The European Union General Data Protection Regulation (GDPR), which was adopted by the European Union in 2016, will automatically come into force on 25th May 2018. The Government is introducing a UK Data Protection Bill (currently in draft) which incorporates and supplements the GDPR to create a UK data protection regime both pre- and post-Brexit.
To comply with the law, staff who process personal information must ensure they follow the Data Protection Principles. The obligation to keep information confidential arises out of the common law duty of confidentiality, professional obligations and staff/third-party contracts. All staff with access to confidential personal information must keep that information safe and secure.
This document sets out Hampton Wick Health’s commitment to the confidentiality of personal information and its responsibilities with regard to the disclosure of such information which you may provide in relation to your treatment in the clinic.
It aims to ensure that all staff, whether directly employed or self-employed within the Clinic, are aware of their responsibilities towards the confidentiality of personal information.
Data Protection Principles
Personal data shall be:
1) Fairly and lawfully processed.
2) Processed for specific purposes only.
3) Adequate, relevant and not excessive.
5) Not kept longer than necessary.
6) Processed in accordance with the data subject’s rights.
8) Not transferred to countries outside the EU without adequate protection.
The Act requires Hampton Wick Health to register as a Data Controller with the Office of the Information Commissioner, detailing the purposes for which personal information is used; use of data beyond that specified in the registration is unlawful. An annual fee is paid to the ICO to maintain notification on the register.
Disclosure of Personal Information
Whether personal information can be disclosed to others depends on a number of factors, including whether the patient/service user has consented to the information being shared, to whom the information is being disclosed and the reason for its disclosure.
In order to ensure the confidentiality of personal information, systems and procedures are in place to control access to such information. Such controls are essential to ensure that only authorised persons have physical access to computer hardware and equipment and access to either electronic or paper records containing confidential information about individuals.
Staff members who process personal data about clients, staff, job applicants, or any other individual must comply with the requirements of this policy.
Staff members must ensure that:
· All personal data is kept securely.
· No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party.
· Personal data is kept in accordance with the Clinic’s record keeping retention policy.
· Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer (Sabrina or Christian).
· Any data protection breaches are swiftly brought to the attention of the Owner and/or Data Protection Officer.
· Where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Officer.
Staff who are unsure which third parties are authorised to receive personal data, and to whom they can therefore legitimately disclose it, should seek advice from the Owner and/or Data Protection Officer.
Where a third-party Data Processor is used (i.e. Cliniko):
· The Data Processor must provide sufficient guarantees about its security measures to protect the processing of personal data.
· Reasonable steps must be taken to confirm that such security measures are in place.
· A written contract must set out what personal data will be processed and for what purpose.
· A data processing agreement must be signed by both parties.
Self-Employed Contractors (Therapists)
The Clinic is responsible for the use made of personal data by anyone working on its behalf. Such staff must be appropriately vetted for the data they will be processing. In addition, the Clinic must ensure that:
· Any personal data collected or processed in the course of work undertaken for the Clinic is kept securely and confidentially.
· All personal data processed (e.g. notes) is held in the clinic, including any copies that may have been made.
· The Clinic receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the Clinic.
· Any personal data made available by the Clinic, or collected, in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from the Clinic.
· All practical and reasonable steps are taken to ensure that self-employed contractors (Therapists) do not have access to any personal data beyond what is essential for the work to be carried out properly.
· Therapists familiarise themselves with the principles of GDPR before they start.
· Therapists keep the personal data they provide to the Clinic accurate and up to date.
Subject Access Requests
The Clinic is required to permit individuals to access their own personal data held by the Clinic via a subject access request. Any individual wishing to exercise this right should do so in writing to the Data Protection Officer.
The Clinic aims to comply with requests for access to personal information as quickly as possible and will in any case ensure that it is provided within 1 month of receipt of the request.
Data Protection breaches
Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer.
The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
Queries regarding this policy or the Data Protection Act at large should be directed to the Owner/Data Protection Officer.
Please write to:
Hampton Wick Health
46 High Street