Policies

Data Protection Policy

 

1.Introduction

 

Access All Areas respects the privacy of all individuals and takes very seriously its responsibilities under the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation (“GDPR”). This policy is designed to ensure that all information held on individuals is properly handled in all cases.

 

This policy applies to all partners, and to all staff working within Access All Areas or its partners (including employees, agency workers, contractors and temporary staff), who may process personal data about employees or other individuals. Compliance with this policy is mandatory.

 

2.Scope

 

This policy applies to the treatment of personal data for which Access All Areas Training CIC is the data processor or data controller and applies to all staff members, temporary staff members, associates, and sub-processors.

 

Personal data is defined as any data that can be used to identify a living individual, either directly or in combination with other information. Anonymised or aggregated data is not regulated by the Data Protection Act (DPA) or the General Data Protection Regulation (GDPR), provided the anonymisation or aggregation cannot be reversed. For clarity, individuals can be identified by various means including their name and address, telephone number, email address, National Insurance number, photographs, passport or driving licence details, CCTV images, salary or job title, or opinions expressed about them which allow them to be identified.

 

Confidential data, including “sensitive personal data”, must be treated with an enhanced level of diligence. For clarity, confidential data includes any data (or information) which is shared under a reasonable expectation of confidentiality, and specifically includes all Special Categories of Data as defined in the GDPR:

 

1. Race or ethnic origin.

2. Political opinions.

3. Religious or philosophical beliefs.

4. Trade union membership.

5. Genetic data.

6. Biometric data.

7. Health data.

8. Sex life or sexual orientation.

9. Criminal offence data (not formally a Special Category under the GDPR, but subject to equivalent safeguards).

3.Purpose

 

This document states and explains how we comply with the principles of data protection and acts as a statement of intent by which the company, its employees and relevant third parties must abide. This policy is published and distributed to staff, customers or service users, and clients as required for informative purposes. This policy cannot and does not aim to cover every possible use of data but should be used for guidance where required.

 

4.Commitments

 

Access All Areas Training CIC will:

  1. Ensure that we comply with the Principles of Data Protection

  2. Meet our legal obligations as laid down by the General Data Protection Regulation, the Data Protection Act 2018, the Human Rights Act 1998, the Health and Social Care Act 2015, the Access to Health Records Act 1990, and any other relevant legislation.

  3. Ensure that processes and procedures are in place to allow data subjects to exercise their rights.

5.Data Protection Principles

 

The data protection principles shall be used to guide all use of personal data:

  1. Accountability – This means that we acknowledge and understand our role and responsibilities as a data controller and data processor. We ensure this by having appropriate governance of how data is used, at the appropriate level of management

  2. Lawfulness, Fairness, and Transparency –

    1. Lawfulness means having a legitimate legal basis for processing personal data. For us this is usually the service contract or agreement we have in place with our customers: when a customer purchases our services, refers a client to us, or a client self-refers, this gives us the legal basis to process their personal data. Where special category data (such as health data) is processed, an additional condition must also be met, for example the data subject’s explicit consent or the provision of health or social care.

    2. Fairness means only using data in the manner which is expected. We ensure this by making sure customers and service users are aware of, and understand how, we process their personal data, ensuring that this is clear and accurate, and ensuring that we do not use data in any other way.

    3. Transparency means that customers and service users must be aware of how we use their data. We ensure this by publishing information on how we use personal data (such as this policy), and by gathering relevant informed consent where consent is relied upon.

  3. Purpose Limitation – This means that data may only be collected for specific, explicit and legitimate purposes. We ensure this by having clear agreements with our customers and suppliers which limit the use of personal data, and only using data in the manner which would be expected.

  4. Data Minimisation – This means that only the minimum relevant personal data should be collected for the agreed purposes. We ensure this by only collecting the data we require to provide our services, and by ensuring that staff are adequately trained.

  5. Accuracy – This means ensuring that data is accurate and up to date. We ensure this by adequately training our staff, and by having a process in place to allow customers and service users to access and request corrections to their personal data.

  6. Storage Limitation – This means that personal data should only be kept for the minimum time necessary. We ensure this by regularly reviewing the data we hold and destroying it in line with our own policies and any other relevant guidance, regulation or legislation. In practice this means that we store counselling/clinical data for eight years from when the customer or service user last contacted us.

  7. Integrity and Confidentiality – This means that personal data must be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. We ensure this through the security measures described in section 12 of this policy.

6.The Data we Collect

 

Access All Areas collects and stores personal data on behalf of private customers, the NHS, employers, Occupational Health providers, or insurance companies who pay for our services, and website users who visit our webpages and resources.  Generally, the data we collect may consist of (where required for treatment or the provision of services):

  1. name.

