emails) and identify any information provided by a third party or which identifies a third party.
If we have identified information that relates to third parties, we will write to them asking whether there is any reason why this information should not be disclosed. We do not have to supply the information to you unless the other party has provided their consent or it is reasonable to do so without their consent. If the third party objects to the information being disclosed we may seek legal advice on what action to take. Before sharing any information that relates to third parties, we will where possible anonymise information that identifies third parties not already known to the individual (for example Authority employees), and edit information that might affect another party's privacy. We may also summarise information rather than provide a copy of the whole document: the DPA requires us to provide information, not documents.

Issuing our response
Once any queries about the information requested have been resolved, copies of the information in a permanent form will be sent to you, except where you agree otherwise, where this is impossible, or where it would involve undue effort. In these cases, an alternative would be to allow you to view the information on screen at the Authority. We will explain any complex terms or abbreviations contained in the information when it is shared with you. Unless specified otherwise, we will also provide a copy of any information that you have seen before.

Will we charge a fee?
Under the GDPR we do not charge a fee for a SAR. The GDPR does allow a reasonable fee to be charged, or a request to be refused, where the request is manifestly unfounded or excessive, in particular because it is repetitive.

What is the timeframe for responding to subject access requests?
We have one calendar month, starting from when we have received all the information necessary to identify you and to identify the information requested, to provide you with the information or to explain why we are unable to provide it. The GDPR allows this period to be extended by up to two further months where a request is complex or where several requests have been made, provided we tell you within the first month that an extension is needed and why.
In many cases it will be possible to respond in advance of the target, and we will aim to do so where possible.

Are there any grounds we can rely on for not complying with a subject access request?

Previous request
If someone has made a previous subject access request, we are not obliged to respond to a repeat request unless a reasonable interval has elapsed since the previous one. What counts as a reasonable interval will be determined by the nature of the information, the time that has elapsed, and the number of changes that have been made to the information since the last request.

Exemption
The Act contains a number of exemptions from our duty to disclose personal data, and we may seek legal advice if we consider that they might apply. Possible exemptions include information covered by legal professional privilege, information used for research, historical and statistical purposes, and confidential references given or received by the Company.

What if there is an error in our records?
If the information is inaccurate, we will correct it and, where practicable, destroy the inaccurate information. We will consider informing any relevant third party of the correction. If we do not agree, or feel unable to decide, whether the information is inaccurate, we will make a note of the alleged error and keep this on file.

What if someone wants the company to stop processing their data?
Under section 10 of the DPA, someone can object to the company processing their data altogether, in relation to a particular purpose, or in a particular way, by serving a data subject notice. However, this applies only to certain processing activities, and there is a process that must be followed when making such an objection. We must then give you written notice that we have complied with your request, that we intend to comply with it, or the extent to which we will comply with it and why. This notice will be given to you within 21 days of the company receiving the data subject notice.
Further information on this can be found at informationcommissioner.gov.uk.

Our complaints procedure
If someone is not satisfied by our actions, they can seek recourse through our internal complaints procedure, the Information Commissioner or the courts. The company director will deal with any written complaint about the way a request has been handled and about what information has been disclosed. The director can be contacted at:
Star Support for You Limited
12 Creech View
Denmead
Waterlooville
PO7 6SU
T: +44 (0) 23 9200 6166
M: +44 (0) 7391 134733

If someone remains dissatisfied, they have the right to refer the matter to the Information Commissioner. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 545 745 | Fax: 01625 524 510 | Email: enquiries@ico.gsi.gov.uk

Appendix A
Personal data is information that relates to a living individual who can be identified from the information and which affects the privacy of that individual, either in a personal or professional capacity. Any expression of opinion about the individual, or any indication of the intentions of any person in respect of the individual, is personal data. Provided the information in question can be linked to an identifiable individual, the following are likely to be examples of personal data:
- an individual's salary or other financial information
- information about an individual's family life, personal circumstances or employment
- any opinion about an individual's state of mind
- sensitive personal information: an individual's racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sexual orientation, criminal record and membership of a trade union
The following are examples of information which will not normally be personal data:
- a mere reference to a person's name, where the name is not associated with any other personal information
- an incidental reference in the minutes of a business meeting to an individual's attendance at that meeting in an official capacity
- where an individual's name appears on a document or email indicating only that it has been sent or copied to that individual; the content of that document or email does not amount to personal data about the individual unless there is other information about the individual in it
If a document sent by a third party contains information about an individual which relates to their personal or professional life, it is personal data. An outline of an organisation's standard procedure, relevant to an individual's complaint/s29 case, will not be personal data. Further information can be found here: https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf

Data Retention

Purpose
The purpose of this policy is to set out the procedures for the retention and disposal of information, to ensure that we carry this out consistently throughout the company and that we fully document any actions taken. Unless otherwise specified, the retention and disposal policy applies to both hard-copy and soft-copy documents, and to the application of a retention policy within the Office 365 suite.

Review
Review is the examination of closed records to determine whether they should be destroyed, retained for a further period, or transferred to an archive for permanent preservation.

How long we should keep our paper records
Records should be kept for as long as they are needed to meet the operational needs of Wheel of Health, together with the legal and regulatory requirements imposed on the company.
We have assessed our records to:
- determine their value as a source of information about the company, its operations, relationships and environment
- assess their importance as evidence of business activities and decisions
- establish whether there are any legal or regulatory retention requirements (including the Data Protection Act 1998, the EU General Data Protection Regulation and the Freedom of Information Act 2000)
Where records are likely to have historical value, or are worthy of permanent preservation, we will transfer them to our online archive after 25 years.

Disposal schedule
A disposal schedule is a key document in the management of records and information. It is a list of series or collections of records for which predetermined periods of retention have been agreed between the company directors. Records on disposal schedules fall into three main categories:
- Destroy after an agreed period: where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 3 years; destroy 2 years after the end of the financial year).
- Automatically select for permanent preservation: where certain groups of records can be readily defined as worthy of permanent preservation and are transferred to an archive.
- Review: see Review above.

Destruction
Records can be destroyed in the following ways:
- Non-sensitive information: can be placed in a normal rubbish bin.
- Confidential information: cross-cut shredded and pulped, or burnt.
- Electronic equipment containing information: wiped using KillDisk; individual folders will be permanently deleted from the system.
Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques. Note that ordinary deletion of a file or folder (including emptying the recycle bin, or a deletion that Office 365 retention settings keep recoverable) does not on its own meet that standard; for data that must be non-recoverable, the storage media have to be wiped or the data cryptographically erased.

Archival transfer
This is the transfer of physical records into permanent custody.

Sharing of information
Duplicate records should be destroyed.
Where information has been regularly shared between business areas, only the original records should be retained, in accordance with the Review guidelines above. Care should be taken to check that seemingly duplicate records have not been annotated. Where we share information with other bodies, we will ensure that they have adequate records procedures so that the information is managed in accordance with the relevant legislation and regulatory guidance.

An audit trail
You do not need to document the disposal of records which have been listed on the records retention schedule and disposed of in line with it. Documents disposed of outside the schedule, either by being disposed of earlier or by being kept for longer than listed, must be recorded for audit purposes. This provides an audit trail for any inspections conducted by the Information Commissioner, and helps in answering subject access requests for material we no longer hold.

Monitoring
Responsibility for monitoring the disposal policy rests with the Data Protection Officer and the Directors of the company. This policy should be reviewed according to the agreed review schedule.
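The disposal schedule above has three categories (destroy after a period, review at period end, permanent preservation), with periods counted either from closure or from the end of the financial year, and the audit trail section requires a record only for disposals that fall outside the schedule. The following is an added example, not the company's own tooling, showing how a small retention checker can compute the due date for each category and emit an audit entry only for early or late disposals. The series names, retention periods, 31 March financial year end and 30-day grace window are constructed assumptions for illustration.

```python
"""Retention-schedule helper: due dates per disposal-schedule category and an
audit-trail entry for any disposal that falls outside the schedule.
Added example; the schedule, series names, dates, financial year end and the
grace window below are constructed assumptions, not the company's actual schedule."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    DESTROY = "destroy"    # destroy after an agreed period
    REVIEW = "review"      # examine at period end: destroy, retain further or archive
    PRESERVE = "preserve"  # automatically selected for permanent preservation


@dataclass(frozen=True)
class Rule:
    action: Action
    years: Optional[int] = None   # retention period; None for PRESERVE
    from_fy_end: bool = False     # count from the end of the financial year of closure


@dataclass(frozen=True)
class Record:
    ref: str
    series: str
    closed: date                  # date the record was closed


FY_END_MONTH, FY_END_DAY = 3, 31  # assumed 31 March financial year end
GRACE = timedelta(days=30)        # assumed tolerance before a disposal counts as "late"

# Constructed sample schedule (hypothetical series names and periods).
SCHEDULE = {
    "visitor-log":   Rule(Action.DESTROY, years=3),
    "invoices":      Rule(Action.DESTROY, years=2, from_fy_end=True),
    "care-plans":    Rule(Action.REVIEW, years=8),
    "board-minutes": Rule(Action.PRESERVE),
}


def financial_year_end(d: date) -> date:
    """End of the financial year in which date d falls."""
    end = date(d.year, FY_END_MONTH, FY_END_DAY)
    return end if d <= end else date(d.year + 1, FY_END_MONTH, FY_END_DAY)


def add_years(d: date, n: int) -> date:
    """Add n years, clamping 29 February to 28 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def due_date(rule: Rule, rec: Record) -> Optional[date]:
    """Date on which the rule's action falls due; None for permanent preservation."""
    if rule.action is Action.PRESERVE:
        return None
    start = financial_year_end(rec.closed) if rule.from_fy_end else rec.closed
    return add_years(start, rule.years)


def status(rec: Record, today: date, schedule=SCHEDULE) -> str:
    """What the schedule says to do with the record today: retain, destroy, review or preserve."""
    rule = schedule[rec.series]
    due = due_date(rule, rec)
    if due is None:
        return "preserve"
    return rule.action.value if today >= due else "retain"


def audit_entry(rec: Record, disposed_on: date, schedule=SCHEDULE) -> Optional[dict]:
    """Return an audit-trail entry if the disposal is outside the schedule, else None.

    On-schedule disposals need no record; early or late ones, and any disposal of a
    record selected for permanent preservation, must be documented."""
    rule = schedule[rec.series]
    due = due_date(rule, rec)
    if due is None:
        reason = "disposed of a record selected for permanent preservation"
    elif disposed_on < due:
        reason = f"disposed {(due - disposed_on).days} days before due date {due}"
    elif disposed_on > due + GRACE:
        reason = f"kept {(disposed_on - due).days} days beyond due date {due}"
    else:
        return None
    return {"ref": rec.ref, "series": rec.series, "closed": rec.closed.isoformat(),
            "disposed_on": disposed_on.isoformat(), "reason": reason}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for r in (Record("R1", "visitor-log", date(2020, 5, 1)),
              Record("R2", "invoices", date(2021, 11, 15)),
              Record("R3", "care-plans", date(2018, 1, 10))):
        print(r.ref, status(r, today), due_date(SCHEDULE[r.series], r))
    # An early disposal produces an audit entry; an on-schedule one returns None.
    print(audit_entry(Record("R4", "invoices", date(2021, 11, 15)), date(2023, 1, 5)))
```

The check treats any disposal of a record marked for permanent preservation as out of schedule, because no retention period exists for it; the grace window is only there so that a disposal run a few days after the due date is not logged as "kept for longer than listed".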