Introduction
Sat Nam Therapy
Data Protection Policy May 2018
The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 govern the controlling and processing of personal data in Ireland. These Acts are in place to make sure personal data is collected, stored and used appropriately and in line with the existing and newly introduced Data Protection Regulations. This document is aimed at giving Sat Nam Therapy a guide to data protection and to help service users, employees and therapists (who work at the centre) a reference point.
GDPR is the European General Data Protection Regulation, which will be in effect from 25th May 2018. This new regulation has been put in place to encourage businesses all over Europe to think carefully about data and the protection of it. The idea behind the regulation, which affects the data of all EU citizens, is to give control back to the public. It will ensure that individuals are aware of what data they are giving, and how it is shared. (Data Protection Commissioner, 2018)
The purposes of gathering data include determining the best therapeutic fit for service users, research activities, targeting advertisement, and recruitment and selection of Therapists and Senior Trainees.
Policy scope
i. This policy applies to:
• All Sat Nam Therapy Staff
• Sat Nam Therapy Directors
• Therapists and Senior Trainees connected with Sat Nam Therapy
• Service Users
ii. This policy covers all personal information including employee information, Therapist/Senior Trainee information and Service User information generated in Sat Nam Therapy.
iii. It applies to all personal data collected and stored by Sat Nam Therapy. This policy applies to both soft and hard copy data held on Sat Nam Therapy systems, on network share drives, on cloud files and emails.
iv. Where data is being transferred to any third party it is the responsibility of the organisation to ensure contractual agreements are in place covering security and retention of data.
v. This data protection policy aims to ensure that Sat Nam Therapy adheres to data protection law and applies good practice. It protects the rights of the Directors and Staff, is transparent about how Sat Nam Therapy stores and processes individuals' data, and mitigates the risk of data breaches.
The 8 Data Protection Principles and How They Apply to Sat Nam Therapy Policy
a) Obtain and process information fairly
i. The collection of data by Sat Nam Therapy includes a clear statement advising the service user and therapists/Senior Trainees of the identity of the controller, the purpose of collecting the data, to whom it may be disclosed and any other relevant information necessary to ensure that all processing meets the requirement of fair processing.
ii. Where Sat Nam Therapy collects sensitive data the data subject must give explicit consent to the processing. Appropriate security measures will be put in place to ensure confidentiality.
b) Sat Nam Therapy Policy: Therapist Information
i. The data controller in Sat Nam Therapy is Alan Oates.
ii. The data collected on each therapist includes CVs, Garda Vetting, emails, phone numbers and Insurance Certificates.
iii. CVs are held as part of the assessment for suitability. The CVs are kept so that Sat Nam Therapy directors can refer to these if any issues arise and/or references need to be checked.
iv. The email and phone number of each therapist are kept as these are the two main points of contact when referring clients to therapists.
v. The data collected on Therapists is only disclosed to a third party (i.e. an EAP) once the therapist has agreed to this. All mails to third parties containing therapist information are encrypted.
vi. All phone enquirers are asked for their consent before any information is passed on.
c) Sat Nam Therapy Policy: Client Information
i. Information is obtained from clients only to ensure the "best fit" when referring on to a therapist.
ii. No identifying information (in the form of emails) is kept on the client once the client has been referred on to a therapist. All mails are deleted once the client has been placed with a therapist. Mails are kept only a) while we are waiting for consent to pass the mail on and b) until we know the client has been placed. In the case where a person has made an enquiry and we are waiting for consent (or a reply) we will only keep these mails for one month. After this the mail will be deleted.
iii. Consent is sought from all callers/mailers before any information is passed on (for referral purposes only).
iv. All information kept on clients is held in email and is password protected.
d) Keep it only for one or more specified, explicit and lawful purposes.
