GDPR PrinciplesArticle 5 of the GDPR requires that personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to individuals; (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.” Care Services will need to register with the Information Commissioners Office(ICO). As can be seen the data controller will need to have systems and documentation in place to address the principles and requirement of GDPR. Data Controllers will need to demonstrate that:
they have a legal right to hold information on service users;
they are aware of the kinds of information they hold on services user’s staff and volunteers;
the information they hold is accurate and up to date;
personal data collected is adequate relevant and limited to the purpose for which it is being processed;
people are aware of their rights to access information that is being held about them;
appropriate security measures are used with the processing and storage of people’s personal data.
Bettal GDPR Compliance Tool The Bettal GDPR Compliance Tool designed specifically for social care services has taken months to develop. The Tool draws heavily on the GDPR Principles, compliance guidance produced by the Information Commissioners Office and their own Self-assessment (ICO). The Tool is designed to:
Enable managers to understand their obligations to the GDPR.
Provide you with the documentation you require and guidance to meet the GDPR.
Audit and check your compliance to GDPR.The Tool includes:
An Implementation Plan.
Data Processing Audit Register (Form).
Example Privacy Impact Assessment (Form).
Example Privacy Impact Assessment (Form).
Obtaining Consent (Policy).
Information Governance (Policy).
Data Breech (Policy).
Security of Personal Data (Policy).
GDPR Staff Training (Policy).
Duties of senior Person Responsible for Compliance to GDPR (Guidance). Overall the contents of the Bettal GDPR Compliance Tool includes over 30 documents. Please click here for further information on the Bettal GDPR Compliance Tool where you can download free samples and purchase the full package. Albert Cook BA, MA & Fellow Charted Quality Institute Managing Director Bettal Quality Consultancy