Data Protection Policy & Procedure

Last Updated 5th November 2021

Introduction

Careful Systems LImited (CAREFUL) is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations. 

This document sets out how we seek to protect personal data and ensure that CAREFUL contractors and staff understand the rules governing their use of the personal data to which they have access in the course of their work.

Policy

Responsibilities

  1. The Careful Systems Limited Board is overall responsible for ensuring the organisation’s compliance with Data Protection legislation. The task of reviewing ongoing compliance and assurance is delegated to the Risk, Safety and Compliance Meeting
  2. The CEO is overall responsible for ensuring the policy and procedures meets the legal and professional standards required
  3. The Data Protection Officer (DPO) assists with the monitoring of internal compliance, informs, and advises on data protection obligations, provides advice regarding Privacy Impact Assessments (PIAs) and acts as a contact point for data subjects and the supervisory authority. The DPO tasks are as follows:
    1. to inform and advise contractors and employees about their obligations to comply with the GDPR and other data protection laws
    2. to monitor compliance with the GDPR and other data protection laws including managing internal data protection activities; raising awareness of data protection issues, training staff and contractors and conducting required audits
    3. to advise on, and to monitor, data protection impact assessments
    4. to cooperate with the supervisory authority
    5. to be the first point of contact for supervisory authorities & to be the point of contact  for individuals whose data is processed (employees, customers etc).
  4. CAREFUL managers are responsible for ensuring this policy and procedure is implemented and followed by staff and contractors.
  5. CAREFUL staff and contractors are responsible for following this policy and procedures 
  6. The Risk, Safety and Compliance Committee is responsible for reviewing and approving all Policy and Procedure documents

Audience

This document is for the CAREFUL staff and contractors.

Scope

This strategy applies to the CAREFUL organisation and to all activities relating to data 

Definitions

Term Definition 
Data ControllerA controller determines the purposes and means of processing personal data.  This is usually the client (healthcare provider).
GDPRThe General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based.
Data processorA processor is responsible for processing personal data on behalf of a controller. At CAREFUL any staff or contractor who processes staff, consultant or patient data is a data processor.  
Personal dataAny information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier
Consentfreely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data
Data ErasureAlso known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data
Data PortabilityThe requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller
Data Protection OfficerAn expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR
Encrypted DataPersonal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access
Personal Data BreachA breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data
Data Protection (Privacy) Impact AssessmentA tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data
PseudonymisationThe processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution
Subject Access RightAlso known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
Supervisory AuthorityA public authority which is established by a member state in accordance with article 46

Lawful basis and Privacy notice

There are six lawful bases for processing data. The Organisation will process different data using four different lawful basis:

  1. The individual has given clear consent for the organisation to process their personal data for a specific purpose – see section 5. Example: for agreement to receive ongoing marketing; for specific access to the patient’s own clinical record
  2. It is necessary for the performance of a contract or to take steps to enter into a contract with the data subject. Example; contracts with clients to provide a service using data supplied by them as data controller
  3. It is necessary for compliance with a legal obligation. Example – Information from accident reports require processing for health and safety records (Health and Safety Law).
  4. It is necessary for the purposes of legitimate interests. Example – Web analytics to assess the number of visitors, posts, page views, reviews and followers in order to optimise future marketing campaigns.

We only process the personal data that we need for our purposes(s), and that we only use the data for those purposes

The organisation’s Privacy Notice, found on the website, states the legal basis by which data from clients, website users and contractors and employees is processed (see appendix)

Data Security by design

The UK GDPR requires us to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is ‘data protection by design and by default’. This means we integrate data protection into our processing activities and business practices, from the design stage right through the lifecycle.

Data security

We are required to process all data, electronic, or paper, securely. This includes every aspect of the processing of personal data and means the security measures should seek to ensure that:

  1. The data can be accessed, altered, disclosed or deleted only by those who are authorised to do so by:
  • Users and administrators of our electronic patient record systems, as appropriate and authenticated and delegated in accordance with contracts with our clients.
  • Staff level of access to electronic data is controlled by the IT department. Roles are given specific access to data agreed with the CSO
  • Only the Chief Technical Officer (CTO), or the delegated member of the IT team can make data alterations and deletions under direction of the CSO or DPO.
  1. The data is accurate and complete. 
  2. The data remains accessible and usable, i.e., if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.

