Data protection policy - The Rotherham NHS Foundation Trust
Ref No: 108
DATA PROTECTION POLICY
SECTION 1
PROCEDURAL INFORMATION
Version: 6
Ratified by: Document Ratification Group
Date ratified: September 2018
Name of author: IG Assurance and Security Manager
Name of responsible committee: Information Governance Committee
Date issued: September 2018
Review date: September 2019
Target audience: All Staff, Contractors, agents, elected members, FT members, charitable groups, partners or other service providers of the Trust
Version 6 DATA PROTECTION POLICY Page 5 of 24Please check the intranet to ensure you have the latest version
1. INTRODUCTION
The Rotherham NHS Foundation Trust is committed to compliance with the Data Protection Act 2018 and will follow procedures that aim to ensure that all employees, contractors, agents, elected members, partners or other service providers of the Trust are fully aware of and abide by their duties and responsibilities under the DPA, while also taking account of the requirements set out in the following legislation:
Crime and Disorder Act 1998
Human Rights Act 1998
Police Act 1997
Access to Health Records Act 1990
Freedom of Information Act 2000
The Trust will ensure that personal data is handled legally, securely, efficiently and effectively and in accordance with the eight principles of the Data Protection Act 2018 (see paragraph 4.2 below).
This Policy sets out the process for accessing both Health Records and Non-Health Records held by the Trust.
In order to operate efficiently the Trust will collect and use data relating to patients receiving care and the people with whom it collaborates including members of the public, current, past and prospective employees, suppliers and other visitors. In addition, it may be required by law to collect and use data in order to comply with the statutory requirements of the Department of Health, the NHS England, the Health and Social Care Information Centre and other government departments.
All personal data, regardless of how it is collated, recorded, utilised and disposed of, whether on paper, by computer or other recording material, will be handled by the Trust within the safeguarding principles of the DPA and Information Governance frameworks issued by the Department of Health.
2. PURPOSE & SCOPE
2.1 Purpose
This policy applies to the handling of all Personal Data that is used within the Rotherham NHS Foundation Trust, held on any media including CCTV, Dictaphone, electronic or manual records.
This Policy can be found in the Information Governance Policies section of the Trust’s Intranet.
This Policy forms part of a framework of other Information Governance policies which can also be found on the Trust’s Intranet (see section 7 for further details).
2.2 Scope
This Policy applies to all employees of the Trust, including Medical and Dental employees, contractors, agents, elected members, FT members, charitable groups, partners or other service providers of the Trust.
3 ROLES & RESPONSIBILITIES
Chief Executive
The Chief Executive has overall responsibility for:
• Ensuring that the processes are in place for the implementation of the policy.
• Ensuring that the processes are in place for the monitoring of the policy.
These responsibilities are delegated as described.
Data Controller
The Rotherham NHS Foundation Trust is the Data Controller. The Chief Executive has overall responsibilities for the organisation and may delegate relevant duties to both the Data Protection Officer and Senior Officers as appropriate.
Data Protection Officer
The designated Data Protection Officer will be responsible for ensuring overall compliance with the Data Protection Act 2018, Access to Health Records Act 1990 and this policy. This officer holds responsibility to the Chief Executive and Board with delegated roles and responsibilities documented in their job description.
All staff will be made aware of the identity of the Data Protection Officer and the policies and procedures surrounding Data Protection and Confidentiality.
Data Owners
Data Owners will be identified for all items of Personal Data kept and used by the Trust. The Data Owners will normally be the most appropriate departmental manager or designated Information Asset Owner (IAO) and will be responsible for risk management of the information asset(s) within their responsibility.
Data Protection Lead
For the purpose of implementation of this Policy, the nominated Data Protection Lead for the Trust is responsible for reviewing the Data Protection Register annually and for notifying the Information Commissioner of any changes within 28 days.
The Data Protection Lead, in conjunction with the Senior Information Risk Owner, will determine, through appropriate management and the use of strict criteria and controls, the purpose for which non-clinical personal data can be processed.
Senior Information Risk Owner (SIRO)
The SIRO shall advise the Chief Executive, as Accounting Officer, and the Trust Board on data protection issues and provide periodic reports and briefings. The SIRO is a member of the Trust Board who is responsible for ensuring that organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist.
The Caldicott Guardian
The Caldicott Guardian has lead responsibility for strategy and governance issues (relating to patient information), confidentiality & data protection expertise, internal information processing and information sharing with external bodies.
