General Data Protection Regulation (GDPR) Policy

Alpine Care believes that all data required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained and stored in accordance with the requirements of the Data Protection Act 2018.
The General Data Protection Regulations (GDPR) form the basis of the Act but in order to be effective and compliant with its requirements, the Related Policy list should be viewed as core to this policy, as should Section 2 and the Related Guidance links.
PLEASE NOTE: All Guidance from the ICO should be considered “Live Documentation” and regularly checked until all Codes of Practice and Guidance are issued. Working Party 29, known as WP29, is a representative body from each of the EU member states who have developed and worked on the Act. WP29 still sits and meets in the European Parliament until all of the complexities of the Act have been clarified and amended into law.
Lawful Bases
After due consideration, this organisation has determined that the following Lawful Bases are used in the collection of data:
Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations) and CQC regulations.
Vital Interests: the processing is necessary to protect someone’s life.
Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
Data Protection Principles
The Act sets out 8 Principles, which must be adhered to when processing data. Please refer to the Related Guidance links for further information. The GDPR sets out the following principles for which this organisation is responsible and must meet. These require that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Individual Rights
There are several changes here, in particular to the Right of Access in relation to timescales and fees. These must be fully understood in relation to anyone submitting a Subject Access Request. Please refer to the Related Guidance link.
The GDPR provides the following rights for individuals:
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision making and profiling

Each of the above rights has its own Best Practice Process, which you will find here:
https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
Privacy Notices
This is a new requirement for data processing. It is an accessible information declaration which should set out clearly how we will gather, use, handle, store and process personal data.
The Code uses the term “Privacy Notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people’s expectations about personal data are changing, particularly through the use of social media, the use of mobile apps and the willingness of the public to share personal information via these platforms.
However, Alpine Care is increasingly aware of the fragile trust which can be easily broken through data breaches and is therefore seeking transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency and control become a given for users.
Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:
What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on individuals concerned?
Is the intended use likely to cause individuals to object or complain?

The Privacy Notice must be easily understood by users of the service and include all of the above. It must also be easily visible, so in this organisation it is issued at Assessment stage for clients and Recruitment stage for employees.

Privacy and Electronic Communications Regulations (PECR)

This guide, issued by the ICO, specifically covers electronic marketing messages, i.e. phone, fax, email or text, and includes the use of cookies. It introduces specific rules on the above, on keeping such communication services secure, and on users’ privacy in regard to traffic and location data, itemised billing, line identification and directory listings.
The Data Protection Act 2018 still applies if you are processing personal data. The PECR sets out some extra rules for electronic communications. Please be mindful of electronic schedule systems, which will also come under PECR.
File Retention
The GDPR sets out Guidance on files and retention, including archiving; specifically, Health and Social Care personal data is generally exempt. As a provider of services, we have file and retention guidelines in place from our Regulators, which include CQC and the NHS, as well as from Local Authorities via the Service Specification within any contractual arrangements. A periodic check of the Regulator’s Guidance should be part of the review of this policy.
Compliance
In order to meet the requirements of the Act, a thorough knowledge of the Guidance should be the priority for the Data Controller. It is also important that the Act is placed in the context of other compliance requirements, namely The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and all other lawful requirements, such as Regulation 18 Staffing, to name but one.
In recognition of the complexities of the Act, the ICO has set up an advice service for small organisations. https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/

