GDPR Compliance
RDaSH takes your confidentiality and privacy rights very seriously, along with its responsibility to ensure compliance with the General Data Protection Regulation (GDPR) (2016).
To ensure compliance, RDaSH has followed, amongst other guidance, the information commissioner’s office (ICO) guidance “preparing for the general data protection regulations, 12 steps to take now”.
This document outlines how the trust has met each of these standards and what it will do to ensure compliance is maintained.
- Awareness
- Information you hold
- Communicating privacy information
- Individual rights
- Subject access requests
- Lawful basis for processing personal data
- Consent
- Children
- Data breaches
- Data protection by design and data protection impact assessments (DPIA)
- Data protection officer
- International
Awareness
RDaSH ensures that all staff within the organisation undertake annual mandatory data security awareness training; the minimum standard allowed for NHS organisations is 95% compliance in this area, with the remaining 5% allowed for staff absences as a result of sickness, maternity or paternity, or secondments.
As part of the annual training there is an assessment at the end which each employee must undertake, as well as reading and signing the trust’s staff code of conduct, before they are considered compliant.
As well as training, staff are regularly provided with updated information on data protection, best practice, information governance, etc, to ensure a high level of understanding throughout the organisation.
Training is closely monitored by senior management and the trust’s data protection officer. In addition to all of the above, the trust’s data protection officer, senior information risk owner and Caldicott guardian receive annual expert training and advice, ensuring that their knowledge is maintained at a higher level.
Information you hold
RDaSH undertakes a process which is referred to as data flow mapping. This process identifies:
- all data that flows in and out of the organisation
- for what legal purpose it is collected
- if it is processed securely
- if it is only processed for the purpose for which it was collected
- who data is shared with. This is also linked with information sharing agreements (ISAs)
Information sharing agreement
These agreements define the information that will be transferred between the organisations listed and arrangements for assisting compliance with relevant legislation and guidance. They set out the lawful basis for the use of personal data by the public sector, across traditional organisational boundaries, to achieve better policies and deliver better services.
The law, rightly, puts in place safeguards for the use of individuals’ data (the data protection act, human rights and common law) and there are organisational costs involved in meeting those conditions. It is important that those safeguards exist and are properly applied.
Data sharing can take place in a way that helps deliver the better services that we all want, while still respecting people’s legitimate expectations about the privacy and confidentiality of their personal information.
What’s next?
This process will continue to be reviewed annually. RDaSH is currently looking to publish this information as part of its openness and transparency. However, it will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary of data processing activities may be published. In the interim, an outline of data that is processed is available within the trust’s privacy notice.
Communicating privacy information
RDaSH provides a privacy notice as part of its “your information, your rights” page, alongside other information which demonstrates our compliance with GDPR. This includes:
- leaflets and guidance
- individual rights and how these are adhered to
- information sharing agreements (to be published)
- data processing agreements (to be published)
- data protection impact assessments (to be published)
What’s next?
With regard to the documents identified above as “to be published”, RDaSH is currently looking to publish this information as part of its openness and transparency. However, it will need to ensure that by doing so it does not compromise the security of the information held; therefore a summary may be provided as an alternative.
Individual rights
RDaSH has published individuals’ rights on its “your information, your rights” page, along with supporting guidance and leaflets advising on how we will adhere to these rights.
Subject access requests
RDaSH takes its responsibility to provide individuals with their information in accordance with law very seriously, and has a dedicated part of the Information Governance team in place to support this.
If you want to access your personal information, you can make a subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing, as we have to be satisfied as to your identity, and it will also provide a clear trail of correspondence and clear evidence of your actions.
Read more about the law and how to make a request.
Lawful basis for processing personal data
Organisations should identify the lawful basis for their processing activity. It should be documented and privacy notices updated. You will see that under the “information you hold” and “communicating privacy information” sections of this page, RDaSH has adhered to this requirement.
