We are totally committed to protecting your privacy. Any information we collect about you is done so in accordance with the Data Protection Act (1998) and the General Data Protection Regulation (2018). We collect information about you for two reasons: firstly, to provide you with a service and secondly, to provide you with the best possible service.
We will never collect sensitive information about you without your explicit consent. The information we hold will be accurate and up to date. You can check the information that we hold about you by emailing us at firstname.lastname@example.org. If you find any inaccuracies we will delete or correct it promptly. The personal information which we hold will be held securely in accordance with our internal security policy and the Web Trader Code. If we intend to transfer your information outside the EEA (European Economic Area) we will always obtain your consent first. We don’t share your information without your explicit consent. We may use technology to track the patterns of behaviour of visitors to our website. This can include using a “cookie” which would be stored on your browser. You can usually modify your browser to prevent this happening. The information collected in this way can be used to identify you unless you modify your browser settings. If you have any questions/comments about privacy, you should contact us.
For more detailed information please see our policies section below.
Website Terms & Conditions
1.1 ‘Wheel of Health’ owns the website. The content, data and services on the website are delivered by Wheel of Health. You may access and use this website (www.wheelofhealth.co.uk) if you agree to be legally bound by the terms set out here. If you do not agree to be legally bound by these terms, please do not access and/or use www.wheelofhealth.co.uk.
1.2 Terms for access to and use of the comments facility, if applicable, under which you can review, or comment on, articles, are set out in sections 7 to 10 below. If you agree to be legally bound by the terms you may use the comments facility. If you do not agree to be legally bound by these terms please do not use the facility to post comments.
1.3 www.wheelofhealth.co.uk is intended for use only by people who live in the United Kingdom and Ireland. Service descriptions, entitlements and costs refer to services in England and arrangements may differ elsewhere in the UK.
2 Changes to terms
We may make changes to www.wheelofhealth.co.uk, including these terms, at any time. You will be legally bound by the updated or amended terms from the first time that you use the website after we publish the changes on www.wheelofhealth.co.uk
3 Intellectual property rights
For non-commercial use, including personal use, or for use by a registered charity, a not-for-profit organisation or a public sector body including NHS organisations, you may copy, download, adapt or print off copies of the materials, information, data and other content included on our website, subject to the exceptions detailed at 3.3 and 3.4; however, you will need to obtain permission in writing from us in order to do this.
Under the Open Government Licence (OGL) commercial organisations may make use of our content on similar terms to those at 3.1. Note that any editing of clinical content may invalidate its formal approval; the organisation or individual amending the content will bear any risk associated with such amendment.
The rights in images, trademarks, trade names, logos and so forth included in ‘Wheel of Health’ are owned by Wheel of Health. You will need to obtain permission in writing from us before you may use these images, trademarks, trade names or logos in any way.
4 Medical information
Wheel of Health provides clinical information for use as information or for educational purposes. We do not warrant that information we provide will meet your health or medical requirements. It is up to you to contact a health professional if you are concerned about your health.
The Wheel of Health website does not give medical advice in relation to any individual case or client, nor does it provide medical or diagnostic services.
If you are a medical or health professional then you are encouraged to use the website for general information purposes. However, you should not rely on material included on the website and we do not accept any responsibility if you do.
5 Third party websites
We do not monitor the content of third-party websites. Any link provided on the website is solely for your convenience. We do not accept any responsibility for any third-party website. Where we provide links to third-party websites, that does not imply any association with or recommendation for those websites. See our External links policy.
We accept no liability to you should our website not be available at any time.
We do not accept any liability to you for any of the following types of loss or damage (which you may suffer as a result of your use of the website) whether the losses were foreseen, foreseeable, unforeseen, unforeseeable, known, unknown or otherwise:
- loss which arose when you first accessed the website (even if that loss results from our failure to comply with these terms or our negligence);
- any business loss you may suffer, including loss of revenue, loss of profits or loss of anticipated savings (whether those losses are the direct or indirect result of our default);
- loss which you suffer other than as a result of our failure to comply with these terms or our negligence or breach of statutory duty;
- any loss suffered due to the default of any party other than us.
We do not warrant that the website or any content will be available uninterrupted or error free, that defects will be corrected, or that the website or its supporting systems are free of viruses or bugs.
We do not accept any liability to you if we fail, or are interrupted or delayed in the performance of any obligation because of:
- the non-availability or failure of any telecommunications or computer services, systems, equipment or software operated or provided by you or any third party;
- any other event not reasonably within our control.
We do not give any commitments or accept any liability to you in respect of content provided by other users of the website or third parties.
Terms set out here should be read in conjunction with our external links policy. You acknowledge and agree that we will not be responsible for any injury, loss or damage (whether direct or indirect) arising out of, or relating to the misuse of, or inappropriate reliance on the contents or advice provided via an external link on this website, except to the extent that such liability cannot be excluded by law.
7 Posting comments
To post comments on our website you must provide a valid e-mail address and any other information we request.
Terms set out here and at sections 8, 9, and 10 should be read in conjunction with our Comments policy.
Postings you make to our website shall not be treated as confidential.
You are legally responsible for the content of any material you submit for posting on our website.
Wheel of Health shall own any material posted on its website.
We reserve the right (on behalf of ourselves and any moderator that we may appoint) to:
- temporarily or permanently suspend your access to our comments facilities;
- edit, not put on the website, or delete any posts you submit;
- take any other action against your registration if, in our view, you have not complied with the rules of conduct set out below.
8 Online conduct
If you are under 16 you should seek your parent’s or guardian’s consent before you submit a comment to our website.
Comments posted should relate to your personal experience or that of someone close to you. You should not name any individuals (other than yourself) or include information through which someone else could identify an individual about whom you are writing. If you want to comment on someone else’s experience (e.g. a relative or someone you care for) then you may do so if you ensure that you are not named in the posting and you state how the other person is connected to you (e.g. “my father”). You warrant that all statements of fact in any comment you submit are true, and that any expression of opinion is your honestly held opinion on those facts, or that of the person on whose behalf you are writing.