i. Sat Nam Therapy will keep data for purposes that are specific, lawful and clearly stated. Primary purposes include:
• The assessment and management of applications by Therapists/Senior Trainees to Sat Nam Therapy (CVs)
• The creation of files for each Therapist for transfer to EAPs (Therapist consent obtained)
• The creation of files for each Therapist/Senior Trainee containing current Garda Vetting Certificates and Insurance Certificates
• Finding the best therapeutic fit for a Service User
• Compliance with regulatory, legal and tax laws and regulations
ii. Secondary purposes include information sharing with current Therapists linked to Sat Nam Therapy, and marketing to existing and potential Service Users and Therapists. Where an individual gives Sat Nam Therapy their personal data for one purpose, Sat Nam Therapy will get their consent before using that information for any other purpose.
e) The basis for processing personal data is as follows:
i. Consent: the individual has given clear consent for Sat Nam Therapy to process their personal data (emails). We note that a person must give their consent and that "silence" or "not saying no" does not mean consent.
ii. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless outweighed by the data subject's interests. This basis is likely to be most appropriate where people's data is used in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
f) Lawful Basis for Special Categories of Personal Data is as follows:
i. The data subject has given explicit consent to the processing of their personal data for one or more specified purposes.
ii. Processing is necessary for the purposes of preventive or occupational medicine (Under the Category of Health)
g) Use and disclose it only in ways compatible with these purposes
i. Sat Nam Therapy will ensure that any use and disclosure will only happen for the purposes, or compatible with the purposes, for which the data is collected, or otherwise in compliance with Data Protection legislation.
ii. Persons to whom data may be disclosed include the following:
• Persons acting on the person's behalf, e.g. solicitors
• The Service User whom the information concerns
• One of the Therapists linked to Sat Nam Therapy
• An individual's General Practitioner in the case where a Service User might disclose the intention to self-harm, to harm another, or sexual abuse of a minor. A contract of agreement that includes the limitations of confidentiality is recommended standard practice for all therapists linked to Sat Nam Therapy.
• The Garda Síochána, or any other person who is authorised by law to access the service's records. Such requests must be in writing and must quote the basis on which access is sought.
h) Keep it safe and secure
i. Sat Nam Therapy will ensure that appropriate security measures are taken against unauthorised access to or alteration, disclosure or destruction of the data and against their accidental loss or destruction.
This will include appropriate procedures for backing up data. Particular focus will be placed on the security of personal data held on portable devices/cloud files, with appropriate security measures such as password protection/encryption. To increase the safety and security of personal data, Sat Nam Therapy are buying their own server/email which will be password protected/encrypted.
ii. On a going-forward basis, developments of the Sat Nam Therapy IT systems will aim to ensure that access to personal data is logged and can be audited. The aim is to include access on a read-only basis. Such logs will be routinely checked on a random basis to ensure that access is appropriate. Our aim at Sat Nam Therapy is to ensure that robust procedures for limiting access to personal data are in place, that staff are aware of these limits and that any breaches can be identified.
iii. Sat Nam Therapy has a confidentiality policy in place covering the collection, processing, keeping and use of sensitive data. Access to sensitive data will be restricted to authorised staff. Some examples of good practice are shown below:
iv. Using password-protected screensavers to hide any information on workstations whilst taking breaks.
v. Sat Nam Therapy email "logged out" each evening.
vi. Manual data kept in a filing cabinet under lock and key with only one key holder.
vii. Protecting manual files so as to disallow any unauthorised access, destruction, modification or photocopying.
viii. Operating a "clean desk policy" to ensure no personal data is lying around for others to see.
i) Keep it accurate, complete and up to date.
i. Sat Nam Therapy will keep data complete and up-to-date as it is given by the Therapists/Senior Trainees.
ii. Therapists can ask for their data to be corrected where it is found to be incorrect
iii. This will be achieved through the correction of incorrect data in line with the Data Protection Acts including where this is identified by the data subject to be the case in a verifiable way.
j) Ensure that it is adequate, relevant and not excessive.
