DATA PROTECTION POLICY

DATA PROTECTION POLICY for MEMBERS
Version 1.0

Document control summary

Title:             Data Protection Policy for Members
Status:            Approved
Version No.:       0.1
Date of Approval:  24 April 2014
Author(s):         Idris Evans, Information Security & Compliance Manager
Approved by:       RCN Council
Circulated to:     Members
Next Review Date:  September 2015

VERSION CONTROL SUMMARY

Version   Date             Summary
0.1       September 2013   Policy for Members/Activists and Council Members.

CONTENTS

Section   Title                                                                          Page
1         Introduction                                                                   1
2         Aims and Objectives                                                            1
3         Definitions                                                                    1
4         Policy statement                                                               3
5         Scope of the Policy                                                            7
6         Roles and responsibilities                                                     8
7         Relevant Policies, Procedures and Guidance – Legislative Framework             10
8         Review of the Policy                                                           10
A         Appendix A. Guidance for sending sensitive personal information externally     11

1. Introduction

1.1 The Royal College of Nursing (RCN) regards the lawful and correct treatment of personal and sensitive data as an integral part of its functions and as vital for maintaining confidence between ourselves and the members, clients and staff about whom we process information.

1.2 The Data Protection Act 1998, which became effective from 1 March 2000, gives every living person (or their authorised representative) the right to apply for access to their records, irrespective of when and how they were compiled, i.e. both electronic and manual records.

2. Aims and Objectives

2.1 This Data Protection Policy aims to detail how the RCN will meet its legal obligations concerning confidentiality and information security standards. The requirements within the policy are primarily based upon the Data Protection Act 1998, which is the key piece of legislation covering information security and the confidentiality of personal information.

3. Definitions

3.1 Personal information/data relates to a living individual who can be identified from the information. This includes:
- Factual information;
- Expressions of opinion about the individual;
- Any indication of the intentions of the Data Processor (the RCN), or of any other person, in relation to the individual concerned.

3.2 Sensitive personal information/data attracts additional protection and is further defined in the Act to mean personal data consisting of information such as:
- The racial or ethnic origin of the data subject;
- His/her political opinions;
- His/her religious beliefs or other beliefs of a similar nature;
- Whether he/she is a member of a trade union;
- His/her physical or mental health or condition;
- His/her sexual life;
- The commission or alleged commission by him/her of any offence; or
- Any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings and the sentence of any court in such proceedings.

Sensitive personal data must not be processed other than in the limited circumstances described in the Data Protection principles: "personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

3.3 A record can be in computerised and/or manual form. It may include such documentation as:
- Hand-written notes;
- Letters to and from the RCN;
- Electronic records;
- Printouts;
- Photographs;
- Videos and tape recordings.

4. Policy Statement

The main focus of this policy is on providing guidance in relation to the protection, sharing and disclosure of member/staff information, but it is important to stress that maintaining confidentiality and adhering to data protection legislation applies to all users of personal data held by the RCN. To this end, the RCN fully endorses and abides by the principles of data protection. Specifically, the eight principles require that personal information:

1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
4. Shall be accurate and, where necessary, kept up to date;
5. Shall not be kept for longer than is necessary for that purpose or those purposes;
6. Shall be processed in accordance with the rights of data subjects under the Act; and that
7. Appropriate technical and organisational measures shall be undertaken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
8. Data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

4.1 Therefore the RCN will, through appropriate management and strict application of criteria and controls:

(a) Observe fully the conditions regarding the fair collection and use of information;
(b) Meet its legal obligations to specify the purposes for which information is used;
(c) Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
(d) Ensure the quality of information used;
(e) Apply strict checks to determine the length of time information is held;
(f) Ensure that the rights of people about whom information is held can be fully exercised under the DPA; and
(g) Ensure members are appropriately trained.

The rights referred to in (f) include:

(h) The right to be informed that processing is being undertaken;
(i) The right of access to one's personal information;
(j) The right to prevent processing in certain circumstances;
(k) The right to correct, rectify, block or erase information which is regarded as wrong.

