GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

Kardinal Healthcare Ltd

Purpose of this Document
This policy applies to Kardinal Healthcare Ltd and all employees, suppliers, and directors. It concerns records held and processed by Kardinal Healthcare Ltd in any format. The policy covers all aspects of information within the organisation, including (but not limited to):
• Staff, client and user information
• Personal information
• Organisational information
This document is held in accordance with the requirements of the Data Protection Act 1998 and of the Accessible Information Standard (SCCI1605), issued under section 250 of the Health and Social Care Act 2012.

Roles and Responsibilities
The Managing Director has ultimate responsibility for the Data Protection, Confidentiality and Disclosure policy within Kardinal Healthcare Ltd. Implementation of, and compliance with, this policy is delegated to the Registered Manager.

Seniors and Supervisors are responsible for ensuring this policy is complied with and for contributing to policy review and updates of best practice guidance. They are also responsible for ensuring sufficient resources are available to enable all staff to be appropriately trained and aware of their responsibilities for good information governance and for protecting the rights of the people who use our services.

Registered Managers are responsible for the effective implementation of this policy within their registered location and for ensuring that all staff engaged with people in receipt of support with medication management are aware of this policy and guidance. Registered Managers will identify training needs, ensure staff are appropriately trained and keep a record of all training, which will be incorporated into staff performance reviews using the process of assessing competency. Registered Managers will ensure that any breaches of confidentiality are reported, reviewed and investigated.
Care and support staff (including office staff of all departments) are responsible for ensuring and maintaining confidentiality and the correct handling of all information they have access to in the organisation.

Our Legal Obligations
The Data Protection Act 1998 lays down the rules for the handling of personal data. For all such data, it is essential to abide by the eight principles which govern how the data is looked after and used. Personal information must:
1. Be fairly and lawfully processed
2. Be processed for limited purposes
3. Be adequate, relevant and not excessive
4. Be up to date and accurate
5. Not be kept for longer than necessary
6. Be processed in line with the data subjects’ rights
7. Be secure
8. Not be transferred to other countries without adequate protection
The Data Protection Act regulates when and how a person’s personal data may be obtained, held, used, disclosed and generally processed. The Act also dictates that information must only be disclosed on a need-to-know basis.
The DPA requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO). Kardinal Healthcare Ltd is responsible for its own records under the terms of the Data Protection Act and is registered with the Information Commissioner’s Office Data Protection Register.

The Health and Social Care Act 2012 is used by the Care Quality Commission (CQC) to regulate health and social care providers; the CQC can use the Act to enforce other pieces of relevant legislation such as the Data Protection Act.

Consent
To be able to lawfully process the personal information of an individual, Kardinal Healthcare Ltd must first obtain their consent; this applies both to people who use services and to staff. For staff this is straightforward: recruiting managers inform them on appointment, as the relevant information is contained within their contract of employment, which they must sign. For people who use services, it is very important that reasonable efforts are made to ensure that they understand how their information is to be used to support their care and support, and how their information might be shared with others involved in their care, and to confirm that they have no objections. In some circumstances a person requiring care and support may lack the capacity to extend this trust, but this does not diminish the duty of confidence that their information will not be used or disclosed for purposes other than those for which it was provided.
To promote a service which is open and transparent, Kardinal Healthcare Ltd has developed an information leaflet which provides people with specific information about how their information will be collected, stored, used and shared for the provision of continued care and support. In accordance with principle six of the DPA, people have the right to object to the processing of their personal and/or sensitive data that is likely to cause or is causing damage or distress.
Where Kardinal Healthcare Ltd receives written instruction from an individual that they wish to object to the processing of their personal data, this objection will be considered by the Registered Manager. Their decision will be fully documented and retained for future reference. Kardinal Healthcare Ltd will endeavour to comply with the request from the individual; however, this may not always be possible.

Relatives or carers
Some people may wish to restrict the amount of information about their care and support that is given to their relatives; they should be encouraged to be very explicit if there is anyone to whom they do not want information given. In the event of the person being unable to give permission, an advocate must be identified to act on behalf of the person and the permission obtained from him/her. It should however be noted that relatives, carers and even those documented as next of kin do not necessarily have the right to access the personal records of a person.

Disclosure under the Data Protection Act and Confidentiality
In certain circumstances, personal information may be disclosed; however, it is vital that staff assess the need to disclose the information and document what information has been released, to whom and for what reason.

