GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

Lawful Bases.

Under the General Data Protection Regulation (GDPR), the lawful bases Waverly Care Services Ltd relies on for processing this information are:

Consent: the individual has given clear consent for us to process their personal data for a specified purpose.

Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations) and CQC regulations.

Vital Interests: the processing is necessary to protect someone’s life.

Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This does not apply if a public authority is processing data to perform its official tasks.)

There are several changes here, in particular to the Right of Access in relation to timescales and fees. These must be fully understood in relation to anyone submitting a Subject Access Request.

The GDPR provides the following rights for individuals:

Right to be informed:

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. Saintly Care will provide privacy information to you at the time we collect your personal data from you.

Right of access:

Individuals have the right to access and receive a copy of their personal data, and other supplementary information.

Right to rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing.

Right to erasure

This introduces the right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.

Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data.

Right to data portability

The right allows individuals to obtain and reuse their personal data for their own purposes across different services.

Right to object

This gives individuals the right to object to the processing of their personal data in certain circumstances.

Rights related to automated decision making including profiling

The UK GDPR has provisions on automated individual decision-making and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The Information Commissioner’s Office provides further information.

01 File Retention

The GDPR sets out guidance on files and retention, including archiving; specifically, Health and Social Care personal data is generally exempt. As a provider of services, we have file and retention guidelines in place from our Regulator, the CQC, as well as from Local Authorities via the Service Specification within any contractual arrangements.

02 Compliance

A thorough knowledge of the Guidance is a priority for our Data Controller. It is also important that the Act is placed in the context of other compliance requirements, namely the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and all other lawful requirements such as Regulation 18 Staffing.

03 Privacy and Electronic Communications

This deals with electronic marketing messages, such as those sent by phone or email, including the use of cookies. It introduces specific rules on the above, on keeping such communication services secure, and on users’ privacy in regard to location data and line identification.