The Caldicott Guardian will authorise the sharing of patient information when consent has not been obtained.
IG Assurance & Security Manager
The IG Assurance & Security Manager will act as the Privacy Officer for the Trust. They will ensure adequate processes are in place to maintain the security of personal data held, and that audit mechanisms are implemented to ensure compliance.
Information Governance Team
The Information Governance Department will be responsible for the implementation of this policy.
Health Records Manager
The Health Records Manager will ensure health records are maintained according to national legislation and guidance. The Health Records Manager will act as the Data Officer in relation to clinical data/health records.
The Health Records Manager will provide practical support and advice to all employees on the application of this Policy in relation to clinical data/health records.
Health Records Representatives
As designated by the Health Records Manager, Health Records representatives will collect and process appropriate data and only to the extent that it is required to fulfil operational needs or to comply with any statutory or information governance standards.
Head of Human Resources
The Head of Human Resources must ensure that personal data held by the Human Resources Department is protected from unauthorised or unlawful access, loss or disclosure. The Head of Human Resources will act as the Data Officer in relation to Human Resources records.
Human Resources Representatives
As designated by the Head of Human Resources, Human Resources representatives will collect and process appropriate data and only to the extent that it is required to fulfil operational needs or to comply with any statutory or information governance standards.
The Human Resources Department will provide practical support and advice to all employees on the application of this Policy in relation to non-clinical data.
Director of Estates and Facilities
Shall be responsible for compliance with the DPA and related legislation in relation to personal data obtained through the Directorate’s activities including but not exclusive to:
Telephone logging The use of CCTV Staff Car Parking Card issue ID Badges
Trade Unions/Employee Representatives
Trade unions will collect and maintain personal data in order to provide membership services and comply with certain statutory obligations.
All personal data will be treated with the utmost confidentiality and with appropriate levels of security.
Contractors/Consultants/Partners or other Servants or Agents
All collaborators with the Trust must ensure that:-
They and all of their employees who have access to personal data held or processed for or on behalf of the Trust are aware of this Policy and are fully trained in and are aware of their duties and responsibilities under the DPA. Any breach of any provision of the DPA will be deemed as being a breach of any contract between the Trust and that individual, company, partner or firm.
Data Protection audits required by the Trust are permitted upon request
The Trust is indemnified against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
All Employees
Employees are responsible for ensuring that this Policy (and related policies in paragraph 7) is followed.
Employees must ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that personal data is kept:-
• In a safe place where there would be no unauthorised access, and must not be left unattended in public/waiting areas
• In a locked filing cabinet or drawer where possible
• In an office with restricted access, or
• On disk, memory stick or other electronic storage system, appropriate security measures must be used (contact the IT Service Desk for further information)
Employees must:-
Check that any personal data they provide to the Trust is accurate and up to date
Ensure data provided by and recorded for others (i.e. patients) is accurate and up to date
Inform the Trust of any changes to personal data they have provided, e.g. change of address, change of name, photographic identity
Check the accuracy of data, including sensitive data, which the Trust may send out from time to time, in order to update existing personal data.
Understand that they must be appropriately trained and supervised to handle Data including requests for the disclosure or sharing of Data
Employees have the right to request a copy of their personal data held by the Trust (see paragraph 4.8 – Written Requests to Supply Data).
Any breach of this Policy and Procedure may result in disciplinary action being taken.
4 PROCEDURAL INFORMATION
4.1 Registration and Notification to the Information Commissioner
The IG Assurance and Security Manager is responsible for notifying the Information Commissioner regarding the Trust’s Data Protection Register Entry and for supplying details of any subsequent amendments.
