Data Protection Policy | |
Organisation | Ratnarajah Medical Services Limited trading as Extracellular Wellness |
Scope of policy | Extracellular Wellness clients. |
Policy operational date | 01/01/2025 |
Policy prepared by | Ratnarajah Medical Services Limited |
Policy review date | 01/01/2028 |
Introduction | |
Purpose of policy | To: ∙ comply with the law ∙ follow good practice ∙ protect clients, staff and other individuals ∙ protect the organisation |
Personal data | ∙ Client notes ∙ Demographics including email addresses |
Policy statement | A commitment to: ∙ comply with both the law and good practice ∙ respect individuals’ rights ∙ be open and honest with individuals whose data is held ∙ provide training and support for staff who handle personal data, so that they can act confidently and consistently ∙ notify (see notes) the Information Commissioner voluntarily, even if this is not required. |
Data Protection Officer | Drs Niruban Ratnarajah and Maria Ratnarajah. Their responsibilities include: ∙ Briefing new staff on data protection ∙ Reviewing Data Protection and related policies ∙ Ensuring that Data Protection induction and training take place whenever someone is hired ∙ Notification (see notes) ∙ Handling subject access requests from clients wanting to access or delete their data ∙ Approving unusual or controversial disclosures of personal data ∙ Approving contracts with Data Processors such as external payment processors, or mailing software like MailChimp (see notes) |
Staff & volunteers | All staff and volunteers should be required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. (From now on, where ‘staff’ is used, this includes both paid staff and volunteers.) |
Enforcement | The penalties for infringing the Data Protection and related policies are usually a disciplinary process. Extreme data breaches will be reported to the ICO directly. |
Confidentiality | |
Scope | Data that is confidential, but may well not be subject to Data Protection, includes: ∙ Information about your clients ∙ Information about their children or extended family ∙ Information which is not recorded, either on paper or electronically, such as their emotional condition or aspects of their lives which are private and only revealed to you ∙ Information that may be private and / or embarrassing to them ∙ Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a “relevant filing system” in the Data Protection Act |
Communication with Data Subjects | Clients, staff and other Data Subjects will be informed about confidentiality, via the Extracellular Wellness website. |
Data recording and storage | |
Storage | Data will be stored digitally using a compliant clinical recording system. |
Retention periods | Data will be held in line with current guidance. |
Subject access | |
Responsibility | Extracellular Wellness will ensure that subject access requests (see notes) are handled within the legal time limit of 40 days. |
Procedure for making request | Subject access requests must be in writing. |
Transparency | |
Commitment | Data Subjects will be made aware that their data is being processed and ∙ for what purpose it is being processed ∙ what types of disclosure are likely, and ∙ how to exercise their rights in relation to the data |
Notes
Data Controller
The Data Controller is the legal ‘person’ responsible for complying with the Data Protection Act. It will almost always be the organisation, not an individual staff member or volunteer. Separate organisations (for example a charity and its trading company) are separate Data Controllers. Where organisations work in close partnership it may not be easy to identify the Data Controller. If in doubt, seek guidance from the Information Commissioner.
Data Processor
When work is outsourced in a way that gives the contracted organisation (the Data Processor) access to personal data, there must be a suitable written contract in place, paying particular attention to security. The Data Controller remains responsible for any breach of Data Protection brought about by the Data Processor.
Fair processing conditions
Schedule 2 of the Data Protection Act lays down six conditions, at least one of which must be met, in order for any use of personal data to be fair. These are (in brief):
∙ With consent of the Data Subject
∙ If it is necessary for a contract involving the Data Subject
∙ To meet a legal obligation
∙ To protect the Data Subject’s ‘vital interests’
∙ In connection with government or other public functions
∙ In the Data Controller’s ‘legitimate interests’ provided the Data Subject’s interests are not infringed
Notification
All Data Controllers have to consider whether they are exempt from Notification. If they are not exempt, they have to Notify. This means completing a form for the Information Commissioner, and paying a fee of £35 a year. The Notification form covers:
∙ The purposes for which personal data is held (from a standard list) and for each purpose (again from standard lists):
∙ The types of Data Subject about whom data is held
∙ The types of information that are held
∙ The types of disclosure that are made
∙ Any transfers abroad
There is probably no need to mention the details of the organisation’s Notification in the policy. The Notification entry has to be reviewed each year, and may have to change if the organisation changes its processing in significant ways.
Subject access
Individuals have a right to know what information is being held about them. The basic provision is that, in response to a valid request (including the fee, if required), the Data Controller must provide a permanent, intelligible copy of all the personal data about that Data Subject held at the time the application was made. The Data Controller may negotiate with the Data Subject to provide a more limited range of data (or may choose to provide more), and certain data may be withheld. This includes some third party material, especially if any duty of confidentiality is owed to the third party, and limited amounts of other material. (“Third Party” means either that the data is about someone else, or someone else is the source.)