Saintly Care Limited
Lawful Bases.
Under the General Data Protection Regulation (GDPR), the lawful bases Saintly Care Limited rely on for processing this information are.
- Consent: the individual has given clear consent for us to process their personal data for a specified purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked us to take specific steps before entering into a contract.
- Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations) and CQC regulations.
- Vital Interests: the processing is necessary to protect someone’s life.
- Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
There are several changes here in particular the Right of Access in relation to timescales and fees. These must be fully understood in relation to anyone submitting a Subject Access request.
The GDPR provides the following rights for individuals:
- Right to be informed:
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. Saintly Care will provide privacy information to you at the time we collect your personal data from you. - Right of access:
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. - Right to rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. - Right to erasure
This introduces the right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. - Right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data. - Right to data portability
The right allows individuals to obtain and reuse their personal data for their own purposes across different services. - Right to object
This gives individuals the right to object to the processing of their personal data in certain circumstances. - Rights related to automated decision making including profiling
The UK GDPR has provisions on automated individual decision-making and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The Information Commissioner’s Office provides further information.
Working with partnership with NHS Digital, Saintly Care can demonstrate it is practicing good data security and be assured that personal information is handled correctly. See the certification above to demonstrate this.
01
File Retention
The GDPR sets out guidance on files and retention including archiving, specifically Health and Social Care personal data is generally exempt. As a provider of services, file and retention guidelines are in place from our Regulator, CQC as well as Local Authorities via the Service Specification within any contractual arrangements.
02
Compliance
A thorough knowledge of the Guidance is a priority for our Data Controller. It is also important that the Act is placed in the context of other compliance requirements namely The Health and Social Care Act 2008 (Regulated Activities) (Regulations 2014) and all other lawful requirements such as Regulation 18 Staffing.
03
Privacy and Electronic Communications
This deals with electronic marketing messages such as phone or email, including the use of cookies. It introduces specific roles on the above keeping such communication services secure and user’s privacy in regard to location data and line identification.
Data Protection Principles
The Act sets out 6 Principles, which must be adhered to when processing data Please refer to the Related Guidance links for further information. The GDPR sets out the following principles for which Saintly Care Limited is responsible and must meet. These require that personal data shall be:
Lawfulness, fairness and transparency
Processed lawfully, fairly and in a transparent manner in relation to individuals
Purpose limitation
Personal data is only collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
Data minimisation
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This limits the collection and processing of personal information to what is directly relevant and necessary to accomplish a specified purpose. Stored personal data is limited to a strict minimum
Accuracy
Accurate and where necessary, kept up to date, every reasonable step must be taken that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer purposes in so far as the personal data will be processed solely for archiving purposes in the public interest, to safeguard the rights and freedoms of individuals
Integrity and confidentiality
Processed in a manner that ensures appropriate security of the personal data. Including protection against unauthorised or unlawful processing and against accidental loss. Destruction or damage, using appropriate technical or organisational measures
Training Statement
All staff are made aware of the changes to the Data protection Legislation during Onboarding & Induction. All relevant identified posts must have specific training on the requirements that are now place on organisations. Our Data Controller is responsible for the cascading of any training.
This policy will be reviewed tri-annually and updated when required.
Policy Statement
The Data Protection Act 2018 controls how your personal information is used by organisations and businesses. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).ss user, you should go to your dashboard to delete this page and create new pages for your content. Have fun!