Disclosing information against the person’s wishes without consent
Responsibility for deciding whether information should be withheld or disclosed without a person’s consent lies with the Manager involved at the time or the Senior Manager of the department or service, and cannot be delegated. Circumstances where the person’s right to confidentiality may be overridden are rare; examples of these situations are:
• Where the individual lacks capacity and has a power of attorney in place for health and welfare
• Following an incident where Duty of Candour applies, and it is deemed appropriate for the relatives and others involved in an individual’s life to be notified (NB: where the person to whom the incident relates has capacity to understand the circumstances, our Duty of Candour is toward them directly)
• Where the information is in the form of a summary or collection of anonymised information so framed that it is not possible to ascertain from it information relating to any person
• When there is serious risk of harm to the individual, as in a threatened suicide
• Where the person is in such poor health that he/she is unable to consent but requires emergency lifesaving treatment
• To protect others. For example, information about possible abuse should be disclosed to the appropriate agency
• To prevent a serious criminal act, especially where others may be endangered. Though there is no general obligation to pass on knowledge of a crime, it is a criminal offence to:
  • Deliberately mislead the police
  • Receive an award of any kind in return for not notifying the police about a criminal act
  • Fail to notify the police about an act that could be construed as an act of terrorism
  • Fail to notify the police about an act that could be construed as drug trafficking
  • Knowingly take monies from a benefits agency fraudulently

Working and sharing information
Data sharing must be carried out under a written agreement setting out the scope and limits of the sharing. People using the service sign their consent to agree to any contract with Kardinal Healthcare Ltd, agreeing that information can be shared with relevant personnel for the purpose of safeguarding their well-being. Staff sign their contract terms and conditions of employment, which reference the sharing of their information where required. Any disclosure of personal data will be in line with all legislative requirements.
Every member of staff is personally responsible to take precautions to ensure and maintain the security of confidential personal information both whilst it is in their possession, and when it is being transferred from one person or organisation to another.
The following is a list of recommended procedures to ensure the safe transfer of information:
• Envelopes must be securely sealed, clearly addressed to a known contact and marked ‘confidential’ and ‘addressee only’. A return postal address should also be marked on the envelope
• Telephone validation or ‘call back’ procedures must be followed before disclosing information to someone you do not know to confirm their identity and authorisation
• E-mailing confidential information is only permitted via secure networks, or if it is appropriately encrypted. When anonymised information is shared, care must be taken to ensure that the method used is effective and that individuals cannot be identified from the limited data set, e.g. the use of unique IDs in CQC Notifications
The Accessible Information Standard under the Health and Social Care Act 2012 requires providers of health and social care to provide information which can be read or received and understood by the individual or group for which it is intended. Where people who use services have specific communication requirements, the need for information to be produced in different formats will be assessed and information provided accordingly. This standard is implemented throughout other policy documents and procedural guidance available to Kardinal Healthcare Ltd staff, e.g. person-centred care planning guidance, which requires an assessor to understand and assess a person’s communication needs, and mental capacity guidance, which instructs assessors to identify a person’s needs and ability to communicate any decisions about their care or the processes involved.

Information Governance
The Information Governance assessment (toolkit) enables Kardinal Healthcare Ltd to measure its compliance with information handling requirements by assessing itself against the following initiatives:
• Clinical Information Assurance
• Secondary Uses Assurance
• Corporate Information Assurance
• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance

Document and Data Control
The Directors and Registered Manager will:
• Approve the content of all Policies and Procedure prior to their issue
• Maintain a register of all controlled documents. This will include all documents that bear on the quality of the service, each of which will be marked with an appropriate control (issue) number
• Ensure that all amendments are approved
• Ensure all procedures are reviewed on a regular and planned basis
• Ensure that all amended documents approved and issued by the PRG are immediately incorporated into the system; any printed versions will require updating as directed
• Approve all proposed amendments to the control documents prior to their incorporation and use
• Ensure all out of issue documents are withdrawn and archived

Data Retention
In accordance with principle five of the DPA, all data held should be kept for the time periods

Consequences of a Breach of Policy
A deliberate breach of this policy will be considered a serious disciplinary matter and will be dealt with accordingly. Examples of offences which may be considered as gross misconduct (the list is not exhaustive) which may result in immediate dismissal are:
• Unlawful disclosure of Personal Data and Sensitive Personal Data
• Inappropriate use of Personal Data and Sensitive Personal Data
• Accessing client or staff personal data in the absence of a legitimate professional relationship (including accessing your own records)
• Misuse of the Personal Data and Sensitive Personal Data which results in any claim being made against Kardinal Healthcare Ltd

Training
It is required through the Health and Social Care Information Centre (HSCIC) and Care Quality Commission (CQC) IG Toolkit that all staff complete Information Governance Training annually. Data Protection and confidentiality training will be available to all staff as workbook-based training.
The training will ensure general awareness of the GDPR Principles.
Ongoing supervision and training are provided to all staff as part of a core training and development programme. The office manager ensures training courses are attended by appropriate staff within agreed timescales.

We are registered with the Commission for Social Care and Inspection and are also members of the United Kingdom Home Care Association and The Care Training Consortium.