The RCN will also:

(l) Take appropriate technical and organisational security measures to safeguard personal information;
(m) Ensure that personal information is not transferred abroad without suitable safeguards.

4.2 In addition, the RCN will ensure that:

(a) There is a member of staff with specific responsibility for Data Protection in the RCN (the Information Security and Compliance Manager is accountable to the Director of Legal Services for the coordination and management of the DPA);
(b) Everyone managing and handling personal information understands that they are contractually responsible for following good Data Protection practice;
(c) Everyone managing and handling personal information is appropriately trained to do so;
(d) Anyone wanting to make enquiries about handling personal information knows what to do;
(e) Queries about the handling of personal information are promptly and courteously dealt with;
(f) A regular review and audit is made of the way personal information is managed;
(g) Methods of handling personal information are regularly assessed and evaluated.

4.3 Rights of Access by Individuals

(a) Under the Data Protection Act 1998, any living person who is the subject of personal information held and processed by the RCN has a right to apply for access to that information. This is known as a subject access request.
(b) An individual does not have the right to access information recorded about someone else, unless they are an authorised representative.
(c) It is important that the Data Processor (the RCN) ensures that third party information is removed from the record prior to release to the applicant, unless the third party has given their consent to the release of the information.

4.4 Denial of Access

Access can be refused if the RCN has previously complied with an identical or similar request in relation to the same individual, unless a reasonable interval has elapsed between compliance with one request and the receipt of another. There are a number of other instances when the RCN may refuse access.

4.4.1 Access to all or part of a record will be denied if:

(a) In the opinion of the relevant professional, the information to be disclosed would be likely to cause serious harm to the physical or mental health of the applicant or any other person.
(b) The obligation to consult does not apply where the data subject has already seen or knows about the information that is the subject of the request, nor in certain limited circumstances where consultation has occurred prior to the request being made.
(c) The information forms part of legal advice given to the member by an RCN solicitor or a solicitor acting on behalf of the RCN.

4.4.2 Notification of refusal to grant access will be given as soon as possible, in writing. The RCN will record the reason for this decision, and will also fully explain the reason to the applicant.

4.4.3 Even if the RCN is aware that the applicant has received a copy of the information from another source, it must provide a copy of the information if held.

4.5 Exemptions

If the release of personal data would reveal information which relates to and identifies another person (a third party), for example where a relative has provided certain information, this information will be withheld unless consent from that individual is obtained. Information will also be withheld if its release is likely to cause serious harm to the physical or mental health of the data subject or of any other person.

There is an exemption in the Data Protection Act 1998 that allows personal information to be disclosed for the purposes of preventing or detecting fraud and for attempting to secure the apprehension of offenders (Section 29 – Crime and Taxation), but there are limits on what can be released.

5. Scope of the Policy

The scope of this policy extends to:
- Corporate and administrative records
- Human Resource records
- Financial Records
- Call recordings made to RCN Direct

It should be noted that there is a separate policy for staff members.

6. Roles and Responsibility

The RCN has a duty to ensure that the requirements of the Data Protection Act 1998 are upheld.

6.1 Responsibility of Chief Executive

The RCN's Chief Executive has overall responsibility for Data Protection within the RCN.

6.2 Director of Finance

The Chief Executive has nominated the Director of Finance to ensure that the RCN complies with the requirements of the legislation.

6.3 Data Protection Co-ordinator

The Information Security and Compliance Manager has been appointed to the post of Data Protection Co-ordinator. Responsibilities include:
- Ensuring compliance with the legislation's principles;
- Progressing the Data Protection Action Plan;
- Ensuring that notification of the processing of personal data to the Information Commissioner is up to date;
- Providing guidance and advice to members in relation to compliance with legislative requirements;
- Reporting, via the Incident Reporting process, any breaches of Data Protection legislation.

6.4 Data Owners

Directors and Senior Managers are responsible for information held manually and electronically within their Directorate areas and for the development of procedures relating to it. As Data Owners, their responsibilities include:
- Informing the Data Protection Co-ordinator of any changes in the processing of personal data;
- Identifying and justifying how sets of data are used;
- Identifying all personal data for which they are responsible; and
- Agreeing who can have access to the data.

