Management of Personal Data in line with Data Protection Requirements (incorporating GDPR)

1.0  Policy

Cowper Care complies with Data Protection legislation and supporting guidance to protect the rights and data of the residents, staff, volunteers and visitors. Cowper Care is responsible for ensuring that only personal information that is actually needed is held securely, for as long as it is needed, and for the specific purposes for which it was obtained (HIQA, 2017). It is our responsibility to create a balance between respecting individuals’ privacy and providing safe, effective care (HIQA, 2017).

Cowper Care recognises that due to the data processed in relation to residents and staff, Cowper Care is a Data Controller under the remint of the GDPR.

In accordance to the Data Protection legislation, staff data, resident data, next of kin data, volunteer data, etc., is considered “personal data” and in some cases “Special Categories of Data” and must be treated as such by Cowper Care.

Cowper Care fosters a culture among staff that places the confidentiality of Data Subject information at the forefront of their minds at all times (DPC, 2018f).

2.0  Definitions

GDPR: General Data Protection Regulation which increased rights for Data Subjects and increased accountability for Data Controllers and Data Processors.

Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR, 2016)

Confidentiality: The right of individuals to keep information about themselves from being disclosed (HIQA, 2018).

Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or, or access to, personal data transmitted, stored or otherwise processed (GDPR, 2016).

Data Concerning Health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (GDPR, 2016). For example, resident medical records, employees’ fit to work certificates (NHI, 2018).

Data Controller: A person who, either alone or with others, controls the contents and use of personal data (GDPR, 2016).

Data Processor: An entity that processes personal data under the Data Controller's instructions (NHI, 2018).

Data Protection by Design: Embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy (DPC, 2018b).

Data Subject: An individual who is the subject of personal data (GDPR, 2016). For example, staff members, volunteers, residents, relatives, visitors, contractors (NHI, 2018).

Lawful basis for processing personal data: In order to process personal data an organisation/individual must have a lawful basis to do so. The lawful grounds for processing personal data are set out in Article 6 of the GDPR. These are:

• the consent of the individual;
• performance of a contract;
• compliance with a legal obligation;
• necessary to protect the vital interests of a person;
• necessary for the performance of a task carried out in the public interest;
• or in the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).
  (DPC, 2018c)

Personal Data: Any information relating to an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, 2016).  Names, phone numbers, email addresses could be considered personal data (NHI, 2018).

Privacy Impact Assessment (PIA): A process designed to identify and address the privacy issues of a particular project. It considers the future consequences of a current or proposed action by identifying any potential privacy risks and then examining ways to mitigate or avoid those risks. The term ‘Data Protection Impact Assessment (DPIA)’ is used in the GDPR (HIQA, 2017).

Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (GDPR, 2016). For example, automated recruitment processes (NHI, 2018).

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR, 2016).

Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not (GDPR, 2016).

Special Categories of Data: Special categories of data is defined in the Data Protection Acts as any personal data as to – 

1. the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject
2. whether the data subject is a member of a trade union
3. the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person,
4. the physical or mental health or condition or sexual life of the data subject
5. the commission or alleged commission of any offence by the data subject, or
6. any proceedings for an offence committed or alleged to have been committed by the Data Subject, the disposal of such proceedings or the sentence of any court in such proceedings.

3.0 Responsibilities

3.1 All staff shall:

• Be aware of Cowper Care’s data protection requirements, and their roles and responsibilities in relation to their implementation.

• Maintain the data of residents confidential and secure at all times.

• Be bound by a duty of confidentiality.

3.2 Care Manager/Assistant Care Manager/Clinical Nurse Managers shall:

• Be fully informed and accountable for the ways in which personal information shall be used (HIQA, 2012).

• Fulfil the responsibilities of the Data Protection Officer, where appropriate.

• Ensure that clinical staff maintain good record keeping practices and adhere to the relevant process.

• Monitor the resident record access.

• Ensure that resident record access and security, storage and destruction is in accordance to this procedure.

• Ensure each resident has an allocated Unique Resident Identifier number.

3.3 Data Controller (Registered Provider/CEO) shall:

• Ensure Cowper Care has a robust data protection compliance framework in place that can be easily evidenced to the Office of the Data Protection Commissioner.

• Appoint a Data Protection Officer that has the professional qualities and particular expert knowledge of data protection law and practices.
• Publish the contact details of the Data Protection Officer and communicate them directly to the supervisory authority, that being the Office of the Data Protection Commissioner.
• Provide the Data Protection Officer with the resources necessary to carry out the required tasks and provide access to personal data and processing operations, and to maintain their expert knowledge.
• Provide the data protection practices and policies to the Office of the Data Protection Commissioner in advance of an audit.
• Ensure that any personal data breach is reported within 72 hours to the Office of the Data Protection Commissioner and provide all subsequent reports to the Office as requested.
• Ensure the completion of Privacy Impact Assessments (PIA) in relation to high-risk activities or processing prior to commencing the processing of that personal data.
• Complete regular reviews throughout the life cycle of the data.
• Ensure all staff are provided with allocated protected time for training in relation to data protection requirements.
• Approve access to central IT servers.

3.4 Data Protection Officer (Facilities Manager) shall:

• Be alerted to, and involved in a timely manner, of all issues which relate to the protection of personal data.

• Be the main point of contact for Data Subjects with regard to all issues related to the processing of their personal data and in exercising his rights under GDPR.

• Inform and advise the Data Controller or the processor of their obligations under GDPR.

• Compete ongoing formal reviews of data protection activities in accordance to this procedure. Ensure compliance and monitor compliance of regulations, including the protection of personal data, the assignment of responsibilities, awareness raising and training of staff who are involved in processing operations and the related audits.

• Respond to Subject Access Requests, requests relating to the right of erasure and requests relating to the right to object within 1 month (DPC, 2017).

• Advise on PIA’s and monitor their implementation and completion.

• Co-operate with the supervisory authority, the Office of the Data Commissioner, and act as the main contact point for Cowper Care.

• Support the Data Controller in providing the data protection practices and policies to the Office of the Data Protection Commissioner in advance of an audit.

• Ensure that all personal data processing is lawful, fair and done in a transparent manner.

• Ensure that all staff are appropriately educated and trained in relation to the organisation’s data protection requirements and are aware their roles and obligations in this regard.
  (NHI, 2018)

• Be responsible for the implementation of physical and software securities for personal data.

• Ensure that Data Subject records are up to date and available for inspection.

• Ensure that all of the other policies and procedures of Cowper Care are reflective of the data protection requirements of this policy.

Where the Data Protection Officer is performing a dual role, this should not result in a conflict of interest.

3.5 Data Processer (where processing data on behalf of the Data Controller) shall:

• See section 9.0 Data Processing Agreement below.

3.6 Office of the Data Protection Commissioner shall:

• Conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory or other public authority;

• Investigate in connection with the handling of complaints; and

• Carry out periodic reviews of those who have been granted certifications such as seals or marks under GDPR. The Office of the Data Protection Commissioner has the following powers in line with Article 58(1):

  • The power to order the Data Controller and the Data Processor to provide any information it requires for the performance of its tasks;
  • The power to carry out investigations in the form of data protection audits;
  • The power to carry out a review on certifications issued pursuant to GDPR;
  • The power to notify the Data Controller or the Data Processor of an alleged infringement of GDPR;
  • The power to obtain, from the Data Controller and the Data Processor, access to all personal data and to all information necessary for the performance of its tasks, to obtain access to any premises of the Data Controller and the Data Processor, including to any data processing equipment and means.
  • The power to carry out audits of selected organisations.
    (NHI, 2018)

4.0 Individual Rights under GDPR (ICO, 2018)

4.1 Cowper Care is committed to ensuring the Data Subjects rights in relation to Data Protection are respected, those being:

1. The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. On this basis, Cowper Care must provide Data Subjects with the purposes for processing their personal data, the retention periods for that personal data, and details of who it will be shared with. This information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. Further information is provided under Section 5 of this procedure.

2. The right of access: Individuals have the right to access their personal data, or subject access. Individuals can make a subject access request verbally or in writing and Cowper Care has one month to respond. Further information is provided under Principle 8.
3. The right to rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. Further information is provided under Principle 5.
4. The right to erasure: The GDPR introduces a right for individuals to have personal data erased. Individuals can make a request for erasure verbally or in writing and Cowper Care has one month to respond to a request. This right is not absolute and only applies in certain circumstances. For further information see section 10.0 Retention and Disposal of Data.
5. The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, Cowper Care is permitted to store the personal data, but not use it. For further information see Principle 2.
6. The right to data portability: The right to data portability entitles an individual to:
   1. receive a copy of their personal data; and/or
   2. have their personal data transmitted from one Controller to another Controller.
   
   Individuals can request their data under Subject Access Requests (see section 12.0).
7. The right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Whether it applies, depends on the purposes for processing and the lawful basis for processing. This right is unlikely to be directly related to Cowper Care use of personal data due to the legal basis utilised for the retention of data.
8. Rights in relation to automated decision making and profiling: The GDPR has additional rules to protect individuals if organisations are carrying out solely automated decision-making that has legal or similarly significant effects on them. This right is unlikely to be directly related to Cowper Care use of personal data due to service provided.

5.0 Principles of GDPR

This procedure is based on the 8 principles of data protection which are enshrined in existing legislation and continue to exist under GDPR. The principles, and the related outputs are illustrated in Figure 1 below.

5.1 Principle 1 Obtain and Process Information Fairly
5.1.1  The GDPR requires that the Data Controller must have a valid lawful basis for collecting and processing any of the personal data (of either the resident or staff member) being processed. Under GDPR there are six lawful bases which can be relied upon:
(a) Consent: The basis of consent requires a very clear and specific statement of consent for their personal data to be processed for specific purpose with a positive opt-in (see 5.1.3 below).
(b) Contract: The Data Controller can rely on this lawful basis if they need to process personal data to fulfil contractual obligations or because they have requested specific steps are taken before entering into a contract (e.g., contract of employment, contract for care). The processing must be necessary to fulfil these obligations
(c) Legal obligation: The Data Controller can rely on this lawful basis when the processing is necessary to comply with a statutory obligation (not including contractual obligations), e.g., Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2013 or and National Vetting Bureau (Children and Vulnerable Persons) Act 2012.
(d) Vital interests: The Data Controller can rely on this lawful basis where the data processing is required to protect someone’s life.
(e) Public task: The Data Controller can rely on this lawful basis ‘in the exercise of official authority’ or to perform a specific task in the public interest that is set out in law. This will not generally apply to residential homes.
(f) Legitimate interests: the processing is necessary for the legitimate interests of the Data Controller or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. The threshold for evidencing legitimate interests as a lawful basis is high.
(ICO, 2018, NHI, 2018)

The Data Controller must determine the lawful basis, or reason, for collecting and processing the personal data before initiating the process. The lawful basis for collecting each aspect of personal data shall be recorded in the Data Register (see section 7.0 Data Register below).