The Register Entry describes in general terms, the personal data being processed by the Trust and includes:
• Staff Administration
• Accounts and Records
• Health Administration and Services
• Research
• Crime Prevention and Prosecution of Offenders
• Public Health
• Administration of Membership Records
• Data Matching
• Advertising, Marketing & Public Relations
• Fundraising
• Pastoral Care
• Property Management
• Realising the Objectives of a Charitable Organisation or Voluntary Body
4.2 The Six Principles of Data Protection
The Data Protection Act 2018 stipulates that anyone processing personal data must comply with the Six Principles of good practice. These Principles, which are legally enforceable, are as follows:-
• Used fairly, lawfully and transparently
• Used for specified, explicit purposes
• Used in a way that is adequate, relevant and limited to only what is necessary
• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary
• Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
4.3 Rights of the Data Subject
• To access information of which they are the subject
• To consent or to withhold consent
• To opt out of direct marketing
• To restrict automated decision making
• To ask for an assessment
• To apply for subject access
4.4 Exemptions
The rights of Data Subjects can be restricted on the following grounds:-
• National security
• Crime and taxation
• Health, education and social work
• Regulatory activities
• Journalism, literature and art
• Research, History and statistics
• Legal privilege
• Confidential references given by the Data Controller
• Further categories introduced by the Secretary of State
4.5 Sensitive Personal Data
The DPA 2018 makes a distinction between personal data and “sensitive” personal data which refers to the following:-
• Racial or ethnic origin
• Political opinion
• Religious or other beliefs
• Trade Union membership
• Physical or mental health or condition
• Sexual life
• Criminal proceedings or convictions
Sensitive personal data can be processed provided that at least one of the following conditions has been met:-
• The Data Subject has given their explicit consent
• It is necessary for monitoring equal opportunities
• It is a legal requirement of the subject’s employment
• It is necessary to protect the vital interests of the subject
• It is carried out by certain non-profit bodies established for political, philosophical, religious or trade union purposes
• It is necessary for legal proceedings
• It is necessary for medical purposes
• The Secretary of State has given consent
• It is necessary for the prevention or detection of any unlawful act
• It is necessary for the provision of services such as confidential counselling or advice
• It is necessary for insurance or occupational pension scheme contracts
This list is not exhaustive and new categories may be added by the Secretary of State.
4.6 Processing Data
An essential requirement of the DPA is that all data must be processed “fairly”. The Trust will therefore ensure that:-
• The Data Subject will not be deceived or misled
• The Data Subject will be informed of the purpose for which the personal data is intended to be used by the Information Officer or their nominated deputy
• The Data Subject will be informed whether the data is likely to be passed to a third party
4.7 Transferring Data Abroad
Personal Data will not be transferred outside of the United Kingdom unless that country or territory “ensures adequate level of protection” for the rights and freedoms of Data Subjects.
Transfers of Data may take place:
• Where the data subject has given explicit consent
• It is necessary to perform or make a contract
• By reason of substantial public interest
• Is part of Personal Data on a Public Register
• Is on terms approved by the Information Commissioner
• Patient Identifiable Information must only be transferred outside the UK on approval of the Caldicott Group / Caldicott Guardian
4.8 Written Requests to Supply Data (Subject Access Request (SARs))
The Trust maintains two processes for SARs: one for patients’ health records and the other for non-health records. The Trust has a standard operating procedure for the SAR of health records, which is available on The Hub and the Trust’s external Internet pages.
The SAR procedure for non-health records is outlined in Appendix 1.
Upon written request from the Data Subject, the Data Officer, or their nominated deputy, is obliged to supply:-
• A description of the Data
• The purpose for which Data is being held
• The source of the Data
• The person(s) to whom the Data will be or may be disclosed
Proof of identity will be required to ensure that data is provided to the correct individual. Where a request is made in person, two original pieces of documentation, for example a recent utility bill or bank statement showing the individual’s name and current address, will be required. In some cases additional details such as a passport or photo ID driving licence may be required due to the sensitive nature of the information held. Where the request is to be sent via the post, this will only be sent to the registered address for the individual. If another address is stipulated, this will be investigated further to determine the legitimacy of the request.
The Data Officer will supply everything held at the time the application was made within 1 month (see paragraph 4.9. below regarding disproportionate effort).
4.9 Withholding Data
Data may be withheld either if the Subject agrees or the supply of information would involve disproportionate effort.
Data may also be withheld if it identifies a third party.
4.10 Opting In / Out
Employees must read carefully any documentation which implies their consent to the processing of personal data, for example, the completion of a booking form for a conference which states that information may be used for other specific purposes as this may be beyond the control of the Trust.
On occasions where an employee may be asked to participate in any photographic or other publicity campaign on behalf of the Trust, employees will be consulted and unless the employee explicitly opts out, consent will be assumed by attendance in the photograph or campaign.
Employees have the right to opt out of Direct Marketing and in deciding to do so, should ensure that the relevant tick box indicating Direct Marketing is NOT checked.
The Trust will ensure that employees are kept informed of the methods used to arrive at any automated decisions (e.g. job applications) thereby giving the choice of opting out of the process.
