Data protection policy

Our responsibilities

We will:

  • register with the Information Commissioner’s Office and pay the annual statutory data protection fee. Our data protection registration number is Z8397628
  • have policies and processes in place to support us to meet our data protection obligations
  • employ specialist staff with specific responsibility for providing support and guidance
  • ensure staff processing personal data understand that they are responsible for complying with data protection legislation and are appropriately trained

Data protection officer (DPO)

We will have in place a DPO.

The DPO supports us in meeting our obligations under data protection legislation. The role, which is a statutory requirement, will:

  • monitor our ongoing compliance
  • provide advice and guidance on all data protection matters
  • act as a point of contact for data subjects
  • investigate and respond to complaints concerning data protection (as defined in our complaints policy), aiming to provide a response within 15 working days
  • act as a single point of contact for the Information Commissioner’s Office (ICO), including consulting the ICO on high-risk processing activities whose risks we cannot fully reduce and manage

Data Protection roles and responsibilities

  • senior information risk owner (SIRO): owns information risk management at director level and is responsible for leading and fostering a culture that values, protects and uses information responsibly
  • Caldicott guardians: ensure compliance with both data protection legislation and the Caldicott Principles where personal data is processed for health and social care purposes
  • head of information assurance: manages the information assurance strategy and assists with the identification, management and implementation of information risk controls
  • information governance manager: fulfils the role of data protection officer and manages a team who deliver information governance support and guidance, ensuring that staff are aware of their data protection responsibilities
  • information assurance team: provides advice, guidance and training on data protection, information security and records management
  • information asset owners (IAO): oversee specific information assets and are the key decision makers for the information they are responsible for
  • managers: ensure that the requirements of this policy are integrated into service procedures and that staff comply with all policies relevant to their role
  • staff: ensure they process information in line with the requirements of this policy, undertake mandatory annual training and understand that failure to do so could result in disciplinary action

Records of processing activity

We will maintain written records of our data processing activities, including:

We will also have specific policies for processing special category data, criminal conviction data and law enforcement data.

Privacy notices

We will provide privacy notices to individuals about how personal data about them is used. They will be in plain English, and available upon request and free of charge.

Data Protection Impact Assessment (DPIA)

For high-risk activities, such as large-scale processing of special category data or monitoring public spaces, we will conduct a DPIA to assess and address privacy risks.

Staff will consult with the Information Assurance Team at an early stage to identify DPIA requirements.

The DPO shall be consulted on all DPIAs.

Security of personal data

We will implement organisational and technical controls that help reduce the risk of personal data breaches.

We will record and investigate all personal data breaches.

Where it is determined that a breach results in a risk to the rights and freedoms of individuals, we will aim to report the breach to the Information Commissioner's Office within 72 hours of becoming aware of it.

Where it is determined that a breach results in a high risk to the rights and freedoms of individuals, we shall inform those individuals without undue delay.

We will make security policies and procedures available to all staff.

Contracted services

Contracts will include measures to ensure third parties handling personal data on our behalf do so in accordance with data protection legislation.

We will only supply personal data to third parties for the agreed purposes as set out in the contract. Third parties will not be permitted to use or disclose personal data for any other reason.

We will ensure that before we share personal data with a third party as part of a contract, appropriate security controls are in place.

Sharing personal data

We will only share personal data where necessary and where the law allows it.

We will ensure that adequate security is in place to protect personal data when we share it with another organisation.

We shall ensure that information sharing arrangements are appropriately documented.

The Information Assurance Team will provide staff with guidance on:

  • sharing personal data as part of a systematic, ongoing sharing arrangement and
  • sharing personal data in ad-hoc, one-off circumstances

NHS national data opt-out

We will comply with the NHS national data opt-out, allowing individuals to opt out of their data being used for research and planning purposes.

We will only apply the requirements of the national data opt-out to:

  • personal data that identifies an individual in receipt of adult care services and
  • so far as that data relates specifically to their health, care or treatment

Individual rights

We will have processes in place to support individuals who wish to exercise their rights in respect of their personal data.

We will respond to any request to exercise individual rights within one calendar month.

Training and awareness

We will provide mandatory annual data protection training to all staff handling personal data.

Staff will maintain a good awareness of data protection.

Additional training will be provided where appropriate.

Surveillance camera systems

We will publish a surveillance camera system policy and supporting guidance for all staff. This will set out our commitment to meet our data protection and wider legal obligations when using such systems.

We will ensure that any use of surveillance camera systems is necessary and proportionate to achieve its objective. Any introduction of surveillance camera systems for a new purpose will be subject to a Data Protection Impact Assessment prior to being used.

International transfers

We will not transfer personal data outside the United Kingdom, unless required by law or with appropriate safeguards in place.

Information Commissioner's Office

We will comply fully with all requests from the ICO to investigate and/or review our data processing activities.

We will have regard to advice and guidance produced by the ICO and will endeavour to align our practices with any published codes of practice.