Physical security of data includes:

  • Staff records are kept in locked filing cabinets in a locked room in a building requiring key access.
  • All confidential waste is disposed by shredding and destroyed by a specialised waste company

Cyber security of data includes:

  • The organisation contracts a Cyber Security company who provides specialist advice and guidance on best practice Cyber Security.
  • At least once a year the organisation undertakes a penetration test which will highlight any vulnerabilities within the network and allow the IT system to be continually improved to ensure it is as secure as possible.  
  • Company data is stored online securely and access is subject to industry standard protections to known vulnerabilities. Data is stored on recognised industry-standard hosting platforms and protected by industry standard protections to known vulnerabilities and is stored and transmitted in encrypted form. 
  • All of these measures are monitored by the company and any vulnerabilities are investigated and rectified with speciality support. 
  • As part of the Data Security & Protection Toolkit, the organisation ensures that they review and implement cyber security advice/guidance that is reported by the UK’s NHS Digital. 

Individual Rights and Requests

Individuals have a right to be informed about the collection or use of their personal data. This includes the purposes for processing their personal data, the retention periods and who it will be shared with. This is achieved in the following ways:

  • Via the privacy notice on the website 
  • Via the privacy notice provided to contractors and employees

If the data is to be used for a new purpose, the staff identifying this would contact the individual and communicate the changes to the individual and gain further consent before use.

Procedures

Procedure for any data requests relating to individual rights 

  1. Requests can be made verbally or in writing. Staff/consultants who receive data requests should pass all requests, verbally transcribed into writing and letters scanned in and sent, to the central e-mail of privacy@careful.online
  2. The identity of the individual whose data is requested must be verified if there is a doubt about identity. Verification can be achieved through standard ID (Passport, driving licence). Where verification is not straightforward the decision of verifying identity must be made by the DPO. 
  3. Data Requests will be sent to the DPO for consideration. This will include reviewing the evidence presented by the individual data subject, assessing the accuracy of the data and considering the significance of the data in question.  
  4. Once reviewed, the DPO must respond to the individual data subject outlining the outcome of the review and any actions taken. This response will include information on right of appeal. 
  5. Data requests must be responded to within 1 month (this can be extended by a further 2 months if the request is complex or there are a number of requests, and the individual must be informed).  There will be an automatic reply on the e-mail outlining the data request process and explaining the requirement to verify the identity of the individual and expected timeframes. 
  6. Where a data request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature, the DPO can decide to either request a reasonable administrative fee to deal with the request, or refuse to deal with the request. This decision will be made by the DPO and a full explanation will be given to the individual within 1 month, information will be provided about their right to complain and outline of their ability to seek to enforce this right through judicial remedy.
  7. All data requests are logged on a Central Data Request database
  8. Data requests relating to Personal data held and processed on behalf of a client would be referred back to the client (data controller) for agreement on proceeding with the request.

Data rectification 

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. Where the data in question is a medical opinion and is stated as such this would not be accepted for rectification.

Where data rectification has occurred, a note will be made on the individual data subjects records (electronic and paper/scanned versions)

Right to erasure

An individual has a right to have personal data erased ‘the right to be forgotten’

Individuals have a right to have their personal data erased if:

  • The personal data is no longer necessary for the purpose which we originally collected or processed it for;
  • We are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent;
  • We are relying on legitimate interests as our basis for processing, but the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • We are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • We have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
  • We have to do it to comply with a legal obligation.

Where personal data has been disclosed to other organisations or has been made public each organisation must be informed about the erasure and reasonable steps made.

The right to erasure does not apply for the following reasons:

  • To exercise the right of freedom of expression and information;
  • To comply with a legal obligation;
  • For the performance of a task carried out in the public interest or in the exercise of official authority;
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • For the establishment, exercise or defence of legal claims
  • If the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)
  • If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).

The right to erasure does not extend to medical records (special category data) but requests would need to be logged, considered and a response with explanation provided. 

Data erasure requests will be considered by the DPO and, if approved, passed onto the Chief Technical Officer (CTO) who will instigate the following:

  • The Chief Technical Officer (CTO) will search all relevant databases and IT software systems to identify where personal data is held relating to the request.
  • The Chief Technical Officer (CTO) will ensure all relevant data is erased from the system.  
  • The erasure will be logged in the data erasure database with evidence of approvals 

Right to restrict processing

An individual has a right to restrict the processing of their personal data in certain circumstances:

  • the individual contests the accuracy of their personal data and we are verifying the accuracy of the data;
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
  • we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim; or
  • the individual has objected to us processing their data and we are considering whether our legitimate grounds override those of the individual.