i. Sat Nam Therapy will only collect information that is necessary for the purposes needed. The method of seeking information from Service Users/Therapists/Senior Trainees will be checked on an ongoing basis to ensure that only relevant information is sought and provided.
ii. Sat Nam Therapy will only collect data that directly relates to the purposes for which it is being collected. Sat Nam Therapy will not ask for more information than needed.
k) Retain it for no longer than is necessary for the purpose or purposes.
i. Sat Nam Therapy has a data retention policy. Client information (held on site) will be held for a period of six years after the ending of the therapeutic relationship. Currently there is no need to hold client information on site.
ii. All Sat Nam Therapy Therapists will retain their own client information offsite and for a period outlined by their Insurers/Awarding Body.
iii. Where an individual enquires about Sat Nam Therapy services but does not subsequently engage with the services or is referred on, details will be kept on file for a period of one month to facilitate a subsequent engagement.
l) Give a copy of his/her personal data to that individual on request
i. Sat Nam Therapy has a procedure in place to ensure that subject access requests are dealt with in accordance with the Data Protection Acts.
ii. Service Users/Therapists/Senior Trainees have the right:
iii. To enquire if any information is held about them
iv. To request a copy of the information held
v. To have any inaccurate data corrected
vi. To have their names removed from any mailing lists etc. (Insurance Certificates/Garda Vetting/CVs will not be removed while a Therapist/Senior Trainee is still working with Sat Nam Therapy)
m) Enquiry Timescales
i. 21 days to respond to an enquiry as to whether information is held on computer or not (NO FEE)
ii. 40 days (from receipt of formal written request) to provide the customer with a copy of their information. Discretionary fee: donation to a charity.
iii. Any inaccurate data corrected ā (NO FEE).
Data Retention
i. The purpose of a Data Retention policy is to ensure that Sat Nam Therapy have clear and enforceable instructions around how long to retain data. Having a data retention policy will enable the Sat Nam Therapy to be in compliance with the Data Protection Acts Rule 7 which states that in relation to Personal Data that the data shall not be kept for longer than is necessary for that purpose or those purposes.
ii. The objective of this policy is to ensure that:
• Guidance exists so that retention limits can be set for data which complies with the Data Protection Acts and all other relevant legislation
• Once retention limits are reached, the data is either automatically destroyed or reviewed for destruction
• Retained data is held securely
• All data marked for destruction is comprehensively and securely destroyed (shredded)
• All relevant staff are informed on how to comply with the Data Retention policy
Considerations necessary prior to implementation of this schedule
i. If under investigation or if litigation is likely, retain files as they may be used as evidence.
ii. On-going legislative requirements.
Figure 1. Retention Limits
The below schedule is taken from the IACP Data Protection Policy and will be used as a guideline for Sat Nam Therapy.
Type of Record: Retention Period
Voice Recordings (for training and/or verification purposes): 6 months from the date the call was recorded
Employee Paper Data Retention: 7 years after the employee has left the organisation
Member's Data: 7 years from the date the individual's membership has lapsed
Unsuccessful Application Data: 7 years from the date the application is deemed unsuccessful
Deceased Members' Data: 1 year from the date Sat Nam Therapy are notified of the death
Payment Information: card payment details will be inputted to a secure online payment facility at the point of purchase
Complaints: 7 years from the date the complaint is finalised
Minutes of Meetings (with Directors): Indefinitely
Garda Vetting Applications: kept for a one year period from the date they are approved
Data Storage
i. All storage of data will be kept in line with the Data Protection guidelines.
ii. Notes belonging to clients will be kept by each individual therapist on their respective clients.
iii. It is recommended that these notes are coded with no identifying information (e.g. age, DOB, phone, email, address).
iv. It is recommended that therapists keep client intake forms (with identifying information) separate to their client notes. Sat Nam Therapy recommends that Therapists keep their notes locked away in a room that is also locked.
v. Sat Nam Therapy does not keep any personal information on Service Users in a hard copy format on Site.
vi. Sat Nam Therapy will protect data according to the sensitivity of that information and will protect that information in line with that sensitivity.
vii. Sat Nam Therapy is aware that data retention guidelines apply to all data stored manually and electronically, the transfer of data internally and externally, and the protection from outside intrusion via internet and physical theft.
