Invatech Health has an obligation to meet UK (Data Protection Act 1998 - DPA1998) and EU (General Data Protection Regulation - GDPR) legislation for the protection of Personally Identifiable Information (PII) and Patient Identifiable Data (PID).
The Information Commissioner's Office (ICO) is the UK Data Protection Authority (DPA) that oversees the management of all Personally Identifiable Information and PID activities through the Data Protection Act 1998 and EU General Data Protection Regulation (GDPR).
Effective security of the Personally Identifiable Information and PID that Invatech Health has access to and manages is a business-wide effort involving the participation and support of every Invatech Health employee, contractor and consultant who deals with this information and/or has access to IT systems. It is the responsibility of controllers and processors of Personally Identifiable Information to know this Policy and to conduct their activities accordingly.
This Policy has been written to outline the scope, definitions and controls that will be applied to Personally Identifiable Information data and information. We will process information for the following purposes:
1) To provide our care home and pharmacy IT services to you, including:
- processing staff, resident and prescription information;
- the fulfillment, tracking and delivery of orders for products and services;
- registering and supporting Invalife accounts and validating contact details;
- storing information about staff and residents;
- storing staff/resident profiles, prescription information and generating reports about residents’ medication through our Invalife portal.
2) To create and maintain records of the products we supply to you and residents.
3) To remember users who log on from the same device without having to re-submit their username.
4) To monitor the use of our services and to fix any issues affecting these services.
5) To respond to any messages, complaints or queries we may receive.
6) To offer support with any requests we receive in relation to staff or residents and the data/information we hold or process.
7) To maintain records of staff who have taken on and have completed online training.
8) To comply with any regulatory and legal requirements that apply to us and to comply with any legitimate requests from regulatory bodies.
9) To prevent crime and fraud and to comply with any legitimate requests we receive from law enforcement and crime prevention agencies.
10) To perform statistical analysis and to create reports and management information that help us understand the use of services and any trends.
11) To create and maintain records required for the operation of our business.
This Policy applies to care home and pharmacy services and all relevant and in-scope staff, contractors and consultants who use, or have access to, these systems. It covers the following data definitions:
1. Data Processor: In relation to personally-identifiable information or data, a Data Processor is any person (other than a Data Subject of the Data Controller) who processes the data on behalf of the Data Controller.
Invatech Health is a Data Processor. This means that we process data on behalf of our clients such as care homes and pharmacies. We are a Data Controller for our own information, which is covered under a separate internal staff policy.
2. Data Controller: A person who (either alone or jointly in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
Pharmacies and care homes are Data Controllers and they are required to protect the data. Invatech Health, as a processor, can be jointly liable for managing this data and therefore takes proactive steps to manage our controller relationships through contract.
3. Personal data means data relating to a living individual who can be identified:
(a) from the data, or
(b) from the data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller or processor. This includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.
4. Sensitive personal data means personal data consisting of information pertaining to:
(a) the racial or ethnic origin of the Data Subject;
(b) political opinions;
(c) religious beliefs or other beliefs of a similar nature;
(d) whether they are a member of a trade union;
(e) physical or mental health or conditions;
(f) sexual life;
(g) the commission or alleged commission by the Data Subject of any offence;
(h) any proceedings for any offence committed or alleged to have been committed by the Data Subject and the disposal of such proceedings or the sentence of any court in such proceedings.
Invatech Health will have access to both personal and sensitive data about individuals (known as Data Subjects), and Invatech Health systems and staff will have legitimate business and contractual access to such data.
The following data, often used for the express purpose of distinguishing individual identity, is available on Invatech Health systems and will be clearly classified as Personally Identifiable Information and PID. It covers users, customers and Data Subjects.
1) Names of staff and residents, including full names and ‘known by’ information.
2) Log-in names or usernames used to access systems and external portals.
3) Contact details:
- Home address.
- Email address.
- National Insurance number.
- Date of birth (age).
- Telephone number.
- Photograph of face.
4) Information from and about the device from which you access services, including the:
- IP address (when linked to an individual).
- NHS Digital identity.
- Medical health information.
- Medicines information.
5. Consent: Consent is a legally-binding expression of will, given voluntarily, in which the Data Subject declares his/her agreement to the processing of their data across the various systems and lifetime of this processing.