Postings should be constructive, truthful, and not abusive.
You should not use the comments facilities to make complaints about individuals or services. If you wish to complain please contact us through our complaints procedure.
If you find any comments offensive or objectionable you may make a complaint to the moderator using the ‘Report’ link provided at the foot of each published comment, or contact us directly and we will deal with this.
We have many measures in place to keep your information safe. But it is important that you also play your part – visit the government’s Get Safe Online website for advice on how to do this.
To the extent that we are practically able to do so, we may terminate your access to any part of our website at any time without notice if you breach any of the terms. You may terminate your account registration by contacting us. This will clear any personal information you have saved.
If any of these terms are determined to be illegal, invalid or otherwise unenforceable then the remaining terms shall remain in full force and effect.
These terms shall be governed by and interpreted in accordance with the laws of England.
www.wheelofhealth.co.uk is delivered by:
Wheel of Health Limited
17 Monks Wood Close
Personal data collected
- Navigation data: IP address and the website you came from;
- Personal information: includes your first name, last name, email address, postcode and other personal information you provide.
Use of personal data
- Analytics: uses navigation data in services provided through Wheel of Health and third parties. For more information see our cookies policy.
- Advertising: some pages are supplied with advertising data relating to approved equipment suppliers.
- Personalisation: uses navigation data and personal information to enable us, and third parties, to tailor the services provided to you.
- We will never share personal information with any third parties without your consent. Navigation data is shared with trusted third parties providing analytics or advertising.
We want you to feel secure when using the website and associated services. We are committed to respecting your privacy. Below we give an overview of how we do that.
How do we use your information?
We analyse information to see what is most effective about our website and associated services to help us identify ways to improve it and to make it more effective. We may also use information for other purposes, which we would describe to you at the point when we collect the information.
What information do we collect when you use Wheel of Health?
We collect information indirectly and directly. When you use Wheel of Health we use technology to collect information indirectly – such as your internet address. This is commonplace across all internet services to enable the investigation of issues such as malicious use. This information is then kept in our secure internet access logs. We collect information directly from you in a number of ways. One way is by using cookies. Cookies are small files of information that save and retrieve information about your visit to our site, such as how you entered our site, how you navigated through the site and what information was of interest to you. This information is collected for a number of reasons, for example, to help develop the website and associated services.
See our Cookies policy for more information on the cookies we use. We also collect information when you give it to us. When we collect this type of information, we will notify you as to why we are asking for information and how this information will be used. It is completely up to you whether you provide it, but not providing information may affect our ability to provide services to you.
The social media sites that Wheel of Health links to are third-party sites and Wheel of Health does not control the way these sites use your information. If you choose to access these sites using the links provided, the operators of these sites may collect information from you that may be used by them in accordance with their privacy policies, which may differ from ours. You should read their privacy policies carefully to find out what happens to any information that is collected by these services when you use them.
Any videos from Wheel of Health – whether viewed on the website, in emails or embedded in third-party sites – are supplied (streamed) to users by the use of the website, YouTube or Microsoft Hub. Each product is able to compile statistics for Wheel of Health, such as what videos have been watched and when; it uses an anonymous tracking cookie and stores no personal data.
Use of the Wheel of Health website on third-party sites will be tracked (using Google Analytics). No personal data is collected by the tools. Information gathered by Wheel of Health includes the user’s IP address, the web page a tool is accessed from, and how many times it is accessed. In some cases, tracking is used to show user journeys through a tool. This information is the sole property of Wheel of Health and will not be shared with third parties. All tools store the number of times a user has visited the tool. Some tools also store ‘state’ information so that when a user returns to a tool it is in the ‘state’ they left it in.
How long do we hold this information?
We will hold the information for as long as we are providing you services. If you do not access the services provided by Wheel of Health, for instance, open or click through one of the emails for more than a year, we will send you an email asking you to confirm that you wish to continue receiving emails. If you do not respond to this email within one month we will unsubscribe you. We will remove all personal information we hold relating to you, which you registered with us, within six months of you unsubscribing from Wheel of Health. We hold this information for a further six months following unsubscription, as we may need to use it for statistical analysis or if you choose to resubscribe. Be assured that if you unsubscribe you will not receive further information from us.
Will we disclose your information to, or share it with, other organisations?
We do not share data with other organisations unless the law permits us to do so. We do not sell individuals’ information. We will share it only with our authorised Data Processors, who must act at all times on our instructions as the Data Controller under the Data Protection Act 1998 and EU General Data Protection Regulation (2018). Before you submit any information, we will notify you as to why we are asking for specific information and it is up to you whether you provide it.
We may give you access to your information
You are entitled to know whether we hold information about you and, if we do, to have access to that information and require it to be corrected if it is inaccurate.
You can do this by contacting our Data Protection Officer,
Wheel of Health Limited
17 Monks Wood Close
Your data is kept under secure conditions
We take appropriate steps to maintain the security of your data on our service. The open nature of the internet means that data may flow over networks without security measures and may be accessed and used by people other than those for whom the data is intended. Our intention is that this should not happen and we take measures to ensure that it does not.
Cookies – small information files placed on your device – are used to improve services for you by, for example:
- enabling the service to recognise your device so you do not need to give the same information repeatedly
- recognising when you have already given a username and password so that you do not need to do so for every subsequent web page you visit
- improving services we provide by providing you with a personalised journey, where applicable
- measuring how many people are using the services we provide, so we can make them easier and faster to use
- analysing data, anonymously, to help us understand how people interact with government services
When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your computer, mobile phone or whatever device you are using to access the internet. This information is held in cookies. You can learn more about cookies from the GOV.UK guidance on cookies.
For more information about how to remove cookies from your device, or how to block individual cookies from being received, please see the instructions and guidance at ico.org.uk.
