Data Protection Policy



1.      This data protection policy is designed to ensure that the rights to privacy of individuals are protected. In Fine Fettle is committed to the principles set out in the General Data Protection Regulation and has reviewed its personal data processing activities so as to carry on its business as a Business in compliance with the provisions of the Regulation.


2.      Data protection lead: this person is responsible for ensuring compliance with policies and procedures on data protection, for providing any staff training, for conducting audits, risk assessments and data protection impact assessments, for responding to requests from data subjects and dealing with data breaches. He or she also handles queries and complaints from data subjects about the processing of their data, including from any members of staff, in the future. As a sole trader the name of the data protection lead is Angela Brown.


3.      Data subject: an individual whose personal data is processed.


In Fine Fettle processes personal data belonging to those people who contact the company regarding a request for assessment, intervention or advice relating to Occupational Therapy, Mickel Therapy, Mindfulness, and legal input acting as an expert in Paediatric Occupational Therapy. We also process data relating to individuals linked to any of the business of the company outlined above. The personal data of any members of staff, when appropriate, is also processed.


4.      Personal data: any information from which a living individual can be identified, either directly or indirectly. It is not limited to names and identification numbers, or to photographs or addresses.


The categories of personal data In Fine Fettle processes include:


Therapy cases


·               Names, addresses, dates of birth and other personal data provided on the referral form for anyone referred to the service. This may come from the client/patient directly. From a family member, from a school, college or other establishment or from another professional;


·                Health and medical information relating to the client/patient as well as relating to other family members. This may be from medical records provided from a third party of from direct information provided by a client/patient, referrer or family member;


·                Information relating to gender, race and ethnic origin;


·                Personal data on invoices and receipts as well as accounting records;


Expert witness cases


·               Names, addresses, dates of birth and other personal data contained in witness statements and other evidence relevant to the legal issues;


·               Health information contained in medical records, together with information on sex, race and ethnic origin;


·               Personal data in invoices and copy receipts, accounting records, tax and VAT returns and related information;


·               Copy passports, driving licenses, utility bills and other documents used to check identity;


Members of staff – including those whose details are provided for recommendation to a third party relating to work that cannot be undertaken by In Fine Fettle


·               Names, addresses, dates of birth, personal email addresses and telephone numbers;


·               CVs, CRB checks, contracts of employment, references, appraisals and salaries;


·               Bank details and pay slips;


·               Health information;


5.      Special category data: information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, health information and data in relation to a person' s sex or sexual orientation.


The special category personal data In Fine Fettle holds includes:


·               Medical and other health records


·                Race / ethnicity


6.      Processing: covers any activity involving personal data, including holding, storage and destruction. The Information Commissioner says it is difficult to image an activity involving personal data that does not fall within the definition.


7.      In Fine Fettle processes personal data in order to carry out its work as an Occupational Therapist, Mickel Therapist, trainer and expert witness and when carrying out other functions necessary to its business.


8.      The data processing activities include, but are not limited to:


·                Completing assessment reports


·                Compiling expert witness reports


·                Completion of records relating to intervention provided in a therapy session / liaison etc


·                Sending and receiving emails internally and externally


·                Submitting invoices and providing receipts


·                Use of the cloud to upload documents for internal and external use


·                Use of an electronic record keeping system (Qunotes)


·                Taking copies of identity documents and storing them in files or online, holding staff details on hard copy/electronic personnel files, archiving and destroying information.


9.      Sharing of personal data: In Fine Fettle shares personal data internally and externally only when necessary to achieve its business purposes. In particular, it shares data with the following:


·               Nurseries, schools and colleges which a client/patient attends, has previously attended or is going to or may attend


·               Representatives and administrators from equipment companies when arranging for assessments/ quotes etc. for specialist equipment (please refer to specific companies for their Data Protection Policy)


·               Other professionals involved in the care of the client/patient when multi-disciplinary sharing of information is required (including but not limited to healthcare, independent practitioners, education staff, social services staff, police, care agencies)


·               For purposed of clinical supervision with an external supervisor


·               Nominated person in relation to lone working safety policy


·               Confidential waste disposal companies


·               Digital typing services


·               Website providers


·               Cloud storage providers


·               IT support providers


·               Accountants and other professional advisers


·               HMRC


·               VAT Commissioner


Special category data is encrypted before it is shared. Where possible, data shared which allows for identification will be shared in an encrypted format which will be password protected.


