As part of our business, staff may be required to handle data on our behalf of for our customers. This procedure sets down the basic rules for our staff performing these functions. Staff not following these processes will be subject to disciplinary action and possible legal action.
All data must be used ONLY for the purpose for which it was supplied to us. The only time an exception to this rule may apply is if there is:
- A serious risk in not reusing the information to the data subject or others which may result in harm, e.g. protecting the vital interests of a person
- There is a legal requirement to do so e.g. a court order
Staff MUST consult the SIRO in the event this issue arises.
Staff must NOT discuss any data received in the course of business with any person outside the business.
Staff leaving the business must NOT copy any data outside the organisation unless agreed with the SIRO.
All data is to be stored only on company equipment or approved mobile/home use devices. These are required to be encrypted to a minimum standard defined by the company.
Data sent by email must also be encrypted if it contains personal data. Selecting a classification of EXTERNAL OFFICIAL-SENSITIVE (for our mail system) and putting “[secure]” in the subject line (where NHS mail accounts are used) ensure appropriate security.
Multi-factor authentication is required for access to all devices and systems storing sensitive personal information.
Passwords for administrator and corporate social media accounts must be chosen based on the “3 words” guidance i.e. three random words from any language, in mixed case, separated by random punctuation characters.
Staff must check data before input and at any opportunity to ensure correctness. This includes confirming, for example, contact details with customers at suitable points e.g. an annual review.
Systems are designed to reduce errors by ensuring validation of fields and data, but it remains a staff responsibility to work at all times to minimise error.
In the event of a data breach being discovered, the SIRO must be involved at once. Data breaches will be recorded on the NHS DSP Toolkit, even if not related to NHS data.
Spot checks and Monitoring
Spot checks on compliance are carried out quarterly by the SIRO. All data use is logged, audited and subject to random or targeted checks.
Administration access to systems is limited to the SIRO. The SIRO undertakes to ensure that this access is not abused and all use of administrator rights follows our policies. All administrator access use is logged.
National Data Opt-Out
The NHS National data opt-out policy requires that we do not use NHS data for non-care uses where people have opted out. We do not have any such uses, but staff are made aware of this as policy and procedure change will be required if at any time if the future this occurs.
This policy is reviewed annually. The last review date was 1 May 2021.