  2. address and post code.

  3. telephone number.

  4. employee number or employment details.

  5. email address.

  6. payment card details.

  7. medical history.

  8. medical conditions.

  9. age or date of birth.

  10. gender.

  11. ethnic group or race.

  12. sexual orientation.

  13. criminal offences.

  14. political, religious or philosophical beliefs.

  15. other details about a client as required for legitimate therapy related treatment purposes.

  16. relevant interests or activities.

Some data is also collected automatically by our websites. See the relevant website Privacy Policy for more details.

 

7.How we Use Personal Data

 

The data we collect is used for legitimate business purposes only. We never sell data to any third party and we aim to be fully transparent in its use. Data is used in the following ways:

  1. for the provision of Careers IAG, monitoring, training, welfare advice, talking therapy, counselling, and employment support.

  2. to provide reports to customers or service users in line with our agreements (in most cases, and where suitable, personal data is anonymised when reporting to customer organisations to protect service user confidentiality).

  3. to positively identify service users or other individuals.

  4. for clinical or business audit and quality assurance purposes.

  5. to provide analysis and intelligence reports to customers or for use internally.

  6. for billing, payment, or accounting purposes.

  7. to send or supply goods, products or services.

  8. to manage inquiries or complaints.

  9. to send communications about services, or that have been specifically requested.

  10. to send some marketing communications relating to our business or products, or those of selected third parties.

8.Who Has Access to Personal Data

 

Personal data collected when assessing or providing the appropriate service may be accessed by therapists or administrative members of staff as required for the provision of services, or by auditors who ensure the quality of service. This data may also be shared with other third-party professionals outside of Access All Areas where this is required for the provision of services, is required by law, or is required to safeguard the wellbeing of a client or other person. Data may occasionally be accessed by selected service suppliers who provide technical support.

Access All Areas may share data with other third-party agencies such as the local authority, funding bodies and other voluntary agencies.

 

The Individual/Service User will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows Access All Areas to disclose data (including sensitive data) without the data subject’s consent.

 

These are:

 

  1. Carrying out a legal duty or as authorised by the Secretary of State

  2. Protecting vital interests of an Individual/Service User or other person

  3. The Individual/Service User has already made the information public

  4. Conducting any legal proceedings, obtaining legal advice, or defending any legal rights

  5. Monitoring for equal opportunities purposes – i.e., race, disability, or religion

  6. Providing a confidential service where the Individual/Service User’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g., where we would wish to avoid forcing stressed or ill Individuals/Service Users to provide consent signatures.

 

Access All Areas regards the lawful and correct treatment of personal information as especially important to successful working, and to maintaining the confidence of those with whom we interact.

 

Access All Areas will adhere to the Principles of Data Protection, as originally set out in the Data Protection Act 1998 and now carried forward by the GDPR and the Data Protection Act 2018.

 

Specifically, the Principles require that personal information:

 

  1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,

  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with that purpose or those purposes,

  3. Shall be adequate, relevant and not excessive in relation to those purpose(s),

  4. Shall be accurate and, where necessary, kept up to date,

  5. Shall not be kept for longer than is necessary,

  6. Shall be processed in accordance with the rights of data subjects,

  7. Shall be kept secure by the Data Controller, who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,

  8. Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals/Service Users in relation to the processing of personal information.

 

Access All Areas will, through appropriate management and strict application of criteria and controls:

  1. Observe fully the conditions regarding the fair collection and use of information

  2. Meet its legal obligations to specify the purposes for which information is used

  3. Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements

  4. Ensure the quality of information used

  5. Ensure that the rights of people about whom information is held can be fully exercised. These include:

    1. The right to be informed that processing is being undertaken,

    2. The right of access to one’s personal information,

    3. The right to prevent processing in certain circumstances, and

    4. The right to correct, rectify, block or erase information which is regarded as incorrect.

  6. Take appropriate technical and organisational security measures to safeguard personal information

  7. Ensure that personal information is not transferred abroad without suitable safeguards

  8. Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation, or ethnicity when dealing with requests for information

  9. Set out clear procedures for responding to requests for information

 

9. How Long we Keep Personal Data

 

Personal data collected by a healthcare professional forms part of a medical record and we are legally required to maintain this data in line with the guidance of relevant healthcare governing bodies. In general terms, this means that data is stored for 8 years after a customer’s or service user’s last contact with a therapist; however, there are exceptions for minors, or following the death of a client.

