Data Protection Policy

Title / Version / Date / Changes / Authorised
Data Protection policy / 1 / 13th June 2016 / June 2016 Board
ditto / 2 / 14th Sept 2016 / Minor change to p 15 / Sept 2016 Board

Review date Sept 2017

Contents

Page
1. Introduction / 2
2. Purpose / 2
3. Data Protection Act 1988 / 2
4. Healthwatch Surrey’s Business Model and the Data Protection Act
4.1 The Business Model of Healthwatch Surrey
4.2 What this means in relation to the Data Protection Act / 3
5. Satisfying the requirements of the Data Protection Act / 5
6. Acceptable use of personal data, transparency and consent / 6
7. Handling personal data
7.1 Controlling access to personal data
7.2 Classification of documents containing personal data
7.3 Physical security of personal data
7.4 Security of ICT
7.5 Home working and mobile working
7.6 Use of removable media
7.7 Security of personal data while in transit: email, fax, post
7.8 Secure disposal of personal data / 6
8. Sharing and divulging personal data
8.1 Sharing personal data within Healthwatch Surrey
8.2 Sharing and divulging personal data outside Healthwatch Surrey
8.3 Assured data sharing
8.4 Limits to the confidentiality of personal data
8.5 Use of personal data for publicity, reporting or training purposes / 8
9. Right of access to personal data (Subject Access) / 10
10. Duties of the Board of Directors and Healthwatch Surrey CIC staff / 11
11. Duties of the Chief Executive Officer / 12
12. Duties of staff employed by service delivery partners / 13
13. Duties of Healthwatch Surrey volunteers / 15

Data Protection Policy

1. Introduction

Healthwatch Surrey is the independent consumer champion for health and social care in Surrey. It is a Community Interest Company (CIC) limited by Guarantee (Registered Company No. 8737632) - that is, a company that acts for the benefit of the community.

Healthwatch Surrey is required to maintain certain personal data[1] about living individuals for the purposes of satisfying its operational and legal obligations.

These personal data, whether held on paper, computer or other media, are subject to the legal safeguards specified in the Data Protection Act 1988.

2. Purpose

Healthwatch Surrey recognises the importance of treating all personal data in a correct and lawful manner.

The purpose of this policy is to set out how Healthwatch Surrey will comply with the Data Protection Act 1988 in all its operations and thereby minimise the level of risk relating to the management of personal data within the organisation.

3. Data Protection Act 1988

The Data Protection Act 1988 (DPA) establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the rights of individuals to have respect for the privacy of their personal details.

Personal data covered by the DPA encompasses all information which is, or is intended to be, processed automatically (generally by a computer) or manually.[1]

The principles of the DPA are set out overleaf.

Further information about the DPA can be found on the website of the Information Commissioner’s Office (ICO) at:

[1] Personal data are defined by the DPA as meaning any data which relate to a living individual who can be identified either from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (see Page 4 of this document); and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.

Principles of the Data Protection Act 1998

The principles require that personal data shall:

1. Be processed fairly and lawfully and shall not be processed unless certain conditions are met;

2. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;

3. Be adequate, relevant and not excessive for those purposes;

4. Be accurate and, where necessary, kept up to date;

5. Not be kept for longer than is necessary for that purpose;

6. Be processed in accordance with the data subject’s rights;

7. Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical or organisational measures; and

8. Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

4. Healthwatch Surrey’s Business Model and the Data Protection Act

4.1 The Business Model of Healthwatch Surrey

Healthwatch Surrey CIC was set up in 2013 as a joint venture by a new partnership of three well-established not for profit organisations: Surrey Independent Living Council (SILC), Help and Care (H&C) and Citizens Advice in Surrey (CAS).

A 1+1-year contract (also referred to as the Head Contract) to provide the Local Healthwatch service in Surrey for the period April 2013 - March 2015 was awarded jointly by Surrey County Council in 2013. A new three-year contract was awarded in April 2015.

Healthwatch Surrey CIC has sub-contracted some of the provision of the Local Healthwatch service to its service delivery partners: SILC, H&C and five Citizens Advice Bureaux, plus Surrey Disabled People’s Partnership for NHS Advocacy, all of whom are registered with the ICO. Their work is managed through service level agreements (SLAs).