4.11 Possible Consequences of a Breach of Confidentiality (From the Trust Code of Conduct for Staff)
The Trust employs three levels of breach relating to confidentiality. Penalties for these infractions will range from informal warnings through to dismissal.
Minor Misconduct: Inadvertent disclosure of privileged or confidential information.
Serious Misconduct: Careless disclosure of privileged or confidential information.
Gross Misconduct: Deliberate disclosure of privileged or confidential information to unauthorised people.
5 DEFINITIONS AND ABBREVIATIONS
5.1 Definitions
Data – Information held on a computer, filing system or part of any accessible record
Data Controller – Data controllers will usually be organisations or a person who either alone or jointly in common with others determines the purposes for which personal data will be used. The IG Assurance and Security Manager will carry out this role within the Trust.
Data Officer – A person designated by the Data Controller to process data requests and jointly ensures methods are in place to secure personal data. The Director of Human Resources & Health Records Manager will carry out this role within the Trust.
Data Protection Lead – The role of the Data Protection Lead is to ensure that the organisation complies with the Data Protection Act 2018, and to ensure that employees are fully informed of their own responsibilities for acting within the law and that the public, including employees, are informed of their rights under the Act.
Data Subject – An individual who is the subject of the personal data being kept
Personal Data – Information relating to a living individual who can be identified from the Data and other information in the possession of the Data Controller and includes any expression of opinion about that individual.
5.2 Abbreviations
CSU Clinical Service Unit
DPA The Data Protection Act 2018
EPR Electronic Patient Record
FT Foundation Trust
HODs Heads of Department
IT Information Technology
ICO The Information Commissioner’s Office
IAO Information Asset Owner
IGC Information Governance Committee
SIRO Senior Information Risk Owner
6 REFERENCES
The Data Protection Act 2018
Freedom of Information Act 2000
NHS Information Governance Toolkit
Data Protection Good Practice – Information Commissioners Office
NHS Employers – Policies and best practice procedures
Benchmarking other NHS and Public Sector Data Protection practices
7 ASSOCIATED DOCUMENTATION
IT Security & Acceptable Use Policy
Health Records Policy
Information Governance Policy
Policy on the Use & Protection of Patient Information (Confidentiality Code of Conduct)
Corporate Records Management Policy
Risk Register & Risk Management Policy
Safe Haven Policy
Subject Access Request SOP
Section 1
Appendix 1
THE DATA PROTECTION ACT 2018
SUBJECT ACCESS REQUEST FORM – NON HEALTH RECORDS
Please refer to the attached guidance notes overleaf.
SECTION A: PERSONAL DETAILS
Surname: Former name (if applicable):
MR/MRS/MISS/MS: First Name(s):
Date of Birth: Employee No:
Present Address: Post Code
Telephone No:
Mobile No:
SECTION B: DETAILS OF THE DATA REQUESTED
Subject/Topic/Area
SECTION C: PROOF OF IDENTIFICATION
Documents Supplied (See attached Guidance Notes)
SECTION D:
The completed form and supporting proof of identity should be submitted to: Chief Human Resources Officer, Data Officer, Rotherham General Hospital, Moorgate Road, Rotherham S60 2UD
Signature of applicant: ………………………………………………………………………
Date ……………………………
PRINT NAME: …………………………………………………………………………………
SUBJECT ACCESS REQUEST FORM GUIDANCE NOTES – NON HEALTH RECORDS
1. Personal Details: Please complete your personal details as requested. Please tell us if you have been previously known by any other name. If you are requesting historical information, please provide as many details as possible, e.g. previous addresses (use a separate sheet if necessary).
2. Details of the Data you require: You should give as much assistance as you can about particular areas to search so that we can give you what you require without delay. You should also give any relevant reference numbers that might be useful. These details are required to assist in locating the data so that you can be given a copy of everything.
3. Proof of Identification: Proof of name and address is required to ensure we only give information to the correct person. We require two original pieces of documentation, for example, a recent utility bill, bank statement (photocopies are not acceptable) showing your name and address. In some cases, additional details such as a passport or photo ID driving licence may be required due to the sensitive nature of the information held.
4. Keep your documents secure: Always send important documents by recorded delivery or other special post as necessary. The Trust cannot be held liable for items lost in the post.
5. If you have any questions relating to identification requirements or any other aspect of a subject access request, please contact the Human Resources Department by telephone on 01709 820000.