Wheel of Health does, at times, allow you to contribute to the site through comments. If the comment facility is turned on to the relevant section this will be available to you. Contributions to this website will be moderated, that is, checked to make sure they don’t break our rules. You will need to keep your contributions constructive, relevant and civil. The rules and guidelines below are to protect both you and the company, and our moderators will remove contributions that break the rules. Should you have further questions and would like to contact us, please get in touch.
Commenting on services
The service you receive from Wheel of Health will never be adversely affected by your feedback, however you can’t comment anonymously. You should respect the anonymity of staff and associates at the service you are commenting on by not using their names.
This is not a formal complaint procedure and if you wish to make a complaint you should read our Complaints Procedure. If you want a reply to your feedback you should contact us directly. This area is not suitable for making general political points about Wheel of Health. Feedback from staff, associates or trusted equipment suppliers will not be accepted. Any comments solicited by equipment providers or a related party are not permitted. Equipment providers should never post comments on behalf of clients, their friends or family members. Once a comment we’ve published is more than two years old, it is removed along with any associated information.
Complaining about another person’s comments
If you think someone’s contribution to the website breaks our rules you can alert one of our moderators by contacting us directly. Reporting a comment will not delete it but will temporarily remove it and ensure we look at it as soon as possible. The moderators will then decide whether to remove it permanently or reinstate it.
Relevance, civility, and decency
- Relevance: comments must be relevant to the page they are to appear on.
- Be civil: please ensure that your contributions are respectful of others. We will remove contributions that are unlawful, harassing, abusive, threatening, obscene, sexually suggestive, racist, homophobic or sexist or that incite or promote hatred of any group or individual.
- Writing in capitals: do not write in capital letters – on the internet this is regarded as “shouting” and many people are offended by it.
- Be informative: ensure that your comment has enough information to describe your experience. If comments are deemed uninformative by our moderators, they may be removed.
- Abusive language: comments containing swearing will be removed. People of all ages use the website and language should be suitable for them.
- English: all comments on the website must be made in English. Comments in other languages will be removed.
- Stereotypes: comments that stereotype sections of society will be removed.
- Multiple posts: duplicate comments or repeats will be removed. Users should only post one review per experience.
Privacy and confidentiality
Whether you are speaking for yourself, a friend, or a family member, do not name the individuals you are talking about. If you are making a comment on another person’s behalf, it is best instead to talk of “my husband”, “my uncle” and so on to protect their privacy.
To protect your privacy, any information you contribute that reveals personal information, such as names, phone numbers, email addresses, Twitter handles, addresses and so on will be removed. Any posts attempting to use the site to exchange personal information or arrange meetings with another user will also be removed.
Screennames, nicknames and impersonation
Screennames used on our website are moderated. When selecting a screenname make sure you choose one that is not rude, offensive or aimed at impersonating another person.
Please avoid naming businesses or commercial services in your comment. Any comments breaching this rule will be removed.
We ask that people under 16 get permission from a parent or guardian before posting on the website.
Health advice, medicinal products and commercial activity
Comments that glamorise smoking, drug use or drinking or that promote a poor moral example will be removed. Asking for and giving specific medical or health advice is not permitted. Comments deemed to be advertising a product or service will be removed.
We may remove references to specific medical products or medicines if the context is not appropriate. Irrespective of their contents, comments will be removed if they were, or might reasonably be suspected of being, made following financial or any other inducement.
Legal issues, criminal activity or negligence
- Current court cases and court injunctions: contempt of court rules mean you cannot make comments that could prejudice the outcome of a court case. Comments on something that subsequently becomes the subject of a court case or hearing will also be removed if they risk being in contempt of court. Contributions that break a court injunction will be removed.
- Clinical negligence or criminal activity: specific accusations of clinical negligence in which an individual is identified will not be published. If you have an allegation of clinical negligence by a particular clinician please use the complaints procedure. Accusations of specific criminal activity will not be published. If you believe that criminal activity is or has taken place, please contact Wheel of Health directly.
- Defamation: defamation is a complex area. Defamation may occur when someone makes a statement that causes serious harm to a person’s reputation. The law allows you to post comments containing your honestly held opinion, provided you identify the facts on which you are expressing your opinion. Posting untrue statements is against the law if they cause serious harm to a person’s reputation or are likely to do so. Comments deemed to contain defamatory statements will be removed.
- Disclaimer: this definition is not to be regarded as a statement of the law nor should it be relied upon to make any judgement as to whether content is potentially defamatory. It is up to you to decide whether to take specific legal advice.
- Threats: comments containing threats of public fear, terrorism or threats towards any individual are not permitted.
- Copyright: ensure that you own the copyright to any material you put on the site – especially if you have copied it from another source. If we are in doubt about the ownership of content we will remove it from the site.
When you make a comment you will be asked to provide a valid email address. Your details will only be used to contact you if you have expressed an interest in us doing so or to contact you about your comment should there be any concern about it. Wheel of Health will not pass on your details to any other party unless permitted or required by the 1998 Data Protection Act, 2018 GDPR or required by order of a court.
Copyright of your contributions
Your contributions to the website are published to the general public. In submitting your comments, you assign all rights to Wheel of Health for use and publication of your contribution. If you are unwilling to grant Wheel of Health copyright to your contribution you should not submit it to the site.
Action we may take
A breach of any of our rules can lead to your comment being rejected. Repeated or serious breaches of our rules may lead to Wheel of Health blocking contributions from your email address or suspending your account. We reserve the right to delete any content at any time for any reason and are under no obligation to publish any contributions. Wheel of Health reserves the right to alter or update the house rules or terms and conditions at any time.
Data Protection: An Introduction
The Data Protection Act (DPA) 1998 came into full force on the 1st March 2000. This supersedes the 1984 Act. It provides living individuals with a right of access to personal information held about them. The right applies to all information held in computerised form and also to non-computerised information held in filing systems structured so that specific information about particular individuals can be readily retrieved. Access to records of deceased individuals still falls within the scope of the Access to Health Records Act 1990.
The Data Protection Act places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.
