1.0 Introduction for Medical / Dental / Cosmetic / Clinical Clients
Law Med needs to keep certain information about its employees, suppliers and clients to allow it to monitor performance, achievements, ethnicity and health and safety. It is also necessary to process information so that the Firm can comply with its legal obligations, recruit and pay staff, and organise professional development courses. To comply with the law, information must be collected appropriately, used fairly, stored safely and destroyed promptly and appropriately when it is no longer needed.
With regard to the data of our clients (whether dental, medical, surgical, clinical or cosmetic), we must ensure that we hold only data for which we have the relevant permission, and that any request for that data is made in accordance with the use we envisage for it. We must hold that data only for as long as it is needed, hold it securely and confidentially while we do, and dispose of it promptly once its use is no longer valid or appropriate.
To do this, the Firm must comply with the Data Protection Principles set out in the General Data Protection Regulation (GDPR), which replaced the Data Protection Act 1998. The GDPR contains 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation. These include:
2.0 Data Protection Principles
Principle 1: Lawfulness, Fairness and Transparency
Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means Law Med must tell the Data Subject what Processing will occur (transparency), the Processing must match the description given to the Data Subject (fairness), and it must rest on one of the lawful bases set out in the applicable Data Protection regulation (lawfulness).
Principle 2: Purpose Limitation
Personal Data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes. This means Law Med must specify exactly what the Personal Data collected will be used for and limit the Processing of that Personal Data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed. This means Law Med must not store any Personal Data beyond what is strictly required.
Principle 4: Accuracy
Personal Data shall be accurate and kept up to date. This means Law Med must have in place processes for identifying and addressing out-of-date, incorrect and redundant Personal Data.
Principle 5: Storage Limitation
Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed. This means Law Med must delete or anonymise Personal Data once the purpose for holding it has been met and must, wherever possible, store it in a way that limits or prevents identification of Data Subjects.
Principle 6: Integrity & Confidentiality
Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. Law Med must use appropriate technical and organisational measures to ensure that the integrity and confidentiality of Personal Data is maintained at all times.
Accountability: the Data Controller shall be responsible for, and be able to demonstrate, compliance. This means Law Med must be able to demonstrate that the six Data Protection Principles outlined above are met for all Personal Data for which it is responsible.
The Information Commissioner’s Office (ICO) is responsible for upholding information rights in the public interest and enforcing the requirements of UK Data Protection Laws.
Law Med is a Data Controller in respect of our clients' and employees' data.
4.0 Status of this Policy
This policy does not form part of the formal contract of employment for staff, or of the retainer with the Firm's clients. It is, however, a condition of employment that staff adhere to the policies set out here, and clients directly benefit from the rights that the GDPR confers. The Policy is the Firm's means of ensuring that its obligations are met and that the entitlements of our staff and clients can be exercised or enforced with the minimum of fuss.
5.0 Definitions
Personal Data
Any information (including opinions and intentions) which relates to an identified or identifiable natural person.
Identifiable natural person
Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller
A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Subject
The identified or identifiable natural person to which the data refers.
Process, processed, processing
Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
Data Protection Authority
An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulations – in the UK this is the ICO.
Data Processor
A natural or legal person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.
Consent
Any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
Special Categories of Data
Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.
Third Country
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Profiling
Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an identifiable natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Encryption
The process of converting information or data into code, to prevent unauthorised access.
GDPR
The General Data Protection Regulation.
6.0 The Data Controller and the Designated Data Controller
The Firm as a body corporate is the Data Controller under the General Data Protection Regulation, and the Directors are therefore ultimately responsible for implementation. Day-to-day matters are dealt with by the Designated Data Controller.
The Firm has one Designated Data Controller: the Head of Department, Mr Graham Balmforth.
7.0 The Basis on which we hold Data
With regard to our client data, we acquire, hold and process it on the basis of full and lawful consent and/or because we have a legal obligation to do so.
With regard to our staff and applicant data, we acquire, hold and process it on the basis of employment legislation and, where applicable, for the purpose of ethnic monitoring.
The periods which we hold data are reviewed annually in line with this policy and are reflected in the Data Retention policy.
8.0 Rectification of Data / Data Integrity
Any member of staff, supplier, applicant, client or other individual who considers that this Policy has not been followed in respect of personal data about himself or herself, or that there has been an error in the acquisition of that data or an alleged error in the integrity of the data we hold, should raise the matter with the Designated Data Controller. Notification can be by email or in writing, addressed to: Mr Graham Balmforth, Data Control Officer, Law Med, Blake House, York YO1 8QR, 008000096312. Any notification of a data breach, policy breach or integrity error should include, as a minimum:
The identification of the subject (full name, title, date of birth and reference, if appropriate)
The type of data held (supplier, client, employee, former employee, applicant etc.)
What the alleged data inaccuracy or breach is
What the correct data should be (in the case of a data error)
Whether the error concerns a clinical, medical, dental or cosmetic record.
9.0 Responsibilities of Staff
All staff are responsible for:
Checking that any information that they provide to the Firm in connection with their employment is accurate and up to date.
Informing the Firm of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. The Firm cannot be held responsible for any errors unless the staff member has informed the Firm of such changes.
If the Staff member has responsibility for dealing with client files in any capacity then they must act in accordance with this policy and the obligations set out for such staff within the firm’s office procedures manual (the OPM can be found online in the firm’s cloud data drive).
Staff must report any data breach, data loss or failure to adhere to this policy promptly, and in any event within 72 hours, to Mr Graham Balmforth (email@example.com). Because the Firm itself must notify the ICO of a reportable breach within 72 hours of becoming aware of it, the earlier the internal report is made the better. Any investigation into a data breach or non-compliance will have regard to the promptness of that report when staff discipline is considered.
Staff will ensure that the personal data they collect and process is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject by:
Informing the Firm's officer, Mr Graham Balmforth (firstname.lastname@example.org), so that the relevant amendments can be actioned promptly.
10.0 Client Responsibilities
Clients must ensure that all personal data provided to the Firm is accurate and up to date. They must ensure that changes of address and similar details are notified to the Firm's staff as soon as possible.
If clients become aware that data being held is not accurate, this should be notified promptly to the appropriate officer, Mr Graham Balmforth.
11.0 Data Security
All staff are responsible for ensuring that:
Any personal data that they hold is kept securely.
Personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross professional misconduct in some cases. Staff should also be aware that in some circumstances a data breach may constitute a criminal offence and may expose the individual to a fine, imprisonment and disciplinary action by the professional regulator, the Solicitors Regulation Authority (SRA).
Staff should promptly report any data breaches, losses or failures to adhere to this policy to Mr Graham Balmforth (email@example.com).
In the case of staff or applicant data, personal information should:
Be kept in clearly labelled closable folders, which disclose no information other than identification information externally.
Be held only for as long as is required by this policy.
If computerised, be password protected and held only on the remote-access Microsoft cloud server, in a folder that is also password protected. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer or safe. Further information on data security is given in the Office Procedure Manual.
In the case of client data, personal information:
Should be held in clearly labelled Lexcel compliant folders in approved cabinets with closable drawers or doors.
Client files should when not in use be kept in cabinets
Cabinets are to be kept in lockable rooms
Rooms are to be accessible only by approved personnel.
Electronic Files are to be kept only on the cloud hosted desktop environment.
12.0 Rights to Access Information
All staff, clients, suppliers and applicants (“data subjects”) are entitled to obtain based upon a request made in writing, and upon successful verification of their identity, the following information about their own Personal Data:
The purpose of the collection, Processing, use and storage of their Personal Data
The source(s) of the Personal Data, if it was not obtained from the Data Subject
The categories of Personal Data stored for the Data Subject
The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients
The envisaged period of storage for the Personal Data or the rationale for determining the storage period
The use of any automated decision-making, including profiling
13.0 Subject Access Requests
This Policy document and the Firm's Office Procedure Manual address the points above. To address the first point, the Firm will, upon request, provide all staff, suppliers, applicants, clients and other relevant users with a statement regarding the personal data held about them. This will state all the types of data the Firm holds and processes about them, and the reasons for which they are processed.
Applications should be made to Mr Graham Balmforth, Data Protection Officer, Law Med (firstname.lastname@example.org).
Such applications (subject access requests) should be made on the form set out at the bottom of this policy and completed in black ink in block capitals. Any accompanying letter should be firmly attached and state "subject access request" in its title.
The Firm will not make a charge for access to this information; however, the Firm reserves the right to assess whether such requests are reasonable and proportionate.
The Firm aims to comply with requests for access to personal information as quickly as possible and will in any event respond within one month of receipt, the period set by the GDPR.
14.0 Law Enforcement Requests & Disclosures
In certain circumstances Law Med will be required to share Personal Data without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:
The prevention or detection of crime
The apprehension or prosecution of offenders
The assessment or collection of a tax or duty
By the Order of a court or by any rule of law
Where Personal Data is disclosed for one of these purposes, the Firm may depart from the processing rules outlined in this policy, but only to the extent that applying them would be likely to prejudice the purpose in question.
If any employee receives a request from a court or any regulatory or law enforcement authority for information relating to a client, this must be brought to the attention of the DPO immediately.
15.0 Data Subject Notification/External Privacy Notices
Law Med will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data. We will do this through our Privacy Notice. The most up to date version of our Privacy Notice can be found on our website.
When a Data Subject is asked to give Consent to the Processing of Personal Data, and whenever Personal Data is collected from the Data Subject, all appropriate disclosures will be made in a manner that draws attention to them, unless one of the following applies:
The Data Subject already has the information
A legal exemption applies to the requirements for disclosure and/or Consent
16.0 Subject Consent
In many cases, the Firm can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to the Firm processing some specified classes of personal data is a condition of acceptance of a client’s instructions and a condition of employment for some staff. This includes information about previous criminal convictions.
It is possible that some jobs will bring the applicants into contact with children, including young people between the ages of 16 and 18. The Firm has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job. The Firm also has a duty of care to all staff and clients and must therefore make sure that employees and those who use Firm facilities do not pose a threat or danger to other users.
The Firm may also ask for information about particular health needs, such as allergies to particular forms of medication, or any medical condition such as asthma or diabetes. The Firm will only use this information in the protection of the health and safety of the individual, but will need consent to process this data in the event of a medical emergency.
Therefore, the application forms that all prospective staff are required to complete will include a fair processing notice requiring consent to process the applicant's personal data. A refusal to sign such a form will prevent the application from being processed.
17.0 Processing Sensitive Information
Sometimes it is necessary to process information about a person’s health, criminal convictions, race, and trade union membership. This may be to ensure that the Firm is a safe place for everyone, or to operate other Firm policies, such as the sick pay policy or the equal opportunities policy. Because this information is potentially sensitive, staff will be asked to give their express consent for the Firm to process this data.
18.0 Transfers to Third Parties
Law Med will only transfer Personal Data to, or allow access by, Third Parties when it is assured that the information will be Processed legitimately and protected appropriately by the recipient. Where Third Party Processing takes place, we will first identify whether, under applicable law, the Third Party is considered a Data Controller or a Data Processor of the Personal Data being transferred.
Where the Third Party is deemed to be a Data Controller we will enter into an appropriate agreement with the Controller to clarify each party’s responsibilities in respect to the Personal Data transferred. Where the Third Party is deemed to be a Data Processor we will enter into an adequate Processing agreement with the Data Processor. The agreement must require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with our instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification of Personal Data Breaches.
19.0 Publication of Firm Information
The Firm's website www.law-med.co.uk contains information about the ownership, staffing and management of the Firm together with the Firm's regulatory details.
Certain items of information relating to key staff biographies will be made available via searchable directories, social media and the public Law Med website www.law-med.co.uk, in order to meet the legitimate needs of researchers, clients and enquirers seeking to make contact with appropriate staff.
The Firm's Office Procedure Manual sets out these areas and directories. On termination of employment, staff have sole responsibility for ensuring that their own social media accounts are kept up to date with their employment dates.
20.0 Retention and Destruction of Data
The Firm has a duty to retain some staff and applicant personal data for a period of time following their departure from the Firm, mainly for statutory reasons, but also for other purposes such as being able to provide references and confirmation of service dates and duties, ethnicity monitoring, or for financial reasons, for example relating to pensions and taxation. In all cases, retention of this staff data will not exceed the maximum period for which the data must be held to satisfy these statutory requirements, and no staff data will be held for longer than 15 years.
With reference to client data, and data held on client files regarding personal injury, clinical negligence, industrial disease or other tortious liability claims, whether paper or electronic, no data will be held for a period exceeding 6 years following administrative closure (as opposed to file closure or matter conclusion). Files for other professional services, for example wills and probate and conveyancing, are subject to regulatory retention requirements and will be held for a maximum of 15 years in paper form and 6 years in electronic form.
All paper-held data will be destroyed by reference to a schedule maintained by the Firm and controlled by the DPO, which details the archive and destruction date of each file. All paper data will be destroyed by high-security graded mechanical cross-cut shredding, and the shredded material is sent for bleached pulp recycling.
Electronic data will be destroyed by deletion followed by overwriting with secure-erasure software. Defragmentation reorganises files on disk but does not remove their contents, so it is not a substitute for overwriting.
The periods for which data is held are reviewed annually along with this policy.
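As an added illustration of the retention periods above (example code written for this page, not the Firm's own schedule or software), the rules from section 20.0 are encoded and applied to a constructed set of records to produce the archive-and-destruction schedule that the DPO is required to maintain. The record categories, file references and dates are assumptions for the example; for staff records the policy's 15-year ceiling is applied on top of whatever statutory period governs the particular data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods in years, as stated in section 20.0 of this policy.
# "claim": personal injury, clinical negligence, industrial disease and other
#          tortious liability files, 6 years from administrative closure.
# "other": wills, probate, conveyancing and similar, 15 years paper / 6 years electronic.
# "staff": kept for the statutory period, but never longer than 15 years.
RETENTION_YEARS = {
    ("claim", "paper"): 6,
    ("claim", "electronic"): 6,
    ("other", "paper"): 15,
    ("other", "electronic"): 6,
}
STAFF_CEILING_YEARS = 15


@dataclass(frozen=True)
class Record:
    ref: str                      # file or personnel reference (constructed for the example)
    category: str                 # "claim", "other" or "staff"
    medium: str                   # "paper" or "electronic"
    closed: date                  # administrative closure date, or leaving date for staff
    statutory_years: Optional[int] = None  # staff only: period required by statute


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anniversary that does not exist rolls to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_date(rec: Record) -> date:
    """Earliest date on which the record may be destroyed under section 20.0."""
    if rec.category == "staff":
        if rec.statutory_years is None:
            raise ValueError(f"{rec.ref}: staff records need a statutory retention period")
        years = min(rec.statutory_years, STAFF_CEILING_YEARS)
    else:
        try:
            years = RETENTION_YEARS[(rec.category, rec.medium)]
        except KeyError:
            # Refuse rather than default: an unknown rule must not silently retain a file.
            raise ValueError(f"{rec.ref}: no retention rule for {rec.category}/{rec.medium}") from None
    return add_years(rec.closed, years)


def destruction_schedule(records, today: date):
    """Return (ref, destruction date, status) tuples, earliest first.
    status is 'overdue' once the destruction date has passed, otherwise 'retain'."""
    rows = []
    for rec in records:
        due = destruction_date(rec)
        status = "overdue" if due <= today else "retain"
        rows.append((rec.ref, due, status))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample records and review date; not real Law Med data.
SAMPLE = [
    Record("PI-001", "claim", "paper", date(2017, 3, 1)),
    Record("PI-002", "claim", "electronic", date(2016, 2, 29)),
    Record("WILL-007", "other", "paper", date(2010, 1, 15)),
    Record("WILL-007e", "other", "electronic", date(2010, 1, 15)),
    Record("HR-042", "staff", "electronic", date(2005, 6, 30), statutory_years=40),
]
AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    for ref, due, status in destruction_schedule(SAMPLE, AS_OF):
        print(f"{ref:10} destroy on {due}  [{status}]")
```

Running the block prints the schedule as of the constructed review date. Two details matter for an annual review of this kind: a 29 February closure date rolls to 28 February in the destruction year rather than raising, and a record whose category or medium has no rule raises instead of defaulting, so the schedule cannot quietly keep a file for the wrong period.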
All employees will have their responsibilities under this policy outlined to them as part of their induction training. All employees will complete an annual refresher of this training. Law Med will provide further training and guidance if there are any updates made to this policy and/or the associated policies and procedures.
Compliance with Data Protection legislation is the responsibility of all members of the Firm. Any deliberate breach of this data protection policy may lead to disciplinary action, including dismissal, and in serious cases to criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Designated Data Controller, Mr Graham Balmforth.
This policy is owned by DPO and will be reviewed at least annually. We will provide information and/or training on any changes we make.