Lawful basis for processing personal and special category data guidance


Document author: Data Protection Officer
Assured by: Information Governance Steering Group

This document is version controlled. The master copy is on Ourspace. Once printed, this document could become out of date. Check Ourspace for the latest version.

This procedure forms part of the P006 Data Protection policy.

Version History

Version   Date         Revision description   Editor                    Status
1.0       23/05/2019   New guidance           Data Protection Officer   Approved

Review date: 23/05/2019 Version No: 0.01 Page 1 of 6

Contents

1. Introduction
2. Responsibilities
2.1 All staff
3. What is personal data?
4. Lawful basis
5. The six lawful bases for processing personal data
6. What is special category data?
7. The ten additional conditions for processing special category data
8. Criminal convictions and offence data
9. Further support

1. Introduction

Under the General Data Protection Regulation (GDPR), the Trust must have a valid lawful basis in order to process personal and special category data.

2. Responsibilities

2.1 All staff

This procedure applies to all Trust employees and those working on behalf of the Trust in any capacity who have access to personal and sensitive data about service users, carers, staff or anyone else.

3. What is personal data?

Personal data is defined as any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

- a name
- an identification number
- location data
- an online identifier

or to one or more factors specific to the:

- physical
- physiological
- genetic
- mental
- economic
- cultural
- social

identity of that natural person.

4. Lawful basis

There are six available lawful bases for processing personal data, also known as general processing. No single basis is better or more important than the others; which basis is most appropriate to use will depend on the purpose and relationship with the data subject.

Most lawful bases require that processing is necessary. If we can reasonably achieve the same purpose without the processing, we won't have a lawful basis.

We must determine the lawful basis before we begin processing and it must be documented with the purpose for processing (see fair processing notices - link). We must ensure that we get the lawful basis right first time, as it should not be swapped to a different lawful basis at a later date without good reason.

5. The six lawful bases for processing personal data

At least one of the following lawful bases for processing personal data must apply; no basis, no processing:

(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract with the individual, or because they have asked for specific steps to be taken before entering into a contract.
(c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

For the processing of personal data of a service user, carer and employee to provide health and social care, employment and occupational services the Trust applies point:

(c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).

This means that the consent of the service users, carers or staff members is NOT required for the provision of health or social care or employment; however, the right to be informed is mandatory.

6. What is special category data?

Special category data is defined as data revealing:

- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership

and the processing of:

- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation

7. The ten additional conditions for processing special category data

The Trust has to identify both a lawful basis for general processing (as above) and an additional condition for processing special category data:

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

For the processing of special category data of a service user, carer and employee to provide health and social care, employment and occupational services the Trust applies points:

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
g) processing is necessary for reasons of substantial public interest
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

8. Criminal convictions and offence data

We must identify both a general lawful basis for processing and an additional condition for processing this type of data.

The general lawful basis is:

(c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).

And the additional conditions are:

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
g) processing is necessary for reasons of substantial public interest
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and

9. Further support

Please contact the Information Governance Team or Data Protection Officer by logging a call in MySupport or by emailing awp.infogov@nhs.net.