Principles of personal privacy
On an annual basis, the Invatech Health Data Protection Officer shall update all relevant Invatech Health external and internal privacy policies and, if applicable, outline any substantive changes in an accompanying communication and awareness training program.
The principles of Invatech Health’s privacy process are:
1) Fairness and lawfulness: In processing personal data, the individual rights of the Data Subject shall be protected. Personal data shall be processed fairly and in accordance with legal provisions.
2) Restriction to a specific purpose: Personal data may be processed only for the purposes for which they were originally collected. Changes to information may take place by virtue of a contractual agreement with the Data Subject or Controller concerned, collective agreements, consent given by the Data Subject, a legitimate business interest to do so, or through national legislation.
3) Transparency: Data Subjects shall be informed of how their data is being handled. Personal data shall be collected directly from the Data Subject concerned. When collecting the data, the Data Subject shall either be aware of, or be informed of, the following:
- The identity of the Data Controller.
- The purpose for which the data is being processed.
- Third parties or categories of third parties to whom the data may potentially be transmitted.
- National legislation or collective agreements that may impose additional or differing requirements regarding the content and scope of this information.
4) Data Economy: Before any step is taken to process personal data, it shall be checked whether, and to what extent, the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows, and where the expense involved is in proportion with the goal being pursued, anonymised or statistical data shall be used. Personal data may not be collected in advance and stored for potential future purposes. Data that are no longer needed shall be deleted in compliance with existing destruction requirements.
5) Factual accuracy and timeliness of data: Personal data shall be correct and up-to-date when stored. Suitable steps shall be taken to ensure that inaccurate or incomplete data are deleted, corrected, or supplemented.
6) Data requiring special protection: Personal data requiring special protection may be processed only under certain conditions. This includes racial or ethnic background, political views, religious or philosophical convictions, trade union membership, health, or sexual orientation of the Data Subject. Further data categories may be classed as requiring special protection.
Need-to-know principle: Data Subjects have access to personal data on a need-to-know basis only. The need-to-know principle means that Data Subjects may have access to personal information only as is appropriate for the type and scope of the task in question.
7) Automated individual decisions: Automated processing of personal data intended to evaluate certain personal aspects of the Data Subject (e.g. historic medicines information) shall not form the sole basis for decisions that have negative consequences or result in significant detriment to the Data Subject concerned. Data Subjects shall be informed of the fact that an automated decision-making procedure is carried out, and of its result, and shall be given the opportunity to respond.
Data Subject rights
Every Data Subject has the following rights. A Data Subject may not suffer any disadvantage as a consequence of asserting his/her rights:
- The Data Subject may request information on which personal data relating to him/her have been stored, how the data were collected, and for what purpose.
- If personal data are transmitted to third parties, the Data Subject concerned shall also be informed of the recipient’s identity, or of the category of recipients.
- If personal data are incorrect or incomplete, the Data Subject may request that they be corrected or supplemented.
- The Data Subject may request his/her data to be deleted if the processing of such data has no legal or legitimate business interest basis, or if both have ceased to apply. The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. Existing archival requirements shall be observed.
- The Data Subject generally has a right to object to his/her data being processed, and this shall be taken into account if the protection of his/her interests takes precedence over the interests of the Data Controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Data Processing security
Appropriate technical and organisational measures are implemented in order to provide data security. These measures safeguard personal data from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. These measures relate to the security of data which merit protection, whether processed electronically or in paper form.
These technical and organisational measures form part of an Information Security Management System (ISMS) and are constantly revised in accordance with technological developments and organisational changes.
Responsibilities and sanctions
Management is responsible for ensuring that organisational and technical measures are in place so that any data processing undertaken is carried out in accordance with regulations and with due regard for data protection. Compliance with the data protection policies and the applicable data protection laws is controlled by regular data protection audits.
Abusive processing of personal data or other violations of data protection laws may lead to criminal proceedings and claims for damages. In principle, contraventions for which individual Data Subjects can be held responsible are subject to employment law sanctions in accordance with the applicable national legislation.
In order to meet its UK Data Protection Act and EU GDPR obligations, Invatech Health has a privacy statement and a series of privacy notices, which are externally-facing and outline our commitment to privacy and our methods of collection and storage of visitor and customer information. Invatech Health can provide individuals with a copy of privacy notices upon request.
