GDPR Background

GDPR came into force on 25 May 2018 and replaced the Data Protection Act 1998. Regardless of the impact of Brexit, GDPR will remain. GDPR provides greater protection to individuals and places greater obligations on organisations, but can be dealt with in bite-size chunks to ensure that any impact on the provision of care and services is minimised.

All staff need to ensure the ways in which they handle personal data meet the requirements of GDPR.

Nightingale Home Care (Scotland) Ltd’s Approach to GDPR

Nightingale Home Care (Scotland) Ltd is required to take a proportionate and appropriate approach to GDPR compliance. Nightingale Home Care (Scotland) Ltd understands that not all organisations will need to take the same steps – it will depend on the volume and types of personal data processed by a particular organisation, as well as the processes already in place to protect personal data. We understand that if we process significant volumes of personal data, including special categories of data, or have unusual or complicated processes in place in terms of the way we handle personal data, we will consider obtaining legal advice specific to the processing we conduct and the steps we may need to take.

GDPR does not apply to any personal data held about someone who has died. Both the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990 will continue to apply.

Process for Promoting Compliance at Nightingale Home Care (Scotland) Ltd

To ensure Nightingale Home Care (Scotland) Ltd compliance with GDPR, a suite of documents is available and should be read in conjunction with this overarching policy to provide a framework:

  • GDPR – Key Terms Guidance
  • GDPR – Key Principles Guidance
  • GDPR – Processing Personal Data Guidance
  • Appointing a Data Protection Officer Guidance
  • Data Security and Data Retention Policy and Procedure
  • Website Privacy and Cookies Policy and Procedure
  • Subject Access Requests Policy and Procedure
  • Subject Access Requests Process Map
  • Subject Access Requests – Request Letter
  • Rights of a Data Subject Guidance
  • Breach Notification Policy and Procedure
  • Breach Notification Process Map
  • Fair Processing Notice Policy and Procedure
  • Consent Form
  • GDPR – Transfer of Data Guidance
  • Privacy Impact Assessment (Privacy Notice) Policy and Procedure

Overview of Key Principles and Documents

The key principles and themes of each of the documents listed above are summarised below:

Key Terms

GDPR places obligations on all organisations that process personal data about a Data Subject. A brief description of those three key terms is included in the Definitions section of this document and is expanded upon in the Key Terms Guidance.

The requirements that Nightingale Home Care (Scotland) Ltd needs to meet vary depending on whether Nightingale Home Care (Scotland) Ltd is a Data Controller or a Data Processor. We recognise that in most scenarios, Nightingale Home Care (Scotland) Ltd will be a Data Controller. The meaning of Data Controller and Data Processor, together with the roles they play under GDPR, is explained in the Key Terms Guidance.

Special categories of data attract a greater level of protection, and the consequences for breaching GDPR in relation to special categories of data may be more severe than breaches relating to other types of personal data. This information is also covered in more detail in the Key Terms Guidance.

Key Principles

There are 6 key principles of GDPR which Nightingale Home Care (Scotland) Ltd must comply with. These 6 principles are very similar to the key principles that were set out in the Data Protection Act 1998. They are:

  • Lawful, fair and transparent use of personal data
  • Using personal data for the purpose for which it was collected
  • Ensuring that the personal data is adequate and relevant
  • Ensuring that the personal data is accurate
  • Ensuring that the personal data is only retained for as long as it is needed
  • Ensuring that the personal data is kept safe and secure

These key principles are explained in more detail in the guidance entitled ‘GDPR – Key Principles’. Nightingale Home Care (Scotland) Ltd recognises that in addition to complying with the key principles, Nightingale Home Care (Scotland) Ltd must be able to provide documentation to the Information Commissioner’s Office (ICO) on request, as evidence of compliance. We understand that we must also adopt ‘privacy by design’. This means that data protection issues should be considered at the very start of a project, or engagement with a new Client. Data protection should not be an afterthought. These ideas are also covered in more detail in the Key Principles Guidance.

Processing Personal Data

The position has been improved under GDPR in terms of the ability of care sector organisations to process special categories of data. The provision of health or social care or treatment or the management of health or social care systems and services is now expressly referred to as a reason for which an organisation is entitled to process special categories of data.

