Promedica24 UK Group Data Protection Compliance Review Portal

This web page is specifically to enable collaboration and information sharing for the purposes of ensuring compliance with the data protection legislation.

The text below contains links to the current drafts of these types of documents:

  • Records of Processing Activities
  • Data Audit (‘Information Asset Registry’)
  • Policies
  • Privacy Notices
  • Processor Compliance
  • Process Documents
  • Forms
  • Guidance

All answers, queries, comments or suggestions should be sent to me at davidcharity@gdparmour.co.uk

Areas in red text are work in progress.

Entities

‘Polish Group’ Companies:

Promedica Care Sp. z o .o. Sp.k.

UK24 DE Sp z.o.o Sp.k

Promedica24 Care Team DE Sp. z o.o. Sp. k

Promedica24 Staff EU Sp. z o .o. Sp.k.

Others?

‘UK Group’ Companies:

Promedica24 UK Ltd

Promedica24 (Wiltshire) Ltd

Promedica24 (Lancashire) Ltd

Promedica24 (West Midlands) Ltd

Promedica24 (Yorkshire) Ltd

Promedica24 (Scotland) Ltd


Key Personnel

Those with responsibilities for data protection compliance are below.

These individuals have responsibility for data protection in their respective areas specifically identified in their job descriptions. For suggested job description elements follow these links:

Data Protection Officer Job Description Elements

Data Security Officer Job Description Elements

Departmental Director / Manager Job Description Elements

Chief Director UK – Katarzyna Twardowska

Overall responsibility for compliance and for allocating data protection duties and responsibilities to departmental heads.

Quality Assurance Director – Paula Beaney

Responsibility for compliance oversight, advice and monitoring, and for fulfilling data rights requests.

Finance Controller – Grzegorz Wrzosek

Responsible for the personal data processing in the company’s finance and payroll functions.

HR Officer – Beryl Glynn

Responsibility for compliance in the company’s processing of personal data in its HR function.

IT Supplier – NAME

Responsibility for data security.

Very Significant Others

NAMES


Compliance Areas

Accountability

This requires us to have records of our processing activities (Information Asset Registry), to have adopted and published suitable policies, to have allocated responsibilities for data protection to suitable job holders and to have ensured our staff have been trained in data protection basics.

It also requires us to ensure that those who process personal data for us have the relevant data protection clauses in their supply contracts.

When we have completed the review process, a tool to assess our compliance with the duty of accountability is linked >>here<<.

Transparency

This requires us to provide all categories of data subjects for whom we process personal data with information about our processing activities.

When we obtain personal data from the data subject, we must provide this information when we collect the data. When we obtain it from a third party we must provide this information within 1 month.

We have complied with the duty of transparency by publishing suitable privacy notices on our website (i.e. a ‘data privacy page’ or similar) and providing a link to this page whenever we collect personal data. We also include this link in the text below email signatures.

Subject Rights

We are required to respond to data subjects’ requests in relation to their rights within 30 days (in the majority of cases). These are the rights to: (i) access, (ii) be informed of processing activities, (iii) rectification of inaccurate or incomplete data, (iv) erasure, (v) restriction of processing, (vi) portability and (vii) object to processing.

We have complied with this by adopting a suitable policy regarding data subjects’ rights, a data rights log, data access forms and template letters, and by training.

Security

This requires us to adopt suitable security measures to avoid or minimise the risk of a data breach. The extent to which we are obligated to deploy security will depend on the level of risk of a breach, the risk to data subjects’ rights and freedoms in the case of a data breach, and the sensitivity of the data we process.

We have complied with this by adopting: suitable policies regarding data security and data breaches, by undertaking data protection impact assessments wherever the risk associated with processing is high, and by training.


Information Asset Registry (IAR)

The current draft of the IAR for Promedica24 UK Ltd is linked >>here<< and you can download the pdf file for ease of reference.

Please review the relevant pages and (i) provide any important missing information, (ii) indicate if a new data asset should be added, (iii) respond to any queries in ‘notes’ or ‘advice notes’ at the bottom, and (iv) provide missing information where you see ‘TBA’ or otherwise.

If you wish to add a new data asset in your area, please follow the link >>here<< and complete the form.

Wherever the legal basis for processing is ‘legitimate interest’ we have assessed our interest in processing against the data subjects’ rights and freedoms. The legitimate interest assessments are linked >>here<<.


Data Protection Policy

As part of our duty of accountability we explain our approach to all aspects of compliance in a single policy document.

This is an outward and inward facing document that is available to those external to the business. When we are asked by business partners or customers or other external stakeholders to show our compliance we will provide this document.

This policy also addresses our approach to data security.

The document is available >>here<< as a pdf file.


Data Subject Rights

Our approach to fulfilling data subjects’ rights requests is set out in our Procedure for satisfying the rights of data subjects. This is an internally facing document designed to assist those who have responsibility for responding to data subjects’ rights requests.

The document is available >>here<< as a pdf file.

The policy is supported by template letters and a data subject rights request form. These documents are available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

When a data subject makes an access request we use a suitable internal form. Our form can be viewed >>here<< as a pdf file and is available >>here<< as a Microsoft Word download.

We keep a log of our responses to data subjects’ rights requests. A Microsoft Excel spreadsheet designed for this purpose is linked >>here<<.

For data subject access requests we have guidance for those who will handle requests.

Basic guidance is linked >>here<<.

For more detailed guidance see the link >>here<<.


Data Security

The Data Protection Policy outlines our approach to data security (see above).

We also have a Data Security Policy which provides guidance for UK Group. This policy is available >>here<<.

These sections of the policy are internally facing to provide guidance to all staff.