Data Protection Officer (DPO)
Invatech Health maintains a Data Protection Officer position to oversee the ideas, implementation, and enforcement of all privacy-related activities. The Data Protection Officer is internally independent but reports directly to the management team. Though sitting at management level, the Data Protection Officer has no direct responsibility with regards to business operations as the Data Protection Officer is foremost responsible to Invatech Health Data Subjects and its Data Controllers for the protection of their data.
The Data Protection Officer shall be experienced and trained in information security and GDPR law, shall remain conversant through privacy-related training sessions, conferences, or seminars, and shall maintain all relevant Data Protection Officer certifications.
The Data Protection Officer:
- is responsible for the policies on data protection and supervises their compliance;
- carries out data privacy and protection checks and audits;
- manages business-related data protection risks;
- shall be involved in programs or projects where data processing activities or risks are planned or known;
- shall be immediately informed of any suspected or actual data breach.
Decisions made by the Data Protection Officer for the protection of data or to remedy data protection breaches shall be upheld by the management of the company in question.
Quality of information
Invatech Health takes all reasonable steps to ensure that the information we collect and use is accurate, up-to-date, complete, and relevant to the practices outlined in Privacy Notices. Assurance happens at two stages:
1. Information collection.
2. Information disclosure (if relevant).
Invatech Health understands that handling poor quality information can have significant privacy impacts for individuals and is committed to maintaining its practices to ensure quality.
Use, retention, disposal and sanitisation of data
Invatech Health maintains stringent policies regarding the use, retention, disposal, and sanitisation of sensitive information and the media on which it is stored. In accordance with Invatech Health’s information security policy, sensitive information meeting retention timelines will be securely disposed of.
Disclosure to third parties
Personal information gathered by Invatech Health is for internal use only and Invatech Health will not authorise the release of this information to anyone outside Invatech Health (except to third party service providers to Invatech Health who perform functions on our behalf). In such an event, however, personal information will only be shared to the extent reasonably necessary to perform their functions and they will not be authorised to use it for any other function unless the customer has consented to such disclosure.
It is Invatech Health’s policy to never sell or disseminate personal information to other unauthorised third parties.
Invatech Health is committed to industry best practices concerning security measures which look to prevent the loss, misuse and alteration of the information in our possession. We use various audited and certified security measures to protect the information we collect (as appropriate to the classification), including encryption, firewalls and access controls. Company databases are accessible only by approved Invatech Health staff, contractors and agents on a need-to-know basis, and these staff, contractors and agents will have entered into, and are bound by, a confidentiality and non-disclosure agreement with Invatech Health.
Breach notification and reporting
Invatech Health adheres to relevant UK and EU laws and regulations regarding the notification and reporting of breaches. As outlined in policy, we are obliged to notify our Data Controllers of breaches within 72 hours of Invatech Health becoming aware of the breach, and to further report such breaches to the Data Subjects and the Information Commissioner’s Office (ICO) in accordance with their reporting guidelines and timeframes.
Invatech Health’s breach notification and reporting process is owned and executed by Invatech Health’s Data Protection Officer, and is as follows:
1) All reported security incidents are logged.
2) The nature of the security breach is analysed:
- Protected health information (PHI) breach:
  - An incident document is created.
  - A breach analysis is carried out.
- Other type of security breach:
  - The breach is assessed in relation to the relevant applicable legislation.
  - The appropriate action is taken.
On an annual basis, the business shall administer company-wide privacy and information security training.
Monitoring and enforcement
Invatech Health shall monitor this Policy for compliance by:
1) reviewing tasks relating to Data Controller and Data Subject requests for Invatech Health’s Privacy Notice;
2) ensuring service level agreements (SLAs) are met for providing the notice, subject access requests (SARs) and data breach notifications;
3) reviewing relevant policies to ensure consistency of approach and the existence of satisfactory security controls;
4) executing tasks outlined in this document.
Should anyone become aware of a violation of this Policy, it is his/her duty to report the violation to the Invatech Health Data Protection Officer using the contact information below. Such violations should be reported in writing (email) and maintained by the Data Protection Officer.