 

Personal data collected by administrative staff to support clients into training, employment, general welfare advice, and IAG will be retained up to 2 years. There are exceptions for minors or following the death of a client. 

 

Other personal data collected through websites or other means will be kept only for the minimum amount of time required and then deleted.

 

10.Data access and accuracy

 

All Individuals/Service Users have the right to access the information Access All Areas holds about them. Access All Areas will also take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

 

In addition, Access All Areas will:

 

  1. Ensure it has a Data Protection Officer with specific responsibility for ensuring compliance with data protection

  2. Ensure that partners and staff processing personal information understand that they are contractually responsible for following good data protection practice

  3. Ensure that partners and staff processing personal information are appropriately trained to do so

  4. Ensure that partners and staff processing personal information are appropriately supervised

  5. Ensure that partners and staff wanting to make enquiries about handling personal information understand the process

  6. Deal promptly and courteously with any enquiries about handling personal information

  7. Describe clearly how it manages personal information

  8. Regularly review and audit the ways it holds, manages, and uses personal information

  9. Regularly assess and evaluate its methods and performance in relation to handling personal information

  10. Ensure all staff are aware that breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

 

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to data protection legislation, including the Data Protection Act 2018 and the GDPR.

 

In case of any queries or questions in relation to this policy please contact the Access All Areas Data Protection Officer.

 

11.What Happens if There is a Data Breach

 

Any personal data breach will be assessed immediately on discovery. Where the breach is likely to result in a risk to individuals, it will be reported to the Information Commissioner’s Office within 72 hours of our becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected individuals will also be informed without undue delay. Any relevant customer organisation will be informed in line with our agreements; where Access All Areas processes data on a customer’s behalf as a data processor, the customer (as data controller) will be notified without undue delay so that it can meet its own reporting obligations.

Any individual who believes their data may have been used unlawfully should contact the data protection officer immediately using the details at the bottom of this policy.

Any data security breach (such as a loss of personal data) must be immediately reported to the Data Protection Officer. All staff must co-operate with the Data Protection Officer in the investigation and management of that breach. Please refer to the Data security breach policy to ensure the correct procedure is followed.

 

12.How we Keep Personal Data Safe

  1. Access All Areas Training CIC systems and processes are protected by technical controls which are subject to regular internal audits.

  2. Data is stored on locally hosted and remote UK based platform-as-a-service hosted servers, which are managed and maintained by an ISO27001:2013 certified IT Service provider. Customer Data is also stored on a remote software-as-a-service Case Management System. These services are securely connected to our local network or accessed by encrypted connections.

  3. All servers and user endpoints are protected with enterprise grade Anti-Virus/Anti-Malware software which is monitored and updated on a continuous basis. High risk end points are monitored with device monitoring software which allows remote secure deletion of files, or disablement.

  4. All users have unique login credentials with passwords which meet common complexity guidance, and monthly password changes are enforced by network policy. Users with regular access to sensitive data are subject to Enhanced DBS background checks, criminal records checks, previous employment checks, and governing body certification checks.

  5. Where data is transmitted outside of the network, it is protected by pseudonymisation, anonymisation, or encryption.

  6. Data is backed up locally, and remote copies are stored encrypted for one month. Key systems are also replicated or have redundant failover to ensure continuity of services in the event of a disaster or technical incident.

  7. Network security is tested by external penetration and vulnerability testing annually, and backups and business continuity measures are fully tested at least annually.

  8. When client Data reaches end of life, it is securely destroyed, deleted, or otherwise made inaccessible by secure physical shredding, digital shredding, or database anonymisation.

13.Data Subjects Rights

 

Whilst data is often collected on behalf of our private and business customers, all individuals have the following rights in relation to their data:

  1. The right to be informed: Customers or service users should be informed, at the earliest opportunity, what data is to be collected and what it will be used for. This must be provided in a clear, concise, and transparent format.

  2. The right of access: Customers or service users may request, verbally or in writing and free of charge, access to their own records. These should be provided in an accessible format once the customer’s or service user’s identity has been confirmed, and within one month in most circumstances (extendable by up to two further months where requests are complex or numerous).

  3. The right to rectification: Customers or service users may request that inaccurate or incomplete data is rectified, and where this data has been disclosed to another party, such as their insurance provider or employer, we have an obligation to inform them of corrections.

  4. The right to erasure: Bearing in mind the legal protection required for medical records, customers or service users may request the deletion of data where it is no longer required for legitimate purposes, or where they withdraw their consent to processing. Under no circumstances may a counselling record be altered or erased without seeking the proper authority and consulting with the Access All Areas Training CIC Data Protection Officer.