6.5 All Members

Maintaining confidentiality and adhering to data protection legislation applies to all users of personal data held by the RCN. The RCN will take all necessary steps to ensure that everyone managing and processing personal data understands that they are contractually responsible for following good data protection practice and, where appropriate, bound by a common law duty of confidence. These responsibilities and common law duties apply equally to all transient staff, including trainees, council members, accredited representatives, stewards and professional advisors. Further responsibilities include:
- Observing all guidance and codes of conduct in relation to obtaining, using and disclosing personal data;
- Observing all information sharing protocols in relation to the disclosure of information to provide care for individuals;
- Obtaining and processing personal information only for specified purposes;
- Only accessing personal information that is specifically required to carry out their work;
- Recording information correctly in both manual and electronic records;
- Ensuring that any personal information held is kept secure;
- Ensuring that personal data is not disclosed in any form to any unauthorised third party;
- Ensuring that sensitive personal information is sent securely. Please see Appendix A, Guidance for sending sensitive personal information externally.

Failure to adhere to any guidance in this policy could result in members being personally liable under the Data Protection Act 1998 and may result in access being removed.

7. Relevant Policies, Procedures and Guidance – Legislative Framework

Members must comply with relevant legislation, professional standards and guidance as follows:
- Data Protection Act 1998
- Computer Misuse Act 1990
- The Common Law Duty of Confidentiality

8. Review of Policy

This policy will be reviewed three years from the date of issue, or as required by legislative or good practice recommendations.

Appendix A - Guidance for sending sensitive personal information externally

1. Introduction

The Royal College of Nursing's information systems use sensitive personal information daily to assist, protect and promote its members' rights. Any information relating to trade union membership is classed as sensitive personal data under the Data Protection Act (1998). As such, the RCN processes sensitive personal information throughout the organisation and has an obligation to comply with legislation to protect both member and staff information.

The Data Protection Act requires that all organisations have appropriate security in place to protect personal information against unlawful or unauthorised use or disclosure, and accidental loss, destruction or damage. The following guidance sets out how personal or sensitive information should be processed to ensure our data is properly secured. This includes the transfer, storage and disposal of information, and information held on our behalf by contractors. If you have personal information that is currently stored or transferred insecurely, you must secure it immediately.

All members handling personal information about members, staff, or individuals from other organisations are required to complete the online data protection training.

2. Confidentiality

All members have a duty to ensure that information about members, staff and sensitive non-personal information is handled appropriately. Sensitive information should only be made available to people authorised to view it. The following principles should be followed wherever you communicate sensitive personal information:
• justify the purpose for sharing the information
• don't use information that personally identifies individuals unless necessary
• information should be disclosed on a 'need to know' basis
• if unsure, seek guidance on appropriate action from the Information Security & Compliance Officer.

3. Face to face

Take into account that the person you are speaking to may not wish their personal information to be shared in front of others. Please ensure that:
• you are not disclosing, or requesting the other person to disclose, sensitive information about themselves in front of others, e.g. in reception areas or open-plan offices
• personal information, in any format, cannot be viewed by others.

4. Telephone

Personal information should only be disclosed over the telephone to a third party where the following procedure has been adhered to:
• the identity of the other party has been confirmed by verification. The type of verification will differ by service and by the sensitivity of the information being disclosed. For queries by members we require their name, address, post code and place of work. For third parties we require consent from the member before releasing / confirming that they are a member.
• the reason for requesting the information has been established and is appropriate
• where appropriate, contact details have been requested and their identity checked by calling the person back via the main switchboard of the organisation that they represent and asking for the person by name
• provide personal information only to the person who requested it
• do not leave any confidential information on voicemail or answering machines as it may be accessible by others. Please remember that by confirming an individual is a member of the RCN you are releasing sensitive personal information as defined by the Data Protection Act.
• when in conversation, take precautions to ensure that information is not shared inappropriately with others, e.g. when using mobile phones, travelling on trains, etc.
• sensitive personal information should not be sent via text messaging as it may be accessible by others.
• for more information please see the Telephony Policy.

