
MARCH 2017

GENERAL DATA PROTECTION REGULATION
ROTHERHAM CCG ACTION PLAN

Themes of the GDPR:
- Refining/tightening up of existing concepts
- Standardised law across the EU
- New concepts in regulation: accountability, demonstrating compliance, designing compliance
- Increased regulation/enforcement by the ICO and data subjects
- Enhanced rights for data subjects
- Expectations of uniformity and portability

GDPR comes into force on the 25th May 2018 and the UK will still be a member state of the EU at that time. The Information Commissioner's Office, the Information Governance Alliance and several other organisations are issuing guidance on an on-going basis. This action plan will start to address the main issues and map out where changes need to be made.

Steps to take now

Each action below is recorded as: Action; Owner; Target Date; Status; Comments.

1 Raising Awareness

1.1 Action plan to be presented to CCGs via IG Groups or other formal committees.
    Owner: embed to produce
    Target date: April 2017
    Status: Complete

1.2 Add update to regular IG reports.
    Owner: CM
    Target date: On-going
    Status: On track
    Comments: GDPR updates added to IG section of the quarterly Corporate Governance reports.

1.3 Comms to staff.
    Owner: embed to produce
    Target date: On-going
    Status: On track
    Comments: Comms plan underway; briefing to all staff has been sent to CCGs to be sent out to staff. Targeted briefings on specific areas of GDPR have been sent (e.g. Subject Access Requests, Data Protection Impact Assessments etc). 2 GDPR sessions to be arranged in Jan/Feb for all staff alongside dedicated sessions for CHC and Complaints staff.

1.4 Ensure accountability can be proven. Maintain records of processing activities: ongoing monitoring, reviewing and assessing processing activities to ensure compliance.
    Owner: AC/CM
    Target date: September 2017
    Status: On track
    Comments: Existing Data Flow Mapping and Information Asset Register work is being converted into new templates compliant with the requirements of GDPR.

2 Information you hold

2.1 Record processing activities of the CCG; these must be disclosed to the ICO on request. Ensure the following are kept up to date: Data Flow Mapping; Information Asset Register; PIAs; Privacy Notices.
    Owner: AC/CM
    Target date: On-going
    Status: On track
    Comments: As above at 1.4. This work takes place within the organisation currently. Data Flow Mapping, Information Asset Register and PIA Procedure have been reviewed and amended against the requirements of GDPR to ensure compliance. See section 13 on Privacy Notices; review for GDPR compliance is planned.

2.2 Comprehensive data flow mapping to include: what you hold; where it came from; who you share it with; legal basis for processing.
    Owner: AC/CM
    Target date: December 2017
    Status: On track
    Comments: Existing Data Flow Risk Assessment templates have been amended to comply with all requirements of GDPR. Existing dataflows have been mapped across to the new templates, awaiting risk assessments.

2.3 Information Asset Register developed to include GDPR requirements.
    Owner: CM
    Target date: September 2017 (previously July 2017)
    Status: On track
    Comments: Deferred to September due to RHR commitments. Information Asset Template developed and existing Information Assets have been mapped across to the new template, awaiting review and risk assessments.

2.4 Ensure that all Information Asset Owners are updating the register and risk assessing existing and new assets on an on-going basis.
    Owner: IA/AC/CM
    Target date: December 2017
    Status: On track
    Comments: Meeting to be arranged with IG Specialist, IA as SIRO and AC to discuss CCG approach to Information Asset Owners and their responsibility under GDPR.

3 Individuals' rights

3.1 Check procedures, policies and systems to ensure all the rights individuals have are covered, including how to delete personal data or provide data electronically.
    Owner: CM
    Target date: January 2018
    Status: On track
    Comments: Policies currently under a programme of review for compliance with GDPR, staggered to ensure that OE, AQuA and GB are not swamped with multiple policies at once.

4 Subject Access Requests (SARs)

4.1 Review and update Subject Access Procedures: no fees, time to respond reduced to 1 month.
    Owner: CM
    Target date: November 2017
    Status: On track
    Comments: Data Protection and Access to Records Policy scheduled for review in November.

4.2 Ensure all staff dealing with SARs are aware of the new procedures.
    Owner: AC
    Target date: November 2017
    Status: On track
    Comments: Staff briefing on Subject Access Requests under GDPR has been circulated to those staff dealing with SARs. Staff will be directed to the reviewed policy once completed and ratified.

