Privacy Policy
Data Protection & Confidentiality Policy
Responsible Person (name): Dominic Simpson
Responsible Person (job title): Director
Date of last review: Feb 2020
Date of next review: Feb 2023*
* Or if any changes occur which may affect the validity of the content, including any significant incidents, accidents or near misses.
1. Policy Statement
Jigsaw Occupational Therapy recognises its duties both in terms of confidentiality and data protection legislation and is committed to ensuring we are compliant with regard to all the ways in which we process, store, share and dispose of information. We endeavour to ensure that the proper management and appropriate levels of confidentiality and security are in place.
Jigsaw Occupational Therapy collects, holds and uses personal data about our employees and clients for a variety of purposes. This policy sets the framework by which we seek to protect personal data and ensure that employees understand the rules governing their use of personal data to which they have access in the course of their work.
2. Compliance
There is a range of statutory provisions that impact on the use and disclosure of personal and confidential information. These include, but are not limited to:
Common Law Confidentiality
This is built up from case law where practice has been established as a result of individual judgements. The key principle is that information confided should not be used or disclosed further, except as originally understood by the confider or with their subsequent permission.
General Data Protection Regulations (GDPR)
This governs the processing (which includes holding, obtaining, recording, using, sharing and disclosing) of information. It applies to all forms of media, paper, images, data, verbal disclosure etc.
The GDPR came into force on the 25th May 2018. In the full text of the GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the Regulation. These include allowing people to have easier access to the data organisations hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about.
The Human Rights Act (1998)
Article 8 of the Act establishes a right to ‘respect for private and family life’ and this underscores the duty to protect privacy of individuals and preserve the confidentiality of their records. Other elements of the Act mean that any other legislation must be compatible. The GDPR and Common Law Confidentiality satisfy this. In relation to disclosure and Article 8 - processing must be justified as being necessary to support legitimate aims and be proportionate to need.
3. Policy Scope
This policy is relevant to all Jigsaw Occupational Therapy staff, contractors, clients and any person(s) using or affected by its activities or services. Staff must be familiar with this policy and comply with its terms.
This policy is supplemented by other policies relating to internet and email use and covers all aspects of information within the company, including (but not limited to):
❖ Client information
❖ Personnel information
❖ Organisational information
4. Key Responsibilities
Employees have a responsibility to ensure that information is recorded accurately and in a timely manner and that information is only shared with those who need to know and is transmitted securely. Failure to do so may result in disciplinary action.
This responsibility is a contractual one, with confidentiality incorporated into the terms and conditions of all contracts of employment and contracts for services. Ongoing training and awareness will be provided to all staff. Awareness for new staff is provided through Jigsaw Occupational Therapy’s induction process.
Employees are responsible for:
❖ ensuring that policies are understood, with issues being discussed with the Directors
❖ alerting the Directors should they be made aware of any data issue or breach.
5. Definitions
The words used in this policy are used in their ordinary sense and technical terms have been avoided.
Personal data
Personal data refers to all items of information in any format from which an individual (data subject) might be identified or which could be combined with other available information to identify an individual and is information which has a duty of confidence. This may include (but is not limited to):
❖ Name
❖ Date of Birth
❖ Post code
❖ Address
❖ National Insurance Number
❖ Photographs, digital images etc.
❖ Client identification documents
❖ Online identifiers and location data (such as IP addresses and mobile device IDs)
❖ Pseudonymised data
Special categories of personal data (sensitive data)
Certain categories of information are classified as special categories of personal data. In the event Jigsaw Occupational Therapy processes this type of data for any reason, additional safeguards must be adhered to in line with guidance and legislation. Special categories of data include (but are not limited to):
❖ Concerning health, sex life or sexual orientation
❖ Racial or ethnic origins
❖ Trade union membership
❖ Political opinions
❖ Religious or philosophical beliefs
❖ Genetic data
❖ Biometric data
❖ Records relating to criminal charges and offences
Confidential Information
Confidential information within Jigsaw Occupational Therapy can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including Company information, employee records, client records etc.
Organisational and Employee Information
This describes the personnel, administrative, financial, regulatory, payroll and business development purposes for which we may use personal data.
These include the following:
❖ Compliance with our legal, regulatory and corporate governance obligations and good practice
❖ Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
❖ Ensuring business policies are adhered to
❖ Operational reasons, such as recording staff communications; checking references; ensuring safe working practices; monitoring and managing staff access to systems and facilities; staff administration; monitoring staff conduct and disciplinary matters.
6. Legal Compliance
The GDPR retains the same core rules as the Data Protection Act (which is based on the EU Data Protection Directive) and continues to regulate the processing of personal data.
Those processing personal data do so as a Data Controller or a Data Processor. A Data Processor just acts on the instructions of the Data Controller.
Under the GDPR, processing must comply with six general principles and must satisfy a processing condition. Jigsaw Occupational Therapy will not only comply with the six general principles, but also be able to demonstrate we comply with them.