Consent
We do not rely on consent to use your information as a legal basis for processing.
We rely on specific provisions under articles 6 and 9 of the general data protection regulation, such as either:
- ‘a task carried out in the public interest or in the exercise of official authority vested in the controller’
- ‘the provision of health or social care or treatment or the management of health or social care systems and services’
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say no to our use of your information, but this could have an impact on our ability to provide you with care.
Where consent is required for data processing, we will ensure that this is explicit, freely given, specific, informed and unambiguous.
Children
For this requirement, organisations should start thinking about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
RDaSH has had a long history in ensuring that appropriate consent is obtained from children or their parents or guardians.
This is also regularly reviewed so that, if the child is considered competent enough, they then become responsible for their own data and treatment.
Data breaches
RDaSH has systems and processes in place to manage the robust reporting and investigating of data breaches and incidents. Evidence of this can be found in the trust’s data security and protection breaches or information governance incident reporting policy.
Data protection by design and data protection impact assessments (DPIA)
The General Data Protection Regulation (2016) (GDPR) introduced a new legal obligation to complete a data protection impact assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. A DPIA is a process to help identify and minimise the data protection risks of a project which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Below is a log of our completed DPIAs, together with their reference number and name of the project, as part of our openness and transparency. To request a copy of the entire DPIA please apply via the FoIA process.
Reference | Name |
---|---|
DPIA0001 | Q-interactive |
DPIA0008 | Voice Recognition Second Pilot |
DPIA0010 | ZOOM (conferencing) |
DPIA0013 | Time and attendance |
DPIA0032 | ORCHA health app library |
DPIA0034 | PVP Suite Sinclair House |
DPIA0036 | SLACK.COM |
DPIA0038 | Serious Mental Illness Physical Health Checks |
DPIA0039 | Lease 4000 Software |
DPIA0040 | Flashback Express |
DPIA0043 | Minddistrict (CCBT) |
DPIA0044 | Service Management Replacement |
DPIA0045 | Health Roster Optimisation |
DPIA0046 | Rotherham Health Record |
DPIA0047 | Uniqus App |
DPIA0049 | Zoomtec magnifier |
DPIA0050 | Axe the Fax |
DPIA0051 | EHCP digital platform (ECG Machine Test Trial) |
DPIA0053 | IESO |
DPIA0054 | MD Calc app |
DPIA0055 | SIGN app |
DPIA0056 | TOXBASE app |
DPIA0059 | Primera Doorset and Ligature Alarm System |
DPIA0061 | Next Generation Text app |
DPIA0064 | Video Interaction Guidance |
DPIA0068 | ADOS (Autism Diagnostic Obs) |
DPIA0073 | Serenity Integrated Mentoring (SIM) |
DPIA0074 | Share Point |
DPIA0076 | Individual Placement Support |
DPIA0078 | Clinical Skills Ltd |
DPIA0080 | Woodlands Camera |
DPIA0087 | Stroke Association Connect |
DPIA0091 | eConsent for School Vaccinations |
DPIA0125 | Palo Alto |
DPIA0128 | SystmOne |
DPIA0134 | Office 365 |
DPIA0136 | Speech Exec Pro Dictate Software |
DPIA0140 | QUIT |
DPIA0141 | Perfect Ward |
