GDPR03 - Data Security and Data Retention Policy and Procedure
1.1 The purpose of this policy is to ensure that Lone Care Services and all its staff understand the principles set out in GDPR in relation to data retention and data security.
1.2 By reviewing this policy, Lone Care Services will be able to consider appropriate retention periods for the personal data it processes.
1.3 This policy will enable Lone Care Services and all staff working at Lone Care Services to review the policies and procedures they have in place to ensure that personal data they process is kept secure and properly protected from unlawful or unauthorised processing and accidental loss, destruction or damage.
1.4 To support Lone Care Services in meeting the following Key Lines of Enquiry:
Key Question: WELL-LED
Key Line of Enquiry (KLOE): W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed?
1.5 To meet the legal requirements of the regulated activities that Lone Care Services is registered to provide:
• General Data Protection Regulation 2016
• Data Protection Act 2018
2.1 The following roles may be affected by this policy:
• All staff
2.2 The following people may be affected by this policy:
• Service Users
2.3 The following stakeholders may be affected by this policy:
• External health professionals
• Local Authority
3.1 The objective of this policy is to enable Lone Care Services to ensure its data retention and data security policies are GDPR compliant.
3.2 This policy will assist with defining accountability and establishing ways of working in terms of the use, storage, retention and security of personal data.
4.1 Data Retention
As a general principle, Lone Care Services will not keep (or otherwise process) any personal data for longer than is necessary. If Lone Care Services no longer requires the personal data once it has finished using it for the purposes for which it was obtained, it will delete the personal data.
4.2 Lone Care Services may have legitimate business reasons to retain the personal data for a longer period. This may include, for example, retaining personnel records in case a claim arises relating to personal injury caused by Lone Care Services that does not become apparent until a future date. Lone Care Services should consider the likelihood of this arising when it determines its retention periods - the extent to which medical treatment is provided by Lone Care Services will, for example, affect the likelihood of Lone Care Services needing to rely on records at a later date.
4.3 Lone Care Services may be required to retain personal data for a specified period of time to comply with legal or statutory requirements. These may include, for example, requirements imposed by HMRC in respect of financial documents, or guidance issued by the Home Office in respect of the retention of right to work documentation (see "Underpinning Knowledge" section).
4.4 Lone Care Services understands that claims may be made under a contract for 6 years from the date of termination of the contract, and that claims may be made under a deed for a period of 12 years from the date of termination of the deed. Lone Care Services may therefore consider keeping contracts and deeds and documents and correspondence relevant to those contracts and deeds for the duration of the contract or deed plus 6 and 12 years respectively.
4.5 Lone Care Services will consider how long it needs to retain HR records. Lone Care Services may choose to separate its HR records into different categories of personal data (for example, health and medical information, holiday and absence records, next of kin information, emergency contact details, financial information) and specify different retention periods for each category of personal data. Lone Care Services recognises that determining separate retention periods for each element of personal data may be more likely to comply with GDPR.
Lone Care Services may decide, however, that separating its HR records into different elements is not practical, and that it can determine a sensible period of time for which to keep the HR records in their entirety. The period of time that is appropriate may depend on the likelihood of a claim arising in respect of that employee in the future. If, for example, Lone Care Services is concerned that an employee may suffer personal injury as a result of their employment with Lone Care Services, Lone Care Services may choose to retain its HR records for a significant period of time. If any such claim is unlikely, Lone Care Services may choose to retain its files for 6 or 12 years (depending on whether the arrangement entered into between Lone Care Services and the employee is a contract or a deed).
4.6 Lone Care Services will consider for how long it is required to keep records relating to Service Users. In doing so, Lone Care Services will consider the data retention guidelines provided by the NHS, if applicable. Those guidelines can be accessed by using the link in the "Underpinning Knowledge" section.
If the NHS guidelines don't apply to Lone Care Services, Lone Care Services will determine an appropriate retention policy for Service User personal data. Lone Care Services may choose to retain personal data for at least 6 years from the end of the provision of services to the Service User, in case a claim arises in respect of the services provided.
4.7 Irrespective of the retention periods chosen by Lone Care Services, Lone Care Services will ensure that all personal data is kept properly secure and protected for the period in which it is held by Lone Care Services. This applies in particular to special categories of data.
4.8 Lone Care Services will record all decisions taken in respect of the retention of personal data. Lone Care Services recognises that if the ICO investigates Lone Care Services' policies and procedures, a written record of the logic and reasoning behind the retention periods adopted by Lone Care Services will assist Lone Care Services' position.
4.9 Lone Care Services will implement processes for effectively destroying and/or deleting personal data at the end of the relevant retention period. Lone Care Services will consider whether personal data stored on computers, including in emails, is automatically backed up, and how to achieve deletion of those backups or ensure that the archived personal data is automatically deleted after a set period of time. Lone Care Services will consider circulating guidance internally to encourage staff to delete their emails regularly.
Lone Care Services will introduce policies relating to the destruction of hard copies of documents, including by placing the documents in confidential waste bins or shredding them.
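The following is an added worked example, not part of the policy itself, showing how the retention decisions in 4.4, 4.6, 4.8 and 4.9 can be held in one place and applied mechanically: each record carries its trigger date (contract or deed termination, or end of service provision) and a documented reason, the schedule computes the date by which the primary copy must be deleted, and, because 4.9 notes that deleted data can survive in automatic backups, it also computes the date by which backup copies should have expired. The category names, the 90-day backup window and the sample records are assumptions constructed for illustration; the retention periods are the ones the policy text states.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods stated in the policy: 6 years after a contract ends and
# 12 years after a deed ends (4.4); at least 6 years from the end of service
# provision for Service User records where NHS guidance does not apply (4.6).
RETENTION_YEARS = {
    "contract": 6,
    "deed": 12,
    "service_user_record": 6,
}

# Assumption for illustration: automatic backups are kept for 90 days, so a
# deleted record can persist in backup for that long after primary deletion.
BACKUP_RETENTION_DAYS = 90


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date   # contract/deed termination or end of service provision
    reason: str          # documented justification for the period (4.8)


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start date rolls back to 28 February
    when the target year is not a leap year, instead of raising."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record) -> date:
    """Date on which the primary copy is due for deletion. A category with no
    decided period is an error, not a silent 'keep forever'."""
    try:
        years = RETENTION_YEARS[record.category]
    except KeyError:
        raise ValueError(f"no retention period decided for {record.category!r}") from None
    return add_years(record.trigger_date, years)


def backup_purge_date(record: Record) -> date:
    """Date after which no backup copy of the record should remain (4.9)."""
    return retention_end(record) + timedelta(days=BACKUP_RETENTION_DAYS)


def due_for_deletion(records, today: date) -> list:
    """IDs of records whose primary copy is at or past its retention end."""
    return [r.record_id for r in records if retention_end(r) <= today]


def retention_register(records) -> list:
    """The written record of each retention decision that 4.8 says will be
    kept, including the reasoning and both deletion dates."""
    return [
        {
            "record_id": r.record_id,
            "category": r.category,
            "retention_years": RETENTION_YEARS[r.category],
            "delete_primary_by": retention_end(r).isoformat(),
            "purge_backups_by": backup_purge_date(r).isoformat(),
            "reason": r.reason,
        }
        for r in records
    ]


# Constructed sample records for illustration only; not real data.
SAMPLE_RECORDS = [
    Record("C-001", "contract", date(2017, 3, 1), "limitation period for claims under a contract"),
    Record("D-002", "deed", date(2012, 2, 29), "limitation period for claims under a deed"),
    Record("SU-003", "service_user_record", date(2016, 2, 29), "possible claim in respect of services provided"),
]

if __name__ == "__main__":
    for entry in retention_register(SAMPLE_RECORDS):
        print(entry)
    print("due for deletion today:", due_for_deletion(SAMPLE_RECORDS, date.today()))
```

The register is what an ICO inquiry would be shown, so it records the reason alongside the dates; the separate backup purge date is the check most often missed, since a record deleted from the live system on its retention date still exists in every backup taken before that date.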
4.10 Data Security
Lone Care Services will take steps to ensure the personal data it processes is secure, including by protecting the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
4.11 Lone Care Services understands that the health and care organisations detailed below are required to comply with the Data Security and Protection Toolkit. A link to an explanatory guidance note is included in the "Underpinning Knowledge" section. Compliance with the Data Security and Protection Toolkit facilitates compliance with GDPR.
Lone Care Services understands that the following types of organisation must comply with the Data Security and Protection Toolkit:
• Organisations contracted to provide services under the NHS Standard Contract
• Clinical Commissioning Groups
• General Practices that are contracted to provide primary care essential services
• Local authorities and social care providers must take a proportionate response to the new toolkit:
◦ Local authorities should comply with the toolkit where they provide adult social care or public health and other services that receive services and data from NHS Digital, or are involved in data sharing across health and care where they process confidential personal data of Service Users who access health and adult social care services
◦ Social care providers who provide care through the NHS Standard Contract should comply with the toolkit. It is also recommended that social care providers who do not provide care through the NHS Standard Contract consider compliance with the toolkit as this will help to demonstrate compliance with the ten security standards and GDPR
4.12 Lone Care Services will implement and embed the use of policies and procedures to ensure personal data is kept secure. The suggestions below apply in addition to the steps Lone Care Services is required to take pursuant to the Data Security and Protection Toolkit, if the toolkit applies to Lone Care Services.
For paper documents, these will include, where possible:
• Keeping the personal data in a locked filing cabinet or locked drawer when it is not in use
• Adopting a "clear desk" policy to ensure that personal data is not visible or easily retrieved
• Ensuring that documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
• Redacting personal data from documents where possible
• Ensuring documents containing personal data are placed in confidential waste bins or shredded at the end of the relevant retention period
For electronic documents, the measures taken by Lone Care Services will include, where possible:
• Password protection and, wherever possible, encryption (a login or document password on its own does not protect data held on a lost or stolen device; encryption of the device or of the file does)
• Ensuring documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
• Ensuring the ongoing confidentiality, integrity, availability and resilience of the systems used to process personal data (this may require a review of the IT systems and software currently used by Lone Care Services)
• The ability to restore the availability of, and access to, personal data quickly in the event of a technical incident (this may require a review of the IT systems and software currently used by Lone Care Services)
• Taking care when transferring documents to a third party, ensuring that the transfer is secure and the documents are sent to the correct recipients
Lone Care Services will ensure that all business phones, computers, laptops and tablets are password protected and, where the device supports it, encrypted.
Lone Care Services will encourage staff to avoid storing personal data on portable media such as USB devices. If the use of portable media cannot be avoided, Lone Care Services will ensure that the devices it uses are encrypted or password protected, and that each document on the device is itself encrypted or password protected.
4.13 Lone Care Services will implement guidance relating to the use of business phones and messaging apps. Lone Care Services understands that all personal data sent via business phones, computers, laptops and tablets may be captured by GDPR, depending on the content and context of the message. As a general rule, Lone Care Services will ensure that staff members only send personal data by text or another messaging service if they are comfortable that the content of the messages may be captured by GDPR and may have to be provided pursuant to a Subject Access Request (staff should refer to the Lone Care Services Subject Access Policy and Procedure for further details).
4.14 Lone Care Services will ensure that all staff are aware of the importance of keeping personal data secure and not disclosing it on purpose or accidentally to anybody who should not have access to the information. Lone Care Services will provide training to staff if necessary. Lone Care Services will consider in particular, the likelihood that personal data, including special categories of data, will be removed from Lone Care Services premises and taken to, for example, Service Users' homes and residences. Lone Care Services will ensure that all staff understand the importance of maintaining the confidentiality of personal data away from Lone Care Services premises and take care to ensure that the personal data is not left anywhere it could be viewed by a person who should not have access to that personal data.
4.15 Lone Care Services will adopt policies and procedures in respect of recognising, resolving and reporting security incidents including breaches of GDPR. Lone Care Services understands that it may need to report breaches to the ICO and to affected Data Subjects, as well as to CareCERT if Lone Care Services is required to comply with the Data Security and Protection Toolkit.
4.16 Lone Care Services will adopt processes to regularly test, assess and evaluate the security measures it has in place for all types of personal data.
4.17 Privacy By Design
Lone Care Services will take into account the GDPR requirements around privacy by design, particularly in terms of data security.
4.18 Lone Care Services understands that privacy by design is an approach set out in GDPR that promotes compliance with privacy and data protection from the beginning of a project. Lone Care Services will ensure that data protection and GDPR compliance is always at the forefront of the services it provides, and that it won't be treated as an afterthought.
4.19 Lone Care Services will comply with privacy by design requirements by, for example:
• Identifying potential data protection and security issues at an early stage in any project or process, and addressing those issues early on; and
• Increasing awareness of privacy and data protection across Lone Care Services, including in terms of updated policies and procedures adopted by Lone Care Services
4.20 Lone Care Services will conduct Privacy Impact Assessments to identify and reduce the privacy and security risks of any project or processing carried out by Lone Care Services. A template Privacy Impact Assessment is available within the Lone Care Services Initial Privacy Impact Assessment Policy and Procedure.
5.1 Lone Care Services will consider data retention and data security issues and concerns at the beginning of any project (whether the project is the introduction of a new IT system, a new way of working, the processing of a new type of personal data or anything else that may affect Lone Care Services processing activities). Lone Care Services appreciates that this is key for complying with the privacy by design requirements in GDPR.
5.2 Lone Care Services will review the periods for which it retains all the personal data that it processes.
5.3 Lone Care Services will, if necessary, adopt new policies and procedures in respect of data retention and will circulate those policies and procedures to all staff. Lone Care Services will consider providing training to staff in respect of data retention.
5.4 Lone Care Services will review the security measures currently in place in respect of all the personal data it processes.
5.5 Lone Care Services will document the decisions it takes, and the logic and reasoning behind those decisions, in respect of both data retention and data security. Lone Care Services will keep a record of all policies and procedures it implements to demonstrate its compliance with GDPR.
6.1 CareCERT
• The Care Computer Emergency Response Team, developed by NHS Digital. CareCERT offers advice and guidance to support health and social care organisations to respond to cyber security threats
6.2 Data Subject
• The individual about whom Lone Care Services has collected personal data
6.3 Data Protection Act 2018
• The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU's Law Enforcement Directive
6.4 General Data Protection Regulation
• The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and, after a two-year transition period, became enforceable on 25 May 2018
6.5 Personal Data
• Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below
6.6 Process or Processing
• Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data - at the point you collect it, you are processing it
6.7 Special Categories of Data
• Has an equivalent meaning to "Sensitive Personal Data" under the Data Protection Act 1998. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person's religious beliefs, ethnic origin and race, sexual orientation and political views
Key Facts - Professionals
Professionals providing this service should be aware of the following:
• Personal data will not be kept longer than necessary
• Personal data will be deleted when no longer needed
• Personal data may be held for longer than needed for the purposes of processing if there are justified reasons such as to meet regulations, insurance or other statutory requirements
• Retention periods are the decision of Lone Care Services, but guidance
• All personal data will be kept securely
• All retention periods need to be documented and justified
• Lone Care Services has effective and robust processes for destroying data
• Lone Care Services will comply with the Data Security and Protection Toolkit when necessary
• Electronic devices will be password protected to aid security
• Documents containing personal data are only shared with people who need to know the content
• Anybody who processes personal data on behalf of Lone Care Services should be made aware of and should comply with Lone Care Services policies in respect of data retention and data security
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
• Lone Care Services will implement and embed the use of policies and procedures to ensure that all personal data processed about people affected by the services provided by Lone Care Services, including Service Users, is retained and is kept secure and protected in accordance with GDPR
There is no further reading for this policy, but we recommend the 'Underpinning Knowledge' section of the review sheet to increase your knowledge and understanding.
To be 'Outstanding' in this policy area you could provide evidence that:
• You have considered the personal data you process and adopted and documented appropriate retention periods for each type of personal data
• You have reviewed the security measures in place in respect of the personal data Lone Care Services processes
• You have reviewed and considered the documents and guidance referenced in the "Underpinning Knowledge" and "Further Reading" sections
• The wide understanding of the policy is enabled by proactive use of the QCS App