In terms of other types of personal data, Nightingale Home Care (Scotland) Ltd must only process personal data if it is able to rely on one of a number of grounds set out in GDPR. The grounds which are most commonly relied on are:

  • The Data Subject has given his or her consent to the organisation using and processing their personal data
  • The organisation is required to process the personal data to perform a contract; and
  • The processing is carried out in the legitimate interests of the organisation processing the data – note that this ground does not apply to public authorities

The other grounds which may apply are:

  • The processing is necessary to comply with a legal obligation
  • The processing is necessary to protect the vital interests of the Data Subject or another living person
  • The processing is necessary to perform a task carried out in the public interest

The grounds set out above and the impact of the changes made in respect of special categories of data are explained in more detail in the guidance entitled ‘GDPR – Processing Personal Data’.

Data Protection Officers

Nightingale Home Care (Scotland) Ltd understands that some organisations will need to appoint a formal Data Protection Officer under GDPR (a “DPO”). The DPO benefits from enhanced employment rights and must meet certain criteria, so we recognise that it is important to know whether Nightingale Home Care (Scotland) Ltd requires a DPO. This requirement is outlined in the policy and procedure on Data Protection Officers.

Whether or not Nightingale Home Care (Scotland) Ltd needs to appoint a formal Data Protection Officer, Nightingale Home Care (Scotland) Ltd will appoint a single person to have overall responsibility for the management of personal data and compliance with GDPR.

Data Security and Retention

Two of the key principles of GDPR are data retention and data security.

  • Data retention refers to the period for which Nightingale Home Care (Scotland) Ltd keeps the personal data that has been provided by a Data Subject. At a high level, Nightingale Home Care (Scotland) Ltd must only keep personal data for as long as it needs the personal data
  • Data security requires Nightingale Home Care (Scotland) Ltd to put in place appropriate measures to keep data secure

These requirements are described in more detail in the policy and procedure entitled Data Security and Data Retention.

Website Privacy and Cookies Policy and Procedure

Where Nightingale Home Care (Scotland) Ltd collects personal data via a website, we understand that we will need a GDPR-compliant website privacy policy. The privacy policy explains how and why personal data is collected, the purposes for which it is used and how long the personal data is kept. A template website policy is provided.

Subject Access Requests

One of the key rights of a Data Subject is to request access to and copies of the personal data held about them by an organisation. Where Nightingale Home Care (Scotland) Ltd receives a Subject Access Request, we understand that we will need to respond to the Subject Access Request in accordance with the requirements of GDPR. To help staff at Nightingale Home Care (Scotland) Ltd understand what a Subject Access Request is and how they should deal with a Subject Access Request, a Subject Access Request Policy and Procedure is available to staff. A Nightingale Home Care (Scotland) Ltd process map to follow when responding to a Subject Access Request, as well as a Subject Access Request letter template, are also included.

The Rights of a Data Subject

In addition to the right to place a Subject Access Request, Data Subjects benefit from several other rights, including the right to be forgotten, the right to object to certain types of processing and the right to request that their personal data be corrected by Nightingale Home Care (Scotland) Ltd. All rights of the Data Subject are covered in detail in the corresponding guidance.

Breach Notification Under GDPR

We understand that, in certain circumstances, if Nightingale Home Care (Scotland) Ltd breaches GDPR, we must notify the ICO and potentially any affected Data Subjects. There are strict timescales in place for making such notifications. A policy and procedure for breach notification that can be circulated to all staff, together with a process map for Nightingale Home Care (Scotland) Ltd to follow if a breach of GDPR takes place, is available.

We understand that this requirement is likely to have less impact on NHS organisations that are already used to reporting using the NHS reporting tool.

Fair Processing Notice and Consent Form

Organisations are required to provide Data Subjects with certain information about the ways in which their personal data is being processed. The easiest way to provide that information is in a Fair Processing Notice. A Fair Processing Notice template is available for Nightingale Home Care (Scotland) Ltd to use and adapt on a case by case basis.

The Fair Processing Notice sits alongside a consent form which can be used to ensure that Nightingale Home Care (Scotland) Ltd obtains appropriate consent, particularly from the Client, to the various ways in which Nightingale Home Care (Scotland) Ltd uses the personal data. The Consent Form contains advice and additional steps to take if the Client is a child or lacks capacity.

Transfer of Data

If Nightingale Home Care (Scotland) Ltd wishes to transfer personal data to a third party, we understand that we should put in place an agreement to set out how the third party will use the personal data. The transfer would include, for example, using a data centre in a non-EU country. If that third party is based outside the European Economic Area, we recognise that further protection will need to be put in place and other aspects considered before the transfer takes place. Guidance has been produced to explain the implications of transferring personal data in more detail.