Destruction Policy
i. The destruction of records in relation to Sat Nam Therapy will take place as part of a managed process and documented. Sat Nam Therapy does not take responsibility for documents held by Therapists working at Sat Nam Therapy and leaves the destruction of client documents up to the individual Therapists.
ii. A clearly defined procedure for reviewing and selecting records for disposal is in place and must ensure:
• All records held are retained in accordance with the Data Protection guidelines.
• Records are disposed of in line with the level of detail contained in them.
• Data remaining is organised and labelled to maintain the integrity of the filing system.
Training and Awareness
i. All employees of Sat Nam Therapy will be made aware of the impact of the Data Retention policy on their day-to-day interaction with service user information.
ii. All Therapists linked to Sat Nam Therapy will be made aware that the GDPR polices apply to them as individual practitioners and that they are asked to act in line with these.
Data security breach
i. A data security breach occurs when there is unauthorised access to, or collection, use, disclosure or disposal of, personal information.
ii. This type of breach can occur for several reasons including:
o Loss or theft of data or equipment on which data is stored;
o Inappropriate access controls allowing unauthorised use;
o Equipment failure;
o Human Error;
o Unforeseen circumstances such as a flood or fire;
o A hacking attack;
o Access where information is obtained by deceiving the organisation that holds it.
iii. A record is defined under the Freedom of Information Acts 1997 and 2003 as "any memorandum, book, plan, map, drawing, diagram, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form in which data (within the meaning of the Data Protection Act, 1988 and 2003) are held, any other form (including machine-readable form) or device in which information is held or stored manually, mechanically or electronically and anything that is a part or a copy, in any form of any of the foregoing or is a combination of two or more of the foregoing" (Freedom of Information Act, 1997, 2003)
a) Data Security Breach Guidelines
i. As a data controller, Sat Nam Therapy processes personal data, and appropriate measures are required to be taken against the unauthorised or unlawful processing and accidental loss, destruction of or damage to personal data. It is, therefore, essential that in the event of a data security breach, appropriate action is taken by Sat Nam Therapy to minimise any associated risks as soon as possible.
ii. The purpose of these guidelines is to set out the processes that represent best practice in the event of a data security breach involving personal data or sensitive personal data. These guidelines are a supplement to Sat Nam Therapy's Data Protection Policy, which affirms its commitment to protect the privacy rights of individuals in accordance with Data Protection legislation.
b) Responding to a Potential Data Security Breach
i. In line with best practice, these guidelines outline five stages to managing a response to a breach:
Stage 1: Identification and Classification
i. If a data security breach has occurred, this must be reported immediately to the staff member responsible for data protection.
Stage 2: Containment and Recovery
i. The aim of the Sat Nam Therapy staff member is to limit the scope and impact of the data security breach. If a breach has occurred, appropriate action will be taken by the relevant Sat Nam Therapy staff to minimise any associated risks which may include:
• Establishing who within Sat Nam Therapy needs to be made aware of the breach and ensuring relevant staff/Directors are informed what is required to assist in the containment exercise;
• Establishing whether there are any actions which may recover losses and limit the damage the breach can cause;
• Where appropriate, informing the Gardaí.
Stage 3: Risk Assessment
i. In assessing the risk arising from a data security breach, the relevant Sat Nam Therapy staff are required to consider the potential adverse consequences for individuals, i.e. how likely are adverse consequences to materialise and, if so, how serious or substantial are they likely to be. The information provided by the individual reporting the breach can assist with this stage.