Data Protection Principles
The Data Protection Act 1998 contains eight Data Protection Principles.
- Data must be processed fairly and lawfully;
- Personal data shall be obtained only for one or more specific and lawful purposes;
- Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed;
- Personal data shall be accurate and where necessary kept up to date;
- Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose;
- Personal data shall be processed in accordance with the rights of data subjects under the 1998 Data Protection Act;
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- Personal data shall not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Information Commissioner’s Office (ICO) has specific responsibilities for the promotion and enforcement of the DPA. Under the DPA, the Information Commissioner (IC) may:
- Serve information notices requiring data controllers to supply the IC with the information needed to assess compliance
- Where there has been a breach, serve an enforcement notice which requires data controllers to take specified steps or to stop taking steps in order to comply with the law.
The Company Data Protection lead is Simon Weech, Director.
Access to personal data is a right under the Data Protection Act. Any request for access to data must be made in writing to:
Wheel of Health Limited
17 Monks Wood Close
The General Data Protection Regulation (GDPR)
The GDPR is a European-wide regulation that comes into force on 25 May 2018. The legislation is designed to protect people’s personal data from being stolen or exploited by companies. Central to the new regulation is the idea of keeping people’s personal data safe and accurate, obtaining consent to collect it, and having a business purpose to hold on to it. Current data-protection legislation goes some way towards this, but the GDPR goes further.
What is personal data?
Personal data is any information that can be used to identify an individual, such as name, postal address, email address, date of birth, gender, National Insurance number, NHS number, bank details, credit card details and so on. Often it is information that will be collected as part of marketing activity or held about customers that you’ve worked with. Some personal data is classified as sensitive and requires particularly careful handling. This includes data on an individual’s ethnicity, religion, political affiliation, sexual orientation, trade union membership, previous criminal convictions, biometric data (such as fingerprints or eye scans), physical or mental health.
The GDPR broadens out the definition of personal data from the existing Data Protection Act. It now includes almost any information that can be used to identify an individual when combined with other elements of personal data. For example, items such as IP addresses (for individual computers) or physical records, such as business cards, record cards and manual filing systems, can now be classed as personal data. Also, businesses that use fingerprint recognition to gain access to a building or a locker (as in a gym) will also be subject to the regulations.
Why does any of this matter?
There are large fines for failing to comply with the collection and management of data as specified by the GDPR. The most serious cases can incur fines of up to 4% of global turnover or €20m, whichever is bigger.
Will this still apply after Brexit?
Yes. Brexit will not stop UK businesses having to comply with the new regulations – the UK will still be part of the EU when they come into force in May 2018. The GDPR will continue to apply until it is specifically repealed or overtaken by new legislation.
What are the new areas of regulation?
The GDPR contains a principle of accountability for all businesses that collect personal data (controllers) and process it (processors). Your business is accountable for the data it collects and processes. In practice, this means you must provide evidence of complying with the GDPR in the form of documented policies and procedures to deal with collecting and processing personal data. You will need to document what personal data you hold, what you do with it, and if you share it with any other organisations: who, what and why. Your business will be held responsible for the accuracy of the data you hold. This means checking that it’s up to date. If you share data and it turns out to be inaccurate, it’s up to you to contact other organisations you shared it with, to get it updated.
Under GDPR, you must report any significant personal-data breaches within 72 hours of their discovery to the relevant authority – in the UK, that’s the Information Commissioner’s Office (ICO). In the most serious cases you must report it to the individuals concerned too. The ICO defines a personal data breach as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ This means that a breach is more than just losing personal data.
Collecting data and privacy notices
Under current legislation, before you collect any personal data, you need to give your customers information about:
- who you are
- why you are collecting their data
- how you will use this information
- whether you will share it with any third parties.
This information is usually shared in a privacy notice, which often takes the form of a few lines of text near a tick box, to allow customers to give their consent. Under the GDPR you will need to update your privacy notice. As well as the existing points, you will need to explain:
- your lawful basis for processing the data
- for how long you will keep the data
- the individual’s right to complain to the ICO if they think there’s a problem with how you’re handling their data.
The GDPR emphasises the need for clear, transparent communication. It says the information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language, particularly if addressed to a child
- free of charge.
The GDPR imposes restrictions on transferring data outside the EU. Even if you think this doesn’t apply to you, be careful – if you store data with a third-party company and it has servers outside the EU, then you would be in breach of the GDPR if it moved personal data you collect to those servers.
Many of the individuals’ rights are similar to the current Data Protection Act. People have the right to request access to any personal data you hold on them, under a subject access request. Under the GDPR you must provide this free of charge, if it is a ‘reasonable’ request i.e. not one that has been made repeatedly and not for volumes of information that it would be impossible to produce within the time allowed. The deadline to provide the information has also been reduced to 30 days. Individuals are allowed to object to how you use their data. If you process data for direct marketing, you must stop using the person’s data as soon as you receive an objection, until either the objection is resolved, or the data is removed. People have the right to request that you delete their personal data if:
- it’s no longer needed for the purpose it was originally collected or processed
- they withdraw consent
- they formally object to its being used and there’s no overriding legitimate reason to continue using it
- it was processed unlawfully (in breach of the GDPR)
- there is a legal need to erase it.
Preparing for and Implementing General Data Protection Regulations (GDPR) (2018)
General Data Protection Regulations (GDPR): Setting the Scene
The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The UK Government has confirmed that Brexit will not affect the implementation of the GDPR; the Great Repeal Act means it is likely to be converted into British law.
The GDPR applies to organisations that are either controllers of data or processors of it. As under the current DPA, as a controller we are responsible for how and why personal data is processed, and as processors our staff and associates are responsible for acting on the controller’s behalf. However, under the GDPR the processor now has a specific legal obligation to maintain records of what personal data they are processing and of their processing activities. Therefore, under the GDPR both the controller and the processor have defined legal responsibilities. Most companies are both the controller and the owner.