  5. The right to restrict processing: Processing of data may be suspended should a client contest the accuracy of personal data, or where they object to processing, prior to any decision being made about rectifying or deleting data. Enough data may be retained in any case to ensure that any restrictions on processing are respected in the future.

  6. The right to data portability: Customers or service users are allowed to obtain and reuse their personal data for their own purposes. We must be prepared to transfer personal data across organisations or IT systems without hindrance to usability.

  7. The right to object: Customers or service users may object to their data being used on grounds relating to their particular situation unless we can demonstrate compelling legitimate grounds to continue. This should be considered on a case-by-case basis.

  8. Rights in relation to automated decision making and profiling: If an automated decision is made about an individual, they may request that this decision is reviewed by a human being.

14.Roles and Responsibilities

 

The following roles have specific responsibilities for data protection.  These are in addition to other responsibilities within the Information Governance Policy:

  1. Data Protection Officer: The IG Lead is the data protection officer for Access All Areas’ various departments and services. The DPO will provide advice, monitor compliance, and be the first point of contact in the organisation for data protection matters. The DPO is the organisation’s point of contact for the ICO and reports directly to the Board in relation to data protection matters.

  2. All Employees: All employees will, through appropriate training and management:

    • Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information.

    • Understand fully the purposes for which Access All Areas uses personal information.

    • Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by Access All Areas to meet its service needs or legal requirements.

    • Ensure the information is destroyed in accordance with the provisions of the Data Protection Act and General Data Protection Regulation when it is no longer required.

    • On receipt of a request by or on behalf of an individual for information held about them, or any other data subjects’ rights in relation to their personal data, immediately notify their line manager and appropriately log the access request.

    • Not send any personal information outside of the United Kingdom without the authority of the Data Protection Officer.

    • Understand that breaches of this Policy may result in disciplinary action, up to and including dismissal.

 

15.Data Protection Policies

 

The following policies and sub-policies are related to this policy:

  • Information Governance Policy

    • Data Protection Policy

      • How We Use Your Data

      • Privacy Impact Assessment Policy

      • Photography and Videography Policy

      • Website Privacy Policy

  • Information Security Policy

  • Confidentiality Policy

  • Document and Records Management Policy

  • Information Sharing Policy

 

16.Distribution and Training

  1. This policy will be centrally published and accessible to all staff.

  2. The subject matter of this policy will form part of mandatory induction training and mandatory annual training for all staff.

 

17.Monitoring

 

Compliance with this policy will be monitored by the DPO as part of the Quality and Safety System, including through internal audit.  Findings shall be reported directly to the DPO and if required to the Board of Directors.

18.Making a Data Rights Request

 

General queries may be answered verbally by any member of staff once a person’s identity has been confirmed; however, the following apply:

  1. Requests to access a client’s personal data can be made verbally or in writing.

  2. We must positively identify the client’s identity prior to fulfilling any such request.

  3. On receiving an access request, we are usually bound to inform the relevant customer organisation and may need to refer the request back to them, dependent on our contractual agreements.

  4. Where a request for a client’s personal data does not come from the client themselves, refer the matter to the Data Protection Officer immediately.

  5. Requests to transfer the data to another provider, or other health professional, or another professional (such as a solicitor) must follow the procedure outlined above for access requests.

  6. Requests to correct inaccurate data may be made verbally as long as the client has passed the standard data protection checks. In general, therapy records may not be edited but a note may be added showing a correction.  Where required, customers or service users shall be requested to write a supplementary statement of the correction required to add to a case file.

  7. Requests to erase data, or suspend processing, or withdraw consent may be made verbally, however these should be referred to the Access All Areas Data Protection Officer, and the consequences of this explained to the client, which may vary between contracts. In general, we may not erase any part of a client service record but may be able to offer alternative solutions on a case-by-case basis, and if consent is withdrawn, further service may be withdrawn.

  8. Requests from children, from an adult who provided data to us as a child, or from a parent regarding a child will be dealt with on a case-by-case basis by the Access All Areas Data Protection Officer.

 

 

 

19.Make a Complaint or Ask a Question

 

Whilst we make every effort to uphold the principles of data protection, if a client or customer wishes to ask a question, direct them to contact:

 

1.Access All Areas Training CIC Data Protection Officer:

Phone: 01664 784 044

Email: roma@accessaa.info

ICO Registration Number: ZA806730

Complaints about how a case has been handled may be escalated to:

2.The Information Commissioner’s Office:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Phone: 0303 123 1113

Website: www.ico.org.uk

3.Or, to the employer or service provider who referred the client