GDPR Policy
Introduction
Information Governance gives assurance to data subjects, including members of staff, individuals and clients that personal information is dealt with legally, securely, efficiently and effectively in order to deliver the best possible care. The Cube Disability Ltd. recognises that it is of paramount importance to ensure that information is effectively managed and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.
Policy Statement
All members of staff must comply with this policy. In order to discharge its requirements, The Cube Disability Ltd. must ensure that clear policies and procedures are in place and that these are supported by effective awareness training. It is The Cube Disability Ltd.’s policy that personal data will be:
- obtained, held and processed fairly
- held for specific purposes and used only for these purposes
- processed in accordance with the rights of the data subject
- relevant, accurate and kept up to date
- corrected if shown to be inaccurate
- kept for no longer than necessary and destroyed when no longer required, in line with best practice
- protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This policy should be read in conjunction with the Client Confidentiality Policy.
Scope
This policy applies to all members of staff at The Cube Disability Ltd. who should ensure that they are aware of their responsibilities in relation to information governance.
This policy applies to all personal data processed by The Cube Disability Ltd. relatable to any identifiable living person.
Definitions
Data subject: the individual about whom The Cube Disability Ltd. has collected personal data.
Data Protection Act 2018: an Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive.
General Data Protection Regulation (EU) 2016/679: a regulation in EU law on data protection and privacy for all individuals within the European Union. The relevance of the GDPR is not affected by the UK’s departure from the European Union.
Personal data: any information about a living person including, but not limited to, names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, as defined below.
Process or processing: doing anything with personal data, including, but not limited to, collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data; at the point you collect it, you are processing it.
Special categories of data: has an equivalent meaning to ‘sensitive personal data’ under the Data Protection Act 2018. Special categories of data include, but are not limited to, medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views.
Data controller: the main decision-maker over the management of the data in question. They exercise overall control over the purposes and means of the processing of personal data. For the purposes of this policy, The Cube Disability Ltd. considers itself to be a data controller in respect of all members of staff and clients.
Data processor: acts on behalf of and only on the instructions of the relevant controller. For the purposes of this policy, The Cube Disability Ltd. considers itself to be the data processor in relation to the service delivered to its clients.
Personal Data Audits
The Cube Disability Ltd. will carry out PID (Personally Identifiable Data) Audits. The data audit will be carried out by the Data Protection Officer, or by a person to whom the Data Protection Officer has delegated this responsibility, and the results collated. The personal data audit will identify the following:
- whom the information is held about
- what personal information is held, including any sensitive personal data
- in which format the personal data is being collected (e.g., name, address, telephone number etc.)
- how the PID is stored (e.g., on a computer, manual files or both)
- who has access to this information
- the purpose(s) for which The Cube Disability Ltd. holds the personal data
- how the PID is collected
- whom the PID is collected from.
A Personal Data Audit form is available from the Data Protection Officer, Jonny Horsley. The Data Protection Officer will use the outcome of the Personal Data Audit to update the Information Asset Register.
Information Asset Register
Computerised and manual filing systems containing information relating to an identifiable person who can be directly or indirectly identified, such as name, identification number, location data or online identifier, must be documented in the Information Asset Register. The Asset Register will record:
- the Service Area to which the entry relates
- the name of the computer system, manual files or both in which the data is stored
- whom the information is held about
- what personal information is held, including any sensitive personal data that is being held
- how the data is protected (e.g., restricted access or protected access)
- retention period for the data
- the Information Asset Owner.
Such systems must be managed to comply with GDPR/Data Protection principles.
Access to Information and Disclosure Outside of The Cube Disability Ltd.
Members of staff will be granted access to the information that they need to carry out their work. Members of staff have a duty to keep the information they use confidential.
There are a number of occasions where it will be necessary for The Cube Disability Ltd. to share PID. Whether it is appropriate to share or disclose data is determined by the relevant agreements and protocols in place that allow for the exchange of information between The Cube Disability Ltd. and other organisations. Any information disclosed must be necessary for the purpose for which it is disclosed. Therefore, members of staff should not, for example, disclose details of a member of staff’s religious beliefs if only their name and National Insurance number are required by HMRC.
If it is necessary to discuss individual data subjects in reports or at meetings, a pseudonymisation process should be followed (e.g., Nurse A).
Individual Awareness
It is The Cube Disability Ltd.’s policy that:
- Information Governance training will be classified as ‘mandatory’ in the induction programme
- all new members of staff joining the business will receive information governance training relevant to their role, as soon as possible after commencement of their employment
- all individuals associated with The Cube Disability Ltd., whether employed or contracted, will receive information governance training at least every 12 months
- guidance and support are available to all members of staff who process PID.
