GDPR Statement of Compliance
Introduction
The General Data Protection Regulation (GDPR) came into force on 25th May 2018 and brought with it the most significant changes to data protection law in two decades.
Although every effort was already being made to keep personal information safe and secure, the GDPR has been designed to meet the requirements of the digital age. As a forward-thinking company, it is important that we embrace technological advances, whilst recognising the data protection risks associated with them.
Our Commitment
The best way for us to demonstrate our commitment to protecting personal information is to demonstrate our compliance with the legislation, which has been developed to protect individuals. We believe that implementing and maintaining GDPR compliance is everyone’s responsibility and will continue to encourage evidence-based compliance across the business.
Mountain Healthcare Ltd are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always maintained a robust and effective data protection programme, which complies with existing laws and abides by the data protection principles. However, we recognised our obligations in updating and expanding this programme to meet the demands of the GDPR and the UK’s Data Protection Bill, and made a number of changes and additions accordingly.
Mountain Healthcare Ltd are dedicated to safeguarding the personal information under our remit and have worked hard to develop a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new regulation. Our preparation and objectives for GDPR compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.
How we prepared for the GDPR
Mountain Healthcare Ltd already had a consistent level of data protection and security across our organisation. However, it was our aim to be fully compliant with the GDPR by 25th May 2018.
Our preparation included: -
- Information Audits - We carried out information audits in each area of the business, to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. From these, we have developed Data Flow Maps for each of our areas.
- Policies & Procedures – We have reviewed and written new data protection policies and procedures to meet the requirements and standards of the GDPR and any other relevant data protection laws.
- Legal Basis for Processing - We have reviewed all processing activities to identify the legal basis for processing data and ensured that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
- Privacy Notice – We have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals have been informed of why we need their information, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
- Obtaining Consent - We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records, and an easy-to-find and easy-to-use way to withdraw consent at any time (where legal obligations allow).
- Data Protection Impact Assessments (DPIA) – Where we process personal information that is considered high risk, involves large-scale processing, or includes special category/criminal conviction data, we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
- Formal Agreements – We have requested GDPR Statements of Compliance, as well as Data Protection Addendums from each of our Commissioning authorities, and we are reviewing our Information Sharing Agreements in line with GDPR requirements. We have also developed Data Processing Contractual Agreements for each of our Data Processors.
- Special Categories Data - Where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements and have high-level encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted.
Data Subject Rights
In addition to the policies and procedures we have reviewed/written, which ensure individuals can enforce their data protection rights, we provide easy-to-access information (via our website(s) and in each SARC/Custody Suite) on an individual’s right to access any personal information that Mountain Healthcare processes about them, and on how to request information about: -
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store their personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws (and legal obligations)
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
We have sought guidance, from our Commissioning authorities, on any exemptions we should exercise regarding our clients’ rights to data access, erasure, rectification and to be forgotten, due to our legal obligations as data processors to the Police.
Information Security, Technical & Organisational Measures
Mountain Healthcare Ltd takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction, and have several layers of security measures, including: -
- Various relevant policies and procedures
- Mandatory Data Security Awareness training for all staff
- Cyber Insurance
- Secure server – monitored by IT Manager
- Secure email usage (NHS/PNN)
- Code/Fob access to all buildings
- Logins issued to each staff member for IT
- Anonymisation/Pseudonymisation of clients
- Secure storage facilities
- Regular Information Governance audits
- Regular Risk Management & Quality Assurance, and Integrated Governance meetings.
GDPR Roles and Employees
Mountain Healthcare Ltd has recruited a Data Protection Officer (DPO) and has appointed a Data Privacy Team to assist with ensuring compliance with the new data protection regulation. The team are continuing to raise awareness of the GDPR across the organisation, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures and measures.
Mountain Healthcare Ltd understands that continuous employee awareness and understanding is vital to continued compliance with the GDPR and has involved our employees in our preparation plans. We have implemented an employee training programme specific to the GDPR, which was issued to our existing employees before 25th May 2018, and forms part of our induction and annual training programme.
We also have an Information Governance Management team in place to assist our new Data Protection Officer, consisting of our Caldicott Guardian, Information Governance Officer, Senior Information Risk Owner, Senior Management Team, HR Manager and IT Manager.
Any Questions?
If you have any questions about our GDPR compliance, please contact our Data Protection Officer via the form on our 'Protecting Your Information' page.