10.    Data controller: decides the why and the how of personal data processing. A controller can be a sole trader, a partnership, a private or public limited company or a large multi-national organization. It decides why it needs to collect personal data and how to process it. As a sole trading company, Angela Brown is a data controller for the purposes of this policy.


11.    Data processor: processes personal data in accordance with the written instructions of the data controller. Most of the organisations that In Fine Fettle shares personal data with are processors.


12.    Legitimising conditions: The processing of personal data is unlawful unless a legitimising condition, or lawful basis, applies. In Fine Fettle generally relies on the following legitimising conditions:


·               Legitimate interest as a business


·               Contract (with employees)


·               Consent


When processing special category data, In Fine Fettle generally relies on one of the following additional legitimising conditions


·               Legal claims


·               Explicit consent


In Fine Fettle requires that written consent is given prior to the commencement of any therapeutic input. This consent is provided by the client/patient or their parent, guardian or legally identified representative. In order to be valid, consent must be freely given and as easily withdrawn as it was to give it.


13.    Data protection principles: Where there is a lawful basis for processing personal data, In Fine Fettle takes proportionate steps to ensure it carries out its personal data processing activities in accordance with the various conditions or principles contained in the GDPR.


14.    Accountability: This principle is designed to ensure that data protection is embedded in an organisation at all levels of decision making and becomes fundamental to its culture. Not only must In Fine Fettle comply with the General Data Protection Regulation but it must be able to show it complies. It is for this reason that this policy, and the appended policies have been written. In Fine Fettle ensures that these policies are implemented and they are provided for any staff now or in the future who will work as a direct employee or as an associate. Compliance with these policies will be closely monitored.


15.    Data protection by design: This is an aspect of the accountability principle. It means that data protection risks are evaluated and eradicated and reduced at the very earliest stage, whenever there is a significant change in processes or procedures which entail a risk to data subjects. Examples: a substantial upgrade to an IT system, the introduction of CCTV cameras, outsourcing such as engaging a new cloud provider. Data Protection Impact Assessments are carried out by the data protection lead in these and other circumstances where there is likely to be a high risk to data subjects.


16.    Data protection by default: minimisation: Another important principle is data minimisation. In other words, no more data should be collected, shared and stored than is strictly necessary. The retention periods for the personal data In Fine Fettle stores are up to the person reaching 25 years of age for any child and for seven years for any adult following cessation of involvement.


17.    Security: In Fine Fettle takes the security of the information which is held very seriously. All data, hard copy and electronic, will be stored in line with In Fine Fettle’s security policy.


18.    It is important that all members of staff (including associates) comply with the security policy. Failure to do so is a disciplinary offence that may result in dismissal.


19.    Personal data breach: The data protection lead is responsible for responding to personal data breaches. He or she notifies the Information Commissioner as necessary, and also data subjects where the risk to them is high.


20.    Breaches which carry any risk to data subjects must be reported to the Information Commissioner's Office (ICO) within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again. In Fine Fettle's data breach policy is attached.


21     Rights of data subjects: Data subjects have eight rights which include:


·               Right to be informed about what In Fine Fettle does with personal data;


·               Right of access to personal data by means of a subject access request;


·               Right to rectification of inaccurate data, and to add to the information In Fine Fettle holds about the data subject if it is incomplete;


·               Right to erasure, otherwise known as the right to be forgotten;


·               Right to restrict the processing of personal data;


·               Right to object to the processing In Fine Fettle carries out based on its legitimate interest.


In Fine Fettle must respond to requests from data subjects within one month. The procedure for responding to requests is appended to this policy.


22.    Human Resources: As a sole trader company In Fine Fettle has no specific Human Resources staff. All data relating to human resources is stored in hard copy files that are stored securely/electronic files stored securely in the cloud. Access to these files is restricted. Special category data, such as medical records, is further restricted as appropriate. Special category data stored electronically are encrypted. No personal data is shared without consent from the individual.


23.    All members of staff will receive training in data protection, including associates.


24.    Data Protection Risk Register: All personal data processing activities are recorded in the data protection risk register.


25.    Personal data breaches are recorded in the risk register, whether they are reportable or not.


26.    The risk register contains a copy of all audits, risk assessments and Data Protection Impact Assessments.


27.    The data protection lead holds the risk register.


28.    Enforcement and disciplinary action: Failure to comply with the General Data Protection Regulation is a criminal offence in many cases and can result in large fines. It is important that all staff are aware of this policy, receive training in data protection, and that this policy is properly implemented.


29.    Any staff or associate failure to comply with this and its associated policies is a disciplinary offence which may lead to disciplinary action and dismissal.