5.1.2  The lawful basis for the collection and processing of the personal data must be provided to the Data Subject in advance of the data collection, where possible, i.e., for each type of personal data retained by Cowper Care, the resident/staff member must know the legal grounds for retaining and processing that data by Cowper Care.

If any of these uses are secondary to the original purpose for which the data was obtained, and would not be obvious to the Data Subject, then the Data Subject shall be notified, and consent shall be requested. Request for consent for secondary purposes shall be requested though the Contract of Care for residents (see 5.2.5 and 5.2.6) and through the employment contracts of staff members.

5.1.3  Where consent is used as the lawful basis, it must be freely given, specific, informed and unambiguous. When relying on consent, Cowper Care shall:

• Provide clear information on what the consent relates to;
• Give the Data Subject sufficient information to make a choice;
• Explain the different ways Cowper Care shall use their information;
• Provide a clear and simple way for the Data Subject to indicate they agree to different types of processing. The consent forms shall provide Data Subjects with the choice to consent to their information being used for one purpose but not another.

Consent may be withdrawn at any stage and separate consent must be obtained for different processing operations. An example of consent being used as a legal basis is the use of CCTV’s within Cowper Care. A consent form is provided to resident’s and staff to clarify its uses and retention (see RR-012 Obtaining Resident Consent).
(ICO, 2018)

5.1.4  Cowper Care shall have information materials and guidance that explains how the Data Subjects’ personal information is used. This shall be provided in a format that can be easily understood. The Resident Information and Privacy Statement (see Appendix 1) shall be provided as part of the Resident’s Contract of Care. Cowper Care shall provide staff with a Staff Information & Privacy Statement (see Appendix 2) that clarifies the purpose and uses of the staff member’s personal data in their employment contract. Where the data is required for recruitment processes, the controls are also detailed in Appendix 2.

5.2  Principle 2 Keep personal data only for one or more specified, explicit and lawful purposes
5.2.1  The Data Controller must inform Data Subjects of the purpose of collecting and storing personal data and appropriate consent must be provided prior to any data processing. The purposes of the processing must be precisely and fully identified prior to, or at the moment of the collection. For residents, this shall be managed under the Contract of Care. For staff, this shall be detailed within their employment contract.

5.2.2  Personal Data can only be used for the purpose the Data Controller has specified it was collected for.

5.2.3  Personal data collected for a specific purpose may be further processed for different purposes provided that these are not incompatible with the initial purposes. If Cowper Care wishes to change or add an additional purpose which is not compatible with the original purpose, then the Data Subject must be made aware of the additional purpose for which the personal data will be processed.  For residents, information shall be provided in accordance to RR-003 Resident Communication Techniques.

5.2.4  Individuals have the right to request that Cowper Care restricts the processing of their personal data in the following circumstances:

• the individual contests the accuracy of their personal data and Cowper Care is verifying the accuracy of the data;
• the data has been unlawfully processed (i.e., in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
• Cowper Care no longer need the personal data but the individual needs Cowper Care to keep it in order to establish, exercise or defend a legal claim; or
• the individual has objected to Cowper Care processing their data under Article 21(1), and Cowper Care is considering whether its legitimate grounds override those of the individual.
  (ICO, 2018)

An individual can make a request for restriction verbally or in writing and Cowper Care has one calendar month to respond to a request.

5.2.5  Request for consent for secondary purposes shall be requested though the Contract of Care for residents. Where the resident refuses to give consent to the use of their information for a secondary purpose, they shall be assured that this will not adversely affect the care they shall receive from Cowper Care (HIQA, 2012).

5.2.6  Where the resident has provided their approval for secondary use of their personal information, the resident’s identity shall be pseudonymised at the earliest possible stage of the secondary use, minimising the risk to the residents’ privacy (HIQA, 2012).

5.2.7  The above requirements shall be communicated to the resident within the Resident Information & Privacy Statement (see Appendix 1), which is contained within the resident’s Contract of Care.

5.2.8  In circumstances where a Data Controller is engaging a Data Processor, a Data Processing Agreement should be in place (see section 9.0).

5.3  Principle 3: Personal data shall be used and disclosed only in ways compatible with these purposes
5.3.1  As in Principle 2 above, the Data Controller must inform Data Subjects precisely of the purpose of collecting and storing the personal data prior to, or at the moment of the collection.

5.4  Principle 4: Keep it safe and secure
5.4.1  Any changes to Cowper Care processes, that may impact on the quality and safety of the service provided, shall be managed in accordance to GM-017 Change Control. As part of this process, proposed changes shall be considered in relation to the potential impact on the safety and security of personal data. Where appropriate, through the use of Privacy Impact Assessments (PIA’s), Cowper Care shall embed data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This shall ensure that all required controls are implemented to protect Data Subject’s personal information prior to the implementation of the change and therefore implementing data protection by design (see 6.0 Privacy Impact Assessment).

5.4.2  Where Cowper Care is currently processing personal data, and where a PIA was not previously completed, it shall consider whether a retrospective PIA is required to address any areas of risk to the Data Subjects. This shall be considered as part of the Corporate Risk Management Register (see GM-004 Risk Management Policy and Procedure).

5.4.3  The Data Controller must ensure appropriate safety measures are in place to ensure only authorised people who require access, can access the data (see section 8.0 Personal Data Protection and Security Measures below and Section 8.6 Staff Access to Records).

5.4.4  The GDPR requires that data security breaches are notified to the Office of the Data Protection Commissioner within 72 hours, and that Data Subjects are notified of the breach promptly if there is a high risk of their personal data being obtained or used inappropriately (see section 11.0 Personal Data Breaches below).

5.4.5  All staff shall receive appropriate education and training to recognise their roles and obligations in relation to the protection of personal data (see Section 14.0 Staff Education and Training).

5.5  Principle 5: Keep it accurate, complete and up to date
5.5.1  The Data Controller has an obligation to ensure that only accurate personal data is held on file. Personal data should be updated where necessary (see IM-001 Resident Records - Creation Initiation Content and Review).

5.5.2  Data Subjects have the right to have their personal data rectified if it is inaccurate, out of date or has been processed unfairly/incorrectly.

5.5.3  Requests rectification may be given verbally or in writing to the Data Protection Officer (ICO, 2018).

5.5.4  Cowper Care has one month to respond to a request (ICO, 2018).

5.5.5  Where a request for rectification has been received, the Data Protection Officer, in conjunction to other relevant staff as appropriate, shall take reasonable steps to ensure that the data is accurate and to rectify the data if necessary. Data is deemed inaccurate it is incorrect or misleading as to any matter of fact (ICO, 2018).

5.5.6  Where the Data Protection Officer is satisfied that the personal data is accurate, they shall inform the individual that the data of the decision not to amend the data and inform them of their right to make a complaint to the Office of the Data Commissioner (ICO, 2018).

5.5.7  The Data Protection Officer may refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. Where this is the case, the Data Protection Officer can:

• request a "reasonable fee" to deal with the request; or
• refuse to deal with the request.

In either case a justification will need to be provided, as well as informing the requestor with the reasons that the Data Protection Officer is not taking action and the requestors right to make a complaint to the Office of the Data Protection Commission.
(ICO, 2018)

5.5.8  The Data Controller shall:

• Ensure computer and administrative procedures are adequate and cross-checking exists to ensure high levels of data accuracy.
• Staff are aware of the general requirement to keep personal data up to date.
• Policies, procedures and practices provide for periodic reviews and audits to ensure that each data item is kept up to date, for example in tandem with four monthly care plan reviews and annual reviews, etc.

5.6  Principle 6: Ensure that it is adequate, relevant and not excessive
5.6.1  The Data Controller must make sure the personal data is adequate and is processed/used fairly and effectively. The information sought should be:

• Adequate in relation to the purpose(s) for which it was sought.
• Relevant in relation to the purposes for which it was sought.
• Not excessive in relation to the purposes for which it was sought.

5.6.2  Data Controllers must not ask for, process or hold personal data that is not relevant or needed for the purpose(s) for which it was obtained.

5.6.3  Data deletion and destruction controls are implemented as detailed in section 10.0 Retention and Disposal of Personal Data.

5.7  Principle 7: Retain it for no longer than is necessary for the purpose or purposes
5.7.1  The Data Controller shall ensure there is a clear policy for the retention and disposal of personal data they no longer required (see section 10.0). The retention times for personal data shall be detailed within the Data Register (see section 7.0).

5.7.2  Timeframes for retention of personal data should be clearly communicated to Data Subjects at the outset. The retention times for personal data shall be communicated to data subjects via the Resident and Staff Information & Privacy Statements (see Appendix 1 and Appendix 2).

5.8  Principle 8: Give a copy of his/her personal data to an individual, on request
5.8.1  Data Controllers must comply with a Subject Access Request under GDPR within 1 month. See section 12.0 below Subject Access Requests.

5.8.2  Feedback shall be requested from residents in relation to the manner in which their personal data is managed. This shall be managed in accordance to section 13.0 Resident Involvement in Data Protection below.

6.0. Privacy Impact Assessments (PIA’s) (HIQA, 2017)

6.1  Cowper Care accepts that PIA’s are required to identify and address the privacy issues of a particular change/project for implementation within Cowper Care, e.g., where Cowper Care decides to switch to a new IT provider (NHI, 2018). The PIA is used to understand the risks the project might entail for the rights of Data Subjects and then examining ways to mitigate or avoid those risks.

6.2  In the case of personal data is being processed, a PIA shall be undertaken and any recommendations to the project design implemented prior to information being processed.

6.3  Key stakeholders shall be involved in the PIA process, these may include:

• Internal stakeholders: Data Controller, project team, Data Protection Officer, IT staff, records management personnel, senior management, general staff.
• External stakeholders: residents or their representatives, third party organisations, industry experts and or academics.

6.4  The PIA shall be completed in under 5 stages, with each stage of the PIA process documented to ensure compliance with the GDPR. The stages are:

• Stage 1: PIA Threshold Assessment
• Stage 2: Identify the Privacy Risks
• Stage 3: Address Risks and Evaluation Privacy Solutions
• Stage 4: Produce the PIA report
• Stage 5: Incorporate the PIA outcomes into the Product Plan

6.5  Full details of how each of these stages are implemented is provided in GM-017 Change Management.

7.0  Data Register

7.1  Cowper Care shall maintain a permanent Data Register of all records that identifies all classes of records, the time period covered by the record, date of disposal and who is responsible for disposal of the records (HIQA, 2011; HIQA, 2012).

