DATA PROTECTION POLICY
1. Introduction
United Medical Group Healthcare is committed to protecting the rights and privacy of individuals and to a high standard of transparency and accountability in how the company collects and uses personal data.
This policy sets out the organisation's commitment to meeting its data protection obligations, and individuals' rights and obligations in relation to personal data, in accordance with the UK General Data Protection Regulation (UK GDPR).
1. Scope
This policy applies to the personal data of clients, service users, visitors and the public. This policy does not apply to the personal data of employees or workers, or to other personal data processed for business purposes.
This policy sets out what United Medical Group Healthcare expects from its employees for the company to comply with applicable law. An employee’s compliance with this Data Protection policy is mandatory. Any breach of this policy may result in disciplinary action.
The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of UK GDPR.
2. Accessibility
If any aspect of this policy or procedure causes you difficulty on account of any disability that you may have, or if you need assistance because English is not your first language, you should raise this with your HR contact, who will make appropriate arrangements.
3. Definitions
Personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special categories of personal data are information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
Criminal records data is information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.
Data subject is an individual whose personal data is processed.
4. Data Protection Principles
United Medical Group Healthcare processes personal data in accordance with the following data protection principles:
§ Personal data is processed lawfully, fairly and in a transparent manner.
§ Personal data is collected only for specified, explicit and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.
§ Personal data is processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
§ Personal data is kept accurate and up to date, and all reasonable steps are taken to ensure that inaccurate personal data is rectified or erased without delay.
§ Personal data is kept only for the period necessary for the purposes of processing, in accordance with the rights of the data subject under the legislation.
§ Appropriate measures are put in place to make sure that personal data is secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
§ United Medical Group Healthcare shall be responsible for, and be able to demonstrate compliance with, these principles.
5. Legal basis for processing personal data
United Medical Group Healthcare is required to have a valid lawful basis to process personal data. The six available lawful bases for processing are:
§ Consent
§ Contract
§ Legal obligation
§ Vital interests
§ Public interest
§ Legitimate interests
United Medical Group Healthcare has outlined in its Client Privacy Notice the lawful bases on which it processes individuals' data, how the company uses personal data and the relevant legal basis for each purpose of processing. The company will not process individuals' personal data for other reasons.
6. Right to withdraw consent
In the limited circumstances where individuals may have provided their consent to the collection, processing and transfer of their personal information for a specific purpose, they have the right to withdraw consent for that specific processing at any time. To withdraw their consent, individuals should contact teams@unitedmedicalorg.uk. Once we have received notification that they have withdrawn their consent, we will no longer process their information for the purpose or purposes they originally agreed to, unless we inform them that we have another legitimate basis for doing so.
The national data opt-out enables patients to opt out from the use of their data for research or planning purposes. In line with the recommendations, the Caldicott Guardian and the Data Protection Officer will remove anyone who has been opted out from any data disclosures for purposes beyond individual care.
Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 303 5678.
7. Individual Rights
The GDPR provides the following rights for individuals:
§ The right to be informed: an organisation’s obligation to be transparent about how it uses an individual’s personal data (Privacy Notice).
§ The right of access: allows individuals to obtain a copy of their personal data (Subject Access).
§ The right to rectification: an individual can request their personal data to be rectified if it is inaccurate or incomplete.
§ The right to erasure: an individual can request the deletion or removal of personal data that is no longer necessary for the purposes of processing (right to be forgotten).
§ The right to restrict processing: an organisation must stop processing or erase data if the individual's interests override the organisation's legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data).
§ The right to data portability: allows individuals to obtain and transmit their personal data to another controller.
§ The right to object: an individual can request a stop to their data being processed if processing is based on public interest or legitimate interest.
§ Rights in relation to automated decision making and profiling: an individual can request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless overridden by legal requirements.
8. Subject Access Requests (SARs)
To exercise any of the above rights, the individual should complete United Medical Group Healthcare’s Subject Access Request Form and send this to team@unitedmedical.org.uk.
