Our Commitment to Data Privacy and Confidentiality
We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with the EU General Data Protection Regulation, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Outlook SW Ltd is a Data Controller under the terms of the Data Protection Act. We are legally responsible for ensuring that all personal information that we hold and use is done so in compliance with the law. All data controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZA152401 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, the NHS Constitution, the Health and Social Care Information Centre Guide to Confidentiality, and the NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We would not share information that identifies you unless we have a fair and lawful basis
- You have given us permission;
- To protect children and vulnerable adults;
- When a formal court order has been served on us;
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State for Health or the Health Research Authority (HRA) on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
In all circumstances we will only use the minimum amount of information necessary about you.
We will only keep information for as long as is necessary and in accordance with the retention periods set out in the Records Management Code of Practice for Health and Social Care 2016 – http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf. When the retention period has expired and the information is no longer necessary for the stated purpose, the information will be destroyed. Personal confidential data held on paper is securely destroyed.
Privacy by design
Outlook South West confirms that since 2018 all new or updated procedures or processes involving personal information are subject to a Privacy Impact Assessment (PIA), now known as Data Privacy Impact Assessments (DPIAs) under GDPR. These help to identify and minimise the data protection risks.
The company is committed to protecting and respecting the privacy of individuals. We take our obligations under data protection legislation seriously. We already manage personal data in accordance with:
- NHS Code of Practice: Confidentiality
- Data Security and Protection (DSP) Toolkit and
- Information Governance statement of Compliance (IGSoC)
We also adhere to ISO 27000 and NHS Information Security Standards.
We understand and welcome the high standards that GDPR will promote and encourage across all organisations that process personal data on behalf of third party contractors and suppliers of service.
We regularly review all personal data we hold. We have a detailed data asset register which outlines where this data is held, why we hold it, and how long it must be kept for in line with the NHS Code of Practice: Records Management.
The Trust routinely anonymises, pseudonymises and encrypts personal identifiable data. This may be used as one measure within a suite of measures designed to reduce risk where deemed appropriate and as part of an overall risk-based approach to the management of personal data.
Under the GDPR, we must notify any data breach to the controller without undue delay. We have processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the ICO.
Processing of personal information outside the UK
If personal information is transferred outside of the UK, we make sure that it is protected in line with the GDPR requirements.