CCTV Policy
Definitions
Surveillance is the monitoring of a place, person, group, or ongoing activity in order to gather information.
Overt surveillance is where the individual being monitored would reasonably be aware of the surveillance occurring. For example, visible CCTV cameras with clear signs saying that they are in use.
Covert surveillance is where the individual being monitored would not reasonably be aware of the surveillance occurring. For example, the use of hidden audio recording devices for a time-limited and specific purpose.
Surveillance systems are the technology and equipment used to carry out surveillance, or to store and process the information gathered. Advances in technology mean that new systems or methods may become more commonplace. For simplicity, in this information we will generally make reference to ‘surveillance’, which could encompass CCTV, Wi-Fi cameras, audio recording, radio-frequency identification (RFID) tracking and many other types of system. This information sets out considerations that can be applied to these and any other existing or emerging technologies.
Privacy, in its broadest sense, is the right of an individual to be left alone. Intrusion into privacy can include the collection of information through surveillance or monitoring of how people act in public.
POLICY STATEMENT
This policy is written to explain the response of Alpine Care to the use of closed-circuit television (CCTV) and similar devices such as webcams inside and/or outside the homes of its service users, which record the actions of its staff while working, including when entering and leaving the home.
It should be used with reference to the agency’s policies on Data Protection and Stress at Work.
Alpine Care understands that visual images such as photographs and video recordings are defined as data and are covered in the same way as written records by data protection principles in organisations, where the Data Protection Act 1998 applies. However, it also understands that private dwellings are not covered by the Data Protection Act, which means that the guidance produced by the Information Commissioner’s Office on the use of CCTV does not extend to its use in private households.
Alpine Care recognises that it is providing a social service, which in line with its registration responsibilities, has a duty to make sure on the one hand that its service users are kept safe from harm and on the other that its staff are not subject to undue harassment or pressures that could impair the quality of their care and their welfare.
We are therefore aware that service users, relatives and representatives might seek to use CCTV and similar devices to record the care being given to service users as a protective measure, but this might also have the effect of increasing staff stress and be counterproductive in terms of achieving the standards of care that are expected of them.
We have therefore devised our own Code of Practice, which we apply in those homes where we know that CCTV or similar devices have been installed (or are planned to be installed) and could record the actions of our staff while carrying out their caring duties. The code does not apply to houses where CCTV has been installed for external security purposes only and would not record such things as the times of workers entering or leaving the house. It does apply where such actions are routinely recorded.
Code of Practice
The code is written to reflect the responsibilities of users of surveillance methods in their relationships with other parties who might wittingly or unwittingly be exposed to them, as described in the Information Commissioner’s Office guidance on the use of CCTV in organisations where data protection principles apply.
Alpine Care follows the following principles.
We acknowledge that any CCTV and similar recording devices belong to the service user/representatives and we have no control over their use. We can, however, negotiate how they are used in relation to the services which we have agreed to provide. We enter into any negotiations with a view to creating relationships with the service user and their representatives which are based on mutual trust, openness and transparency.
We also recognise that video recording can be a useful tool to help protect a service user from harm and the risk of harm, to promote learning and development and to improve the quality of care if used appropriately.
We work on the basis that care practices must only be recorded on CCTV and similar devices with the express permission of the Manager of Alpine Care and individual carers.
Service users/representatives who seek to make use of CCTV within the service delivery process must make this clear at the beginning of the service or when proposing it at any later stage so that its use and conditions of its use can be written into the service agreement.
Representatives of a service user who seek to install or use CCTV on behalf of the actual service user must have obtained the latter’s permission or, if the person lacks mental capacity to give their consent, the agency will insist that a “best interests” process is carried out.
Where any such agreement has been reached, Alpine Care will then make the relevant staff aware of its use and obtain their written consent to their being recorded.
We will always seek to establish the purpose of the use of the CCTV (which might not always be directed at our staff, but might be a means, for example, of checking on the service user her or himself). We will then set out in writing the purpose and any specific objectives which are relevant to the individual care and support plan.
Alpine Care will not agree to the routine recording of any intimate personal care that invades the privacy of the service user and affronts their dignity.
The Alpine Care Manager could agree to certain aspects of the care provided being recorded (with consent) for a specific purpose, e.g. for problem-solving or learning, where there are benefits of recording the procedure for both service user and staff.
Alpine Care will not seek to make use of the recording for its own internal monitoring purposes.
We will discuss with the service user/representatives, as part of the agreement on the use of the CCTV, how long the images of our staff will be retained, what access other people might have to those images and how they will be disposed of. These are all matters that could affect the rights of Alpine Care’s employees.
We will also agree with the service user/representatives, as part of the agreement, the rights of access of our staff to any recorded images of them, as they would have if the process was following data protection principles.
Alpine Care will not tolerate the use of covert surveillance of its staff by a service user and/or their representatives, which implies a lack of trust and confidence in both individual staff and the agency. If it discovers that covert surveillance methods are being used unilaterally and without adequate reasons, it will discuss ending its services to that user.
Under some circumstances, however, it would accept the results of covert recordings if they provide clear evidence of malpractice or misconduct on the part of the staff member being recorded or to support a complaint.
In exceptional circumstances where, for example, there is prior evidence of an agency employee harming the service user in any way or putting the person at risk of harm or engaging in any other kind of possible misconduct it might agree with the service user/representatives to staff behaviour being recorded covertly. The evidence obtained could then be used to trigger the agency’s safeguarding procedures.
The agency accepts that each situation should be treated differently and the agreements reached will be on an individual basis.
Alpine Care staff will be advised of CCTV if there is any in the house they will be visiting.