There has been a lot in the press about the scale of the fines that can be levied against organisations. Whilst true, these reports mainly refer to large corporations; however, the Information Commissioner’s Office (ICO) does fine companies and charities, and in April 2017 it announced that it had fined 11 charities between £6,000 and £18,000. These fines were ‘significantly reduced’ so as not to cause stress to donors, but under the GDPR they are said to increase substantially.
Under the GDPR, personal data has been redefined and now covers a much wider scope, including new areas such as IP addresses, CCTV and biometrics. The GDPR also covers a ‘special’ category of personal data, referred to as sensitive data, which may only be processed in a limited number of circumstances. The principles that underpin the GDPR are ones that we would all hope people apply to our own data. From Article 5, personal data shall be (paraphrased):
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary;
- processed in a manner that ensures appropriate security of the personal data.
Buried in these principles are some very important new requirements. For example, informed consent: the information on which consent is based must be informative and unambiguous, and consent must be given freely. In addition, consent can be withdrawn. Data from children (under 16) requires authorisation from a parent or guardian, and the controller and/or processor must make all reasonable efforts to obtain this.
There are now a number of rights of the individual:
- Right to be informed: we must provide ‘fair processing information’;
- Right of access: confirmation that their data is being processed, access to their personal data, and other supplementary information;
- Right to rectification: people can have incorrect information corrected;
- Right to erasure: the right to be forgotten;
- Right to restriction of processing: we can store but not process the data;
- Right to portability: to take and reuse their personal data across a range of services;
- Right to object;
- Rights related to automated decision-making: people can object if a human is not in the loop on a decision about them.
As part of the GDPR, the company must provide a Data Protection Impact Assessment (DPIA). The DPIA identifies the specific risks to personal data as a result of processing activity and must be undertaken whenever there is a change in processes, technology, or new activity within the organisation.
There are two interrelated processes required for the implementation of the GDPR.
- Design of systems and processes which secure the data
- Design of systems and processes which ensure that data is managed properly.
The ICO will accept an organisation complying with Cyber Essentials as meeting the requirement for securing the data. Cyber Essentials is a scheme developed by the UK Government (with advice from GCHQ) and industry to give a clear statement of the basic controls that mitigate internet-based threats.
The Information Assurance for Small and Medium Enterprises (IASME) Governance standard was developed to create a cyber security standard that would be an affordable and achievable alternative to the international standard, ISO 27001. IASME Gold has been used by many organisations to demonstrate that they have the systems and processes which ensure that data is managed properly. This standard includes an assessment against the GDPR requirements, which enables companies to say they are GDPR READY.
What’s the current legal framework? The Data Protection Act 1998. This will be superseded by the General Data Protection Regulation (GDPR), which comes into force in May 2018.
What’s the significance of GDPR? It’s not in fact a huge departure from the Data Protection Act; rather it updates and adds to the existing framework. The major changes are:
Requirements for consent are more rigorous
Consent is a very hot topic, especially within organisations such as Wheel of Health Limited. The GDPR seeks to ensure that consent is given and given freely, which means the subject must have a choice and isn’t forced to give unnecessary details in the process of undertaking Wheel of Health business. Consent must be informed and specific, with clarity on how to opt in and out, and about how the data will be used. Lastly, a subject must actively confirm that they provide consent. As noted above, in the event that individuals do not have capacity to provide their consent, consent can be given by their advocate.
Requirement to delete data at the subject’s request
GDPR implementation will bring with it the ‘right to be forgotten’ and the ‘right to object’. All organisations must understand these rights and have processes in place to react to subjects invoking their rights, including, but not limited to, removing their consent and securely deleting their data.
Requirement to notify authorities within 72 hours of any data breach
There will be a requirement of all organisations to report any personal data breach to the relevant authorities and, in some cases, to the individuals affected by the breach. The requirement to notify is for breaches that may result in a risk to the rights and freedoms of individuals and this includes events that, for example, may lead to financial loss, discrimination or loss of confidentiality. This means you will need to think carefully about how you store data.
Increased fines for failure to comply
There are two tiers of fines: 2% of total annual turnover or €10 million (whichever is higher) and, for the more serious infringements, 4% of annual turnover or €20 million (again, whichever is higher).
GDPR will apply to all organisations, regardless of where they are based or their size, if they offer goods or services (even if free) to individuals in the EU. In addition, despite Brexit, the ICO has confirmed that it is likely to implement similar rules after we have left the EU, to allow the United Kingdom to operate on a level playing field with the continent. All organisations should plan for, and be ready to comply with, the GDPR.
Subject Access Requests (SARs)
What is a SAR?
A SAR is a request for personal information that the company may hold about a data subject i.e. an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of and allow them to verify the lawfulness of processing of their personal data. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data about them is being processed by the company. If personal information is being processed, they are entitled to access:
- the reasons why their data is being processed;
- the description of the personal data concerning them;
- a copy of all records including e-mails where they are mentioned (see Appendix);
- information about anyone who has received or will receive their personal data;
- details of the origin of their data if it was not collected from them.
Wheel of Health needs to be mindful that the rules on subject access apply to any individual. Wheel of Health is likely to hold and process personal data about its staff, its associates, service users, clients, equipment suppliers, case managers and many others. Each category will have the same access rights.
Key Changes to SARs under GDPR
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes Wheel of Health needs to be aware of, which may require us to make changes to our procedures:
Under the DPA, Wheel of Health can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive.’ Wheel of Health can charge a ‘reasonable fee’ for multiple requests.
Impact: This may have a significant effect where we receive large volumes of requests and this may result in an increase in administrative costs to our company.
Under the DPA, we must respond to SARs within 40 days of receipt of the written request. Under the GDPR, we must respond to SARs within one month of receipt. This deadline can be extended by a further two months where there are a number of requests or the request is complex but we must contact the individual within a month of receipt, explaining why the extension is necessary.