DPIA0142 | Children’s post screening vision screening service |
DPIA0147 | Oxehealth |
DPIA0152 | Survey Monkey |
DPIA0154 | Rotherham Health App, Subtrakt Health |
DPIA0155 | Portacount FFP3 Fit Testing Machine |
DPIA0156 | CGL framework, inpatient detox and residential rehabilitation services |
DPIA0157 | NVIS staff flu submission |
DPIA0158 | IAPT online referral |
DPIA0159 | CEC Healthcare Coding Ltd. |
DPIA0160 | ECG interpretation service |
DPIA0161 | Lateral flow reporting service |
DPIA0162 | Account self service |
DPIA0165 | Use of Eventbrite for the booking of staff events |
DPIA0170 | Covid-19 vaccination |
DPIA0176 | Govroam |
DPIA0177 | Children’s care group eClinic |
DPIA0189 | Palo Alto Global Protect VPN |
DPIA0191 | Gait Pressure Plate |
DPIA0214 | Akrivia Health Platform |
DPIA0216 | VMware Horizon VDI platform |
DPIA0220 | Medical e-Job Planning |
DPIA0221 | Technical data room or externally shared file with Hill Dickinson LLP |
DPIA0224 | Rotherham CAMHS, automated booking system |
DPIA0225 | BarCo ClickShare, hybrid meeting room trollies |
DPIA0226 | Block contract inpatient beds, consortium DMBC |
DPIA0228 | S12 Solutions app |
DPIA0229 | Newly Qualified Nurse Standardised Recruitment |
DPIA0231 | YOC Form Link in SMS |
DPIA0232 | C19-YRS COVID-19 Yorkshire Rehabilitate Scale app |
DPIA0238 | Staff Portal, booking procedure for staff training |
DPIA0242 | Remote ECG Service CAMHs and Eating Disorder Service (CEDS) |
DPIA0243 | Intellectual Disabilities Referral Form |
DPIA0245 | Formeo Implementation |
DPIA0254 | Salary Finance Portal |
DPIA0255 | Fresh Street Food and Health Pilot Study |
DPIA0256 | Akrivia Health Platform UK CRIS |
DPIA0257 | SYA Finance Together |
DPIA0258 | Just In Time Adaptive Interventions (JITAI) for Suicide and Self-Harm |
DPIA0259 | Perinatal Mental Health Feedback with LIGHT |
DPIA0265 | Deloitte Connect |
DPIA0266 | Grammarly |
DPIA0268 | Fresh Street Food and Health Pilot Study, Smart Survey |
DPIA0281 | Canon Digital Store Front |
DPIA0283 | Health roster optimisation loop app |
DPIA0285 | ISOSEC Virtual smart card pilot |
DPIA0292 | LOLIPOP study |
DPIA0296 | Technical data room or shared file with Hempsons Solicitors |
DPIA0298 | Neurodevelopment online referral form |
DPIA0299 | Doncaster crisis pathway |
DPIA0313 | Refill |
DPIA0314 | Total ESR access for executive PAs and CAST |
DPIA0323 | SystmOne communications annexe |
DPIA0324 | Wagestream |
DPIA0328 | Agiito train ticket and hotel booking platform |
DPIA0336 | Brigid UK app |
DPIA0340 | Flourish online referral system |
DPIA0343 | Star online tool |
DPIA0345 | Dragon Software |
DPIA0349 | SMI physical health checks |
DPIA0350 | Peer support |
DPIA0351 | IAPT (Talking Therapies) eClinic |
DPIA0352 | PAM occupational health system interface with ESR |
DPIA0353 | Zone 5 to 19 website live chat functionality |
DPIA0354 | Youth offending service and Zone 5 to 19 partnership |
DPIA0355 | Canva |
DPIA0358 | North Lincolnshire CAMHS neurodevelopmental service inclusion |
DPIA0359 | SystmOnline |
DPIA0360 | CCTV, gym facility, Swallownest Court |
DPIA0361 | Oceans Blue, eRostering with Allocate |
DPIA0362 | Individual placement scheme |
DPIA0363 | EQUITy trial |
DPIA0364 | Samsung transfer app |
DPIA0366 | Humber and North Yorkshire keyworker service |
DPIA0367 | NuRS |
DPIA0370 | Audacity software |
DPIA0371 | IGLOo research trial |
DPIA0374 | Stroke associate 6 month review |