In addition, SILC provides administrative support to the Board, as well as finance, human resources and information and communication technologies (ICT) support to the organisation. The provision of this support is also managed through an SLA.

Healthwatch Surrey CIC also uses LHM Media as a supplier of services. LHM Media is registered with the Information Commissioners Office.

Healthwatch Surrey CIC employs a Chief Executive Officer who assists the Board to formulate and regularly review the organisation's mission, strategy, policies and procedures, ensuring they are relevant, meet current standards and are fit for purpose. The Chief Executive Officer also meets with each of our service delivery partners every quarter to monitor the services they provide on behalf of Healthwatch Surrey CIC. The Chief Executive Officer reports regularly to the Board on progress.

4.2 What this means in relation to the Data Protection Act

The Head Contract includes a requirement that both parties to the contract (Surrey County Council as the Lead Purchaser and Healthwatch Surrey as the Provider) observe their obligations under the DPA that arise in connection with the contract.

The Head Contract also specifies that

• Personal data, as defined in the DPA (see Page 2 of this document), supplied by and/or processed on behalf of the Purchaser (electronic and manual) is owned by the Purchaser, which is a Data Controller[2] under the terms of the DPA

• Healthwatch Surrey, as the Provider, is the Data Processor[3] under the terms of the DPA and is required to maintain appropriate confidentiality and security arrangements in respect of all personal data supplied by and/or processed on behalf of the Purchaser and to comply fully with the principles of the DPA when processing that personal data

• The Provider must be able to provide evidence that it can comply with this obligation and must notify the Purchaser promptly of any breach of the security measures required to be in place.

[2] A Data Controller is defined in the DPA as a “person” who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data controller must be a “person” recognised in law, that is to say, either an individual, an organisation or other corporate/unincorporated body of persons. Data controllers will usually be organisations. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller. In relation to data controllers, the term ‘jointly’ is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term ‘in common’ applies where two or more persons share a pool of personal data that they process independently of each other. Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action by the Information Commissioner (who can impose penalties up to £500,000), prosecution, and compensation claims from individuals.

[3] A Data processor, in relation to personal data, is defined in the DPA as any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Data processors are not directly subject to the Act. However, most data processors, if not all, will be data controllers in their own right for the processing they do for their own administrative purposes, such as employee administration or sales.

As Healthwatch Surrey CIC has sub-contracted some of the provision of the Local Healthwatch service to its service delivery partners, Healthwatch Surrey CIC has delegated the data protection requirements set out in the Head Contract to its service delivery partners. Each of the SLAs with its service delivery partners includes a requirement that the service delivery partner concerned must comply with the requirements relating to Data Protection, as set out in the Head Contract, and also devolves to each service delivery partner the Provider responsibilities as Data Processor (under the terms of the DPA), as set out in the Head Contract.

Healthwatch Surrey CIC is also a Data Controller under the terms of the DPA (jointly with Surrey County Council) and is therefore registering as such with the ICO.

Healthwatch Surrey CIC also has an SLA with SILC for the provision of administrative support to the Board, as well as finance, human resources and ICT support to the CIC. All of these functions also have data protection implications and this SLA therefore also requires that SILC complies with the DPA in relation to these functions.

Personal data held by Healthwatch Surrey (either by the CIC or by one of its service delivery partners) includes information about:

• clients and service users;

• survey participants;

• current, past and prospective employees and volunteers;

• sub-contractors and suppliers; and

• other individuals/organisations with whom it communicates.

5. Satisfying the requirements of the Data Protection Act

In order to meet the requirements of the DPA principles, Healthwatch Surrey (both the CIC and its service delivery partners) will:

1. Observe fully the conditions regarding the fair collection and use of personal data;

2. Meet its obligations to specify the purposes for which personal data are used;

3. Collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements;

4. Ensure the quality of personal data used;

5. Apply strict checks to determine the length of time personal data are held - personal data will not be kept for longer than necessary and all personal data will be removed and disposed of after seven years;

6. Ensure that the rights of individuals about whom the personal data are held can be fully exercised under the Act;

7. Take the appropriate technical and organisational security measures to safeguard personal data; and

8. Ensure that personal data are not transferred outside the European Economic Area without suitable safeguards.

6. Acceptable use of personal data, transparency and consent

Personal data will only be sought and recorded if it is necessary for the delivery of the service and/or it is expressly in the interests of the person concerned to do so (for example, to enable better service delivery).