4.3 Template response letter to cover requirements under GDPR (legal basis for processing information and retention periods).
    Owner: CM
    Target date: November 2017
    Status: On track
    Comments: Template response letter has been developed; this will be appended to the Data Protection and Access to Records Policy under the review.

5 Legal basis for processing personal data

5.1 Ensure all processing of data has a legal basis.
    Owner: IA/AC/CM
    Target date: On-going
    Status: On track
    Comments: All Dataflows already have a documented legal basis as a requirement of the IG Toolkit. See 2.2 for progress on current Data Flow Mapping activity.

6 Consent

6.1 Review all areas where consent is used as the legal basis for processing and ensure adequate processes are in place to meet the GDPR standard.
    Owner: AC/CM
    Target date: December 2017
    Status: On track
    Comments: To assess where consent is currently used as a legal basis under the Data Protection Act/GDPR, and whether there is a suitable alternative under GDPR.

7 Children

7.1 Ensure that processes are in place for recording consent of parent or guardian where appropriate (children under 13).
    Owner: IA/AC
    Target date: March 2018
    Status: On track
    Comments: Under GDPR this applies to the processing of children's personal data for information society services (social media), so not directly applicable to CCGs. Consent process for children for other services is as exists currently; to check that processes at the CCG are appropriate.

7.2 Add a section to the Privacy Notice, in a clear, plain way that a child can understand, about their consent, or produce a separate notice for children.
    Owner: AC/CM
    Target date: March 2018
    Status: On track
    Comments: See section 13. Layered approach to Privacy Notices is being developed to ensure all requirements are covered; this will include a section aimed specifically at children.

8 Data breaches

8.1 Review and amend incident reporting policy and procedure to cover GDPR requirements for data breaches, including the new timescale for reporting.
    Owner: CM
    Target date: March 2018
    Status: Complete
    Comments: IG incident reporting section reviewed and updated against requirements of GDPR and included in current draft organisation-wide Incident Reporting policy.

8.2 Ensure that all staff are aware of the new requirements.
    Owner: CM
    Target date: March 2018
    Status: On track
    Comments: Awaiting final Incident Reporting policy; it will be posted on the Intranet and staff signposted to the revised policy.

8.3 Ensure incident reporting policy and procedures are clear and well-practised to ensure quick response to any breaches.
    Owner: AC
    Target date: March 2018
    Status: On track
    Comments: CCG to consider how this will be achieved.

9 Data Protection by Design and Data Protection Impact Assessments

9.1 Embed the Privacy Impact Assessment process within the organisation; the Data Protection Officer is consulted as a matter of routine on the need for data protection impact assessment and other governance matters.
    Owner: IA/AC/CM; DPO once appointed
    Target date: Ongoing
    Status: On track
    Comments: Privacy Impact Assessment procedure has been revised and updated to meet the requirements of GDPR. IA and AC to recommend PIAs when new projects/proposals are brought to OE.

9.2 Review project and transformation processes to include data protection by design and data protection by default.
    Owner: IT, project teams and commissioning teams need to be aware
    Target date: March 2018
    Status: On track
    Comments: Ensure reviewed PIA procedure is included within the Project Management Toolkit.

9.3 Any new systems or processes should be commissioned and built using data protection by design and by default.
    Owner: IT, project teams and commissioning teams need to be aware
    Target date: As required
    Status: On track
    Comments: See 9.1 above. IA and AC to signpost staff of the need to undertake PIAs when necessary.

9.4 Consult with the ICO in advance where a data impact assessment indicates that the processing would result in a high risk if measures are not taken to mitigate that risk.
    Owner: embed to advise on any high-risk processing; DPO to consult (once appointed)
    Target date: As required
    Status: On track
    Comments: Any high risks identified by PIAs which are not reduced will need to be discussed with the ICO in advance of processing personal data.

10 Data Protection Officers (i)

10.1 Appoint a DPO whose job description is compliant with GDPR requirements.
    Owner: embed to advise on the requirements of the role; CCG to decide on approach
    Target date: May 2018
    Status: On track
    Comments: Awaiting CCG decision on appointment of DPO; consideration of a DPO across the Place (Rotherham), but note requirements of the DPO role (see footnote (i) below). Large organisations such as Acute Trusts and Local Authorities most likely will need their own DPO given the amount of processing undertaken by those organisations. embed currently drafting a proposal to offer a shared service across CCGs.