Data processing requests will be considered by the DPO and, if approved, passed onto the Chief Technical Officer (CTO) who will:

  • Search all relevant databases and IT software systems to identify where personal data is held relating to the request.
  • The Chief Technical Officer (CTO) will liaise with the relevant departments where data is held on the system to ensure all relevant data is marked as restricted for use on the system. This will be time limited and reviewed by the Chief Technical Officer (CTO), in conjunction with the DPO, on expiry. This is logged on the restricted database.

In many cases restriction is temporary, and once the decision has been made on the restriction, the DPO can make a decision on ongoing restriction or lifting the restriction as appropriate. If a restriction is to be lifted, the individual data subject must be informed with an explanation as to the grounds to do so. 

Right to Portability

The right to data portability gives individuals the right to receive personal data they have provided to the organisation in a structured, commonly used and machine readable format. It does not include data created by the organisation – for this the individual would need to do a subject access request. It also gives them the right to request that a controller transmits this data directly to another controller. 

This only applies when the lawful basis for processing information is consent or performance of a contract and the processing is by automated means (i.e. only electronic)

Data portability requests will be considered by the DPO and if approved passed onto the Chief Technical Officer (CTO) who will:

  • Search all relevant databases and IT software systems to identify where personal data is held relating to the request.
  • Arrange for the download of data and for an encrypted e-mail or portable device to be provided to the individual data subject. 

Right to object 

Individuals have a right to object to processing of their data based on legitimate interests or public interest/exercise of official authority, direct marketing or processing for purposes of scientific / historical research and statistics.

  • An individual data subject must have an objection on grounds relating to his or her particular situation. The organisation must stop processing the data unless there are compelling legitimate grounds which override individual interests, rights and freedoms or if the processing of data is for the use in legal claims. 
  • If a request for objection relates to direct marketing purposes, data processing by the hospital must be stopped immediately. This will be confirmed to the individual in writing
  • In all other cases the DPO, will consider the request and provide a response. If   there is a compelling reason for continuing to use the data, then a full response and explanation will be provided to the individual.

Automated decision making and profiling 

The organisation does not use automated decision making or profiling

Subject Access Rights and Requests

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. The information must be provided free of charge. Information must be provided within 1 month of request; where request are complex or numerous this period can be extended and the individual informed with clear explanation.

Where requests are unfounded or excessive or repetitive, an administration fee can be charged or the request refused. This decision will be made by the DPO and a full explanation given to the individual and information provided on their right to complain.

Procedure for Subject Access Requests (SAR)

Staff / contractors who receive an SAR should pass all requests to the DPO. There will be an automatic reply acknowledging the request, outlining the process and explaining the need to verify the identity of the individual and expected timeframes. The request is logged on central SAR database by the DPO.

Data requests for data processed on behalf of a client would be referred back to the client (data controller) for agreement on proceeding with the request

The identity of the individual whose data is requested must be verified. This has to be proportionate so may be done by checking against a passport or driving licence or similar document. 

Where Data is requested on behalf of an individual (for example solicitors on behalf of their client) the identity of the requester and the individual whose data is being requested must be verified and we must be satisfied that the individual whose data is being requested has consented for the 3rd party to act on their behalf. If there is doubt the individual whose data is being requested must be contacted and confirmation sought. 

Where possible, information will be sent electronically via encrypted e-mail in a CVS and PDF file.  

The DPO reviews and approves all disclosures. 

The SAR database will be reviewed by the Risk and Compliance meeting quarterly (anonymised) to review process and timeframes

