Data Security, Quality & Impact Policies & Personal Information Register
Data Security Policy

Overview

This policy sets out the systems and controls we have implemented to mitigate the risk of customer data being lost or stolen. This Policy covers the following key areas:

  • Governance
  • Systems and Controls
  • Training and Staff Awareness
  • Staff Recruitment and Vetting
  • Physical Security
  • Disposal of Customer Data
  • Third Party Suppliers
  • Compliance and Monitoring

Governance

  • Each member of staff is made fully aware that they are equally responsible for data security within Dunstone Optometry.
  • Derek Dunstone has overall responsibility for data security within Dunstone Optometry.
  • Derek Dunstone acknowledges that data security is a key specific risk to the firm.
  • Dunstone Optometry has an open and honest culture to encourage staff to report any data security concerns.
  • Dunstone Optometry utilises the support and guidance about data security risks and implementing additional controls from The College of Optometrists and Association of Optometrists.
  • Data loss has never occurred. However, if data loss occurs, we will contact our customers within 48 hours (either via letter or phone) and provide free guidance as to what actions they should take.

Systems and Controls

  • All staff have access to the patient records and general documents for Dunstone Optometry. All PCs are password protected. Passwords are known to Derek Dunstone.
  • The only company laptop is used for home visits and staff are aware that it must be used and secured appropriately (password protected and encrypted). Only minimal data is stored on this laptop, nothing of a sensitive nature and no addresses.
  • The identity of a client is always confirmed / checked by staff before providing any personal data over the telephone.
  • All paper client files are held in card folders or ring binders and are stored in the main reception. Visitors are not allowed access to the shelves and the area is attended when visitors are in the vicinity. Archived client files are held in an upstairs cupboard in a room which is not left unattended when visitors are present. Accounts are kept in a filing cabinet in the top office, which is locked at all times when not in use.
  • PC data is backed up on a daily basis. The internal backup is kept in the Practice in areas that are staff attended. An external backup is provided by Optinet and is encrypted.
  • Any third party gaining partial access to data is checked to confirm their integrity and trustworthiness.
  • Patient records held on computer can only be accessed by a password which is individual for that person. We do not use a ‘common’ password for patient records.
  • Most computers held onsite can only be accessed by a password which is individual for that person. We do use a ‘common’ password for reception PCs, although these are locked when left unattended.
  • An anti-virus protection package is installed on all computers held onsite, providing daily protection against viruses; the package is updated on a daily basis.
  • A record of staff who have been issued with USB devices is held and maintained.

Training and Staff Awareness

  • Data security training is given to all new recruits within the first month of their employment.
  • Data security training is delivered by Derek Dunstone.
  • Until data security training is delivered and understood, members of staff are not allowed unsupervised access to customer data.
  • Regular and on-going data security training is delivered to all existing staff to maintain their awareness.
 
 
Staff Recruitment and Vetting

  • Derek Dunstone ensures that all new recruits are appropriately vetted prior to being allowed unsupervised access to any customer data. The vetting process includes obtaining references (especially from the previous employer).
  • A vetting process is undertaken for all new recruits – including administrators, cleaners and temporary staff.

Physical Security

  • All external doors and windows are lockable and remain locked when the premises are not occupied.
  • The reception area is staffed and all visitors report to reception upon arrival.
  • All visitors are supervised throughout their visit and staff would identify any suspicious behaviour.
  • Access to the (behind desk) reception area, which holds a large amount of customer data, is restricted to staff.
  • We operate a clear desk policy when desks are unattended.

Disposal of Customer Data

  • Dunstone Optometry has clear procedures for the disposal of customer data onsite and all staff are aware that any documents that are sensitive must only be shredded and not placed in the normal waste bins within the office.
  • All client sensitive data, that is not required for retention on client files, is shredded on the premises.
  • Any mass document clearing exercises which require large quantities of shredding are carried out by Derek Dunstone.

Third Party Suppliers

  • Each third-party supplier has been interviewed and vetted by Derek Dunstone to ensure that they are fit and proper to provide their services, and they are supervised on the premises as and when appropriate.
  • Third-party providers (e.g. for IT support) are able to view limited information regarding patients at times.

Compliance and Monitoring

  • We carry out a risk assessment of our data security arrangements every 6 months.
  • The risk assessments are carried out by Derek Dunstone.
  • Any issues identified by a risk assessment are reviewed by Derek Dunstone and any actions required are addressed within 3 months from the date the assessments are conducted.

Data Quality Policy/Staff Guidance

Derek Dunstone

Introduction

Data quality is vitally important for the Practice to successfully deliver optical services to our patients. Poor data quality can lead to errors, wasted time and frustration, and can undermine our clinical expertise. Excellent data quality, conversely, allows us to deploy our clinical expertise in a timely and efficient manner and deliver positive patient outcomes. Data quality is also essential for information governance management and continuous quality improvement. We pursue a policy of no data errors, and any errors must be immediately rectified.

The Practice adheres to the Data Protection Act 2018 incorporating GDPR requirements. We also adhere to the National Data Standards for Health and Social Care.