10.2 Revision of IG and related policies to address organisational accountability, Data Protection Officer reporting arrangements within the organisation, and statutory reporting requirements.
    Owner: AC/CM
    Target date: March 2018
    Status: On track
    Comments: IG Policy review programme underway for compliance with GDPR. Need to consider other policies in relation to organisational accountability and DPO reporting arrangements once the role has been appointed.

10.3 Assessment and allocation of resources needed to support the Data Protection Officer role.
    Owner: CCG
    Status: On track
    Comments: CCG to make a decision on the appointment of a DPO.

11 Contracts

11.1 Review of contracts on renewal / new contracts (including liability for fines in the event of a serious breach) to ensure compliance with GDPR.
    Owner: CCG/Contracting teams
    Target date: Ongoing
    Status: On track
    Comments: Contracts to be reviewed on renewal (or new); need to identify who will undertake this review.

12 New duties for data processors (ii)

12.1 Check all existing data processor contracts for compliance.
    Owner: Contracting leads/AC/CM
    Target date: September 2017
    Status: On track
    Comments: Where Data Processors are used by the CCG, need to ensure contracts are in place. Need to identify the Processors used by the CCG.

12.2 Organisations to ensure all data processors have contracts in place and are IGT level 2 compliant.
    Owner: AC/CM
    Target date: September 2017
    Comments: Once identified, Data Processors will be checked for IG Toolkit compliance using the Toolkit search.

13 Privacy Notices

13.1 Review Privacy Notice and amend to include requirements under GDPR (to provide full disclosure of what personal data is used, for what purpose, who it is shared with, the legal basis for doing so and how long it will be retained).
    Owner: CM
    Target date: November 2017 (previously September 2017)
    Status: On track
    Comments: Awaiting IGA template; layered Privacy Notice considered (section for children, risk stratification etc).

13.2 Check data retention periods where records are held, to include in the Privacy Notice.
    Owner: CM
    Target date: November 2017 (previously September 2017)
    Status: On track
    Comments: Data retention periods will be in line with the Records Management Code of Practice for Health and Social Care.

13.3 Review whether a separate privacy notice is required for children.
    Owner: AC/CM
    Target date: September 2017
    Status: Complete
    Comments: See 13.1; a section in the layered privacy notice will be drafted for children.

13.4 Review Privacy Notice for staff.
    Owner: HR/CM
    Target date: November 2017 (previously September 2017)
    Status: On track
    Comments: See 13.1; will include a section for staff in the layered privacy notice.

14 Audits (iii)

14.1 Ensure that the CCG can demonstrate compliance in all areas of the GDPR with evidence that it is meeting its obligations.
    Owner: IA/AC
    Target date: On-going
    Status: On track
    Comments: Data Flow Mapping register, Information Asset Register and Privacy Notice will document all processing activities undertaken by the CCG and the associated legal basis for each. These will be stored centrally at the CCG so that they can be produced on request by the ICO. Regular reviews of the Information Asset Register and Data Flows will need to take place, with Information Asset Owners reporting directly to the SIRO.

13.2 Collate comprehensive documentation of advice given by the DPO, independent risk assessments and management response to provide evidence of compliance with the GDPR.
    Owner: TBC
    Target date: On-going
    Status: On track
    Comments: Once appointed, the DPO will need to record any advice provided to the CCG, all risk assessments undertaken and the response from management on decisions taken, to demonstrate compliance with GDPR.

Organisations must ensure all the above actions are completed before May 2018.

Footnotes

(i) All public bodies must have a data protection officer who takes responsibility for data protection compliance:
- Must have expert knowledge
- Must be independent (can be a contractor)
- A group of public authorities may collectively appoint a single DPO (as long as the DPO is accessible to all)
The DPO's tasks:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
The DPO reports to the highest management level of your organisation, and how this role fits with the wider Group responsibilities to employees should be considered. The DPO operates independently and is not dismissed or penalised for performing their task. Adequate resources are provided to enable DPOs to meet their GDPR obligations.

(ii) Data processors become data controllers if they act beyond instructions; restrictions on sub-contracting by data processors; must have clear contractual provisions; data processors can now be fined.

(iii) Additional powers granted to the ICO will allow them to:
- Carry out audits
- Issue orders to cease operations
- Notify data subjects of a breach
- Restrict or erase data
- Suspend or prohibit processing, or order suspension of data flows to third countries