6.1 Six General Principles
Principle 1
Personal information must be fairly and lawfully processed
We will process personal data fairly and lawfully in accordance with individuals’ rights. In most cases, this means that we will not process personal data unless the individual whose details we are processing has consented to this happening.
There are two constituent parts to this Principle that will apply to all of our routine service and business data processing activities:
Fairly:
Processing will be ‘fair’ – we must have a legitimate reason for collecting and using the data, be transparent about how we’ll use it, handle the data in a way that would be reasonably expected and not use it in ways which would have an adverse effect on the individual.
Some of this can be achieved through the provision of our Fair processing information notice (Privacy Notice).
Lawfully:
We will ensure processing is undertaken in line with the requirements within the Regulation, plus any other legal / regulatory requirements, any contractual requirements, and any duty of confidentiality.
Principle 2
Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Specified:
Processing will be limited to the specific purpose communicated to the data subject
Explicit:
Where personal information is collected, we will communicate the purpose for collection and the type(s) of processing to the data subject. This includes any subsequent processing.
Legitimate:
We will ensure we have a legitimate reason for collecting and processing each aspect of the data.
Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
Not Excessive:
We will minimise the collection and processing of data where possible
Adequate:
We will ensure that data is sufficient to fulfil our purposes (business need) of collection and processing.
Relevant:
When collecting personal information, we will only collect personal information that is absolutely required for the specified purpose. We will ensure we are able to justify the collection and processing of each element of data. For example, if collecting personal information for a mailing list, there would be no basis for our collecting date of birth data.
Principle 4
Data must be accurate and where necessary kept up to date
We will ensure as far as is reasonably practicable, the accuracy of data we collect and process.
Where we have shared data, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform those with whom we have shared that the data subject has requested erasure of their personal data.
Principle 5
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
We will define retention periods for every aspect of data held by us and delegate responsibilities for destruction. We will use data mapping and privacy impact assessments (where applicable) to understand our data flows so that data which is shared internally and externally can be updated and erased too.
When setting retention periods, we will consider:
❖ Any statutory requirement to retain information
❖ Industry guidelines and standards
❖ The value of the information
❖ The risks of retaining the information
❖ The need to keep the information accurate and up to date
We are accountable for the security, confidentiality, integrity and availability of all personal data for the entire period of time that we retain it. The tools we will use to ensure this can be achieved include this policy, our Employee Confidentiality Code of Conduct, Employee Training and Privacy Impact Assessments (PIAs), which are carried out for changes and significant projects.
Principle 6
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
6.2 Conditions for personal data processing
We will determine the lawful bases for all of our personal data processing activities and document these. All personal data processing activities will be justified by one or more of the following available lawful bases:
1 Consent of the data subject
2 Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
3 Processing is necessary for compliance with a legal obligation
4 Processing is necessary to protect the vital interests of a data subject or another person
5 Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6 Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
1.1 Special Categories of Data (Sensitive Data)
We will document the additional justification for the processing of sensitive data, using the conditions for special categories of data set out within the GDPR (we must meet at least one lawful processing condition whenever we process personal data. However, if the information is sensitive personal data, we will meet at least one of several other conditions to ensure the data is lawfully processed):
1 The individual whom the sensitive personal data is about has given explicit consent to the processing.
2 The processing is necessary to comply with employment law
3 The processing is necessary to protect the vital interests of:
the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
another person (in a case where the individual’s consent has been unreasonably withheld).
4 The processing is carried out by a not-for-profit organisation (where processing relates solely to the members, former members or to persons who have regular contact with it in connection with its purposes. Must not be disclosed to third party without consent)
5 The individual has deliberately made the information public
6 The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
7 The processing is necessary for administering justice, or for exercising statutory or governmental functions.
8 The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
9 The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
6.3 Confidentiality
All employees and contractors working for Jigsaw Occupational Therapy are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a legal requirement within the common law duty of confidence.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information will not normally be disclosed without the individual’s consent.
In practice, this means that all confidential information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without having a legitimate processing condition(s).
Information is categorised as confidential if it contains personal details of employees, clients or service users. Non-confidential information would, for example, be approved policies or information that the individual has already put into the public domain.
Care will be taken that information is only disclosed to employees who have a demonstrable need to have access to it and limited to the minimum information required for that purpose as per the Information Commissioner's Office Data Sharing Checklist.
6.4 Privacy by Design
We will ensure that privacy by design takes place at the start of any significant change or project. A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information is collected, used, shared, and maintained. PIAs will be incorporated into project plans and documents completed as part of this process will be reviewed and signed off by the Information Governance Lead.
6.5 Privacy Notice
Our Privacy Notice will be clear and understandable. We will give clear information about how we use personal data for different groups (for example, employees and clients).