Impact: We will have a shorter time to deal with SARs; therefore, having an effective procedure in place will ensure that we are able to comply with the new reduced timescales. Being able to recognise a subject access request and pass it to the correct person in the company will be critical if we are to comply with the reduced timescales. Remember, for it to be a valid request, it doesn’t need to say it is a subject access request or even mention the DPA.
If staff or associates have personal e-mail accounts to which a SAR could be made, these should be monitored when the member of staff is out of the office (for example when on holiday or on secondment) to ensure that SARs are dealt with quickly. Remember, you will only have up to one month to respond; Wheel of Health needs to have good procedures to make sure it complies on time and is able to provide the information that it needs to. The ICO will take a serious view of any delay in providing the information if a complaint is made either to us or to the ICO.
Provision of Information:
Individuals can make a SAR electronically. If they do so, the information provided should be in a commonly-used electronic format, unless otherwise requested. But remember that Wheel of Health must verify the individual’s identity prior to granting access to information. This can sometimes take a little time, especially if it is a guardian or someone acting under a power of attorney who is seeking the information about a data subject.
In responding to a subject access request, the organisation will need to advise the data subject of:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom we disclose the information;
- where possible, how long we will hold the information, or the criteria we use to decide how long the personal information will be held for;
- the right to request rectification, erasure or restriction of the processing;
- the right to lodge a complaint to the ICO;
- where the personal data are not collected from the data subject, the source from where Wheel of Health obtained the data;
- and finally, the existence of any automated decision-making.
Impact: Where Wheel of Health doesn’t already have a procedure for staff or associates to identify a SAR and/or know how to escalate this to be dealt with – we will put a procedure in place and train staff accordingly.
A data retention policy is a requirement of the GDPR. Please refer to our Data Retention Policy (2018).
Right to withhold Personal Data:
Under the GDPR, Wheel of Health can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’ It will be up to the UK government to introduce any further exemptions to SARs, such as for national security, defence and public security. We should take advice if we are proposing to withhold information on this basis, as Wheel of Health will need to consider its applicability carefully, and relying on it should not result in a refusal to provide any information at all.
How should the information be given to the applicant?
A person making a subject access request only has the right to see their own personal data, rather than a right to see copies of the documents that contain their personal data. Often, the easiest way to provide the relevant information is to supply copies of original documents, but we are not obliged to do this.
Once the personal data that is relevant to the request has been located and retrieved, it must be communicated to the applicant in intelligible form. In most cases, the information must be supplied in permanent form.
Searching for Information
The ICO has given guidance on specific types of records and how the duty to locate personal data in response to a subject access request applies in these contexts:
Archived information and back-up records in electronic form:
To the extent that Wheel of Health’s search mechanisms allow it to find archived or backed-up data for its own purposes, the same effort should be used to find information in order to respond to a subject access request.
Information contained in emails:
The contents of emails stored on computer systems are a form of electronic record to which the general principles apply. For the avoidance of doubt, the contents of an email should not be regarded as deleted merely because it has been moved to a user’s ‘Deleted items’ folder.
Information is ‘deleted’ when we try to permanently discard it and we have no intention of ever trying to access it again. If personal data held in electronic form is deleted by removing it (as far as possible) from our computer systems, the fact that expensive technical expertise might enable it to be recreated does not mean we must go to such efforts to respond to a subject access request.
Information stored on personal computer equipment:
If staff or associates hold personal data on their own devices, they may be processing that data on behalf of Wheel of Health, in which case it would be within the scope of a subject access request. In general, associates do not need to be asked to search their private emails or personal devices in response to a subject access request unless there are good reasons to believe they are holding relevant personal data.
Whether information in hard-copy records is personal data accessible via the right of subject access will depend primarily on whether the non-electronic records are held in a ‘relevant filing system’. Broadly speaking, a relevant filing system exists where information about individuals is held in a sufficiently systematic, structured way as to allow ready access to specific information about those individuals.
1. The End of Passive Consent
1.1 One of the most significant impacts is the strengthened requirement for getting consent from someone to hold their data. Previously, consent was defined as any freely given specific and informed indication of their wishes. In practice companies often relied upon the person’s failure to opt out as evidence of his consent.
1.2 GDPR requires a positive, unambiguous, affirmative action. Anything less won’t be acceptable. A ticked box will still work (not a pre-ticked box!), as will an active opt in. Consent must be capable of being withdrawn at any time.
1.3 Data controllers must now capture each consent, together with the version of the privacy notice that accompanied the consent, and hold it on file for later inspection. If only partial consent is given, the system must be capable of screening out any unauthorised use.
1.4 Note that ‘grandfather’ consents won’t be allowed, so any existing consents that don’t meet GDPR requirements won’t be valid after May 2018 and must be re-acquired.
1.5 Consent will not be valid where the provision of a service is made conditional on giving that consent.
2. Legitimate Interests
2.1 As the consent rules become more stringent, companies are likely to want to consider whether they can capture the data under the banner of legitimate interests. GDPR does allow legitimate interest processing, but the tests are more stringent than before. For example, is the processing necessary for the performance of a contract or to comply with the law? It’s a balancing act between the subject’s right to privacy and the company’s interests.
2.2 GDPR adds two requirements: transparency and internal documentation. The subject must be explicitly informed, at the time the data is collected, of the purpose for which it is collected and the legitimate interest that applies. This must be embodied in the privacy notice. All this must be documented and kept as in 1.3 above, together with the rationale for using a legitimate interest as the lawful basis for collecting the data.
Someone must be designated to take responsibility for compliance. Responsibility can be delegated, but ultimate accountability will be held by the company. The person needs to be sufficiently competent and have sufficient independence to be effective.
3.1 GDPR focuses on the importance of transparency. Consent must be based on a written explanation couched in clear and plain language in an accessible form.
3.2 This is a list of information to be included:
- The controller’s identity and contact information;
- The Data Protection Officer’s (DPO) contact information;
- The purposes and legal basis of the processing;
- Details of the legitimate interests (if relied upon);
- Recipients of the personal data;
- Any intended transfer to a non-EU country and why;
- How long the data will be stored;
- Data subject rights;
- Ability to withdraw consent;
- Right to lodge a complaint and who to go to;
- Whether provision of data is required and consequences for failure;
- Whether automated decision-making is involved and the consequences to the data subject.
