Terms & Conditions
- Purpose and scope
- Sets out Health Edge Solutions Ltd.’s commitment to the confidentiality of personal information and its responsibilities with regard to the disclosure of such information.
- Aims to ensure that all staff, whether directly employed or contracted, are aware of their responsibilities towards the confidentiality of personal information.
- Applies to all Health Edge Solutions Ltd. staff, including temporary and agency staff, contractors and volunteers, and to personal information recorded in any format, including paper, electronic and any other medium.
All employees, contractors and associates share the responsibility for ensuring that information assets are handled in accordance with this policy.
Data: Information as defined by data protection law which is:
- processed electronically, i.e. in information systems, databases and telephone logging systems
- recorded with the intention that it shall be processed by equipment
- recorded as part of a relevant filing system, i.e. structured either by reference to individuals or by reference to criteria relating to individuals, so that it is readily accessible.
Data Controller: The individual, company or organisation who determines the purpose and the manner in which personal data may be processed.
Data Processor: Any person, other than an employee of the Data Controller, who processes data on behalf of the organisation.
Data Subject: A living individual who is the subject of the processed personal data.
Disclosure: The divulging or provision of access to data.
Personal confidential data: This term describes personal information about identified or identifiable individuals, which should be kept private or secret. ‘Personal’ includes the General Data Protection Regulation’s definition of personal data, but is adapted to include dead as well as living people; ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, and is adapted to include ‘sensitive’ as defined in data protection law.
Personal Information: Information which relates to a living individual who can be identified from that information or from that information and other information which is in the possession of, or likely to come into the possession of the data controller.
Processing: Using information in the following ways:
Special category Personal Data (formerly known as sensitive personal data): any information about a person relating to their:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life or
- sexual orientation
Third Party: Any person other than:
- The data subject
- The data controller
- Any data processor or other person authorised to process for the data controller
- Data Protection
The Principles of Data Protection
Data protection law sets out the following principles to support good practice and fairness in processing personal information. These principles stipulate that:
- Personal data must be processed lawfully, fairly and transparently.
- Personal data can only be collected for specific, explicit and legitimate purposes.
- Personal data must be adequate, relevant and limited to what is necessary for processing.
- Personal data must be accurate and kept up to date with every effort to erase or rectify without delay.
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
- Personal data must be processed in a manner that ensures the appropriate security.
- The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability).
Data protection law also gives data subjects the following rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
In order to ensure the confidentiality of personal information, systems and procedures are required to control access to such information. Such controls are essential to ensure that only authorised persons have:
- physical access to computer hardware and equipment
- access to computer system utilities capable of overriding system and access controls e.g. administrator rights
- access to either electronic or paper records containing confidential information about individuals.
Health Edge Solutions Ltd.’s responsibilities for confidentiality and appropriate processing of personal data remain in place even if the processing is being undertaken by a third-party contractor.
Access to Personal Information
Individuals, or persons acting on their behalf with consent, have a right of access to data held about them. This includes access to audit trails and/or evidence of restrictions in place on protected personal data which indicate who has accessed their personal or confidential data. The subject access procedure is set out in Procedure document.
Duty of confidentiality
All staff and contractors must recognise that confidentiality is an obligation. Any breach of confidence, inappropriate use of records or abuse of computer systems may lead to disciplinary procedures and may result in legal proceedings.
Agency/temporary and voluntary staff are also subject to such obligations and must sign a confidentiality agreement as appropriate when working for or on behalf of Health Edge Solutions Ltd.
- Data Protection Impact Assessment
New initiatives which involve high-risk processing of personal data will be subject to a Data Protection Impact Assessment, to ensure that the privacy and security of personal confidential data are maintained.
- Information flow mapping
Flows of personal information into and out of Health Edge Solutions Ltd. will be mapped using the DSP REC 1 DPIA Tool.
- Overseas data transfers
Person identifiable information must not be transferred outside of the EEA unless an appropriate assessment of risk has been undertaken and mitigating controls have been put in place.
Health Edge Solutions Ltd. should review the flows of person identifiable information to understand whether information transferred to external organisations flows outside of the UK and the EEA.
Decisions on whether to transfer person identifiable information must only be taken by a senior manager who has been authorised to take that decision.
The Board of Directors is responsible for ensuring that relevant staff within Health Edge Solutions Ltd. have read and understood this document.
Document Owner and Approval
The Board of Directors is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the DSP Toolkit.
A current version of this document is available to all members of staff on SharePoint and is published on the company website.
This procedure was approved by the Board of Directors on 15/03/2019 and is issued on a version-controlled basis under his/her signature.