Data Protection Policy for Services

Audio to Text Transcription & Virtual Assistance for Academic, Medical, Scientific and Technical Disciplines

This page explains how we protect your data during processing of your order.  

We are registered with the ICO and our reference number is ZA461452.

Storage
a) We use encrypted devices (laptop, hard drive) to process your files and store your personal information.  
b) We use the following applications to store and transfer your files:
I. Sync, a cloud-based storage solution with end-to-end encryption. 
II. Microsoft Teams via a team channel hosted by the client.   
c) Where it is not possible to use Sync or Microsoft Teams, we recommend file transfer via WeTransfer.  
d) We use Office 365 to back up your client data (the details that are used, e.g., to invoice you).
e) We use Zoho Invoice to generate month-end invoices for regular clients or end-of-task invoices for one-off customers.    
f) Any paper copies you may supply are stored in a secure lockable box.  
g) We will delete copies of your files we hold within a period of time we will agree with you, and no later than upon receiving payment for a final invoice. Where appropriate, we are able to share a Sync folder with you or join a Team that you invite us to; you then remain in control of when your files are deleted.
h) We must retain invoicing records for a period of time that satisfies our financial obligations.   

Processing
i) Our processing tools (laptop, transcription software) are for single-user use, i.e. not shared with other persons.
j) We will only process your data from our registered business address, unless you agree otherwise.  
k) We will use secure passwords to administer devices and accounts wherein your data may be held.  
l) We use an automatic screen lock to ensure privacy upon walking away from our desk.  

Practice
m) We endeavour to honour the guidance provided by the Caldicott Principles (see over) and UK Data Protection Law to provide you with a professional service. Although the Caldicott Principles were produced as a guide to the responsible handling of health-related data, they are an easy-to-understand, sensible policy with which to approach the protection of any type of data: store only what you need to store to perform a purpose, and only for as long as you need to do so.

Last Updated April 2022.

The Caldicott Principles


(Ref: www.igt.hscic.gov.uk)

What are the Caldicott Principles?

The Caldicott Principles were developed in 1997 following a review of how patient information was handled across the NHS. The Review Panel was chaired by Dame Fiona Caldicott and it set out six Principles that organisations should follow to ensure that information that can identify a patient is protected and only used when it is appropriate to do so. Since then, organisations deciding whether they need to use information that would identify an individual should use the Principles as a test. The Principles were extended to adult social care records in 2000.

The Caldicott Principles revised 2013 are:

Principle 1 - Justify the purpose(s) for using confidential information
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

Principle 2 - Don't use personal confidential data unless it is absolutely necessary
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

Principle 3 - Use the minimum necessary personal confidential data
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

Principle 4 - Access to personal confidential data should be on a strict need-to-know basis
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities
Action should be taken to ensure that those handling personal confidential data - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 - Comply with the law
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.  

In April 2013, Dame Fiona Caldicott reported on her second review of information governance. Her report, "Information: To Share Or Not To Share? The Information Governance Review", informally known as the Caldicott2 Review, introduced a new 7th Caldicott Principle.

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.  