Data Breach process

  1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
  2. When we have been made aware that a significant personal data breach has occurred it must be reported within 72hrs to the Information Commissioners Office (ICO).
  3. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the organisation must also inform those individuals without undue delay
  4. If a staff member becomes aware of a possible or actual data breach they must immediately inform the DPO and CEO immediately. If it involves IT the Chief Technical Officer (CTO) must also be informed 
  5. The incident must be recorded on the incident spreadsheet and include the following information: 
  • the nature of the personal data, 
  • the number of records, 
  • the individuals involved,
  • the likely consequences of the breach, 
  • the immediate measures taken, including mitigation.
  1. Where the data breach is considered ‘high risk’ to the rights and freedoms of individuals (for example: a patient’s medical records are accidently disclosed to a 3rd party) then the individual data subject must be informed as soon as possible. 
  2. Where the data breach involves data being processed on behalf of a client the client must be informed as soon as possible and liaise with them in terms of actions, notifications and investigations
  3. The decision and action of informing the individual is the responsibility of the DPO but when absent (or out of working hours) the CEO can perform this. All conversations with individuals need to be recorded and kept as part of the investigation 
  4. The DPO will review and decide if the breach is reportable to the ICO. If reportable, the DPO is responsible for ensuring this is reported within 72hrs (the notification can be delegated by the DPO on agreement) https://ico.org.uk/for-organisations/report-a-breach/ 
  5. All formal notifications (including ICO reference number), and follow up investigations must be recorded 
  6. All data breaches will be reviewed at the Risk, Safety and Compliance Meeting and the Board will be notified. 

Privacy Impact Assessment

  1. A Privacy Impact Assessment (PIA) is a process which assesses the potential risk to personal data due to a new project or change in operational processes in relation to an existing project. 
  2. The PIA describes the nature, scope, context and purposes of the processing, assesses necessity, proportionality and compliance measures, identifies and assesses risks to individuals and identifies any additional measures to mitigate those risks.
  3. To assess the risk level, both the likelihood and the severity of any impact on individuals are assessed. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  4. The DPO needs to review and advise on all PIA, which will be submitted to the Risk, Safety and Compliance Meeting for consideration and approval. See Appendix for Privacy Impact Assessment Form.
  5. If a high risk is identified that cannot be mitigated, the ICO will be consulted before starting the processing.

Data Retention and Destruction

There is required period of retention for different data sets/record types.

Digital data

At least 6-monthly, a programme will be run on all CAREFUL database in order to automatically identify records that should be considered for destruction. In order to remove digital data, all copies of such data will be reviewed by the Chief Technology Officer (CTO) and appropriate programmatic scripts will be run in order to remove this from the databases, and for records to be zero’d out of any magnetic media, where appropriate.

Paper data

Once a document meets the criteria for destruction if it contains personal data it needs to be disposed as confidential waste. 

Period of Retention

Record typeRetention periodAction at end of retention period
Board and Risk, compliance meetings (papers + minutes)May retain up to 20yrsTransfer to place of deposit
Complaints Case files10yrs from closureReview and destroy if no longer needed
Expenses 6yrsReview and destroy if no longer needed
Final Annual accounts report20yrsReview and consider transfer to place of deposit
Finance accounts6yrsReview and destroy if no longer needed
Incidents (not serious)10yrsReview and destroy if no longer needed
Incidents (serious)25yrsReview and consider transfer to place of deposit
Intranet and website6yrsReview and consider transfer to place of deposit
Litigation records25yrs from closureReview and consider transfer to place of deposit
Occupational Health records (when staff member leaves)Keep until 75th birthday or up to 6yrs after leavingReview and destroy if no longer needed
Policies / Procedures / Guidelines / Clinical Protocols and SOPs25yrsReview and consider transfer to place of deposit
Salaries paid to staff7yrsReview and destroy if no longer needed
SAR correspondence3yrs from closureReview and destroy if no longer needed
Staff RecordKeep up to 75th birthday or up to 6yrs after leavingCreate a summary record then destroy main file. Summary should be transferred to place of deposit

Audit and Training 

The following audits will be undertaken annually to ensure we meet the standards required and provide assurance to The Board and clients. Where standards are not met, action plans will be put in place and monitored via the Risk, Safety and Compliance Meeting. 

  • Penetration Testing
  • CareCERT notifications 
  • Data requests (all types); timeliness and compliance with process
  • Data breaches: timeliness and compliance with process

All staff and contractors are required to complete annual Information Governance training. E-learning modules are provided

Appendix

Privacy Notice 

CAREFUL Systems Ltd is committed to protecting your privacy and meeting the requirements of data protection legislation. This privacy notice explains:

  • what personal data we collect about you;
  • why we collect that personal data;
  • who we share your personal data with;
  • why we might contact you and how you can change that;
  • how long we retain your personal data;
  • how we keep your personal data secure; and
  • what rights you have in relation to your personal data.

When we talk about “personal data” in this notice, we mean any information which could be used to identify you, either directly or indirectly when combined with any other information we may hold about you.