Security Breach Notification and Investigation
Any breach or suspected breach of the GDPR must be reported immediately to the Data Protection Officer, providing as much information as possible. A breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever personal data is lost, destroyed, corrupted or disclosed, as well as if someone accesses the data or passes it on without proper authorisation, or if the data is made unavailable, for example when it has been encrypted by ransomware or accidentally lost or destroyed.
The Data Protection Officer will investigate and, if appropriate, produce a report for the Senior Management Team. The Data Protection Officer will provide advice to the Senior Management Team on whether the breach requires notification to the Information Commissioner’s Office. This advice should take account of the information provided on the ICO’s website regarding the reporting of breaches.
The Data Protection Officer is required to notify the ICO of any breach that is likely to present a risk to the rights and freedoms of data subjects. If a decision is made not to report a breach to the ICO, the rationale must be documented so that it can be justified at a later date if required.
Individual Rights – The Right to be Informed
The Cube Disability Ltd.’s privacy notice supplied to members of staff regarding the processing of their personal data will be written in clear, plain language, and will be concise, transparent, easily accessible and free of charge.
In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:
- the identity and contact details of The Cube Disability Ltd. and the Data Protection Officer
- the purpose of and the legal basis for processing the data
- the legitimate interest of The Cube Disability Ltd. (if applicable) or a third party
- any recipients or categories of recipients of the personal data
- any international transfers of data
- how long the data will be stored for
- the existence of the data subject’s rights, including the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.
Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.
The privacy notice should also make reference to any online information collated such as cookies. In relation to cookies, The Cube Disability Ltd. will:
- tell people the cookies are there
- explain what the cookies are doing and why
- get the person’s consent to store a cookie on their device.
Fresh consent may be required if the use of cookies changes over time.
Individual Rights – Subject Access Requests (SARs)
Individuals have the right to obtain confirmation that their data is being processed. They also have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.
The GDPR requires that the data subject is provided with access to their personal data within 1 month of their request being validated by The Cube Disability Ltd. The Cube Disability Ltd. may extend the period of compliance by a further 2 months, where requests are complex or numerous. If this is the case, The Cube Disability Ltd. will inform the individual within 1 month of receipt of the request and explain why the extension is necessary.
The Cube Disability Ltd. will verify the identity of the person making the request before any information is supplied. The Data Protection Officer must be advised of all subject access requests and will keep a record of these to demonstrate compliance with the requirements of the legislation. The response time will not commence until all of the conditions identified above have been satisfied. All requests will be responded to without delay and, at the latest, within 1 month of receipt.
A copy of the information will be supplied to the individual free of charge. However, The Cube Disability Ltd. may impose a ‘reasonable fee’ to comply with requests for further copies of the same information. Fees will be based on the administrative cost of providing this information. Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will also be charged.
Where a SAR has been made electronically, the information will be provided in a commonly used electronic format. All manual data in relevant filing systems will be reviewed and any personal data relating to third parties removed, anonymised or consent for its disclosure obtained from the third party.
Where a request is manifestly unfounded or excessive, The Cube Disability Ltd. holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority (the Information Commissioner’s Office) within 1 month of the refusal.
In the event that a large quantity of information is being processed about an individual, The Cube Disability Ltd. will ask the individual to specify the information the request is in relation to.
Individual Rights – Right to Rectification
Individuals are entitled to have any inaccurate or incomplete personal data rectified.
Where the personal data in question has been disclosed to third parties, The Cube Disability Ltd. will inform them of the rectification, where possible. Where appropriate, The Cube Disability Ltd. will inform the individual about the third parties that the data has been disclosed to.
Requests for rectification will be responded to within 1 month; this will be extended by 2 months where the request for rectification is complex.
Where no action is being taken in response to a request for rectification, The Cube Disability Ltd. will explain the reason for this to the individual and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
Individual Rights – The Right to Erasure
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have the right to erasure in the following circumstances:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- when the individual withdraws their consent
- when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- the personal data was unlawfully processed
- the personal data is required to be erased in order to comply with a legal obligation
- the personal data is processed in relation to the offer of information society services to a child.
The Cube Disability Ltd. has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority
- for public health purposes in the public interest
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes
- the exercise or defence of legal claims.
Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Where personal data has been made public within an online environment, The Cube Disability Ltd. will inform the other organisations who process the personal data to erase links to and copies of the personal data in question.