Document Tracking/Record Keeping
Staff Documentation & Transporting Service User information
Re: Taking Hard Copy data away from Alpine care’s Premises.
While performing duties it is anticipated that data will be taken away from Alpine Care’s offices. We need to ensure the policies below are considered and adhered to in order to comply with GDPR regulations.
This material should only be taken from Alpine Care’s offices when it is a necessity. This information must be kept confidential at all times.
Where data contained within paper records needs to be taken from Alpine Care’s office, this should be kept to a minimum both in terms of content and duration. Consider how much information is required for that particular service user or to complete the relevant task and avoid taking unnecessary information.
Where paper records are in transit from Alpine Care’s office to another location, i.e. a service user’s address, they should be transported in a way that mitigates the risk of confidential information being obtained by unauthorised parties.
If you become aware of any breach or potential breach you must inform the Manager immediately.
Client Documentation
Due to the nature of the organisation, Alpine Care’s staff are regularly required to transport documents such as care plans and communication books, which may include your personal data, between locations. We would therefore like to reassure you that Alpine Care takes data security very seriously and has a number of procedures in place to secure your data when it is being transported outside of Alpine Care’s offices. In particular, we have a document tracking log: whenever data is taken from Alpine Care’s office or your premises for any reason, staff are required to log it in the document tracking log so that the handler of those documents is known at all times. If you are at any point concerned about the security of your data, please do contact the Manager.
Record Keeping
POLICY STATEMENT
Every care service is required to have systems and methods for keeping records that comply with its registration conditions as set out, specifically Regulation 16: Records of Personal Plans, Regulation 55: Records and Regulation 74: Duty to ensure there are systems in place for Keeping of Records, and with the General Data Protection Regulation (GDPR), which applies to all businesses and organisations that process personal data.
This policy is intended to set out the values, principles and policies underpinning Alpine care’s approach to record keeping, data protection and access to records.
The policy should be read and used in relation to policies on:
Applications for Access to a Deceased Service User’s Care Records
Confidentiality of Service Users’ Information
Protecting Personal Data under the General Data Protection Regulation
Service Users’ Access to Records
Records Kept in Service Users’ Homes
Alpine Care works to the following principles of good record keeping.
Records required for the protection of service users and for the effective and efficient running of the care service are maintained, are up to date and are accurate.
Service users have access to their records and information about them held by the care service, as well as opportunities to help maintain their personal records.
Individuals’ records and other records that contain private, confidential personal data are kept in a secure fashion, are up to date and in good order, and are constructed, maintained and used in line with the applicable regulations and related policies (see above).
Record Keeping procedures
All Alpine care’s staff must do the following.
Ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them. (Where a service user keeps their own records at home, the manner of safe storage is discussed with the person concerned and/or, where appropriate, their relatives. Confidentiality aspects are discussed as part of the initial assessment process.)
Be aware that the relatives of a service user do not have any automatic right of access to that service user’s files and need to have the service user’s permission to see any information on that person. If the service user lacks the mental capacity to give their permission a “best interests” procedure would then need to be followed in line with the Mental Capacity Act 2005.
Ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people.
Wherever practical or reasonable fill in all care records and service users’ notes in the presence of and with the co-operation of the person concerned.
Ensure that all care records and service users’ notes, including care plans, are signed and dated.
Check regularly on the accuracy of data being entered into computers.
Always use the passwords provided to access the computer system and do not abuse them by passing them on to people who should not have them.
Use computer screen blanking to ensure that personal data is not left on screen when not in use.
Personal data relating to service users or staff should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by the branch manager.

Where personal data is recorded on any such device it should be protected by:
ensuring that data is recorded on such devices only where absolutely necessary
using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted
ensuring that laptops or USB drives are not left lying around where they can be stolen.
RECORDS KEPT IN SERVICE USERS’ HOMES POLICY
POLICY STATEMENT
This policy is intended to set out the values, principles and policies underpinning Alpine care’s approach to record keeping, data protection and access to records in respect of those records that are kept in service users’ homes.
This policy is written to achieve National Minimum Standard.
Alpine Care believes that all records required for the protection of service users and for the effective and efficient running of Alpine Care should be maintained accurately and should be up to date, that service users should have access to their records and information about them and that all individual records and agency records are kept in a confidential and secure fashion.
PROCEDURES
With the service user’s consent, care workers should record, in records kept in the homes of service users, the time and date of every visit to the home, the service provided and any significant occurrence.
Where appropriate, records should include:
assistance with medication — including time and dosage
financial transactions undertaken on behalf of the service user
details of any changes in the service user’s or carer’s circumstances, health, physical condition or care needs
any accident, however minor, to the service user and/or care or support worker
any other untoward incidents
any other information that would assist the next health or social care worker to ensure consistency in the provision of care.
Alpine care’s staff should ensure that all written records are legible, factual, signed and dated by the person making the record, and kept in a safe place in the home, as agreed with the service user and their carer, relatives or representative.
Alpine Care will ask any service user, or their carer, relative or representative on his or her behalf, who refuses to have records kept in their home to confirm the refusal in writing, and a record of this is kept on the user’s personal file at Alpine Care.
Service users should have access to their records and information about them held by Alpine Care; they should also be given opportunities to help maintain their personal records.
Other records required for the protection of service users and for the effective and efficient running of Alpine Care are maintained in an up-to-date and accurate fashion by all staff.
Individual records and Alpine care’s records are always kept in a secure fashion, are up to date and in good order; and should be constructed, maintained and used in line with the Data Protection Act 1998 and other statutory requirements.
Alpine care’s policy is to keep the ongoing records in the service user’s home for an agreed period (usually one month or until the service is concluded) depending on the frequency of the visits, nature and intensity of the care provided. After the agreed time they are transferred with the permission of the service user, to the office for safe keeping and agency monitoring and reviewing purposes.

Alpine care staff should:
wherever practical or reasonable, fill in all care records and service user notes in the presence of and with the co-operation of the service user concerned
ensure that all care records and notes, including service users’ plans, are signed and dated
ensure that all files or written information of a confidential nature are stored in a secure manner wherever possible
inform the office where a file falls below the standards required (such as a tattered or broken folder), in which case a replacement and updated file will be provided.