When we obtain data we will (at or before the point of obtaining information):
❖ Provide our Company details, including how to contact the person who is responsible for data protection (the Directors)
❖ Be clear whether data will be shared with or disclosed to others / other organisations
❖ Be clear about why we are collecting the data, how we will use it and the legal basis for these activities
❖ Be clear how long we will keep the data or how we will decide the retention period
❖ Make people aware of their rights in relation to the data and make clear that they can withdraw their consent at any time (if consent used as the processing condition)
❖ Be clear about any existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences (this is particularly relevant for anti-money laundering checks we undertake)
❖ Provide clear details on how to view or obtain our Privacy Notice
6.6 Data portability
We will provide data subjects with a copy of their data in a structured format upon request. These requests will be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. Where data subjects request that their data is transferred directly to another system, we will accommodate this free of charge.
6.7 Right to be forgotten
We will comply with any request from a data subject to delete or remove any information held on them (except in cases where an exemption applies), and ensure that any third parties who process or use that data also comply with the request.
6.8 Consent
We will ensure consent given under the GDPR as a lawful basis for processing personal data is a freely given, specific, informed and unambiguous indication of the individual’s wishes. We will ensure there is some form of clear affirmative action – or in other words, a positive opt-in and that consent is not inferred from silence, pre-ticked boxes or inactivity. Consent will be separate from other terms and conditions, and we will provide simple ways for people to withdraw consent.
In England, Wales and Northern Ireland there is no set age at which a child is generally considered to be competent to provide their own consent to processing. We will consider the competence of the child (whether they have the capacity to understand the implications of the collection and processing of their personal data). If they do have this capacity then they are considered competent to give their own consent to the processing, unless it is evident that they are acting against their own best interests.
We will also take into account any imbalance of power in our relationship with the child, to ensure that their consent is freely given. Where the child is not competent then, in data protection terms, their consent is not ‘informed’ and it therefore isn’t valid. If we wish to rely upon consent in this situation, we will seek the consent of a person with parental authority over that child.
6.9 When is there a duty for us to share?
The need to share confidential information may become a duty in cases involving safeguarding or threat to the safety of individuals. This may necessitate the sharing of confidential information with regulators, police or social services.
6.10 External Data Sharing
There is an important obligation on all organisations sharing confidential information to ensure that recipients can demonstrate that they can be trusted to handle it in accordance with the confidentiality rules.
When data is shared externally, data sharing contracts must be in place that make clear the data protection arrangements that must be in place for each party.
6.11 Privacy Notice
Our Privacy Notice
❖ sets out the purposes for which we hold personal data on service users, clients and employees
❖ makes clear that individuals have a right of access to the personal data that we hold about them and a right to have information corrected
❖ provides information on how and who to contact if an individual would like to correct or request information that we hold about them (subject access request).
6.12 Employee Records
Employees must take reasonable steps to ensure that personal data Jigsaw Occupational Therapy holds about them is accurate and updated as required. For example, if their personal circumstances change, they must inform the Directors so that their records can be updated.
6.13 Data security
Employees must keep personal data secure against loss or misuse and must adhere to the following:
❖ In cases when data is stored on printed paper, it must be kept in a secure place where unauthorised persons cannot access it.
❖ At the end of the working day staff must tidy away all office papers into locked desk drawers and filing cabinets.
❖ Client records must be inputted to the database and hard copy information securely filed or shredded
❖ Data stored on a computer must be protected by strong passwords that are changed regularly
❖ Data stored on CDs or memory sticks must be locked away securely when they are not being used. CDs or memory sticks must not be removed from the place of work without express permission
❖ The Directors must approve any cloud used to store data, first seeking advice and assurances from Jigsaw Occupational Therapy IT contractors as to potential risks and security features
❖ All servers containing sensitive data must be approved and protected by security software and a strong firewall.
❖ Client personal data must never be forwarded to personal email addresses unless permission is granted and risks explained. Organisational data should not be accessed off site via mobile devices such as laptops, tablets or smartphones without express permission from the Directors
6.14 Audit of Records/Information Asset Management
We will periodically complete an audit of our records. This will involve:
❖ knowing what series of records we hold
❖ knowing that they are being held under the correct security conditions
❖ identifying any records for destruction under retention guidelines
6.15 Data retention
We will not retain personal data for longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained.
6.16 Subject Access Requests
Individuals are entitled, subject to certain exceptions, to request access to information held about them. Subject access requests will be referred immediately to the Directors.
Appendix 1: Data Retention Schedule
| Record type | Retention start | Retention period | Action at end of retention period | Notes |
| --- | --- | --- | --- | --- |
| Organisational information | | | | |
| Accident / Incident Records | Creation | 3 years from date of last entry* | Shred / delete | |
| Accounting Records | Creation | 3 years private companies, | Shred / delete | |
| Client Records | Creation | Until the child's 25th birthday, or 26th if an entry was made when the young person was 17; or 3 years after death of the client if sooner | Shred / delete | |
| Personnel information | | | | |
| Income tax and NI returns, income tax records and correspondence with HMRC | Creation | not less than 3 years after the end of the financial year to which they relate | Shred / delete | |
| National minimum wage records | Creation | 3 years after the end of the pay reference period following the one that the records cover. | Shred / delete | |
| Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence | Creation | 6 years | Shred / delete | |
| Wage/salary records (also overtime, bonuses, expenses) | Creation | 6 years. | Shred / delete | |