After receipt of a request and any information required as proof of the identity of the individual making the request, United Medical Group Healthcare will ensure that the individual receives access within one month from the date the request is received, and will inform the individual if there is a valid reason for an extension or if an exemption applies. In such cases, United Medical Group Healthcare will write to the individual within one month of receiving the original request to inform them of the delay or exemption, and the response period will be extended by up to two months.
Whilst there is no legal limit on the number of subject access requests an individual can make to the organisation, United Medical Group Healthcare is not obliged to comply with a request identical or similar to one already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones. If an individual submits a request that is unfounded or excessive, United Medical Group Healthcare will notify the individual that this is the case and how it will be responded to.
9. Individual Responsibilities
Individuals are responsible for:
§ Ensuring that any information they provide to United Medical Group Healthcare is accurate and up to date;
§ Informing United Medical Group Healthcare of any changes to their personal information (the organisation has a responsibility to update personal data promptly if any individual advises that the information has changed or is inaccurate).
Individuals who have access to personal data are required:
§ to access only data that they have authority to access and only for authorised purposes;
§ not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
§ to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
§ not to remove personal data, or devices containing or that can be used to access personal data, from the organisation's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
§ not to store personal data on local drives or on personal devices that are used for work purposes.
10. Data Breaches
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Such an incident may affect the confidentiality, integrity or availability of personal data and may cause, or have the potential to cause, damage to United Medical Group Healthcare’s information assets and/or reputation. This includes breaches that result from both accidental and deliberate causes.
It is an employee’s responsibility to report a data breach incident immediately to HR, who will consult the Data Protection Officer. If the breach occurs or is discovered outside of normal working hours, it must be reported as soon as is practicable. The report must include full and accurate details of the incident: when the breach occurred (dates and times), who is reporting it, whether the data relates to people, the nature of the information, and how many individuals are involved.
The Data Protection Officer will investigate the incident and establish whether notification needs to be made to the Information Commissioner’s Office and/or the data subject. Every incident will be assessed on a case-by-case basis.
11. Disciplinary procedure
All staff should be aware that any breach of Data Protection legislation including failing to observe the requirements outlined in this policy may result in United Medical Group Healthcare’s Disciplinary Procedures being instigated. Significant or deliberate breaches of this policy may constitute gross misconduct and could lead to dismissal without notice.
Please contact HR if you require further information on United Medical Group Healthcare’s Disciplinary Procedure.
12. Data Security
United Medical Group Healthcare takes the security of personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or unauthorised disclosure, and to ensure that data is not accessed except by employees in the proper performance of their duties. United Medical Group Healthcare’s IT infrastructure is protected by antivirus software and secure firewalls.
Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of the data.
13. Data protection impact assessments
Some of the processing that the organisation carries out may result in risks to privacy. Where processing would result in a high risk to individuals’ rights and freedoms, the organisation will carry out a data protection impact assessment to determine the necessity and proportionality of the processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
14. Data Protection Officer (DPO)
United Medical Group Healthcare has appointed its Data Privacy Director as Data Protection Officer (DPO) to oversee compliance with data protection legislation, including the UK GDPR.
The DPO’s responsibilities include:
§ To inform and advise United Medical Group Healthcare and its employees about their obligations under the GDPR and other data protection laws.
§ To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
§ To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees and customers).
Employees have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues.
15. Changes to this policy and Client Privacy notice
United Medical Group Healthcare reserves the right to update this policy and its Client Privacy Notice at any time, and we will provide employees with a new privacy notice when we make substantial updates. We may also notify you in other ways from time to time about the processing of employee personal information.
16. Linked Policies/Templates
· Client Privacy Notice
· Subject Access Request Policy
· Subject Access Request Form Template
· Data Protection Impact Assessment Policy
· Data Quality Policy
· Acceptable Use Policy
· National data opt-out SOP