7.2  The Data Register provides the specific details regarding the personal data, including the Special Category Data, Cowper Care retains. 

7.3  Cowper Care’s Data Register shall contain the following details:

• The type of personal data and whether it contains special categories of data;
• The source of the personal data;
• The method of obtaining the personal data;
• The format the personal data is retained in, e.g., hard or soft copy;
• The lawful basis/reason Cowper Care is relying on to retain and process the personal data;
• The uses of the personal data. Where the personal data has more than one use, all uses should be detailed. This includes whether consent was given for the documentation and retention of the personal data and how it was received;
• The legislation that applies to the processing of the personal data (if applicable – this will depend on the lawful basis); 
• The category of people the personal data applies to, e.g., resident, staff member, prospective staff member, volunteer, contractor;
• The storage location for the personal data and in what format it is retained (where this is in more than one location, all locations should be detailed and in which format it is retained);
• The individuals/roles with authorised access to the personal data;
• The security measures applied to the personal data to protect it from unauthorised access;
• The third parties the personal data is shared with and why. The Data Controller must ensure that there are appropriate agreements in place with these third parties;
• How the personal data is kept up to date and maintained;
• How long the personal data will be retained (see 10.0);
• How it the personal data is deleted/destroyed (see 10.0 below);
• Who is responsible for the personal data within the organisation, e.g. Care Manager responsible for residents’ records.
  (NHI, 2018)

7.4  The Data Register shall also include the following personal data records (NOTE: this list is not definitive):

• Staff feedback and performance reviews (see HR-008 Staff Performance Appraisal & PDP)

• Staff training records (see HR-006 Staff Education and Training)

• Directory of Residents.

• The Visitors Log (see RR-006 Visiting Residents at Cowper Care).

7.5  The Data Controller, in conjunction with the Data Protection Officer, is responsible for the maintenance and upkeep of the Data Register.

7.6  The Data Register shall be reviewed on an ongoing basis to ensure it is reflective of the personal data details, but specifically where a change control process is implemented that impacts on personal data and related controls.

8.0  Personal Data Protection and Security Measures

Cowper Care shall implement effective data security measures for personal data.

8.1  Physical Securities for Hardcopy Personal Data
8.1.1  The designated location utilised to retain personal data records shall have secure windows, doors and a controlled access system. This location shall allow for controlled access and speedy retrieval of records when and where they are required by authorised individuals (HIQA, 2011) but also provide controls to prevent unauthorised access (see section 8.7 below).

Staff shall be informed that the resident record storage area is generally out of bounds for all staff, with the exception of those who have authorised access for the purpose of the service being provided (DPC, 2018).

Staff who are authorised to access the resident records storage area shall be prohibited from bringing an unauthorised staff member into the storage area with them (DPC, 2018).

8.1.2  Other departments of Cowper Care shall not be physically located in the same area as the personal data records are stored unless robust access control measures are in place to restrict access to the area (DPC, 2018).

8.1.3  Personnel data shall be protected from hazards such as fire, flooding, temperature, humidity, atmospheric pollution, and vandalism by use of a fireproof cabinet that can be locked when not in use. The keys of locked filing cabinets shall be stored in a secure location and staff are prohibited from taking such keys home at the end of their shift (DPC, 2018).

8.1.4  All staff shall ensure that personal data is guarded securely at all times and shall take care to ensure that the Data Subjects information is not placed in any public place or where it may be viewed or accessed inappropriately (NHO, 2007).

• Personal data shall not be placed on reception desks or on trolleys except when they are required and under the supervision of appropriate clinic staff.
• Personal data records shall never be stored in an unsecured area (DPC, 2018f).
• Where trolleys are used to transport resident records throughout Cowper Care, these trolleys shall be covered over securely to protect the resident information held on the records from being seen or accessed by third parties. The records shall not be stored outside the secure bin compartment of trolleys while trolleys are in transit (DPC, 2018f).
• Resident’s shall never be required to carry their personal data information from one area of Cowper Care to the other (DPC, 2018f).
• Personal data shall not be left on desks in offices in the absence of the responsible staff. Whenever an office is left unattended it should be securely locked. 
• All personal data records shall be returned to their appropriate storage facility as soon as reasonably possible after use (ABA, 2002) (see 8.6 below).

8.1.5  All waste papers, printouts, etc. of personal data shall be stored in secure lockable confidential waste bins that have a bin top or slot through which confidential waste can be placed but not retrieved. This applies to all areas of Cowper Care, including office areas to which access is restricted to staff (DPC, 2018f). Waste paper shall be disposed of via confidential shredding by an approved supplier.

(For additional information on Filing of Residents Records see IM-001 Resident Records – Creation, Initiation, Content and Review).

8.1.6  Where utilised, all used handover lists, and resident lists are all disposed of safely in a shredder or in a secure lockable confidential waste bin (DPC, 2018f).

8.1.7  Observation charts shall be stored securely in a protected environment, in the immediate vicinity of a resident’s bed if necessary, where they are accessible only to the staff who have a professional need to access them. Resident charts, resident information or nursing notes shall never be stored in open shelving on trolley bins (DPC, 2018f).

8.1.8  Door access to areas of Cowper Care to which residents or members of the public do not have general access to shall be properly secured at all times to prohibit access by unauthorised persons (DPC, 2018).

8.1.9  Where keypad access controls are in use for certain areas of Cowper Care, the key codes shall be changed periodically (DPC, 2018).

8.1.10  Keys of locked offices should be stored in a secure location and staff shall be prohibited from taking such keys home at the end of their shift (DPC, 2018).

8.1.11  Postal correspondence, such as incoming and outgoing letters, that is awaiting collection or further distribution within Cowper Care, shall be held in a secure environment out of reach of residents or visiting members of the public (DPC, 201).

8.1.12  Where Cowper Care becomes aware of unauthorised access to personal data records by staff, this shall be treated as a disciplinary matter in accordance to HR-023 Disciplinary Procedure (DPC, 2018).

8.2  Software Securities for Data
Where the records of Data Subjects are retained via software systems, Cowper Care shall use technical security measures to protect the data. Minimum standards of security implemented by Cowper Care shall include the following:

8.2.1  Implementation of software controls to prevent external hacking and access by the cloud provider’s personnel or by other users. Anti-virus software shall be used and shall be kept up to date.

8.2.2  Access to central IT servers shall be restricted in a secure location with only a limited number of staff having access. The access for these individuals to the central IT server are approved by the Registered Provider, including any non-authorised staff or contractors.

8.2.3  Secure backup systems shall be in place for vital personal data. There shall be a back-up procedure in operation for data held on computer. This shall include an off-site back up.

8.2.4  Personal data on computer screens should be hidden from the view of passers-by at all times. Computer screens shall be set to automatically lock and log users off after a certain short period of inactivity. A screen saver shall appear on locked screens to ensure that no personal data of patients remains visible (DPC, 2018f).

8.2.5  Individual passwords for systems shall be used to stop unauthorised access to records. PC’s and laptops shall utilise encryption software. The standard of encryption shall be sufficiently robust to withstand attacks from newly developed decryption software (DPC, 2018e).

8.2.6  Transmission of personal data over external networks, such as the internet, should normally be subject to robust encryption (DPC, 2018e).

8.2.7  Access to personal data held in soft copy will be allocated in accordance to the roles and responsibilities of the staff member (see 8.6.5 below).

8.2.8  Staff are prohibited from accessing or editing, via other users’ accounts, the records of personal data on Cowper Care’s computer systems (DPC, 2018).

8.2.9  Where IT management and securities are managed by an external supplier, the supplier shall be formally approved in accordance to GM-009 Supplier Review and Approval. Where the supplier is involved in the storage or processing of data, a Data Processing Agreement shall be in place covering the security of the data that meets or exceeds the assessed level of protection required (see Section 9.0).

8.3  The Data Subject’s personal information shall not be discussed by staff outside Cowper Care or in Cowper Care corridors, lifts or canteen (HIQA, 2011).
Notices shall be displayed prominently in staffing areas of Cowper Care, such as offices, meeting rooms, staff canteens, etc. to continually highlight to staff their obligations in relation to respecting the data protection rights of residents (DPC, 2018f).

8.4  Where a discussion relating to personal information is taking place with a Data Subject, the door shall always be closed while in order to protect their data protection rights (DPC, 2018f).

8.5  During discussions with staff, residents shall be afforded sufficient space and privacy to allow them to provide details of their personal information without the risk of being over-heard by other residents, staff, or visitors (DPC, 2018f).

8.6  Where possible, regularly dialled fax numbers shall be pre-programmed into the fax machine to minimise the risk of misdialling errors. Where this is not possible, a directory of regularly dialled fax numbers typed in a clear and easy-to-read format shall be placed in a prominent position beside each fax machine (DPC, 2018f).

The fax machines shall have a guidance note on display nearby to provide users with advice on the circumstances in which it is appropriate to use fax machines to transmit personal or special categories of data and to warn users of the risks of transmitting the message to the wrong fax number. The guidance note shall also provide practical directions on how to use a fax machine and outline the procedures to be followed in the event that an outgoing fax message is mis-directed (DPC, 2018f).

8.7  Staff Access to Resident Records
8.7.1  All residents shall have individual records created as per IM-001 Resident Records – Creation, Initiation, Content and Review. All records shall be maintained in a manner to ensure completeness, accuracy and ease of retrieval to relevant individuals.

8.7.2  Cowper Care shall ensure the appropriate sharing of information to improve the residents’ outcome and quality of care, with identifiable information only being shared with staff members who have a duty of care to the resident (HIQA, 2011).

Arrangements shall be in place to ensure staff have access to the information they need in a timely manner. This shall include sharing information within and between services in a way that protects the privacy and confidentiality of the resident to whom the information relates, in line with legislation, National Standards and national guidance (HIQA, 2018).

8.7.3  Robust controls shall be put in place to limit staff access to resident record storage areas to those staff who have a need for such access. This access shall be held to a minimum (DPC, 2018f).

8.7.4  The level of access allocated shall be dependent on the roles and responsibilities of the staff member. No medical, clinical or nursing staff shall be given unrestricted access to all electronic resident records irrespective of whether or not they have a business need to have such access (DPC, 2018).