In this privacy notice, when we refer to “we”, “us” or “our”, we mean CAREFUL Systems Limited, Vestry House, Laurence Pountney Hill, London EC4 0EH. We are the data controller under the Information Commissioner’s Office registration number 10176186

If you need to contact us about this privacy notice or further details on how we use your personal information please contact the Data Protection Officer.

This privacy policy does not cover the links within our websites linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Personal data collected by CAREFUL Systems Limited

We are contracted to process data by clients within our systems. In these circumstances, we do not hold this data; it is held within the clients domain and they remain the data controllers.

We may also collect and hold personal data on our CAREFUL systems as data controllers. We do not share such data with third parties without explicit consent from individuals. 

We do hold personal data of staff and contractors who work for us under the legal basis of a performance of a contract. We do not share this data with any other third parties. This data is kept securely in a password protected file within very limited access for the duration of the required retention period.

Information we collect when you visit our website or use our online services

Activities that may result in collection of personal information

  • visits to our websites
  • enquiries about our products or services
  • information contained in enquiry or booking forms
  • information you provide in surveys or in feedback

Personal identifiers from your browsing activity

  • Requests by your web browser to our servers for web pages and other content on our website are recorded.
  • We record information such as your geographical location, your Internet service provider and your IP address. We also record information about the software you are using to browse our website, such as the type of computer or device and the screen resolution.
  • We use this information in aggregate to assess the popularity of the webpages on our website and how we perform in providing content to you.
  • If combined with other information we know about you from previous visits, the data possibly could be used to identify you personally, even if you are not signed in to our website.

Cookies

Cookies are small text files that are placed on your computer’s hard drive by your web browser when you visit any website. They allow information gathered on one web page to be stored until it is needed for use on another, allowing a website to provide you with a personalised experience and the website owner with statistics about how you use the website so that it can be improved. Some cookies may last for a defined period of time, such as one day or until you close your browser. Others last indefinitely. Your web browser should allow you to delete any you choose. It also should allow you to prevent or limit their use.


Our website uses cookies. They are placed by software that operates on our servers, and by software operated by third parties whose services we use. When you first visit our website, we ask you whether you wish us to use cookies. If you choose not to accept them, we shall not use them for your visit except to record that you have not consented to their use for any other purpose.


If you choose not to use cookies or you prevent their use through your browser settings, you will not be able to use all the functionality of our website.

We use cookies in the following ways:

  • to track how you use our website
  • to record whether you have seen specific messages we display on our website
  • to keep you signed in our site
  • to record your answers to surveys and questionnaires on our site while you complete them

Receiving communications from CAREFUL Systems Limited and updating your preferences

We may contact you about goods and services which we think may be of interest to you where you have consented to us using your information in this way.

We will only send you marketing information where you have provided your consent to receive it. You have the right to ask us to stop processing your personal information for marketing purposes by contacting the Data Protection Officer.

You can update your communications preferences at any time by informing a member of staff or by contacting the Data Protection Officer. 

Retention of personal data

We retain personal data for no longer than required and in line with CAREFUL Systems Limited policy retention schedule. This is based on statutory requirements and legal obligations, as well as our business requirements.

Security of personal data

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. 

We do not transfer data outside of the European Economic Area (EEA) 

Personal information transmitted to the CAREFUL Systems Limited is held on secure servers and encrypted. However, the transmission of information via the internet is not completely secure and we cannot guarantee the security of your information transmitted to our websites; any transmission is at your own risk.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Personal data and your rights

Data protection legislation gives you the right to:

  • Correct any data we hold about you that is not correct (Rectification)
  • Request that we delete your personal data (Erasure)
  • Block or suppress the further processing of your personal data in certain circumstances (Restriction)
  • Request access to personal data that we hold about you (Subject Access)
  • In some circumstances, receive the personal data which you have provided to us, in a structured, commonly used and machine-readable format and have this transmitted to another data controller (Data Portability)
  • Withdraw consent where this is the legal basis for us processing your information
  • Object to processing where CAREFUL Systems Limited is relying on its legitimate interests as the legal ground for processing
  • Not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

Please contact the Data Protection Officer if you wish to exercise your rights in relation to personal data using the contact information below. Our policy is to verify the authenticity of all requests made, and requests may be refused if we are unable to verify the identity of the requester.

If you have concerns about the way we have handled your personal data please contact the Data Protection Officer in the first instance.