Healthwatch Surrey is committed to making the way it retains any personal data transparent. Individuals about whom personal data are to be recorded will be made aware about what information about them will be retained and that this information will be held securely.

Their consent to record and retain these personal data will be obtained - wherever possible, a signature from the individual concerned (or their parent, guardian or carer, where appropriate) confirming their agreement to the recording and retention of these personal data will be obtained.

The methodology of any new projects which require the collection of personal information (eg surveys, training events, etc) will ensure that data collection forms also contain an appropriate consent statement.

7. Handling personal data

The need to ensure that personal data are kept securely means that precautions must be taken against the physical loss of, or damage to, the data. Measures must also be taken to ensure that both access to, and disclosure of, personal data are restricted.

All directors, staff and volunteers are responsible for ensuring that:

• Any personal data which they hold is kept securely;

• Personal data are not disclosed either orally, in writing or otherwise to any unauthorised third party; and

• All personal data held in electronic form is protected by the use of controlled passwords and other access security provisions, as deemed to be required.

All staff are responsible for ensuring that personal data are not kept for longer than necessary.

7.1 Controlling access to personal data

The ‘need to know’ principle of minimised access to personal data will be employed across the organisation. This will ensure that all directors, staff and volunteers will only ever have access to the minimum amount of personal data required to enable them to perform their valid business role and for which appropriate consent exists.

This ‘need to know’ access principle will be implemented

• through the establishment of effective ICT user account management processes;

• by limiting the number and use of privileged accounts; and

• by monitoring the use of ICT systems and limiting access to other physical areas which house personal data.

7.2 Classification of documents containing personal data

In order to enable directors, staff and volunteers to easily identify which documents contain confidential personal data, all documents concerned will be clearly labelled in the header as ‘CONFIDENTIAL’.

7.3 Physical security of personal data

All records relating to individuals, including day books, files, correspondence, card indexes with names and addresses and computer data, will be stored securely at all times, particularly when the office is not staffed.

Particular care will be taken in the handling of records when the office is open. Confidential material will not be placed or left where it can be overlooked by members of the public or by staff who are not involved in that particular enquiry or case.

7.4 Security of ICT

All appropriate measures will be implemented to ensure the security of ICT networks and systems used by Healthwatch Surrey.

Only ICT equipment and media authorised by the Manager with responsibility for ICT will be used to handle, transport, store or process personal data. Privately owned ICT equipment will not be used unless approved in advance by the Manager with responsibility for ICT.

All remote computer processing of personal data will be protected with an identification and authentication mechanism (such as user logon and password).

7.5 Home working and mobile working

All directors, staff and volunteers will receive training to enable them to understand their personal responsibilities relating to confidential data when working from home and in outreach locations.

7.6 Use of removable media

Personal data will only be stored on a portable device if this has been authorised by a Line Manager and a secure protocol for data recording has been agreed with the Manager with responsibility for ICT. Where an alternative protocol is agreed, all files to be stored on mobile storage devices must always be password protected.

7.7 Security of personal data while in transit: email, fax, post

All directors, staff and volunteers will be made aware through initial and refresher training that Healthwatch Surrey is legally responsible for the security of personal data sent whilst in transit, including data sent via email, fax and post.

7.8 Secure disposal of personal data

All copies of confidential data will be securely erased or destroyed at the end of their business ‘life’. Feedback forms or other paper records of health and social care experiences will be destroyed after one year.

Paper records and confidential material will be shredded or stored in confidential waste sacks, or otherwise physically destroyed, to ensure that no-one can link the name and address of an individual with other specific information held about them.

8. Sharing and divulging personal data

8.1 Sharing personal data within Healthwatch Surrey

Personal data will be treated in confidence and will only be shared with another individual within Healthwatch Surrey on a “need to know” basis. For example, it may be necessary to share personal data with a manager, or with colleagues within the Healthwatch Surrey family, in order to provide the best possible help to the person concerned.