5. Email

Email services should be used as follows:
• sensitive information relating to a single individual can be sent via email to the subject of the information if they have requested it to be sent by email, or with their agreement, and it is encrypted. The exception to this is when a member has stated that they want to receive the information without encryption; a record must be kept of this. Documents containing sensitive personal information cannot be sent to third parties without encryption.
• care should be taken when addressing email messages to ensure that a correct, current address is used and that the email is only copied to those with a legitimate interest
• if information is transmitted and not received by the intended recipient, check that the contact details and email address are correct for the receiving party before re-sending
• consider the impact on individuals of the data being lost or misdirected. Where information is provided in bulk, or where the information is of a sensitive nature, make an assessment of the protection to be applied. If in doubt, err on the side of caution and send the information in an encrypted attachment to the email (please refer to the encryption procedures below)
• avoid putting sensitive personal information about more than one person in an email, as this will lead to difficulties in maintaining accurate and relevant individual client or staff records.
• when transferring data, be aware of who has permission to view your emails or who might be able to view your recipient's inbox.

For more information please see the Member IT Policy.

6.0 Bulk Email

6.1 Bulk e-mail, by definition, is unsolicited e-mail sent quickly in large quantities, and is recognised as an efficient, cost-effective and environmentally-friendly use of email for facilitating communication within the RCN membership and wider. The potential misuse of bulk e-mail is also recognised. The purpose of this guideline is to instruct users on the appropriate use of bulk e-mail and to provide recommendations on how to properly send bulk e-mail messages in order to reduce recipient complaints and confusion.

6.2 Generally speaking, bulk e-mail is appropriate for:
• Messages that directly relate to carrying out the business of the RCN.
• Messages that relate to changes in RCN policy or time-sensitive issues.
• Messages that inform a select group of people (e.g. members, staff, interested parties etc.) of an announcement or event related to the RCN.

Announcements that do not meet these criteria must seek the approval of the Communications Department.

6.3 Inappropriate use of bulk email includes, but is not limited to:
• Messages that are not in line with the aims and objectives of the RCN
• Messages that are personal in nature
• Messages that have not been approved by a member of the SMT.

6.4 Sending Bulk E-mail

Sending bulk email is intended to allow the RCN to meet its obligations under the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The policy ensures that bulk member communications are co-ordinated centrally by Digital Communications and limits how many can be sent in a given time frame. It is primarily aimed at limiting marketing and member services communications.
• a bulk email is defined as an email with more than 20 member recipients where some or all of those members are not personally known to the sender
• no more than two emails may be sent to a basic member in a period of one week
• there are no restrictions on sending bulk emails to people in their capacity as activists, providing that they are not intended for advertising a product, event or service; these will not count toward the two email limit
• a bulk message should be brief, self-explanatory, clear and concise, and should only be used for important messages relevant to all recipients.
• avoid sending frequent or repeated messages.

6.5 To request a bulk email, please contact Digital Communications, who co-ordinate bulk member communications centrally.

7. Suitable passwords for routine transactions

It is recognised that encrypting documents changes the way we work with members. Members need guidance on suitable passwords. If members are required to routinely create new encrypted documents, they will forget passwords or simply choose one password and continue to use it for all documents. For that reason, it is the recommendation of the Information Security & Compliance Manager that a standard is used for setting passwords when sending documents to third parties.

When setting passwords for emails to members, solicitors or other third parties, a password should be made up of the postcode of the office at which you work, along with the name of the member that you are representing. For example, if an email containing case notes needs to be sent to a member whose name is Joe Bloggs and the office worker is based at Cardiff Gate, the password would be BloggsCF238XG.

Instructions to encrypt a Word / Excel document

1. Open or amend a Word / Excel document.
2. Click on the Office button and select "Prepare" > "Encrypt Document".
3. You will then be asked to enter and confirm the password required to open the document.
4. Then save the document in the normal manner. You have now password protected this document, and the password will be required every time the document is opened.

Data Protection Policy for Members - Acknowledgement

Full Name: _____________________________________________________________ (Last) (First) (MI)

Phone Number: _____________________

Branch: __________________________________

Signature: _____________________________________________________________

Date: ______/____/_______________