DATA PROTECTION POLICY
SECTION 2
DOCUMENT DEVELOPMENT, COMMUNICATION, IMPLEMENTATION AND MONITORING
8. CONSULTATION AND COMMUNICATION WITH STAKEHOLDERS
The Deputy Health Records Manager and the Interim Director of Human Resources were consulted on revision of the policy and subject access processes.
Specialist knowledge was sought from:
• IG Assurance and Security Manager
• Caldicott Co-ordinator
• Members of the Information Governance Committee
9. APPROVAL OF THE DOCUMENT
This policy has been approved by the Information Governance Committee.
10. RATIFICATION OF THE DOCUMENT
The Trust Document Ratification Group has ratified this policy.
11. EQUALITY IMPACT ASSESSMENT STATEMENT
The Trust aims to design and implement services, policies and measures that meet the diverse needs of its service, population and workforce, ensuring that none are placed at a disadvantage. See Appendix 1 for the results of the assessment on this policy.
12. REVIEW AND REVISION ARRANGEMENTS
This policy will be reviewed by the Information Governance Committee within a three year time period or sooner if required by legislation or organisational change.
The Information Governance Assurance and Security Manager will be the lead officer for ensuring the policy is reviewed and approved according to the method identified.
13. DISSEMINATION AND COMMUNICATION PLAN
To be disseminated to: Quality Governance Team via policies email
Disseminated by: Author
How: Email
When: Within 1 week of ratification
Comments: Remove watermark from ratified document and inform Quality Governance Team if a revision and which document it replaces and where it should be located on the intranet. Ensure all documents templates are uploaded as word documents.

To be disseminated to: Communication Team (documents ratified by the document ratification group)
Disseminated by: Quality Governance Team
How: Email
When: Within 1 week of ratification
Comments: Communication team to inform all email users of the location of the document.

To be disseminated to: All email users
Disseminated by: Communication Team
How: Email
When: Within 1 week of ratification
Comments: Communication team will inform all email users of the policy and provide a link to the policy.

To be disseminated to: Key individuals; Staff with a role/responsibility within the document; Heads of Departments / Matrons
Disseminated by: Author
How: Meeting / Email as appropriate
When: When final version completed
Comments: The author must inform staff of their duties in relation to the document.

To be disseminated to: All staff within area of management
Disseminated by: Heads of Departments / Matrons
How: Meeting / Email as appropriate
When: As soon as received from the author
Comments: Ensure evidence of dissemination to staff is maintained. Request removal of paper copies. Instruct them to inform all staff of the policy including those without access to emails.
14. IMPLEMENTATION AND TRAINING PLAN
The responsibility for implementing this policy lies with the Information Governance Department. The Information Governance Department are responsible for ensuring that all relevant areas within the Trust are made aware of any changes required in the policy.
The implementation process will commence upon approval of this policy by the Trust Document Ratification Group. It is the responsibility of Matrons/Heads of Departments/Service to ensure that new staff receive information about this policy and it should be part of any local inductions. They must also ensure that any changes to this policy are effectively communicated within their areas of responsibility.
The Health Records and Human Resources departments will ensure relevant staff are aware of and follow the subject access process.
Information Governance training is a core MAST subject that all staff must complete on an annual basis. This is undertaken via e-learning on the ESR system. The Information Governance Team will provide assistance to Human Resources to ensure departments are equipped to undertake this training, and where applicable, local assistance will be provided.