By Post:

Data Protection Officer 

Vestry House, 

Laurence Pountney Hill, 

London 

EC4 0EH

By email:  Data Protection Officer at privacy@careful.online

If you remain unsatisfied you can contact the Information Commissioner’s Office (ICO) on 0303 123 1113, by emailing casework@ico.org.uk  or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Subject Access Request Form

CAREFUL Systems Limited collect certain personal information from staff and contractors and process patient personal information for clients.   As a data subject you have a right under the General Data Protection Regulation (GDPR) to find out about the use of your personal data and to request the data we hold on you.

If your request relates to data we process on behalf of another organisation we will liaise with them regarding this request

Whilst you do not have to use this form to make a subject access request, it is helpful for us to manage your request effectively.  We may contact you to request additional supporting information and/or proof of your identify to safeguard your privacy and personal data.

If you are making a Subject Access Request on someone else’s behalf they will need to provide clear documented consent that they are allowing you to access their data. If we are not satisfied with the consent provided we will contact the individual directly to verify the request. 

No fee is payable under normal circumstances, but we do reserve the right to charge a reasonable administrative fee for requests that are excessive or repetitive and we will advise you as such.

We aim to respond to all subject access requests within a month of receipt.  If we require more information from you, or if the request is excessive or repetitive, we may require more time and we will inform you of this accordingly.

Please complete the sections below and send it back to privacy@careful.online

Where data is requested electronically, the data requested will be sent via encrypted e-mail or using password encrypted files (where the password is sent by other means) to the recipient. This allows for an efficient and secure communication that can be tracked and audited. 

The organisation has a Data Protection Officer who provides expert advice and support on data matters. They can also be contacted via the e-mail above.

 Subject Access Request Form

Title (optional)
Forename (s)
Surname
Date of Birth
Address
Telephone number
e-mail address
Information being requestedPlease provide specific details, including location and dates, of the information being requested and any additional information that may help us to locate your personal data and confirm your identify









DeclarationBy signing below you are confirming you are the individual named in this Subject Access Request form
Signature

Date of signing

Data Privacy Impact Assessment template

CAREFUL Systems Limited |   Privacy Impact Assessment form

Project name:
Summary:       
Assessor:
Date:
  1. Identify need for PIA

Complete this form early on during the project planning stage when the overall aims are known and future processes can be adapted to address privacy concerns

If you answer ‘yes’ to any of the below you need to complete the whole form

YesNo
1Will the project involve the collection of new information about individuals?
2Will the project compel individuals to provide information about themselves?
3Will information about individuals to be disclosed to organisations or people who have not previously had routine access to the information?
4Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
5Does the project involve you using new technology which might be perceived as being privacy intrusive? For example biometrics or facial recognition
6Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
7Is the information about individuals of a kind likely to raise privacy concerns or expectation? For example health records, criminal records, or other private information?
8Will the project require you to contact individuals in ways they may find intrusive?
  1. Describe information flows & consultation requirements
The collection, use, retention and deletion of personal data should be described.  This reduces the risk of function creep when data is used in unintended ways








Identify the number and groups of individuals who may be affected by the project 







Explain practical steps to ensure you identify and address privacy risks. Who should be consulted internally and externally? How will you carry out the consultation?







  1. Identify privacy and related risks and solutions

To help to understand the likelihood and severity of privacy risks and be open and transparent about risks and potential impact on the project.

To identify and log actions required to reduce, accept or eliminate risks.

Privacy risk identified Risk to individual / compliance with GDPR / organisaionSolution (s)Result  (is risk reduced, accepted  or eliminated)Evaluation (is final impact on individuals justified, compliant and proportionate response to the aims of the project) 



  1. Sign off

The privacy risks need to be approved reviewed at the Risk, Safety and Compliance Meeting and approved by one of the CEO. The DPO also needs to review and advise on the PIA.

Privacy risk identified Approved solution (s) Approved by (executive)



Yes  / NoDate
Submitted and reviewed at Risk, Safety and Compliance Meeting
Submitted and reviewed by DPO (include advice given)
  1. Integration into project plan

The person undertaking the PIA must report back to the main project and update the project plan based on the outcome of the PIA. Actions agreed must be taken forward and completed.

If the project expands or changes the PIA must be referred to and re-reviewed. 

Identify contact person if any privacy concerns arise during the implementation of the project. 

Action to be taken Date for completion Person responsible 



Completed forms must be submitted to the DPO for inclusion in the agenda at the Risk, Safety and Compliance Meeting, where ongoing actions will be monitored