DPIA0376 | Space utilisation monitoring |
DPIA0377 | Predictix |
DPIA0378 | Minddistrict |
DPIA0379 | Patient level costings power BI dashboards |
DPIA0380 | TextHelp read and write gold |
DPIA0382 | BBC news app |
DPIA0385 | Acacium |
DPIA0388 | ER tracker by Allocate |
DPIA0389 | BookWhen |
DPIA0390 | EPRR mapping |
DPIA0391 | Primary care mental health clinical documentation survey |
DPIA0392 | Qualtrics |
DPIA0393 | Philips SpeechLive web dictation and transcription |
DPIA0394 | Learning from patient safety events (LFPSE) |
DPIA0399 | Installation of Physitrack PLC software |
DPIA0401 | Charitylog |
DPIA0405 | Third party security and feature patching |
DPIA0406 | Surviving crying research trial |
DPIA0409 | CPM-2 trial, Med-Q |
DPIA0410 | Speak Up, peer support workers |
DPIA0411 | Dysphagia app |
DPIA0412 | Graylog |
DPIA0413 | Hepatitis C operational delivery network |
DPIA0415 | SMS, survey patient feedback |
DPIA0416 | TPP SystmOne client listener |
DPIA0418 | RDaSH staff app (MyArk) |
DPIA0419 | RDaSH and SYHA stroke service |
DPIA0421 | Crisis transformation |
DPIA0423 | Estates helpdesk software, Evolution FM helpdesk system |
DPIA0427 | Smart locker pilot |
DPIA0430 | QLOG, resuscitation service module and other quality assurance verticals |
DPIA0437 | Decision-making involving people with memory problems |
DPIA0438 | WRAP pack trial |
DPIA0441 | Voluntary action Rotherham Partnership |
DPIA0443 | Therapy Match-D trial |
DPIA0444 | Kahoot! 360 Pro |
DPIA0445 | RDaSH Grounded Research identifying and contacting potential research participants |
DPIA0448 | Fundraising form for Light up a Life Campaign |
DPIA0451 | Social work CPD toolkit |
DPIA0453 | IPS, with changing lives |
DPIA0454 | Recording of softphone calls into the service |
DPIA0455 | Our Space Rotherham |
DPIA0456 | Allocate LOOP application |
DPIA0461 | JAMOVI |
DPIA0462 | HaSB-IDD trial |
DPIA0463 | Roger On system |
DPIA0464 | Oracle field-test |
DPIA0465 | Environmental factors on DFUs incidence, a mixed-mode survey |
DPIA0466 | Monday.com |
DPIA0468 | DIAMONDS randomised control trial |
DPIA0469 | Relational approach to treating self-harm (RelATe) |
DPIA0478 | SH24 online provider of sexual health testing and contraception |
DPIA0480 | Redbox recording functionality on the Maintel phone system |
DPIA0488 | Skills development network app |
DPIA0489 | Jamovi |
DPIA0490 | Kahoot! |
DPIA0492 | Characterisation of negative symptoms in Schizophrenia (CHANSS project) |
DPIA0493 | Predictix case management pilot |
DPIA0494 | COMP006 |
DPIA0500 | Page Tiger |
DPIA0501 | Implementation of new roles in mental health trusts (phase 2) |
DPIA0502 | Ekahau AI Pro |
DPIA0509 | Healthy hospital and community programme, community swop to stop project |
DPIA0510 | Medii app |
DPIA0514 | Cleansing of GP records to identify coding errors in relation to dementia |
DPIA0518 | Adult CMHT peer support pilot |
DPIA0520 | Family Hub start for life programme |
Data protection officer
This trust has appointed a qualified data protection officer:
Caroline J Britten, Data Protection Officer and Head of Information Governance:
- Email: rdash.dpo@nhs.net
International
This trust does not process the majority of its data outside the EU or EEA.
Where this occurs appropriate checks are undertaken, and privacy notices will be updated accordingly.
Page last reviewed: November 19, 2024
Next review due: November 19, 2025