The relevant sections of the resident record and/or its information content shall be made available only to: 

• Medical, nursing/midwifery and other Health and Social Care Professionals who are responsible for providing or supervising the resident’s care.
• Any Health and Social Care Professional to whom the resident is being referred or transferred. Where the resident has been transferred or discharged to another healthcare service or medical practitioner for continuing care and treatment, information from the resident’s healthcare record of direct relevance to the continuing care and treatment should generally be released on written request by the healthcare service or medical practitioner. Information should also be released on confirmation by the receiving healthcare service of transfer arrangements (HSE, 2011).
• Staff members authorised by the Care Manager to process the record, to collate medical and statistical information, to collect data for authorised clinical research projects, to review the record for quality assurance, clinical audit, quality improvement, risk management or infection control purposes.
• Other individuals with specific written authorisation in accordance with the Data Protection Acts 1988 and 2003 and, where applicable, the Freedom of Information Act 2014. This may be for inspection or monitoring purposes (NHO, 2007) (HSE, 2011).
• For research purposes, where resident details are anonymised or where the healthcare organisation has obtained clear and unambiguous consent from the residents concerned for the use of their healthcare information for these purposes (HSE, 2011).
• Restrictions are implemented for Health Care Assistants (HCA’s) in relation to completing elements of the resident records. HCA’s shall:
  • Complete fluid balance and food intake charts and daily flow charts, care plans as appropriate.
  • Not complete on prescription charts, nursing event sheets/progress notes, medical notes and assessments.
  • Have entries to daily flow sheets and checklists counter signed by a nurse as appropriate.
    (Dougherty & Lister 2008)
• Cowper Care administrative and clerical support staff and other non-clinical members of the workforce shall only access as much information as they need to carry out their role. This may include access to the record for quality assurance, clinical audit, quality improvement, risk management or infection control purposes (HSE, 2011).

8.7.5  The staff member who takes a residents’ record is responsible for its safety, for ensuring its confidentiality (as per HR-018 Confidentiality Policy) that it is returned to the correct storage area and tracked back (HSE, 2011).

8.7.6  Cowper Care shall have an accessible log for tracking resident records that informs the Care Manager/DPO of the following:

• when records are being removed from the records storage
• who removed the records
• description of the record (including volume number/media type)
• where the records were taken to
• when the records were returned
  (HIQA, 2012; HSE, 2011).

This log, in conjunction with any swipe card data, shall be routinely reviewed by the Data Protection Officer, in conjunction with the Care Manager, to generate Access Reports in respect of staff access to resident records. These access reports shall be monitored on a regular basis to detect if any suspicious patterns of access are occurring (DPC, 2018).

The review shall also alert the Data Protection Officer and Care Manager where resident records have not been returned to the resident record storage area by a certain period of time (DPC, 2018).

8.7.7  Where Cowper Care becomes aware of unauthorised access to resident records by staff, this shall be treated as a disciplinary matter in accordance to HR-023 Disciplinary Procedure (DPC, 2018).

8.8  Unique Resident Identifier
8.8.1  Cowper Care shall have a mechanism to uniquely identify each resident using their service in order to avoid duplication and misidentification, in line with national Standards and best practice (HIQA, 2018).

8.8.2  Each resident shall be allocated a Unique Resident Identification number by Cowper Care. The identifier shall be created so that individuals cannot be identified from their number, e.g., the following shall not be utilised:

• dates of birth,
• admission dates,
• room numbers
• other individual specific data, including National Intellectual Disability Database (NIDD) personal identification numbers)
  (HIQA, 2014)

8.8.3  The Registered Provider shall retain a log of the allocated unique resident numbers. This log, and related code if applicable, shall be accessible only to the Registered Provider and the Care Manager/Assistant Care Manger/DPO and shall be appropriately secured. Access shall be provided to HIQA Chief Inspectors if requested.

8.9  Transfer of Resident Personal Data
8.9.1  Where resident records are to be transferred, they shall be securely packaged with the destination clearly identified (NHO, 2007).

8.9.2  Resident records shall be transported in such a way that residents’ names are not visible (NHO, 2007).

8.9.3  Resident records shall never be left unattended in the course of their delivery (NHO, 2007).

8.9.4  A record shall be kept of all resident records that are transferred out of Cowper Care (NHO, 2007).

8.9.5  Where the records are being transferred outside the European Economic Area (EEA) this shall be in line with Data Protection legislation (HIQA, 2012).

9.0  Data Processing Agreement

9.1  All data processing arrangements with third party service providers shall meet the requirements of Section 2C(3) of the Data Protection Acts 1988 & 2003 and the requirements of the GDPR from 25 May 2018.

9.2  Where Cowper Care engages the services of a Data Processor, it shall take certain steps to ensure that the data protection standards are maintained. A Data Processor shall be engaged to complete data processing for Cowper Care under a written contract, which details appropriate data securities and safeguards (DPC, 2018e).

9.3  The overall responsibility for the duty of care owed to personal data is held by the Data Controller.

9.4  Any contract utilised for the engagement of a Data Processor shall specify:

• The subject matter of the data and duration of the processing;
• The type of personal data and categories of data subject.
• The obligations and rights of Cowper Care as the Data Controller.
• The instructions as to what the Data Processor can do with the personal data provided.
• The nature and purpose of the processing, that the Data Processor will process personal data only on the basis of the authorisation and instructions received from the Data Controller. This provision ensures that personal data passed on to a Data Processor may not be retained or used by the data processor for its own purposes.
• That the Data Processor must be committed to apply appropriate security measures to the personal data to protect it from unauthorised access or disclosure. This provision ensures that the standard of security must be maintained when the personal data is passed from Cowper Care to its agent.
• That the Data Processors ensure that people processing the personal data are subject to a duty of confidence.
• That the Data Processors may only engage sub-processors with the prior consent of the Data Controller and under a written contract.
• That the Data Processors assist the Data Protection Officer in providing Subject Access Requests and allowing Data Subjects to exercise their rights under the GDPR.
• Any penalties in place should the terms of the contract be broken by the Data Processor.
• That the Data Controller or their agents have a right to inspect the premises of the Data Processor as to ensure compliance with the provisions of the contract.
• That the Data Processor must submit to audits and inspections by the Data Processor to ensure compliance with the provisions of the contract, or by the Office of the Data Commissioners, and provide the Data Controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations.
• That the Data Processor shall tell the Data Controller immediately if there is a personal data breach or is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
• That the Data Processor must register with the Office of the Data Protection Commissioner for the duration of the contract.
• That the deletion or return of the data is required upon termination or ending of the contract.

9.5  Data Subjects shall be made aware in the Information and Privacy Statements (see Appendix 1 and Appendix 2) where personal data will be disclosed to third parties, such as Data Processors.

10.0  Retention and Disposal of Personal Data

10.1  Information should not be retained once the initial purpose has ceased, unless there is a clear lawful basis. Cowper Care recognises that personal data cannot be retained just in case the Data Subject makes a request at some time in the future. For the majority of personal data, apart from the data detailed in section 10.3 below, Cowper Care shall not retain personal data for any purpose for longer than is necessary (GDPR, 2016). Cowper Care shall consider the purpose of the information, shall formalise a retention period for that type of personal data and provide adequate justification for this required retention period. This retention timeline and justification shall be detailed in the Data Register (see section 7.0). After this retention period has elapsed, the personal data and associated records shall be securely deleted.

10.2  The retention policy for all data is detailed within the Data Register (as per section 7.0).  The retention for certain records created by Cowper Care is specified under relevant regulation.

10.2.1  The following personal data records shall be retained for periods as directed by the regulation:

• Resident records: Resident records, as set out in Schedule 3 of S.I. 415 of 2013 shall be retained for a period of not less than seven years after the resident has ceased to reside in Cowper Care (see Appendix 1 How to develop a Resident Information and Privacy Statement for list of records to be retained for 7 years).
• Documents held in respect of the Person in Charge, and each member of staff shall be retained for a period of not less than seven years after the staff member has ceased to be employed in the designated centre concerned (see HR-012 Staff Records - Content Access and Review). These include:
  • Evidence of the person’s identity, including his or her full name, address, date of birth and a recent photograph.
  • A vetting disclosure in accordance with the National Vetting Bureau (Children and Vulnerable Persons) Act 2012.
  • Details and documentary evidence of any relevant qualifications or accredited training of the person.
  • A record of current registration details of professional staff subject to registration.
  • A full employment history, together with a satisfactory history of any gaps in employment.
  • Correspondence, reports, records of disciplinary action and any other records in relation to his or her employment.
  • Details of any previous experience (if any) of carrying on the business of a designated centre.
  • Three written references, including a reference from a person’s most recent employer (if any).
• The following shall be retained for a period of not less than four years from the date of their making:
  • Staff duty rosters (see HR-022 Staffing Levels, Rotas and Working Hours)
  • The Visitors Log (see RR-006 Visiting Residents at Cowper Care).
  • Complaints records (see RR-017 Responding to Complaints)

10.2.2  The following general records shall be retained for a period of not less than seven years from the date of their making:

• notifications (see GM-019 Management of HIQA Notification Forms)
• incidents, including adverse events and medication errors, and incident logs.

10.2.3  The following general records shall be retained for a period of not less than four years from the date of their making:

• fire safety records, including:
  • fire practice,
  • drill or test of firefighting equipment, including fire alarm equipment and any taken to remedy any defects found,
  • the number, type, and maintenance records of firefighting equipment (see CE-022 Management of Internal Emergencies (incorporating Fire Safety and Evacuation))

10.2.4  Other general records to be retained for inspection where requested include:

• The annual review reports (see GM-012 Quality Assurance and Continuous Improvement).
• The Statement of Purpose (see GM-003 Development and Communication of the Statement of Purpose).
• The residents’ guide (see RR-001 Resident Information Education Material).
• All inspection reports (see GM-013 Registration and Inspection Management Policy).
• Details of charges (see RR-014 Development and Agreement of Resident Contract of Care).
• Records related to food (see HS-025 Nutritional Status and Management);
• Audit records (see GM-005 Audit Management).
• Minutes of meetings (see GM-001 Internal & External Communication Processes).
• Surveys of people who use the service (see RR-011 Resident Involvement, Consultation and Feedback).

10.3  After the retention period has passed, the records that meet approval for destruction by the Data Protection Officer, in conjunction with the Care Manager. Cowper Care shall ensure record disposal safeguards are implemented and maintained and records shall only be destroyed under confidential, secure conditions (NFVSP, 2019). Record destruction includes secure shredding and comprehensive electronic deletion with certification of deletion/destruction (NFVSP, 2019).

10.4  Cowper Care shall maintain a Register of Records Destroyed as proof that the confidential records no longer exist (NFVSP, 2019). The Register shall contain the following:

• Residents’/Persons’ name.
• Date of birth.
• Address.
• Name of the file.
• File/record number.
• Former location of file.
• Date of destruction.
• Person who provided authority to destroy the records and signature of approval for destruction.
  (NFVSP, 2019)

10.5  Under the Data Protection legislation, a Data Subject has the right to request all information held in relation to them be destroyed, however this right is not absolute, e.g. a staff member who has had their employment terminated may request their personal data is destroyed, however if there is a lawful reason why this personal data must be retained such as a legal claim, Cowper Care can refuse and continue to retain it in accordance with Cowper Care’s determined retention periods. This shall be dealt with on a case by case basis by the Data Protection Officer, in conjunction with the Data Controller and the Care Manager. 