Our IAR makes an initial assessment of processing risks for each data asset; if the risk is assessed as high (i.e. 20 or more) we will undertake a Data Protection Impact Assessment.

A suitable form for undertaking this assessment is available >>here<<.


Data Breach

As a data controller we are under very stringent reporting requirements when we become aware of a data breach or ‘near miss’. We have only 72 hours to investigate and notify the ICO. In more serious cases we may also have to notify the data subjects who are affected. This is the area that carries the most significant risk for the business.

We have implemented procedures to ensure we can fulfil our duties within the requisite timescale.

The UK Group Data Breach Policy is available >>here<<.

This is an internally facing document designed to provide a framework for staff to report suspected breaches or near misses and to ensure due process is followed when we investigate and consider whether or not we have a duty to report a breach.

The Polish Group breach notification procedure is available >>here<<. The process document contains a breach notification form, which is available >>here<<. It also contains a form to be entered in the register of breaches, which is available >>here<<.

Where Polish Group acts as data processor for UK Group (i.e. in relation to client personal data) the data sharing agreement requires data breaches to be notified using a Form for Reporting Personal Data Protection Violations which is available >>here<<.

A data breach reporting form designed to capture all of the elements in the Data Breach Policy is available >>here<<.

For more information follow these links to ICO’s guidance and the European Data Protection Board’s guidance.

Also note this link to the ICO’s security breach notification form.


Retention

Data protection compliance under the GDPR means complying with the principle of data minimisation; we will do this in two ways.

By keeping our audit of data processing activities (IAR) under careful review we will be able to identify personal data categories that we no longer need or can no longer justify processing.

We must also set and abide by suitable retention periods for the personal data we process. Our approach to retention periods is set out in a suitable policy document. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download. [DMC: links to be added]

This is an internally and externally facing document to fulfil our duty of transparency to those whose data we process.

The retention schedule that accompanies the policy will be updated when we have finalised the 2019 review of our data audit (IAR).


Processor Compliance

Wherever we share personal data with a contractor, supplier or other business partner we must ensure that GDPR article 28 terms are either incorporated into the terms of business, or that they have been agreed separately.

For inter-group transfers, data sharing agreements are in place; these contain article 28 terms:

  • For the agreements between the UK Group companies and Care UK DE Sp z.o.o click >>here<<.
  • [DMC: are there any other data sharing relationships between group companies?]

We use a processor compliance form to verify compliance. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

If a processor’s terms do not include the article 28 terms we remedy this by sending the addendum to contract terms and asking that these be signed off or incorporated into the main contract. The document is available >>here<< as a pdf file and >>here<< as a Microsoft Word download.

If the processor is contracting on our standard terms we ensure these incorporate the article 28 terms.

We also demonstrate that processing undertaken on our behalf is lawful by recording external processors in the audit (IAR) and noting where we are satisfied that the article 28 terms are incorporated into the relevant terms of business.


Privacy Notices

We have privacy notices for all categories of data subject on our website >>here<<.

  • Customers
  • Marketing Leads
  • Franchise Partners
  • Applicants
  • Employees Workers & Contractors
  • Live-In Care Ambassadors

The privacy page on our website carries links to all privacy notices and we provide a link to this wherever we collect personal data (e.g. application forms, order forms, promotional materials, online forms, etc).

We also use the following wording in place of long and inconvenient scripts where we collect personal data in sales and marketing telephone calls.

The text for this will be along these lines:

‘Please refer to the Promedica24 Data Privacy webpage for details of our processing of your personal data and your rights as a data subject: https://www.promedica24.co.uk/gdpr-privacy-notices’


Data Flows

Potential Customer via website / Live in Care Ambassador

[1] Initially a customer will have been provided with a link to the >>privacy notice portal<<, which notifies them that basic personal data (contact details, etc.) is processed on the ground of legitimate interest until GDPR-compliant consent has been obtained.

Potential Customer via telephone enquiry

A link to the >>privacy notice portal<< is provided by the recorded message:

“Welcome to Promedica24 Group, we record calls to ensure exceptional service and invite you to visit the Promedica24 website for full details of our data processing.”

Customers

See [1] above.

If the customer is interested in our services the case proceeds to Initial Enquiry stage.

At this point initial details are obtained including personal data and medical information. The Initial Enquiry form is >>here<<.

This form is completed in two ways:

(1) By a Franchise Partner or Care Manager (with the customer or POA, or in a ‘best interest’ meeting)

This form concludes with a Personal Data Collection Statement that provides article 13 privacy notice information and a GDPR-compliant consent to processing of all personal data collected (i.e. including medical information). The document is >>here<<.

(2) By a Sales Representative (who completes the form with the customer or POA on the phone)

Where a Sales Representative collects the data this person obtains consent during their initial call with the customer or POA. A copy of the script is >>here<<.

Where the customer or POA provides an email address, the Sales Representative emails them to confirm consent and again provide access to the privacy portal (which explains how to withdraw consent).

Thereafter if the customer decides to proceed a detailed care assessment is completed that captures personal data including medical information. The care assessment documentation is >>here<<.

This form concludes with a Personal Data Collection Statement that provides article 13 privacy notice information and a GDPR-compliant consent to processing of all personal data collected (i.e. including medical information). The document is >>here<<.

[DMC: note that a contract will also be signed, need a copy of this]

Care Workers

[DMC: to be added]

Live in Care Ambassadors

[DMC: to be added]

Franchise Partners

[DMC: to be added]

UK Group Employees

[DMC: to be added]

Others?

Training

[DMC: to be added]

Additional Guidance

Additional guidance on data protection compliance can be found on these links:

Compliance essentials speed read

Records of processing activities

Telephone marketing

Data transfer limitation

Recruitment

Guidance on access requests

Guidance for Employees