Purpose

The purpose of this policy/guidance is to ensure that our staff implement quality data controls in the course of the Practice’s service delivery.

Audience

The audience of this policy is our staff, commissioners and other stakeholders. 

Distribution Plan

This policy/guidance must be read and understood prior to the contract of employment or other confidentiality agreement being signed. Existing staff are also required to be fully familiar with this guidance.

Training Plan and Support

Practice management conduct the training and support programme. Familiarity with this policy/guidance forms part of training and support. In the event that new modules or technologies are developed, staff will be fully trained in their use and monitored as required by management. Training will be delivered both individually and to the whole practice.

Roles and Responsibilities

The Practice’s management is responsible for overseeing data quality and ensuring that staff understand their responsibilities. However, all staff have a role in ensuring that these are carried out promptly and effectively. The DPO will advise and monitor on GDPR issues as required.

Process

All members of the Practice’s staff will ensure that they correctly take down patients’ details at the time of gathering. New members of staff will be initially scrutinised when data gathering to ensure accuracy. Where errors occur or are identified, they should be reported to management and corrective action begun. Any data breach that constitutes a serious incident will trigger the Practice’s Serious Incident Management Policy.

The Practice uses specialist clinical management software to minimise the requirement for free text entry. Our clinical management software incorporates specific modules for individual services in order to minimise the chances of errors and allow for accurate first-time data gathering. 

Staff will respect the privacy and confidentiality of data subjects in accordance with our data and confidentiality policies. Staff will only ask patients the questions necessary for their treatment and as part of our commitment to equal opportunities. The Practice holds a separate Safeguarding, Mental Capacity and Deprivation of Liberties Policy.

We ensure the continuous quality of our data through clinical audits. Clinical audits help us to ensure that the data we hold is accurate. 

The Practice will work with commissioners to implement reasonable data requirements as necessary. 

Monitoring of compliance and effectiveness of implementation

Maintaining excellent data quality is a task that requires continual monitoring. Practice management will conduct spot checks of data to ensure that it is being correctly gathered, liaising with the Practice’s management as required. Following initial training, new staff recognise that they will be subject to monitoring throughout their tenure at the Practice.

Data Protection Impact Assessment, Staff Procedure

Introduction

The Practice will ensure that we carry out Data Protection Impact Assessments (DPIAs) as necessary. We will carry out a DPIA before we begin any type of processing likely to result in higher risk. We understand that the ICO defines DPIAs as ‘a way for us to systematically and comprehensively analyse our processing and help us identify and minimise data protection risks’. We will conduct DPIAs when we plan to:

  • use systematic and extensive profiling with significant effects
  • process special category or criminal offence data on a large scale
  • systematically monitor publicly accessible places on a large scale
  • use new technologies
  • use profiling or special category data to decide on access to services
  • profile individuals on a large scale
  • process biometric data
  • process genetic data
  • match data or combine datasets from different sources
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’)
  • track individuals’ location or behaviour
  • profile children or target marketing or online services at them
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Purpose

The purpose of this procedure is to ensure that our staff are able to carry out Data Protection Impact Assessments (DPIAs) where required by GDPR/DPA 2018.

Audience

The audience of this policy is our staff, commissioners and other stakeholders.

Distribution Plan

This procedure must be read and understood prior to the contract of employment or other confidentiality agreement being signed. Existing staff are also required to be fully familiar with this guidance.

Training Plan and Support

The Practice’s DPO conducts the training and support programme. Familiarity with this procedure forms part of training and support.

Roles and Responsibilities

The Practice’s DPO is responsible for organising and conducting DPIAs. However, all staff have a role in ensuring that these are carried out promptly and effectively.

Process

Before we begin a new technology project we will undertake a DPIA to run in conjunction with the project once it begins. 

Monitoring of compliance and effectiveness of implementation

Practice management will ensure that the DPO conducts DPIAs. The DPO will ensure that relevant staff are aware of their responsibilities and the input required. We will contact the ICO where necessary (where our DPIA identifies a high risk and we cannot take measures to reduce that risk), although we understand that we do not need to do so for every DPIA we undertake.

Personal Information Register, Dunstone Optometry

Derek Dunstone

The Practice records each use or sharing of personal information, including the legal basis for the processing.

Requirements[1]

The register holds one entry per use or sharing of personal information, with the following fields (examples shown after each field):

  • Use or Sharing of Personal Information – entry field
  • Purpose of Processing – e.g. patient care
  • Legal Basis – e.g. legitimate interest
  • Categories of Data Subject/Personal Data – e.g. patient records
  • Categories of Recipients – e.g. HES
  • Information Transferred Overseas? – e.g. No
  • Data retained and disposed of in line with policies – e.g. Yes
  • National Data Opt Out relevant? – e.g. No (this refers to patient opt out of planning and research activity)
  • Data Sharing Agreement in Place? Duration? – e.g. Yes, duration annual

 

[1] http://www.opticalconfederation.org.uk/downloads/data-protection-and-gdpr-guidance-version-15-december-final.pdf.

 

3 Queen Street, Hadleigh, Ipswich, Suffolk, IP7 5DZ Tel: 01473 823755