The General Data Protection Regulation (GDPR) contains six “Data Protection Principles” set out in Article 5. These specify that personal data must be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

3. Adequate, relevant and limited to what is necessary in relation to the purposes;

4. Accurate and, where necessary, kept up to date;

5. Kept in a form which permits identification of data subjects for no longer than is necessary;

6. Processed in a manner that ensures adequate security of the personal data, using appropriate technical or organisational measures.

Article 5(2) also sets out an overarching accountability principle ‘the controller shall be responsible for, and be able to demonstrate, compliance with the principles.’

Individual rights are set out in a separate part of the GDPR. In brief, the GDPR provides the following rights for individuals:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling.

This policy has been written within relevant Information Commissioner’s Office (ICO) guidelines.

Definitions and terms used in relation to the GDPR can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ 

This policy applies to all personal data and special categories of data (sensitive personal data) collected and processed by East West Healthcare in the conduct of its business, in electronic format in any medium and within structured paper filing systems.

This policy applies to all staff, whether permanent, temporary, contractors, or consultants.

Disciplinary action may be taken against staff failing to comply with this policy.

Alexander Brazkiewicz is the Data Controller of, and registered with, the Information Commissioner’s Office (ICO) for collecting and using personal data. Holos Healthcare and Training Limited is also a Data Controller for East West Healthcare. The registration reference for East West healthcare is ZA402456.  

In order to meet the requirements of the data protection principles and individual rights set out in the GDPR, East West Healthcare adheres to the following values when processing personal data:

The specific conditions contained in Article 6 and 9 of the GDPR regarding the fair collection and use of personal data will be fully complied with.

Individuals will be made aware that their information has been collected, and the intended use of the data specified either on collection or at the earliest opportunity following collection through relevant privacy notices.

Personal data will be collected and processed only to the extent that it is needed to fulfil business needs or legal requirements.

Personal data held will be kept up to date and accurate, where necessary.

Retention of personal data will be appraised and risk assessed to determine and meet business needs and legal requirements, with the appropriate retention schedules applied to that data.

Personal data will be processed in accordance with the rights of the individuals about whom the personal data are held.

It is important that there is a lawful basis for processing any personal data and East West Healthcare has documented this. A ‘cease processing request’ from an individual will be acknowledged within 3 working days, with the final response within 21 days. The final response will state whether East West intends to comply with the request and to what extent, or will state the reasons why it is felt the requestor’s notice is unjustified.

Staff will advise the Alex Brazkiewicz in the event of any intended new purposes for processing personal data, who will then arrange for a Data Protection Impact Assessment to be conducted. This is now a lawful requirement.

Appropriate technical, organisational and administrative security measures to safeguard personal data will be in place.

Staff will report any actual, near miss, or suspected data breaches to the Principal for investigation. Lessons learnt during the investigation of breaches will be relayed to those processing information to enable necessary improvements to be made. The Principal will report any ‘serious’ breaches to the Information Commissioner’s Office as necessary, within 72 hours of the breach being reported internally.

Any unauthorised use of corporate email by staff, including sending of sensitive or personal data to unauthorised persons, or use that brings East West into disrepute will be regarded as a breach of this policy.

Relevant Data Protection Awareness Training will be provided to staff to keep them better informed of relevant legislation and guidance regarding the processing of personal information. Data protection training will also promote awareness of East West's data protection and information security policies, procedures and processes. Staff are strongly encouraged to complete this training during induction and subsequently on an annual basis.

East West may routinely make certain personal information publicly available. Examples include publication of case studies and personal experences, contact details on the website etc. East West will undertake to cease such activity, where possible, for any data subject on the grounds of such disclosure causing damage and distress on application to, and agreement by, the Data Controller.

Regular information sharing with third parties, where there is a valid business reason for sharing information, shall be carried out under a written agreement setting out the scope and limits of sharing. Data Processing Agreements will be applied to all contracts and management agreements where East West is the data controller contracting out services and processing of personal data to third parties (data processors). These agreements will clearly outline the roles and responsibilities of both the data controller and the data processor.

All data processors shall agree to conform to this policy and the GDPR and as far as possible, indemnify East West against any prosecution, claim, proceeding, action or payments of compensation or damages without limitation and provide any personal information specified on request to the Data controller.

As part of all relevant privacy notices East West will inform individuals of the identity of third parties to whom we may share, disclose or be required to pass on information to, whilst accounting for any exemptions which may apply under the GDPR and other relevant legislation.

Personal data will not be transferred outside the European Economic Area unless that country or territory can ensure a suitable level of protection for the rights and freedoms of the data subjects in relation to the processing of their personal data.

Members of staff will have access to personal data only where it is required as part of their functional remit.

Staff are made aware that in the event of a Subject Access Request being received by East West, their emails may be searched and relevant content disclosed, whether marked as personal or not.

A relevant contact address will be made available on the internet for data subjects to use should they wish to submit a Subject Access Request, make a comment or complaint about how East West is processing their data, or about our handling of their request for information.

A Subject Access Request will be acknowledged to the data subject within 3 working days, with the final response and disclosure of information (subject to exemptions) within 1 calendar month.

A data subject’s personal information will not be disclosed to them until their identity has been verified.

Third party personal data will not be released by East West when responding to a Subject Access Request or Freedom of Information Request (unless consent is specifically obtained, obliged to be released by law or necessary in the substantial public interest).

All data subjects have a right of access to their own personal data. Advice will be provided to data subjects on how to request or access their personal data held by East West.

The Freedom of Information Act 2000 enables greater public access to information processed by public bodies such as East West. However, personal data continues to be protected by the GDPR, and is therefore exempt from disclosure under the Freedom of Information Act (Section 40).