10.6  In certain situations, the Data Subject may have the right to request personal data be moved, e.g., to a new care provider. This request shall be supported by the Data Protection Officer.

10.7  Where the resident is deceased or is discharged from Cowper Care, the records shall be stored securely in a secure location away from the ward (see 8.0 above)

11.0  Personal Data Breach

11.1  A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. Personal data breaches can include:

• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen; 
• alteration of personal data without permission; and
• loss of availability of personal data.
  (ICO, 2018)

11.2  Where staff identify that a possible personal data breach has occurred, they shall report this to the Data Protection Officer.

11.3  The Data Protection Officer, in conjunction with the Data Controller shall complete an investigation to quickly establish whether a personal data breach has occurred. Where required, additional support shall be sourced to investigate the possible breach, e.g., IT Support Services, external Data Processers, etc. (ICO, 2018).

11.4  Where it is found that a personal data breach has occurred, the Data Protection Officer and the Data Controller shall establish the likelihood and severity of the resulting risk to the Data Subject’s rights and freedoms.

11.5  Data Controllers do not have to notify the Office of the Data Protection Commissioner if the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects e.g., a laptop is stolen but it is protected to a high standard, e.g., appropriately encrypted. Cowper Care shall also be exempt from reporting where the full extent and consequences of the incident has been reported without delay directly to the affected Data Subject(s) and it affects no more than 100 data subjects, and it does not include special categories of data or personal data of a financial nature (DPC, 2018b). Even where there is no obligation to notify the breach, the Data Controller must still document the breach and the steps taken to resolve it and to prevent it from occurring again.

11.6  If it’s likely that there is a risk to personal data then the Office of the Data Protection Commissioner must be notified without undue delay, but not later than 72 hours after becoming aware of it (DPC, 2018f).

11.7  When reporting a breach to the Data Protection Commissioner, the following must be provided:

• a description of the nature of the personal data breach including, where possible:
  • the categories and approximate number of individuals concerned; and
  • the categories and approximate number of personal data records concerned;
• the name and contact details of the Data Protection Officer, or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
  (ICO, 2018)

11.8  This initial contact with the Office of the Data Protection Commissioner may be by e-mail (preferably), telephone or fax and must not involve the communication of personal data. Cowper Care can also use the ‘Report a breach’ online form which is available from https://forms.dataprotection.ie/report-a-breach-of-personal-data.

11.9  Where it is not possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it, the Office of the Data Protection Commissioner shall accept the required information in phases, as long as this is done without undue further delay (ICO, 2018).

11.10  The Data Subject(s) shall be notified of the personal data breach promptly by the Data Controller if there is a high risk that their personal data has been obtained or used inappropriately. Supports shall be provided by Cowper Care to the affected parties. The information to be provided to the Data Subjects in clear and plain language include:

• the nature of the personal data breach;
• the name and contact details of the Data Protection Officer;
• a description of the likely consequences of the personal data breach;
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

The Data Protection Officer shall make themselves available to the Data Subject to discuss the issue further and shall provide the Data Subject with ongoing updates relating to the investigation and close out.

11.11  In appropriate cases, Data Controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc. (DPC, 2018b).

11.12  All appropriate actions shall be taken by the Data Controller, in conjunction with the Data Protection Officer to contain the breach, assess and address the potential adverse consequences for individuals and address the root cause of the breach to prevent reoccurrence. Cowper Care recognises that Data Controllers can be subject to large fines, unless they can demonstrate appropriate measures were taken to ensure the personal data was safe and secure.

11.13  Depending on the nature of the incident, the Office of the Data Protection Commissioner may investigate the circumstances surrounding the personal data security breach. Investigations may include on-site examination of systems and procedures and could lead to a recommendation to inform Data Subjects about a security breach incident where a Data Controller has not already done so. If necessary, the Commissioner may use his enforcement powers to compel appropriate action to protect the interests of the Data Subjects (DPC, 2018h).

11.14  Following containment of the breach, the Data Protection Officer, in conjunction with the Data Controller shall review the incident to consider what lessons can be learnt from the breach and Cowper Care’s response to the breach.

11.15  All personal data breaches, whether reportable to the Office of the Data Protection Commissioner or not, shall be documented within the incident management process (see GM-010 Incident Reporting - Identification Documentation Rectification Review and Communication). The incident report shall document the facts relating to the breach, its effects, the roles and responsibilities and the remedial actions taken to contain an incident and rectify it as appropriate. These records should be provided to the Office of the Data Protection Commissioner upon request.

11.16  Where it is found that the personal data breach was due to a staff member not adhering to the personal data controls of Cowper Care, they shall be subject to disciplinary action as per HR-023 Disciplinary Process (NHO, 2007).

11.17  Where Cowper Care utilises a Data Processor, and this processor suffers a breach then, under Article 33(2) of the GDPR, the Data Processer is required to inform Cowper Care without undue delay as soon as it becomes aware of the breach. As the Data Controller, Cowper Care is then required to notify the Data Protection Commissioner.

12.0  Right of Access – Subject Access Requests

12.1  Under the Data Protection Acts 1988 to 2018, Data Subjects have a right to obtain a copy, clearly explained, of any information relating to them that is kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation.

Subject Access Requests are only available for residents who are still living. For residents who are deceased, and where there is a data access request made, these shall be managed in accordance to the Freedom of Information Act.

12.2  Cowper Care recognises that Data Subjects are entitled to:

• a copy of the data Cowper Care is keeping about him or her;
• know the categories of their data and Cowper Care’s purpose/s for processing it;
• know the identity of those to whom Cowper Care discloses the data;
• know the source of the data, unless it is contrary to public interest;
• know the logic involved in automated decisions;
• data held in the form of opinions, except where such opinions were given in confidence and even in such cases where the person’s fundamental rights suggest that they should access the data in question it should be given. (NHI, 2018)

12.3  All Subject Access Requests must be made to the Data Protection Officer. This may be made verbally or in writing (ICO, 2018), however, personal information shall never be provided to individuals over the phone. This point of contact shall be communicated to all Data Subjects, to staff as part of their induction training and to resident’s within their Contract of Care and Residents Guide.

12.4  On receipt of the request from a Data Subject, where appropriate, the Data Protection Officer shall verify the identity of the person making the request, using ‘reasonable means’. If a request is received and the Data Protection Officer is not satisfied as to the person’s identity, evidence of identity may be required from the requestor. This shall be applied where it is deemed necessary and where there is a risk of disclosing personal data to a third party.

12.5  Data Subjects are entitled to the following information once a Subject Access Request has been made:

• Confirmation that their personal data is being processed
• A copy of their personal data
• The categories of their personal data processed and your purpose for processing it
• The identity of those to whom Cowper Care has disclosed the data
• The source of the data, unless it is contrary to public interest
• The logic involved in automated decisions (if any). It should be noted that Data Subjects are entitled to object to profiling.
  (ICO, 2018)
  
  The resident shall only be entitled to see their own information. A redaction exercise shall be carried out to remove any information about other individuals before information is sent to the resident

12.6  Copies of the personal data information must be provided free of charge; however, the Data Protection Officer can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

A reasonable fee may also be charged to comply with requests for further copies of the same information. This does not apply for all subsequent access requests.

Any fees applied must be justifiable and based on the administrative cost of providing the information (ICO, 2018).

12.6  CCTV footage can be released in two forms:

• A video copy of the footage
• Still images (photograph) taken from the camera. Where still images are provided, they shall be at a rate of one photograph per second of video.

Where CCTV footage is requested, the DPO shall ensure that images of other residents/individuals shall be pixelated or otherwise blanked out.

12.7  If the request is made electronically, the personal data shall be provided in a commonly used electronic format. Where the information is being sent by post it shall be sent by registered post, double wrapped, and marked confidential (HSE, 2011).

12.8  Copies of the personal data information must be provided free of charge; however, the Data Protection Officer can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

A reasonable fee may also be charged to comply with requests for further copies of the same information. This does not apply for all subsequent access requests.

Any fees applied must be justifiable and based on the administrative cost of providing the information (ICO, 2018).

12.9  Information must be provided to the Data Subject without delay and at the latest within one month of receipt. An extended period of compliance may be applied by a further two months where requests are complex or numerous. If this is the case, the Data Protection Officer must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

12.10  Where Cowper Care has a large quantity of information about an individual, the Data Protection Officer may ask the individual to specify the information the request relates to (Recital 63). The GDPR does not include an exemption for requests that relate to large amounts of data, but the Data Protection Officer may be able to consider whether the request is manifestly unfounded or excessive.

12.11  Where the data relates to information managed by a Data Processor, the Data Protection Officer shall work with the external provider to source the requested information.

12.12  The Data Protection Officer shall keep a note of the efforts made by Cowper Care in searching for data in case there is a complaint made by the individual to the Office of the Data Protection Commissioner.

12.13  Where the Data Protection Officer believes the requests are manifestly unfounded or excessive, in particular because they are repetitive within a short period of time, they may:

• charge a reasonable fee taking into account the administrative costs of providing the information; or
• refuse to respond.

Where the Data Protection Officer refuses to respond to a request, they must provide a justification to the individual, informing them of their right to complain to the Office of the Data Protection Commissioner without undue delay and at the latest within one month.

12.14  Exemptions to the Right of Access
Individuals do not have a right to see information relating to them where any of the following circumstances apply.

• If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing / collecting any taxes or duties: but only in cases where allowing the right of access would be likely to impede any such activities.
• If the information concerns an estimate of damages or compensation in respect of a claim against Cowper Care, where granting the right of access would be likely to harm the interests of the organisation.
• If the information would be subject to legal professional privilege in court.
• If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved
• If the information is back-up data. (NOTE: back-up data is not necessarily the same as old or archived data. Such archive data is subject to an individual's right of access in the normal way).
• The Data Protection (Access Modification) (Health) Regulations, 1989 (SI No. 82 of 11989) produce that health data relating to an individual should not be made available to the individual, in response to a Subject Access Request, if that would be likely to cause serious harm to the physical or mental health of the Data Subject. Where the Data Subject is a resident, in this instance, the Data Protection Officer shall discuss the issue with the Multidisciplinary Team.
• A Data Protection Officer is not obliged to comply with an access request if that would result in disclosing data about another individual, unless that other individual has consented to the disclosure. However, the Data Protection Officer shall disclose so much of the information as can be supplied without identifying the other individual by reaction of names or particulars.
• Where personal data consists of an expression of opinion about the Data Subject by another person, the Data Subject has a right to access that opinion except if that opinion was given in confidence. If that opinion was not given in confidence, then the possible identification of the individual who gave it does not exempt it from access.

13.0  Resident’s Involvement in Data Protection

13.1  Cowper Care shall seek resident’s participation in decisions about treatment and management of their personal information and monitor 'user satisfaction' with information handling practices through resident groups and surveys (HIQA, 2011)

13.2  Cowper Care staff shall be able to discuss any concerns raised by residents in relation to their records or be able to direct them to a more knowledgeable member of staff (HIQA, 2011). Cowper Care shall record and manage any concerns or complaints relating to resident's records in accordance to RR-017 Responding to Complaints.

Where residents or their families have issues with the data security process implemented within Cowper Care, and feel their rights are being infringed, can complain to the Office of the Data Commissioner, who will investigate the matter, and take whatever steps may be necessary to resolve it (DPC, 2018h). This process will be supported by the Data Protection Officer.

14.0  Staff Education and Training

14.1  The Care Manager shall identity the education and training requirements of staff to help ensure that Cowper Care complies with legislation and best practice when handling Data Subject’s personal information. Staff at all levels shall be adequately trained to understand the implications of losing personal data.

14.2  All reasonable measures should be taken to ensure that staff are made aware of the organisation’s data security measures and that staff are complying with them. All staff shall receive training at induction, and on a periodic basis, in accordance to their role, to ensure their awareness of the data protection requirements. The training shall include:

• their obligations in respecting and ensuring appropriate data protection within Cowper Care.
• the need for data privacy.
• how to recognise data security breaches and what to do in the event of a data security breach (DPC, 2018f).

Training programmes for reception staff shall be rolled out on a regular basis to ensure that best practices for the capture of personal data are observed and implemented at all times (DPC, 2018).

14.3  Cowper Care shall ensure that data dictionary, terminology systems, data collection, data classification or coding manuals are freely available for staff and version controlled to reflect changes to documentation (HIQA, 2012).

14.4  Cowper Care shall ensure that the Data Protection Officer should have an appropriate level of expertise in data protection law and practices to enable them to carry out their critical role, including the ability to support Subject Access Requests (Data Protection Commissioner, 2018). The appropriate level of qualification and expert knowledge shall be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed (see dataprotection.ie for guidance on appropriate qualifications for a Data Protection Officer).

15.0  Audits by the Office of the Data Protection Commissioner

15.1  The Office of the Data Protection Commissioner will carry out audits of selected organisations against the regulatory requirements relating to Data Protection. The aim of an audit is to identify any issues of concern about the way the organisation deals with personal data and to recommend solutions.

15.2  The Office of the Data Protection Commissioner will carry out audits of selected organisations against the regulatory requirements relating to Data Protection. Data Controllers will be asked to provide their data protection practices and policies to the Office of the Data Protection Commissioner in advance of an audit. The inspection team will then meet with staff of the Data Controller and inspect electronic and manual records and ensure the practices and policies are in line with those that had been provided prior to the audit.

16.0  Audit and Evaluation

16.1  Annual information governance assessments shall be performed internally by the Care Manager to help identify good practice and highlight areas that need improvements (HIQA, 2011).

16.2  The Registered Provider/Head of Services – Non-Clinical (DPO) shall evaluate the effectiveness of record management storage, security, and destruction as part of annual review process (see GM-012 Quality Assurance and Continuous Improvement).

16.3  Regular audits shall be completed by the Data Protection Officer to ensure that:

• Personal data that is due for deletion /destruction in accordance to the retention periods as detailed in the Data Register is securely and confidentially destroyed.
• Access rights to hard copy personal data records and electronic records are confined to those staff who require access on a ‘need to know’ basis to in line with their job role, including and the care and treatment of the resident as appropriate.
• Data protection controls are implemented in accordance to this policy. The Data Protection Officer shall complete this process via a review of relevant records, incident reports, through observation and by utilising the appropriate audit tools. The audits will incorporate review of other related policies and procedures that should be reflective of the data protection requirements detailed within this procedure, these include:
  • CE-022 Management of Internal Emergencies (incorporating Fire Safety and Evacuation)
  • PR-001 Safeguarding and Protection of the Resident
  • PR-002 Recognising and Responding to Allegations of Abuse
  • PR-003 Management of Whistleblowing
  • PR-004 Security of Residents’ Accounts and Personal Property
  • HS-001 Management of Admission, Assessment and Care Initiation
  • HS-006 Prescription, Ordering, Storage and Disposal of Medications
  • HS-025 Nutritional Status and Management
  • HS-032 Resident Transfer Discharge and Overnight Leave
  • QL-005 Management Behaviour that is Challenging and Behavioural and Psychological Symptoms of Dementia
  • RR-001 Management of Resident Information and Education Material
  • RR-004 Provision of Information to Resident's Family
  • RR-010 Residents Rights, Development, Review, Approval and Communication
  • RR-017 Responding to Complaints
  • GM-004 Risk Management Policy and Procedure
  • GM-012 Quality Assurance and Continuous Improvement
  • GM-018 Health and Safety Risk Management
  • GM-019 Management of HIQA Notification Forms

Results of these audits are presented to the Management Team.

17.0  Records (specific to Data Protection Requirements)

• Subject Access Requests and supporting documentation of efforts implemented to source data.
• Information and Privacy Statements
• Data Register
• Data Protection Agreements
• Resident User Satisfaction Records (relating to Data Protection)
• Privacy Impact Assessment Records and Reports (including Change Control Records)
• Records of Personal Data Destruction
• Staff training records (relating to Data Protection)
• Consent Records
• Access Reports (swipe card and resident record logs)

18.0  References

Data Protection Acts 1988 and 2003

Data Protection Commissioner (DPC, 2018). Frequently Asked Questions [Accessed 9^th May 2018]. View on dataprotection.ie

Data Protection Commissioner, (DPC, 2018b). Personal Data Security Breach Code of Practice. View on dataprotection.ie [Accessed 10th May 2018].

Data Protection Commissioner (DPC, 2018c). A Guide for Data Controllers.  [Accessed 10^th May 2018] View on dataprotection.ie

Data Protection Commissioner (DPC, 2018d). Exemptions to the Right of Access [Accessed 10^th May 2018]. View on dataprotection.ie

Data Protection Commissioner (DPC, 2018e). What should be contained in a contract between a Data Controller and a Data Processor.  View on dataprotection.ie [Accessed 10th May 2018].

Data Protection Commissioner (DPC, 2018f). A Data Protection Investigation in the Hospitals Sector: Overview and Scope. View on dataprotection.ie [Accessed 22^nd May 2018].

Data Protection Commissioners (DPC, 2018g). Security Measures for Personal Data. View on dataprotection.ie

Data Protection Commissioners (2017) Access Rights and Responsibilities A guide for Individuals and Organisations

Data Protection Insights (2014). Data Protection The New Rules: Regulatory Obligations and Business Requirements, Data Protection Insights, CPD Learning Limited, Dublin

Data Protection Commissioner. Guidance on appropriate qualifications for a Data Protection Officer, (GDPR). (Available at View on dataprotection.ie ) [Accessed on 2^nd May 2018].

Data Protection Commissioner Preparing (2017). YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST.

Draft Data Protection Bill 2018

EU Data Protection Directive 95/46/EC

EU Data Protection Directive 2002/58/EC

National Federation of Voluntary Service Providers (2019). Guidance on Records Retention [online]. Available: www.fedvol.ie [Accessed 16^th August 2019].

Government of Ireland (2013). Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2013 (S.I. No. 415 of 2013). Dublin: Stationery Office.  

Health Information and Quality Authority (2017), Privacy Impact Assessment toolkit for health and social care. Dublin: Health Information and Quality Authority.

Health Information and Quality Authority (2016). National Standards for Residential Care Settings for Older People in Ireland, 2016.  Dublin: Health Information and Quality Authority.

Health Information and Quality Authority (2011). What you should know about Information Governance. A Guide for Health and Social Care Staff. Dublin. Health Information and Quality Authority.

Information Commissioners Office (ICO, 2018) Guide to Data Protection. View on ico.org.uk  [Accessed 15^th May 2018].

Nursing Homes Ireland (2018), NHI Guidance for Providers, Persons in Charge & HR Managers Managing Data Protection in Nursing Homes, Version 1.0, March 2018.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, 2016).

19.0 Cookies

A "cookie" is a small data text file that is placed in your browser and allows Cowper Care to recognise you each time you visit this site (customisation etc). Cookies themselves do not contain any personal information, and Cowper Care does not use cookies to collect personal information.

Cowper Care use Google Analytics (just like virtually everybody else) which is a service provided by Google. They gather anonymous data of how people are using this site and then provide us with visitor statistics, details of page views etc etc. To opt-out of being tracked by Google Analytics please click here.

In order for the Cowper Care website to function correctly, it stores the following cookies on your computer:

20.0  Appendices

20.1  Appendix 1: How to develop a Resident Information & Privacy Statement, incorporating examples

20.2  Appendix 2: How to develop a Staff Information & Privacy Statement, incorporating examples

 

20.1  Appendix 1: How to develop your Information and Privacy Statement, incorporating examples

1.0  Language Considerations

1.1  When developing an Information and Privacy Statement, Cowper Care shall:

• use clear, straightforward language;
• adopt a simple style that the Data Subject will find easy to understand;
• not assume that everybody has the same level of understanding;
• avoid confusing terminology or legalistic language;
• align to Cowper Care’s own house style.
• align with Cowper Care’s values and objectives. Doing so means that people will be more inclined to read privacy notices, understand them and trust your handling of their information;
• be truthful. Cowper Care shall not offer people choices that are counter-intuitive or misleading;
• follow any specific sectoral rules as well as complying with data protection law, for example in advertising or financial services sectors; and
• ensure your privacy notices are consistent across multiple platforms and enable rapid updates to them all when needed.
• Provide the notice free of charge.
  (ICO, 2018)

2.0  Content for Consideration: Please note that the examples provided are for guidance only – and should be customised by Cowper Care in line with the Data protection requirements.

2.1  Provide Service Details
Provide the following information:

• The services provided (as per Statement of Purpose)
• The population catered for (as per Statement of Purpose)
• Provide a definition of what a privacy statement is:

Example: A Privacy Statement is a statement by Cowper Care to residents, staff and visitors (known as the Data Subjects) that describes how we collect, use, retain and disclose personal information which Cowper Care holds and processes. This Privacy Statement is part of Cowper Care’s commitment to ensure that we processes your personal data fairly and lawfully.
(NHS, 2017).

2.2  Explain why Cowper Care has a privacy statement
Example: Cowper Care complies with Data Protection legislation and supporting guidance to protect the rights and data of Data Subjects, those being, the residents, staff, volunteers and visitors. Cowper Care is responsible for ensuring that only personal information that is actually needed is held; that it is held securely, for as long as it is needed, and for the specific purposes for which it was obtained (HIQA, 2017).

There are 6 core principles in relation to data protection, that Cowper Care is committed to adhering to, those are:

1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes.
3. Use and disclose it only in ways compatible with these purposes,
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes.
8. Give a copy of his/her personal data to than individual, on request.

This statement illustrates the ways in which we demonstrate our commitment to these principles and our values by being transparent and open with you, how we control and secure your data, and what rights you have in controlling how Cowper Care uses your information.

2.3  Detail the key legislation that Cowper Care is governed by
This should include:

• Regulation (EU) 2016/679 of the European Parliament of the Council of 27 April 2016 and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR)
• EU Data Protection Directive 95/46/EC
• EU Data Protection Directive 2002/58/EC
• Data Protection Acts 1988 and 2003
• Draft Data Protection Bill 2018
• S.I.415 of 2013 Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2013

2.4  Detail who is responsible for the control and management of the personal data within Cowper Care.
Example: Cowper Care is committed to the protection of your personal data, with responsibilities allocated throughout the senior management team. The primary points of contact in relation to Data Protection are as follows:

Data Controller: (name) (Registered Provider)
Phone, Email, Address Contact details

Data Protection Officer: (name)
Phone, Email, Address Contact details

2.5  Detail the resident’s rights in relation to personal data
Example: You have certain rights in relation to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.

You have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you, which could include delays in you receiving care. This withdrawal shall not impact on the quality of the care provided to you by Cowper Care.

Your personal data, that is collected for a specific purpose may be further processed for different purposes provided that these are not incompatible with the initial purposes. If Cowper Care wishes to change or add an additional purpose, which is not compatible with the original purpose, then you will be made aware of the additional purpose. You have a right to refuse to give consent to the secondary use of your data. This refusal shall not adversely affect the care you receive from Cowper Care.

Where you do provide consent for a secondary use of your personal information, your identity shall be disguised at the earliest possible stage in the process.

As applicable, Cowper Care has incorporated these rights throughout the policies and procedures of Cowper Care. You are entitled to extend these rights in relation to your personal data at any stage within Cowper Care.

2.6  Detail why and how Cowper Care collects information
Example: Cowper Care may ask for or retain personal confidential information about you which will be used to

• Support the delivery of appropriate care and treatment to you.
• Adhere to our contract of care with you.
• Adhere to our legal obligations under S.I.415 of 2013 and the Fair Deal (NHSS Act 2009).
• Address your vital interests in the event of any emergency arising in relation to you and your care;
• Address the legitimate interests of Cowper Care in providing our services.

All personal data retained and processed by the service must be held where there is a lawful basis of retention and processing, that being one of the following:
(a) Consent: The lawful basis of consent requires a very clear and specific statement of consent for your personal data to be processed for specific purpose with a positive opt-in
(b) Contract: This can be used as a lawful basis where we need to process personal data to fulfil contractual obligations with you or because you have requested specific steps are taken before entering into a contract (e.g. contract for care). The processing must be necessary to fulfil these obligations
(c) Legal obligation: This may be used as a lawful basis when the processing is necessary to comply with a statutory obligation (not including contractual obligations), e.g. Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2013.
(d) Vital interests: This may be used as a lawful basis where the data processing is required to protect someone’s life.
(e) Public task: This may be used as a lawful basis ‘in the exercise of official authority’ or to perform a specific task in the public interest that is set out in law. This will not generally be used by Cowper Care.
(f) Legitimate interests: This may be used where the processing is necessary for the legitimate interests of the Data Controller or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. The threshold for evidencing legitimate interests as a lawful basis is high.

To meet the applicable regulatory requirements, the following records are retained for a period of seven years after you have ceased to reside in Cowper Care.

• The resident’s individual assessment and care plan
• A recent photograph of the resident
• The details held within Directory of Residents, including
  • your name, address, date of birth, sex, and marital status;
  • the details of your emergency contacts, including their name, address and telephone number of your next of kin or of any person authorised to act on your behalf;
  • the name, address and telephone number of your GP and of any officer of the Health Service Executive whose duty it is to supervise your welfare;
  • the date you were first admitted to Cowper Care;
  • the date on which you were discharged if you came from another hospital;
  • details of your transfer from Cowper Care, where applicable;
  •  the name and address of any authority, organisation or other body, which arranged your admission to Cowper Care.
• A record of your medical, nursing and psychiatric (where appropriate) condition at the time of your admission;
• Details of your care plan, in respect of medication, nursing care, specialist health care or nutrition;
• Daily progress notes that provide a nursing record of your health and condition and treatment given
• Medication records of each drug and medicine administered to you;
• A record of on-going medical assessment, treatment and care provided by Cowper Care and your GP (these may include the initial Comprehensive Assessment Form; a copy of the ‘Fair Deal’ Care Needs Assessment; Dependency Assessments; Individual Assessments on specific needs, e.g. continence, falls, nutritional assessments, etc);
• A record of all your medical referrals and follow-up medical appointments;
• A record of your decisions not to receive certain medical treatments or refused treatment;
• A record of any accidents or incidents that may have happened to you during your time in Cowper Care.
• A record of any specialist communication needs;
• A record of all money or other valuables deposited by you within Cowper Care.
• A record of any furniture brought by you to Cowper Care.
• A copy of any correspondence to or from Cowper Care to you in relation to your care, including a copy of the Contract of Care.
• A record of any complaints received from or about you.

Other records retained in relation to your personal information include:

• Financial information in relation to your ‘Fair Deal’ contribution and any additional fees payable under the contract of care or where we have been appointed as a ‘pension agent’ for you which may include your bank details; individual statements; invoices for care services provided; etc;
• Notification forms that we are required to send to HIQA;
• Risk assessments (e.g. risks relating to your evacuation from the centre if there is a fire; smoking risk assessments; your risk of falls; etc.)
• In addition, we may record images of you on CCTV [Highlight here where you monitor CCTV, what your policy states, etc]
• Other personal information that may be retained shall include personal sensitive information such as sexuality, race, your religion or beliefs. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver and provide improved care, deliver appropriate treatment and care plans, to meet your needs.
  (S.I. 415 of 2013 and NHI, 2018)

The lawful basis for the retention of the majority of the data listed above is based on legal requirements (see 2.3 above). Full details of the lawful basis for the retention of the personal information, and its period of retention, is detailed within Cowper Care’s Data Register. This document can be requested from the Data Protection Officer (see 2.4 for contact details).

2.7  Detail how Cowper Care uses personal resident information
Example: Cowper Care uses your personal information in the following ways:

• To help inform decisions that we make about your care. 
• To work effectively with other organisations who may be involved in your care.
• To review care provided to ensure it is of the highest standard possible.
• To train our staff.
• To audit our services to ensure it meets the regulatory requirements and our internal policies and procedures.
• To prepare statistics on our services performance.
• To plan services.
• To ensure our services can meet future needs.
• To monitor our resources.
• To evaluate our governance.
• To improve resident safety.

We keep your personal information accurate and up to date to ensure you get the best possible care from us, and from any other healthcare professional should you need to be referred. Where possible, when using information to inform future services and provision, non-identifiable information will be used.

2.8  Detail how information is retained and kept safe
Example: Information is retained within Cowper Care in secure electronic and paper records and access is restricted to only those who require it to provide services to you. We are committed to ensure that your information is kept safe and secure at all times to protect your confidentiality. Physical and software controls are implemented for your data records, and, where possible, your privacy is shielded by removing your identifying information. Cowper Care also ensures strict sharing or processing agreements are in place where external processers are utilised.

Cowper Care is registered with the Office of the Data Protection Commission as a Data Controller. Details of our registration can be found on here.

2.9  Detail how information is kept confidential
Example: Everyone working in Cowper Care completes a Confidentiality Agreement.  Information provided in confidence will only be used for the purposes to which you consent to, unless there are other circumstances covered by the law. All staff are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records. All staff are required to undertake annual training in data protection, confidentiality, IT/cyber security, with additional training for the Data Protection Officer and IT staff.

2.10  Detail who information be shared with outside of Cowper Care
Example: To provide the best care possible, sometimes we will need to share information about you with others.

Some government bodies have a legal basis to inspect information contained in your personnel file and Cowper Care must make this information available to them (PROVIDE EXAMPLES). Cowper Care may also provide some of the information contained in your personnel file to third party to carry out a task on Cowper Cares behalf (LIST THIRD PARTIES OR CATEGORIES OF THIRD PARTIES). Some of this information may be stored on a cloud storage system and when this takes place your information will be protected with a Data Processing Agreement with the cloud storage provider that complies with EU transborder data transfer rules.
(NHI, 2018)

2.11  Detail how long personal data is retained for
Example: As required by law, the personal data we retain about you must be retained for a period of seven years after you leave Cowper Care, after which it will be destroyed by [give details of how the information is deleted/ destroyed here] (NHI, 2018). Our Data Protection Policy and Procedure provides full details of the storage requirements for personal data. A copy of this document can be requested from the Data Protection Officer.

2.12  Detail how to contact Cowper Care for their personal data
Example: Cowper Care has a Data Protection Officer who is responsible for protecting the confidentiality of your information and enabling appropriate sharing. If you have any questions or concerns regarding the information we hold on you, the use of your information or would like to discuss further, please contact the Data Protection Officer at the contact details above.

Requests for personal data can be made through a Subject Access Request, through the Data Protection Officer. All appropriate assistance will be provided to you to support your request.

2.13  Detail how to contact Cowper Care if there is a complaint or concern
Example: We try to meet the highest standards when collecting and using personal information. As part of our data protection process, we will be seeking your feedback in relation to the way you feel we manage your data. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint to

Name:                                     (Data Protection Officer)
Address
Phone number
Email address

Where you are unhappy about how your personal information is managed by Cowper Care, and you are not satisfied with our response to your concerns or believe that we have not complied with our data protection obligations you may lodge a complaint with the Office of the Data Protection Commissioner at:

Data Protection Commissioner 
Canal House
Station Road
Portarlington 
R32 AP23 Co. Laois

Phone 057 8684800 / 076 1104800 / Lo Call: 1890 252231
(Phone lines open 09:15 – 17:30 – 17.15 Friday)
Fax: 0578684757
Email: info@dataprotection.ie
(NHS, 2017 & NHI, 2018)

20.2  Appendix 2:  How to develop a Staff Information and Privacy Statement (applicable to volunteers also)

1.0  Language Considerations

1.1  When developing an Information and Privacy Statement, Cowper Care shall:

• use clear, straightforward language;
• adopt a simple style that the Data Subject will find easy to understand;
• not assume that everybody has the same level of understanding;
• avoid confusing terminology or legalistic language;
• align to Cowper Care’s own house style.
• align with Cowper Care’s values and objectives. Doing so means that people will be more inclined to read privacy notices, understand them and trust your handling of their information;
• be truthful. Cowper Care shall not offer people choices that are counter-intuitive or misleading;
• follow any specific sectoral rules as well as complying with data protection law, for example in advertising or financial services sectors; and
• ensure your privacy notices are consistent across multiple platforms and enable rapid updates to them all when needed.
• Provide the notice free of charge.
  (ICO, 2018)

2.0  Content for Consideration: Please note that the examples provided are for guidance only – and should be customised by Cowper Care in line with the Data protection requirements.

2.1  Provide Service Details:
Provide the following information:

• The services provided (as per Statement of Purpose)
• The population catered for (as per Statement of Purpose)
• Provide a definition of what a privacy statement is:
  Example: A Privacy Statement is a statement by Cowper Care to residents, staff and visitors (known as the Data Subjects) that describes how we collect, use, retain and disclose personal information which Cowper Care holds and processes. This Privacy Statement is part of Cowper Care’s commitment to ensure that we processes your personal data fairly and lawfully.
  (NHS, 2017).

2.2  Explain why Cowper Care has a privacy statement:
Example: Cowper Care complies with Data Protection legislation and supporting guidance to protect the rights and data of Data Subjects, those being, the residents, staff, volunteers and visitors. Cowper Care is responsible for ensuring that only personal information that is actually needed is held; that it is held securely, for as long as it is needed, and for the specific purposes for which it was obtained (HIQA, 2017).

There are 6 core principles in relation to data protection, that Cowper Care is committed to adhering to, those are:

1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes
8. Give a copy of his/her personal data to than individual, on request.

This statement illustrates the ways in which we demonstrate our commitment to these principles and our values by being transparent and open with you, how we control and secure your data, and what rights you have in controlling how Cowper Care uses your information.

2.3  Detail the key legislation that Cowper Care is governed by:
This should include:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR)
• EU Data Protection Directive 95/46/EC
• EU Data Protection Directive 2002/58/EC
• Data Protection Acts 1988 and 2003
• Draft Data Protection Bill 2018
• S.I.415 of 2013 Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2013

2.4  Detail who is responsible for the control and management of the personal data within Cowper Care
Example: Cowper Care is committed to the protection of your personal data, with responsibilities allocated throughout the senior management team. The primary points of contact in relation to Data Protection are as follows:

Data Controller: (name) (Registered Provider)
Phone, Email, Address Contact details

Data Protection Officer: (name)
Phone, Email, Address Contact details

2.5  Detail the individual’s rights in relation to personal data:
Example: You have certain rights in relation to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.

You have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you, which could include delays in you receiving care. This withdrawal shall not impact on the quality of the care provided to you by Cowper Care.

As applicable, Cowper Care has incorporated these rights throughout the policies and procedures of Cowper Care. You are entitled to extend these rights in relation to your personal data at any stage within Cowper Care.

2.6  Detail why and how Cowper Care collects information
Example: Cowper Care may ask for or retain personal confidential information about you which will be used to:

• Manage our contract of employment with you;
• Comply with our Legal Obligations e.g. Employment Legislation, Care and Welfare Regulations, Health and Safety requirements, Garda Vetting legislation etc.;
• Look after your Vital Interests in the event of an emergency;
• Carry out our Legitimate interests in managing and running Cowper Care.
  (NHI, 2018)

All personal data retained and processed by the service must be held where there is a lawful basis of retention and processing, that being one of the following:

(a) Consent: The lawful basis of consent requires a very clear and specific statement of consent for your personal data to be processed for specific purpose with a positive opt-in.
(b) Contract: This can be used as a lawful basis where we need to process personal data to fulfil contractual obligations with you or because you have requested specific steps are taken before entering into a contract (e.g. contract of employment). The processing must be necessary to fulfil these obligations
(c) Legal obligation: This may be used as a lawful basis when the processing is necessary to comply with a statutory obligation (not including contractual obligations), e.g. Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2013 or and National Vetting Bureau (Children and Vulnerable Persons) Act 2012.
(d) Vital interests: This may be used as the lawful basis where the data processing is required to protect someone’s life.
(e) Public task: This lawful basis may be used ‘in the exercise of official authority’ or to perform a specific task in the public interest that is set out in law. This will not generally apply to residential homes.
(f) Legitimate interests: This lawful basis may be used where the processing is necessary for the legitimate interests of the Data Controller or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. The threshold for evidencing legitimate interests as a lawful basis is high.

To meet the applicable regulatory requirements, the following personal data records are retained for a period of seven years:

• Evidence of your identity, including your full name, address, date of birth and a recent photograph.
• A vetting disclosure in accordance with the National Vetting Bureau (Children and Vulnerable Persons) Act 2012.
• Details and documentary evidence of any relevant qualifications or accredited training completed by you.
• A record of current registration details where you are a professional staff member that is subject to registration.
• A full employment history, together with a satisfactory history of any gaps in employment.
• Correspondence, reports, records of disciplinary action and any other records in relation to your employment.
• Details of any previous experience (if any) of carrying on the business of a residential home (where appropriate)
• Two written references, including a reference from your most recent employer (if any).
• Your contract of employment.
• the dates on which your commenced (and ceased) employment;
• the position you hold in Cowper Care
• the work that you do;
• a record of your training.
• Your details within the duty rosters.
  (S.I.415 of 2013)

Other records retained by Cowper Care in relation to your personal data include:

• Records of holidays, sickness and other absences (where required to meet our health and safety and occupational health requirements – provide details)
• information needed for equal opportunities monitoring policy;
• information needed for payroll, benefits and expenses purposes;
  (NHI, 2018)

[INSERT ANY FURTHER CATEGORIES HERE].

Where Cowper Care processes information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, Cowper Care shall obtain your detailed consent to the sourcing of this unless this is not required by law or the information is required to protect your health in an emergency.

In addition, we monitor telephone/mobile telephone/computer] use, as detailed in (the relevant) policy. We also retain records of our staff rosters and clocking on and off system, as detailed in (the relevant policy) (NHI, 2018)

The lawful basis for the retention of staff personal data is detailed within Cowper Care’s Data Register. This document can be requested from the Data Protection Officer (see 2.4 for contact details).

If at any stage the information you have provided changes (e.g. change of address) XXX should be notified in writing so our records can be updated.

2.7  Detail how information is retained and kept safe
Example: Information is retained within Cowper Care in secure electronic and paper records and access is restricted to only those who require it to provide services to you. We are committed to ensure that your information is kept safe and secure at all times to protect your confidentiality. Physical and software controls are implemented for your data records, and, where possible, your privacy is shielded by removing your identifying information. Cowper Care also ensures strict sharing or processing agreements are in place where external processers are utilised.

Cowper Care is registered with the Office of the Data Protection Commission as a Data Controller. Details of our registration can be found on https://www.dataprotection.ie/docs/Current-list-of-Registrations-held-by-the-Data-Protection-Commissioner/8.htm.

2.8  Detail how information is kept confidential
Example: Everyone working in Cowper Care completes a Confidentiality Agreement.  Information provided in confidence will only be used for the purposes to which you consent to, unless there are other circumstances covered by the law.  Relevant staff involved in the management of staff data are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records. All staff are required to undertake annual training in data protection, confidentiality, IT/cyber security, with additional training for the Data Protection Officer and IT staff.

2.9  Detail who information be shared with outside of Cowper Care
Example: Some government bodies have a legal basis to inspect information contained in your personnel file and Cowper Care must make this information available to them (PROVIDE EXAMPLES). Cowper Care may also provide some of the information contained in your personnel file to third party to carry out a task on Cowper Cares behalf (LIST THIRD PARTIES OR CATEGORIES OF THIRD PARTIES). Some of this information may be stored on a cloud storage system and when this takes place your information will be protected with a Data Processing Agreement with the cloud storage provider that complies with EU transborder data transfer rules.
(NHI, 2018)

2.10  Detail the data retention policy details
Example: Our Data Protection Policy and Procedure provides full details of the storage requirements for personal data. A copy of this document can be requested from the Data Protection Officer.

2.11  Detail how to contact Cowper Care for their personal data
Example: Cowper Care has a Data Protection Officer who is responsible for protecting the confidentiality of your information and enabling appropriate sharing. If you have any questions or concerns regarding the information we hold on you, the use of your information or would like to discuss further, please contact the Data Protection Officer at the contact details above.

Requests for personal data can be made through a Subject Access Request, through the Data Protection Officer. All appropriate assistance will be provided to you to support your request.

2.12  Detail how to contact Cowper Care if there is a complaint or concern
Example: We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint to

Name:                                     (Data Protection Officer)
Address
Phone number
Email address

Where you are unhappy about how your personal information is managed by Cowper Care, and you are not satisfied with our response to your concerns or believe that we have not complied with our data protection obligations you may lodge a complaint with the Office of the Data Protection Commissioner at:

Data Protection Commissioner 
Canal House
Station Road
Portarlington 
R32 AP23 Co. Laois

Phone 057 8684800 / 076 1104800 / Lo Call: 1890 252231
(Phone lines open 09:15 – 17:30 – 17.15 Friday)
Fax: 0578684757
Email: info@dataprotection.ie
(NHS, 2017 & NHI, 2018)

Information Held for Recruitment (Policy notice as per Appendix 2 above apart from below) (NHI, 2018)

2.13  Detail why and how Cowper Care collects information
Applicants are required to provide the following documentation to be considered for the position, as part of the recruitment process:

(List of documents required and why, e.g. application information, including the application form and references, interview notes and correspondence with or about the individual in relation to the application process).

Additional information may also be collected as part of the assessment process (List information collected e.g. Where necessary, information may be retained relating to the individual’s health, which could include information provided by the individual on any medical conditions which would impact on their ability to carry out the role).

This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health may affect your ability to carry out the job you have applied for and whether any reasonable adjustments would be required.

This information will be collectively known as your application file.

2.14  Detail the data retention policy
Your personal data will be stored for a period of [INSERT PERIOD HERE] or the criteria used for determining how long your data will be stored for is [INSERT CRITERIA HERE].
(NHI, 2018)

 

REFERENCE NO: IM-007
AUTHOR (OWNER): Fergus Shields, Head of Services – Non-Clinical
REVISION NO: 1
APPROVED BY: Executive Management Team
EFFECTIVE FROM: 03/08/2021
REVIEW DATE: 03/08/2023