Data Protection legislation exists to protect individuals from the abuse of personal information. It covers both computerized and written information and the individual’s right to see such information.
The General Data Protection Regulation (GDPR) forms part of the data protection regime in the UK, together with the Data Protection Act 2018 (DPA 2018). The main provisions of the DPA 2018 apply, like the GDPR, from 25 May 2018.
Detailed information on the Act may be found at
The Palmer School of Excellence CIC must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data. The available lawful bases are:
The Palmer School of Excellence CIC must ensure that it does not do anything with the data in breach of any other law. This covers statutory and common-law obligations, whether criminal or civil. If processing involves committing a criminal offence it will obviously be unlawful; however, processing may also be unlawful if it results in:
The Palmer School of Excellence CIC must use personal data in a way that is fair. This means it must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
The Palmer School of Excellence CIC must be clear, open and honest with people from the start about how it will use their personal data.
The Palmer School of Excellence CIC is registered with the Information Commissioner’s Office (ICO) under the process formerly known as ‘notification’.
The National Data Guardian for Health and Social Care is an independent, non-regulatory, advice-giving body in England.
The National Data Guardian’s Data Security Standards are clustered under three leadership obligations:
Leadership Obligation 1: People: ensure that staff and volunteers are equipped to handle information respectfully and safely, according to the Caldicott Principles.
Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit (NHS Data Security and Protection Toolkit).
Leadership Obligation 2: Process: ensure the organization proactively prevents data security breaches and responds appropriately to incidents or near misses.
Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Data Security Standard 6. Cyber-attacks against services are identified and resisted and advice from Crius Tech is responded to. Action is taken immediately following a data breach or near miss, with a report made to the Chair within 12 hours of detection.