Privacy Impact Assessments

Nightingale Home Care (Scotland) Ltd must carry out Privacy Impact Assessments each time it processes personal data in a way that presents a “high risk” for the Data Subject. Examples of when a Privacy Impact Assessment should be conducted are provided in the relevant policy and procedure. Given the volume of special categories of data that are frequently processed by organisations in the health and care sector, there are likely to be a number of scenarios which require a Privacy Impact Assessment to be completed.

The Privacy Impact Assessment template may also be used to record any data protection incidents, such as breaches or ‘near misses’.

Compliance with GDPR

Nightingale Home Care (Scotland) Ltd understands that there are two primary reasons to ensure that compliance with GDPR is achieved:

  • It promotes high standards of practice and Care, and provides significant benefits for staff and, in particular, Clients
  • Compliance with GDPR is overseen in the UK by the ICO. Under GDPR, the ICO has the ability to issue a fine of up to 20 million Euros (approximately £17,000,000) or 4% of the worldwide turnover of an organisation, whichever is higher. The potential consequences are therefore significant.

Nightingale Home Care (Scotland) Ltd appreciates that it is important to remember, however, that the intention of the ICO is to educate and advise, not to punish. The ICO wants organisations to achieve compliance. A one-off, minor breach may not attract the attention of the ICO but if Nightingale Home Care (Scotland) Ltd persistently breaches GDPR or commits significant one-off breaches (such as the loss of a large volume of personal data, or the loss of special categories of data), it may be subject to ICO enforcement action. In addition to imposing fines, the ICO also has the power to conduct audits of Nightingale Home Care (Scotland) Ltd and our data protection policies and processes. Nightingale Home Care (Scotland) Ltd realises that the ICO may also require Nightingale Home Care (Scotland) Ltd to stop providing services, or to notify Data Subjects of the breach, delete certain personal data we hold or prohibit certain types of processing.

Cookie Policy

Cookies are small text files which a website may put on your computer or mobile device when you first visit the website. The cookies will help the website recognise your device the next time you visit. Web beacons or other similar files can also do the same thing. We use the term “cookies” in this policy to refer to all files that collect information in this way.

We use cookies to distinguish you from other users of the website. This helps us to provide you with a good experience when you use the website and also allows us to improve the services we provide to you. On revisiting the website, we will be able to obtain information about your previous visits and about your computer including, where available, your IP address, operating system, and browser type, for system administration and analytics.

This is statistical data about your browsing actions and patterns and does not identify you. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Disabling them may mean you are not able to access parts of our website.
  • Analytical or performance cookies. We use these cookies to collect information about how visitors use the website, for instance which pages visitors go to most. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. Some of these cookies are known as analytic cookies which allow us to monitor website traffic using industry accepted third parties.
  • Functionality cookies. These cookies are used to recognise you when you return to our website and to remember changes you have made to things such as text size, fonts and other parts of the website you can change so we can personalise our content for you.

For more details on the specific cookies we use, why we use them and when they will expire, please see Part 1 of Appendix 1 of this Cookie Policy.

Please note that third parties (such as advertising networks and providers of external services) may also use cookies on the website, over which we have no control. These cookies are likely to be analytical cookies, performance cookies or targeting cookies.

Part 2 of Appendix 1 of this Cookie Policy provides a list of the third parties who may use these cookies and the reasons for which they use them.

Most browsers accept cookies automatically, but you can change your cookie preferences by adjusting your browser settings to refuse the setting of all or some cookies if you prefer. You can usually do this by visiting the “options” or “preferences” menu on your browser. Please note, however, that if you do this and choose to block all cookies (including essential cookies) we cannot guarantee that your experience will be as fulfilling as it would otherwise be, and you may not be able to access all or parts of our website.

Where we collect personal data as part of our use of cookies on the website, we will do so in accordance with our Privacy Policy.

Appendix 1

Part 1 – Cookies Used

Title | Purpose | More Information | Expiry
Cookie Consent | Stores the user’s cookie consent state for the current domain | | Year

Part 2 – Third-party cookies

Title | Purpose | More Information | Expiry
_ga | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. | | Year
_gta | Used by Google Analytics to throttle request rate. | | Day
_gid | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. | | Day
_ga_# | Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit. | | Years