Individual Rights – The Right to Restrict Processing
Individuals have the right to block or suppress the processing of personal data by The Cube Disability Ltd.
In the event that processing is restricted, The Cube Disability Ltd. will store the personal data, but will not process it further, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future. The Cube Disability Ltd. will restrict the processing of personal data in the following circumstances:
- where an individual has objected to the processing and The Cube Disability Ltd. is considering whether there are legitimate grounds to override those of the individual
- where processing is unlawful, and the individual opposes erasure and requests restriction instead
- where The Cube Disability Ltd. no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Where an individual contests the accuracy of the personal data, processing will be restricted until The Cube Disability Ltd. has verified the accuracy of the data. If the personal data in question has been disclosed to third parties, The Cube Disability Ltd. will inform them about the restriction on the processing of the personal data, unless it is impossible or involves a disproportionate effort to do so. The Cube Disability Ltd. will inform individuals when a restriction on processing has been lifted.
Individual Rights – The Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability. The right to data portability only applies in the following cases:
- to personal data that an individual has provided to a controller
- where the processing is based on the individual’s consent or for the performance of a contract
- when processing is carried out by automated means.
Personal data will be provided in a structured, commonly used and machine-readable form. The information will be provided free of charge. The Cube Disability Ltd. is not required to adopt or maintain processing systems that are technically compatible with other organisations.
In the event that the personal data concerns more than one individual, The Cube Disability Ltd. will consider whether providing the information would prejudice the rights of any other individual.
The Cube Disability Ltd. will respond to any requests for portability within 1 month. Where the request is complex, or a number of requests have been received, the timeframe can be extended by 2 months, ensuring that the individual is informed of the extension and the reasoning behind it within 1 month of receipt of the request.
Where no action is being taken in response to a request, The Cube Disability Ltd. will, without delay and at the latest within 1 month, explain to the individual the reason for this and will inform them of their right to complain to the Information Commissioner’s Office.
Fair and Lawful Processing
Under the GDPR, data will be lawfully processed by The Cube Disability Ltd. under the following conditions:
- the consent of the data subject has been obtained
- processing is necessary for:
  - compliance with a legal obligation
  - the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  - the performance of a contract with the data subject, or to take steps to enter into a contract
  - protecting the vital interests of the data subject or another person
  - the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Sensitive data will only be processed under the following conditions:
- The Cube Disability Ltd. will not use personal data for any purposes other than those advised to individuals directly or detailed in the relevant entry in the Register of Data Controllers published by the Information Commissioner’s Office
- as far as possible, The Cube Disability Ltd. will process personal data only where it is necessary for compliance with the law, the performance of a contract, with a view to establishing a contract, or it is in the organisation’s legitimate business interests to do so
- where this is not possible, or in the case of sensitive personal data (see below), consent of the individual will be sought to enable the personal data to be processed.
The Cube Disability Ltd. will obtain the explicit consent of the individual concerned for all processing of sensitive personal data, unless:
- it is information relating to racial/ethnic origin, disability or religious belief that is being collected purely for monitoring equality of opportunity or treatment
- it relates to the employment of individuals
- it is necessary for the provision of advice or support and the data subject cannot reasonably be expected to give explicit consent.
The Cube Disability Ltd. will require all data processors to formally agree that personal data will not be used for any purpose other than that agreed. The Cube Disability Ltd. will not disclose personal data to third parties unless the disclosure is necessary for:
- carrying out obligations under employment, social security or social protection law or a collective agreement
- protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
- the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- reasons of substantial public interest on the basis of Union or Member State law, which is proportionate to the aim pursued and which contains appropriate safeguards
- the purposes of preventative or occupational medicine, for assessing the working capacity of the members of staff, medical diagnosis, the provision of health, social care, treatment, management of health, or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
All disclosures of personal data to third parties must be authorised by a member of the Senior Management Team and be limited to the minimum information required. All disclosures must be recorded either in the personnel or client’s record.
Retention of Information
Personal data shall be retained in accordance with the periods detailed below. Where a retention period is not specified, personal information will only be retained for the longer of:
- as long as required for its purpose
- as required by law
- as recommended by the Chartered Institute of Personnel & Development.
Paper-based records will be disposed of in the confidential waste bins provided, ready for shredding. Further advice can be sought from the Data Protection Officer. The Cube Disability Ltd. requires all data processors to formally agree that personal data shall not be retained for longer than is necessary for the purpose for which they are processing it. In the table below, retention periods in bold are statutory; those not in bold are best practice: