
GDPR03 - Data Security and Data Retention Policy and Procedure
4.1 Data Retention
'The UK GDPR does not dictate how long you should keep personal data. It is up to you to justify this, based on your purposes for processing. You are in the best position to judge how long you need it'. (ICO)
COTSWOLD COMMUNITY CARE LIMITED will not keep (or otherwise process) any personal data for longer than is necessary. If COTSWOLD COMMUNITY CARE LIMITED no longer requires the personal data once it has finished using it for the purposes for which it was obtained, it will delete the personal data, unless it is required by law to retain the data for an additional period of time.
-
COTSWOLD COMMUNITY CARE LIMITED will therefore retain personal data for a specified period of time to comply with legal or statutory requirements. These may include, for example, requirements imposed by HMRC in respect of financial documents, or guidance issued by UK Visas and Immigration and Immigration Enforcement in respect of the retention of right to work documentation (see the Underpinning Knowledge section).
COTSWOLD COMMUNITY CARE LIMITED is required to have a clear data retention schedule in place which all staff are aware of. To support this, a template Data Retention Schedule can be found in the Forms section of this policy.
-
When creating a data retention schedule, it is important to consider that COTSWOLD COMMUNITY CARE LIMITED may also have legitimate business reasons to retain the personal data for a longer period. This can include, for example, retaining personnel records in case a claim arises relating to personal injury caused by COTSWOLD COMMUNITY CARE LIMITED that does not become apparent until a future date.
COTSWOLD COMMUNITY CARE LIMITED will determine the likelihood of this arising when it confirms its retention periods - for example, the extent to which medical treatment is provided by COTSWOLD COMMUNITY CARE LIMITED will affect the likelihood of COTSWOLD COMMUNITY CARE LIMITED needing to rely on records at a later date.
A link to the NHS Records Management Code of Practice is also available in the Underpinning Knowledge section. It is a guide in relation to the practice of managing records, with minimum retention periods for different types of records relating to health and care.
-
COTSWOLD COMMUNITY CARE LIMITED understands that claims can be made under a contract for six years from the date of termination of the contract, and that claims can be made under a deed for a period of twelve years from the date of termination of the deed. COTSWOLD COMMUNITY CARE LIMITED will therefore retain contracts and deeds as well as documents and correspondence relevant to those contracts and deeds for the duration of the contract or deed plus six and twelve years respectively.
-
COTSWOLD COMMUNITY CARE LIMITED will also retain HR records in line with legal or statutory requirements. Further information about this can be found in the Forms section.
HR records can be separated into different categories of personal data (for example, health and medical information, holiday and absence records, next of kin information, emergency contact details, financial information), with a different retention period specified for each category of personal data. COTSWOLD COMMUNITY CARE LIMITED recognises that determining separate retention periods for each element of personal data is more likely to comply with UK GDPR.
However, COTSWOLD COMMUNITY CARE LIMITED also acknowledges that separating its HR records into different elements may not always be practical, and where it can determine a sensible period of time for which to keep the HR records in their entirety, it will follow this approach.
The period of time that is appropriate may depend on the likelihood of a claim arising in respect of that employee in the future. If, for example, COTSWOLD COMMUNITY CARE LIMITED is concerned that an employee may suffer personal injury as a result of their employment, it can choose to retain HR records for a significant period of time. If any such claim is unlikely, COTSWOLD COMMUNITY CARE LIMITED can choose to retain its files for six or twelve years (depending on whether the arrangement entered into between COTSWOLD COMMUNITY CARE LIMITED and the employee is a contract or a deed).
The approach taken by COTSWOLD COMMUNITY CARE LIMITED will be clearly documented within its data retention schedule.
-
For records relating to Service Users, COTSWOLD COMMUNITY CARE LIMITED will retain data in line with the retention guidelines provided by the NHS, where applicable. Those guidelines can be accessed by using the link in the Underpinning Knowledge section.
If the NHS guidelines do not apply to COTSWOLD COMMUNITY CARE LIMITED, COTSWOLD COMMUNITY CARE LIMITED will determine an appropriate retention policy for Service User personal data. COTSWOLD COMMUNITY CARE LIMITED may choose to retain personal data for at least six years from the end of the provision of services to the Service User in case a claim arises in respect of the services provided.
-
Irrespective of the retention periods chosen by COTSWOLD COMMUNITY CARE LIMITED, COTSWOLD COMMUNITY CARE LIMITED will ensure that all personal data is kept secure and protected for the period in which it is held. This applies in particular to special categories of data.
-
COTSWOLD COMMUNITY CARE LIMITED must record all decisions taken in respect of the retention of personal data. If the ICO investigates the policies and procedures at COTSWOLD COMMUNITY CARE LIMITED, a written record of the logic and reasoning behind the retention periods adopted must be available.
To support with this, a template Data Retention Schedule can be found in the Forms section of this policy.
-
COTSWOLD COMMUNITY CARE LIMITED must ensure processes for effectively and securely destroying and/or deleting personal data at the end of the relevant retention period are in place.
Where personal data stored on computers, including in emails, is automatically backed up, COTSWOLD COMMUNITY CARE LIMITED must ensure deletion of those backups or that the archived personal data is automatically deleted after a certain period of time.
COTSWOLD COMMUNITY CARE LIMITED will also circulate guidance internally to encourage staff to regularly delete their emails. Policies relating to the destruction of hard copies of documents, including using confidential waste bins or shredding them, must be in place at COTSWOLD COMMUNITY CARE LIMITED for staff.
4.10 Data Security
COTSWOLD COMMUNITY CARE LIMITED will take steps to ensure that the personal data it processes is secure, including by protecting the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
-
COTSWOLD COMMUNITY CARE LIMITED understands that all health and care organisations, as detailed below, are required to comply with the Data Security and Protection Toolkit. A link to an explanatory guidance note is included in the Underpinning Knowledge section. Compliance with the Data Security and Protection Toolkit facilitates compliance with UK GDPR.
COTSWOLD COMMUNITY CARE LIMITED understands that all organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
-
COTSWOLD COMMUNITY CARE LIMITED will implement and embed the use of policies and procedures to ensure that personal data is kept secure. The suggestions below apply in addition to the steps COTSWOLD COMMUNITY CARE LIMITED is required to take pursuant to the Data Security and Protection Toolkit, if the toolkit applies to COTSWOLD COMMUNITY CARE LIMITED.
COTSWOLD COMMUNITY CARE LIMITED must ensure the following principles are in place when ensuring that personal data is kept secure:
Confidentiality - ensuring that personal data is accessible only on a need-to-know basis
Integrity - ensuring that there are processes and controls in place to make sure personal data is accurate and complete
Availability - ensuring that personal data is accessible when it is needed for business purposes of COTSWOLD COMMUNITY CARE LIMITED
Resilience - ensuring that personal data is able to withstand and recover from threats
For paper documents, the measures taken by COTSWOLD COMMUNITY CARE LIMITED will include, where possible:
Keeping the personal data in a locked filing cabinet or locked drawer when it is not in use
Adopting a 'clear desk' policy to ensure that personal data is not visible or easily retrieved
Ensuring that documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
Redacting personal data from documents where possible
Ensuring that documents containing personal data are placed in confidential waste bins or shredded at the end of the relevant retention period
Minimising the transfer of personal data from outside of business premises and, where such transfer cannot be avoided, ensuring that the paper documents continue to be kept confidential and secure
For electronic documents, the measures taken by COTSWOLD COMMUNITY CARE LIMITED will include, where possible:
Password protection or, where possible, encryption
Adopting a 'clear screen' policy where users lock screens when they are away from their computers
Ensuring that documents containing personal data are accessible only by those who need to know/review the documents and the personal data contained within them
Ensuring ongoing confidentiality, integrity and reliability of systems used online to process personal data (this may require a review of IT systems and software currently used by COTSWOLD COMMUNITY CARE LIMITED)
The ability to quickly restore the availability of, and access to, personal data in the event of a technical incident (this may require a review of IT systems and software currently used by COTSWOLD COMMUNITY CARE LIMITED)
Taking care when transferring documents to a third party, ensuring that the transfer is secure and the documents are sent to the correct recipient
All business phones, computers, laptops and tablets will be password protected at COTSWOLD COMMUNITY CARE LIMITED.
COTSWOLD COMMUNITY CARE LIMITED will encourage staff to avoid storing personal data on portable media such as USB devices. If the use of portable media cannot be avoided, COTSWOLD COMMUNITY CARE LIMITED will ensure that the devices it uses are encrypted or password protected and that each document on the device is encrypted or password protected.
-
COTSWOLD COMMUNITY CARE LIMITED will implement guidance relating to the use of business phones and messaging apps. COTSWOLD COMMUNITY CARE LIMITED understands that all personal data sent via business phones, computers, laptops and tablets may be captured by UK GDPR, depending on the content and context of the message. As a general rule, COTSWOLD COMMUNITY CARE LIMITED will ensure that staff members only send personal data by text or another messaging service if they are comfortable that the content of the messages may be captured by UK GDPR and may need to be provided pursuant to a Subject Access Request (staff should refer to the Subject Access Requests Policy and Procedure at COTSWOLD COMMUNITY CARE LIMITED for further details).
-
COTSWOLD COMMUNITY CARE LIMITED will ensure that all staff are aware of the importance of keeping personal data secure and not disclosing it on purpose or accidentally to anybody who should not have access to the information. To achieve this, COTSWOLD COMMUNITY CARE LIMITED will:
Provide training to staff, where necessary, on security of personal data
Consider, in particular, the likelihood that personal data (including special categories of data) will be removed from the premises of COTSWOLD COMMUNITY CARE LIMITED and taken to, for example, Service Users' homes and residences
Control access to premises
Ensure that all staff understand the importance of maintaining the confidentiality of personal data away from the premises
Take care to ensure that the personal data is not left anywhere it could be viewed by a person who should not have access
4.15 Special Category Data
Where COTSWOLD COMMUNITY CARE LIMITED handles special category data, including all health and medical information relating to Service Users and staff, this requires enhanced protection due to its sensitive nature.
The risks associated with processing special category data must be known and a data protection impact assessment (DPIA) completed for any type of processing which is likely to be high risk. A template data protection impact assessment is available within the Data Protection Impact Assessment (DPIA) Policy and Procedure at COTSWOLD COMMUNITY CARE LIMITED.
Only staff with a direct need for the information to perform their duties will have access to special category data. This access will be logged and will be regularly reviewed by the person at COTSWOLD COMMUNITY CARE LIMITED with overall responsibility for the management of personal data and compliance with UK GDPR or the Data Protection Officer.
-
COTSWOLD COMMUNITY CARE LIMITED will adopt policies and procedures in respect of recognising, resolving and reporting security incidents including breaches of UK GDPR. COTSWOLD COMMUNITY CARE LIMITED understands that it may need to report breaches to the ICO and to affected data subjects, as well as through 'Respond to an NHS Cyber Alert' if it is required to comply with the Data Security and Protection Toolkit.
-
COTSWOLD COMMUNITY CARE LIMITED will adopt processes to regularly test, assess and evaluate the security measures it has in place for all types of personal data.
4.18 Privacy by Design
COTSWOLD COMMUNITY CARE LIMITED will take into account the UK GDPR requirements around privacy by design, particularly in terms of data security.
-
COTSWOLD COMMUNITY CARE LIMITED understands that privacy by design is an approach set out in UK GDPR that promotes compliance with privacy and data protection from the beginning of a project. COTSWOLD COMMUNITY CARE LIMITED will ensure that data protection and UK GDPR compliance is always at the forefront of the services it provides, and that it will not be treated as an afterthought.
-
COTSWOLD COMMUNITY CARE LIMITED will comply with privacy by design requirements by, for example:
Identifying potential data protection and security issues at an early stage in any project or process, and addressing those issues early on
Ensuring that the default position in projects involving personal data is privacy centred, i.e. privacy by default; and
Increasing awareness of privacy and data protection across COTSWOLD COMMUNITY CARE LIMITED, including in terms of updated policies and procedures adopted by COTSWOLD COMMUNITY CARE LIMITED
-
COTSWOLD COMMUNITY CARE LIMITED will conduct data protection impact assessments to identify and reduce the privacy and security risks of any project or processing carried out by COTSWOLD COMMUNITY CARE LIMITED. A template data protection impact assessment along with the circumstances in which a data protection impact assessment should be conducted is available within the Data Protection Impact Assessment (DPIA) Policy and Procedure at COTSWOLD COMMUNITY CARE LIMITED.
5. Procedure
-
COTSWOLD COMMUNITY CARE LIMITED must ensure data retention and data security issues and concerns are considered at the beginning of any project (whether the project is the introduction of a new IT system, a new way of working, the processing of a new type of personal data or anything else that may affect the processing activities at COTSWOLD COMMUNITY CARE LIMITED). COTSWOLD COMMUNITY CARE LIMITED appreciates that this is key for complying with the privacy by design requirements in UK GDPR.
-
COTSWOLD COMMUNITY CARE LIMITED will review the periods for which it retains all the personal data that it processes and have a clear data retention schedule in place.
Responsibility for each area of the data retention schedule and any data retention and data security issues or concerns at the beginning of any projects must also be assigned to the relevant person within COTSWOLD COMMUNITY CARE LIMITED and clearly documented.
-
COTSWOLD COMMUNITY CARE LIMITED will, if necessary, adopt new policies and procedures in respect of data retention and will circulate those policies and procedures to all staff.
COTSWOLD COMMUNITY CARE LIMITED must ensure training is provided to staff in respect of data retention.
-
COTSWOLD COMMUNITY CARE LIMITED will review the security measures currently in place in respect of all the personal data it processes.
-
COTSWOLD COMMUNITY CARE LIMITED must document the decisions it takes, and the logic and reasoning behind those decisions, in respect of both data retention and data security. COTSWOLD COMMUNITY CARE LIMITED will retain a record of all policies and procedures it implements to demonstrate its compliance with UK GDPR.