4. Subject rights
4.1 Existing rights
- Right of access;
- Right of rectification;
- Right to object;
- Right to object to direct marketing;
- Right not to be subject to automatic processing (Unless necessary to fulfil a contract or required by law).
4.2 New or expanded rights
- Right to be forgotten without undue delay;
- Right to restrict processing, especially where accuracy of data is contested, or no longer needed;
- Right of data portability (in a commonly used format);
- Right to object to processing for scientific, historical, or statistical processes.
5. Accountability and Requirement of a Data Governance Programme
5.1 Whereas the concept of accountability has until now been implied, it must now be evidenced. The evidence must be kept and available for inspection.
5.2 Every consent must be kept and available for inspection (1.3 above). The record keeping will need to be extensive.
5.3 Data Protection Officer (DPO). A formal DPO must be appointed, as the core activity of the company consists of regular and systematic monitoring or processing of sensitive or criminal data on a large scale. (What is ‘large scale’ is not defined, but some authorities believe 500 entries to be ‘large’.) DPOs must have appropriate knowledge and skills and sufficient independence to perform their duties. Their duties will consist of advising colleagues, performing PIAs (Privacy Impact Assessments) and audits, monitoring compliance, cooperating with data protection authorities and serving as a contact point for data subjects.
5.4 The Data Controller (DC) must conduct a PIA for any processing that is likely to pose a high risk to individuals’ rights. This must include a description of the planned processing, an analysis of the necessity for it, an assessment of the risks to privacy, and the measures that may be put in place to mitigate the risks to the rights and freedoms of the data subjects. If the risk is high the DPO must be consulted before any processing.
5.5 Privacy must be built into the design of the company’s products and services.
5.6 GDPR record keeping requirements are strict. They must include:
- Names and contact details of officials involved – DPO and DC;
- Categories of processing;
- Purposes of processing;
- Who will see the data;
- Retention periods;
- Description of security measures in place;
- Details of any cross-border transfers of information.
6. Data Breach Notifications
6.1 Under GDPR a data breach must be reported within 72 hours unless the controller can demonstrate that it’s unlikely to result in risk to data subjects.
6.2 If there’s a serious risk to data subjects they must also be notified. The risk would be the likelihood of fraud, or extreme distress or embarrassment.
6.3 Encryption is a likely panacea for breach notification obligations. If all breached data is encrypted the controller would not normally need to report it.
7.1 For the first time data processors have specific obligations. These will include the requirement to implement appropriate security measures and keep detailed records.
7.2 Under GDPR, violations carry the risk of fines and private rights of action.
Subject Access Requests
This document sets out our policy for responding to subject access requests under the Data Protection Act 1998 (DPA), which took effect from 24 October 1998, and the General Data Protection Regulation, effective 25 May 2018.
This is the legislation in the UK that explains the rights and responsibilities of those dealing with personal data. All staff are contractually bound to comply with this legislation and other relevant Authority policies.
Introduction – What is the DPA?
The DPA gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for specific and lawful purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the individuals’ rights
- Not transferred to other countries without adequate protection
Secondly, it provides individuals with important rights, including the right to find out what personal information is held on computer and in most paper records.
What is the Authority’s general policy on providing information?
We welcome the rights of access to information that are set out in the DPA. We are committed to operating openly and to meeting all reasonable requests for information that are not subject to a specific exemption in the Act.
How do you make a subject access request?
A subject access request is a written request for personal information (known as personal data) held about you by the Authority. Generally, you have the right to see what personal information we hold about you: you are entitled to be given a description of the information, what we use it for, who we might pass it on to, and any information we might have about the source of the information. However, this right is subject to certain exemptions that are set out in the Data Protection Act.
What is personal information?
Personal data is information which is biographical or which has the individual as its focus.
Further information on what amounts to personal data can be found at appendix A.
What do we do when we receive a subject access request?
Checking of identity
We will first check that we have enough information to be sure of your identity. Often we will have no reason to doubt a person’s identity, for example if we have regularly corresponded with them. However, if we have good cause to doubt your identity we can ask you to provide any evidence we reasonably need to confirm it. For example, we may ask you for a piece of information held in your records that we would expect you to know, a witnessed copy of your signature, or proof of your address.
If the person requesting the information is a relative/representative of the individual concerned, then the relative/representative is entitled to personal data about themselves but must supply the individual’s consent for the release of the individual’s personal data. If you have been appointed to act for someone under the Mental Capacity Act 2005, you must confirm your capacity to act on their behalf and explain how you are entitled to access their information. If you are the parent/guardian of a child under 16, we will need to consider whether the child can provide their consent to you acting on their behalf.
Should you make a data subject access request but you are not the data subject, you must state the basis under the Data Protection Act on which you consider you are entitled to the information.
Collation of information
We will check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this. We will gather any manual or electronically held information (including emails) and identify any information provided by a third party or which identifies a third party.
If we have identified information that relates to third parties, we will write to them asking whether there is any reason why this information should not be disclosed. We do not have to supply the information to you unless the other party has provided their consent or it is reasonable to do so without their consent. If the third party objects to the information being disclosed, we may seek legal advice on what action we should take.
Before sharing any information that relates to third parties, we will where possible anonymise information that identifies third parties not already known to the individual (e.g. Authority employees), and edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document. The DPA requires us to provide information, not documents.
Issuing our response
Once any queries around the information requested have been resolved, copies of the information in a permanent form will be sent to you, except where you agree otherwise, where it is impossible, or where it would involve undue effort. In these cases, an alternative would be to allow you to view the information on screen at the Authority.
We will explain any complex terms or abbreviations contained within the information when it is shared with you. Unless specified otherwise, we will also provide a copy of any information that you have seen before.