Stage 4: Notification of Breaches
i. In accordance with the Office of the Data Protection Commissioner's (ODPC) "Personal Data Security Code of Practice", all incidents in which personal data has been put at risk must be reported to the ODPC within 2 days of Sat Nam Therapy becoming aware of the incident. However, incidents do not have to be reported to the ODPC when:
• the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s), and
• it affects no more than 100 data subjects, and
• it does not include sensitive personal data or personal data of a financial nature.
Stage 5: Evaluation and Response
i. Subsequent to a data security breach, a review of the incident by the staff member responsible for data protection and Management will occur to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved.
Appendix 1:
Potential Data Security Breach Report (taken from IACP). Please complete the following questions in order to ascertain if a data security breach has occurred and return the completed form to the staff member responsible for data protection.
What type of data is involved? _________________________________________________________
Does it fall under the definitions of personal data and/or sensitive personal data outlined above? ________________________________________________________________________________
If so, the following information must be provided
Details of the breach ___________________________________________________________________
Date and time incident occurred (if known) _____________________________________________
Date and time incident detected _______________________________________________________
Name of person reporting incident_____________________________________________________
Details on how the data was held, e.g. laptop, memory stick, personal digital assistant etc. ___________________________________________
Details of safeguards (e.g. encryption), if any, that would mitigate the risk if data has been lost or stolen ___________________________________________________________________________
Are there any reasons to suspect that the passwords used to protect the data may have been compromised? (e.g. password stored with mobile device or weak password used)
_________________________________________________
Details of the number of individuals whose information is at risk, i.e. how many individuals' personal data are affected by the breach? _______________________________________________
Who are the individuals whose data has been breached: are they staff, students, suppliers, third parties etc.? ________________________________________________________________________
What could the data tell a third party about the individual? ______________________________________________________________________________
Any other information ___________________________________________________________________
Appendix 2: Personal Data Request Form
Sian Williams
21 Fairview
Clontarf, Dublin 3, D03 K4H0
Dear Sir/Madam,
I wish to make an access request under the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form. I am making this request under section 4 of the Data Protection Acts.
Regards,
Signed: ______________________________________________
Full Name: ___________________________________________
Date: _______________________________________________
Name (please print): ___________________________________________
Address: _____________________________________________________
Date when (if ever) you last made a request of this nature to Sat Nam Therapy:
Please Note:
Request in writing should be made and signed by the applicant in person.
Within the terms of the Data Protection Act 1988/2003, Sat Nam Therapy will respond to your request for personal data within 40 days.
In order for us to protect the security of personal data, it is necessary for you to provide proof of your identity. Please contact Sat Nam Therapy to receive a list of acceptable documents.
Requests should be submitted to: Sian Williams, 21 Fairview Clontarf, Dublin 3, D03 K4H0
Appendix 3: Glossary of Terms
As with any legislation, certain terms have particular meaning. The following are some useful definitions:
Data means information in a form which can be processed. It includes both automated data and manual data.
Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer.
Manual data means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible.
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances.
Processing means performing any operation or set of operations on data, including:
• obtaining, recording or keeping data,
• collecting, organising, storing, altering or adapting the data,
• retrieving, consulting or using the data,
• disclosing the information or data by transmitting, disseminating or otherwise making it available,
• aligning, combining, blocking, erasing or destroying the data.
Data Subject is an individual who is the subject of personal data.
Data Controller is a person or body that, either alone or with others, controls the contents and use of personal data. Data controllers can be either legal entities such as companies, Government Departments or voluntary organisations, or individuals such as G.P.s, pharmacists or sole traders.
Data Processor is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment. Again, individuals such as G.P.s, pharmacists or sole traders are considered to be legal entities.
Sensitive personal data relates to specific categories of data which are defined as data relating to a person's racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership. You have additional rights in relation to the processing of any such data.
Copyright © 2024, All rights reserved.