
Leadership and Governance
The UK Information Commissioner wants us to have strong leadership and oversight that ensure clear staff responsibilities for data protection at all levels, with senior management and the board setting the example for a proactive and positive approach to data protection, including meeting the legal requirement to appoint a DPO.
For your practice, this means ensuring that:
1. Data Protection is an agenda point on Senior Leadership Meetings
2. There is evidence that risks and issues are being escalated to Senior Leadership
Watch the video of the most recent Primary Care Quarterly Meeting here.
Training and Policies
The ICO wants us to make sure we have a solid training and awareness programme in place, that we are monitoring compliance and checking engagement with the materials.
It's important policies and procedures are in place. They are one of the first things the ICO asks for if there is an incident.
For your practice, this means ensuring that:
1. You have a training strategy in place
2. You keep a log of data protection and security training
3. You hold those whose training lapses accountable and move to disciplinary action for continued non-compliance
4. Your training includes Board members
5. You check, not only comprehension (tests), but also engagement - are people getting something out of it?
We renew our policy suite each year in February but you can download the policies at any time during the year.
Use this link and our team will send them over to you.

Information Rights and Transparency
The law requires that we have very specific things within our transparency materials so that patients and staff are aware of how we process their data and of their rights. When responding to rights requests, we must make sure that we maintain evidence, monitor trends and provide compliant responses.
For your practice, this means:
1. Keeping an information rights / disclosures log
2. Ensuring all staff involved in information rights have had specialist training
3. Regularly submitting your PAL (which tells us what activities you perform with personal data) so Kafico can provide you with up to date transparency materials
4. Displaying the practice data protection poster
5. Regularly reviewing your information rights responses to check that your practice is complying


Record Keeping
The law requires that practices keep a "Processing Activities Log" or "Records of Processing Activities" (ROPA). This shows that the practice has good visibility of all the uses of personal data.
When you submit this (twice a year), Kafico will then send you your updated transparency materials.
The practice should also know what records it keeps across the practice and ensure it does not keep them for longer than necessary.
For your practice, this means:
1. Checking when you last submitted your ROPA / PAL
2. Making sure you keep this on file
3. When transparency materials are sent to you, upload them to your site.
4. Putting a retention schedule in place
5. Periodically completing a records management audit
6. Making sure leavers clear down their NHS Mail accounts before they leave (this data cannot be taken to their new role)
Supply Chain
There is a big push nationally to ensure that organisations are managing the risk associated with their supply chain.
Data protection law requires that contracts with suppliers are checked to make sure they contain the data protection clauses the law requires. These clauses are very specific.
For your practice, this means:
1. Making sure we have been alerted to all of your suppliers. Where a supplier has been alerted to us, we have done the due diligence and will raise any gaps or issues with you.