Will we charge a fee?
Under the GDPR we don’t charge a fee for a SAR.
What is the timeframe for responding to subject access requests?
We have one calendar month, starting from when we have received all the information necessary to identify the requester and to identify the information requested, to provide the information or to explain why we are unable to provide it. In many cases it will be possible to respond ahead of the target, and we will aim to do so where possible.
Are there any grounds we can rely on for not complying with a subject access request?
Previous request
If someone has made a previous subject access request, we must respond if a reasonable interval has elapsed since the previous request. A reasonable interval will be determined by the nature of the information, the time that has elapsed, and the number of changes that have occurred to the information since the last request.
The Act contains a number of exemptions to our duty to disclose personal data, and we may seek legal advice if we consider that they might apply. Possible exemptions would be: information covered by legal professional privilege; information used for research, historical and statistical purposes; and confidential references given or received by the Company.
What if there is an error in our records?
If the information is inaccurate, we will correct it and, where practicable, destroy the inaccurate information. We will consider informing any relevant third party of the correction. If we do not agree, or feel unable to decide, whether the information is inaccurate, we will make a note of the alleged error and keep this on file.
What if someone wants the company to stop processing their data?
Under section 10 of the DPA, someone can object to the company processing their data altogether, in relation to a particular purpose, or in a particular way, through a data subject notice. However, this only applies to certain processing activities, and there is a process that someone must follow when making such an objection. We must then give you written notice that we have complied with your request, intend to comply with it, or state the extent to which we will comply with it and why. This information will be given to you within 21 days of the company receiving the data subject notice. Further information on this can be found at informationcommissioner.gov.uk.
Our complaints procedure
If someone is not satisfied by our actions, they can seek recourse through our internal complaints procedure, the Information Commissioner or the courts.
12.2 The company director will deal with any written complaint about the way a request has been handled and about what information has been disclosed. The director can be contacted at:
Wheel of Health Limited
17 Monks Wood Close
T: +44 (0) 23 8076 8583
M: +44 (0) 7830 072 700
If someone remains dissatisfied, they have the right to refer the matter to the
Information Commissioner. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Telephone: 01625 545 745 | Fax: 01625 524 510 | Email: enquiries@ico.gsi.gov.uk
Personal data is information that relates to a living individual who can be identified from the information and which affects the privacy of that individual, either in a personal or professional capacity. Any expression of opinion about the individual or any indication of the intentions of any person in respect of the individual will be personal data.
Provided the information in question can be linked to an identifiable individual, the following are likely to be examples of personal data:
- an individual’s salary or other financial information
- information about an individual’s family life, personal circumstances or employment, and any opinion about an individual’s state of mind
- sensitive personal information – an individual’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sexual orientation, criminal record and membership of a trade union.
The following are examples of information which will not normally be personal data:
- mere reference to a person’s name, where the name is not associated with any other personal information
- incidental reference in the minutes of a business meeting of an individual’s attendance at that meeting in an official capacity
- where an individual’s name appears on a document or email indicating only that it has been sent or copied to that particular individual: the content of that document or email does not amount to personal data about the individual unless there is other information about the individual in it.
If a document sent by a third party contains information about an individual which relates to their personal or professional life, it is personal data. An outline of an organisation’s standard procedure, relevant to an individual’s complaint or s29 case, will not be personal data.
Further information can be found here: https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf
The purpose of this policy is to detail the procedures for the retention and disposal of information, to ensure that we carry this out consistently throughout the company and that we fully document any actions taken. Unless otherwise specified, the retention and disposal policy refers to both hard and soft copy documents, and to the application of a retention policy within the Office 365 suite.
Review is the examination of closed records to determine whether they should be destroyed, retained for a further period or transferred to an archive for permanent preservation.
How long we should keep our paper records
- Records should be kept for as long as they are needed to meet the operational needs of Wheel of Health, together with the legal and regulatory requirements imposed on the company.
- We have assessed our records to:
- determine their value as a source of information about the company, its operations, relationships and environment,
- assess their importance as evidence of business activities and decisions
- establish whether there are any legal or regulatory retention requirements (including the Data Protection Act 1998, the EU General Data Protection Regulation and the Freedom of Information Act 2000).
- Where records are likely to have a historical value, or are worthy of permanent preservation, we will transfer them to our online Archives after 25 years.
A disposal schedule is a key document in the management of records and information. It is a list of series or collections of records for which predetermined periods of retention have been agreed between the company directors.
- Records on disposal schedules will fall into three main categories:
- Destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 3 years; destroy 2 years after the end of the financial year).
- Automatically select for permanent preservation – where certain groups of records can be readily defined as worthy of permanent preservation and transferred to an archive.
- Review – see the definition of review above.
- Records can be destroyed in the following ways:
- Non-sensitive information – can be placed in a normal rubbish bin.
- Confidential information – cross-cut shredded and pulped, or burnt.
- Electronic equipment containing information – the storage media are wiped using KillDisk; individual folders are permanently deleted from the system.
- Archival transfer
- This is the physical transfer of records into permanent custody.
- Destruction of electronic records should render them non-recoverable, even using forensic data recovery techniques.
Sharing of information
- Duplicate records should be destroyed. Where information has been regularly shared between business areas, only the original records should be retained, in accordance with the retention guidelines above. Care should be taken that seemingly duplicate records have not been annotated.
- Where we share information with other bodies, we will ensure that they have adequate records procedures so that the information is managed in accordance with the relevant legislation and regulatory guidance.
An audit trail
- You do not need to document the disposal of records which have been listed on the records retention schedule. Documents disposed of outside the schedule, either by being disposed of earlier or kept for longer than listed, will need to be recorded for audit purposes.
- This will provide an audit trail for any inspections conducted by the Information Commissioner and will help in responding to Subject Access Requests where we no longer hold the material.
- Responsibility for monitoring the disposal policy rests with the Data Protection Officer and the Directors of the company. This policy should be reviewed according to the agreed review schedule.