15. PLAN TO MONITOR THE COMPLIANCE WITH, AND EFFECTIVENESS OF THE TRUST DOCUMENT
15.1 Process for Monitoring Compliance and Effectiveness
• Overall monitoring of the Policy will be actioned by the Information Governance Committee
Audit/Monitoring Criteria: Reporting of confidentiality breaches
Process for monitoring e.g. audit, survey: Trust’s Incident Reporting System
Audit / Monitoring performed by: All Staff
Audit / Monitoring frequency: As and when incidents occur
Audit / Monitoring reports distributed to: Confidentiality Incidents are reported at Caldicott and Information Governance meetings
Action plans approved and monitored by: As per Trust’s incident Reporting Policy. Where an issue has arisen that requires disciplinary action, Trust Disciplinary Policy will be followed

Audit/Monitoring Criteria: Unannounced Audit. The audit will entail a walkthrough of the department, and the completion of the Caldicott Security Audit Checklist
Process for monitoring e.g. audit, survey: Caldicott Security Audit
Audit / Monitoring performed by: Member of the Caldicott Group & Ward Dept Manager from the area being audited. A log of areas audited and individuals involved will be maintained by the Caldicott Coordinator
Audit / Monitoring frequency: A rolling programme of unannounced audits will be undertaken on a quarterly basis
Audit / Monitoring reports distributed to: Caldicott Group and Manager of Ward/Dept audited
Action plans approved and monitored by: Caldicott Group and Manager of Ward/Dept audited

Audit/Monitoring Criteria: Reporting of SI (Serious Incidents) to ICO (Information Commissioner’s Office)
Process for monitoring e.g. audit, survey: Department of Health SIRI (Serious Incident Requiring Investigation) Tool
Audit / Monitoring performed by: Information Governance Team
Audit / Monitoring frequency: As and when incidents occur
Audit / Monitoring reports distributed to: Information Governance Committee
Action plans approved and monitored by: Information Governance Committee

Audit/Monitoring Criteria: Audits of processes related to subject access requests for health records
Process for monitoring e.g. audit, survey: Audit
Audit / Monitoring performed by: Health Records
Audit / Monitoring frequency: A rolling programme of unannounced audits
Audit / Monitoring reports distributed to: Information Governance Committee
Action plans approved and monitored by: Information Governance Committee

Audit/Monitoring Criteria: Audits of processes related to subject access requests for non-health records
Process for monitoring e.g. audit, survey: Audit
Audit / Monitoring performed by: Human Resources Department
Audit / Monitoring frequency: A rolling programme of unannounced audits
Audit / Monitoring reports distributed to: Information Governance Committee
Action plans approved and monitored by: Information Governance Committee
15.2 Standards/Key Performance Indicators (KPIs)
All Subject Access Requests responded to within the specified timescales
Information Governance Toolkit
Section 2
Appendix 1
EQUALITY IMPACT ASSESSMENT (EIA) INITIAL SCREENING TOOL
Document Name: Data Protection Policy
Date/Period of Document: Jan 2016 – Jan 2019
Lead Officer: Senior Information Risk Owner (SIRO)
Directorate: Corporate Services
Reviewing Officers: IG Assurance and Security Manager
Function / Policy / Procedure / Strategy / Joint Document, with whom?
Describe the main aim, objectives and intended outcomes of the above:
Data must only be processed in accordance with the rights of Data Subjects and in accordance with the Data Protection Act 2018.
To ensure data is processed fairly and lawfully.
You must assess each of the 9 areas separately and consider how your policy may affect people’s human rights.
1. Assessment of possible adverse impact against any minority group
How could the policy have a significant negative impact on equality in relation to each area?
Response (Yes / No). If yes, please state why and the evidence used in your assessment.
1 Age? x
2 Sex (Male and Female)? x
3 Disability (Learning Difficulties/Physical or Sensory Disability)? x
4 Race or Ethnicity? x
5 Religion and Belief? x
6 Sexual Orientation (gay, lesbian or heterosexual)? x
7 Pregnancy and Maternity? x
8 Gender Reassignment (The process of transitioning from one gender to another)? x
9 Marriage and Civil Partnership? x
You need to ask yourself:
• Will the policy create any problems or barriers to any community or group? Yes/No
• Will any group be excluded because of the policy? Yes/No
• Will the policy have a negative impact on community relations? Yes/No
If the answer to any of these questions is yes, you must complete a full Equality Impact Assessment.
2. Positive impact:
Could the policy have a significant positive impact on equality by reducing inequalities that already exist?
Explain how will it meet our duty to:
Response (Yes / No). If yes, please state why and the evidence used in your assessment.
1 Promote equal opportunities x
2 Get rid of discrimination x
3 Get rid of harassment x
4 Promote good community relations x
5 Promote positive attitudes towards disabled people x
6 Encourage participation by disabled people x
7 Consider more favourable treatment of disabled people x
8 Promote and protect human rights x
3. Summary
On the basis of the information/evidence/consideration so far, do you believe that the policy will have a positive or negative adverse impact on equality?
Please rate, by circling, the level of impact:
Positive  HIGH  MEDIUM  LOW  NIL  LOW  MEDIUM  HIGH  Negative
Date assessment completed: November 2015
Is a full equality impact assessment required?
Yes (documentation on the intranet)
No