8.2 Sharing and divulging personal data outside Healthwatch Surrey

Personal data will only be passed to another agency/organisation or to other individuals outside the organisation with the consent of the person concerned - where possible this will be with written consent. If a member of staff or volunteer intends to get information from another agency to help the person, or to refer them to another agency, then this must be explained to the person concerned and their permission given.

Personal data about staff, volunteers or people using the service will not be divulged to anyone outside the organisation, including a member of their family, without the consent of the person concerned, unless extenuating circumstances exist (see 7.4 below).

8.3 Assured data sharing

Data sharing agreements consistent with the ICO’s Code of Practice on Data Sharing will be put in place where the business need to share confidential personal data with external organisations exists and where consent or other legal authority exists for the data sharing. This will include the sharing of personal data between partner organisations within the Healthwatch Surrey family. All data sharing partner organisations will be required to confirm annually that they are adhering to this agreement.

8.4 Limits to the confidentiality of personal data

In certain circumstances Healthwatch Surrey reserves the right to break a person’s confidentiality and to divulge personal data should this be deemed necessary. These circumstances include:

• When a member of staff believes that a person could cause danger to themselves or to others;

• When a member of staff suspects abuse or has knowledge of abuse;

• When the person gives information which indicates that a crime has been committed;

• When disclosure is required by law, for example, by the police;

• When a person is felt to lack the mental capacity to make a decision - in such cases, staff and volunteers will discuss the issue with a senior manager; they will only act in the person’s best interest;

• When the person gives information which indicates a possible terrorist threat.

The decision whether to break a person’s confidentiality and to divulge personal data will be decided on a case by case basis and always in conjunction with a senior manager.

8.5 Use of personal data for publicity, reporting or training purposes

Healthwatch Surrey does need to be able to share information, where appropriate, about the impact of our services. If one of our services has a story relating to a particular individual, which would provide useful material for publicity, reporting or training purposes, then wherever possible the permission of the person will be sought in writing before their story is told to anyone else in the event that we plan to use personally identifiable information. If permission cannot be obtained, then any details that would enable the identification of the person concerned will be anonymised.

9. Right of access to personal data (Subject Access)

Data subjects[4] have the right to access any personal data that is being kept about them. Any person who wishes to exercise this right should be asked to make a request in writing, addressed to the Chief Executive Officer. This right is subject to certain exemptions, which are set out in the DPA. The Act will be referred to by the Chief Executive Officer before any requests are processed.

Healthwatch Surrey aims to comply with requests for access to personal data as quickly as possible and will ensure that the personal data kept about the individual concerned are provided within 21 working days, unless there is good reason for a delay. In such cases, the reason for the delay will be explained in writing to the data subject, explaining that the request and the legal time limit of 40 calendar days will be complied with.

In the case of requests from individuals who are neither staff nor volunteers, the Chief Executive Officer will establish, before any disclosure, the identity of the individual by requesting two forms of proof of identity.

Healthwatch Surrey will make a charge of £10 for a disclosure under this right of access.

In accordance with the DPA, an individual who makes a written request and pays the required fee is entitled to be:

• Told whether any personal data are being held about them by Healthwatch Surrey;

• Given a description of the personal data held about them, the reasons this information is being held and what it is used for, and whether it will be given to any other organisations or people;

• Given a copy of the personal data held about them and details of the source of this information (where this is available).

Any request for personal data under this policy will be reported to the Board on completion of the appropriate action.

An individual can also prevent further use of their personal data if they can demonstrate that this is causing, or is likely to cause, unwarranted or substantial damage or distress. An individual who wants to exercise this right must put their objection in writing to the Chief Executive Officer and state what they require to be done to avoid causing damage or distress. The Chief Executive Officer will refer to the DPA when dealing with any such requests.

Individuals also have a right under the DPA, in certain circumstances, to have any inaccurate personal data held about them by Healthwatch Surrey rectified, blocked, erased or destroyed.

[4] The data subject is defined in the DPA as the individual who is the subject of personal data - ie the individual whom particular personal data are about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.

10. Duties of Healthwatch Surrey CIC Directors and staff

Overall and ultimate responsibility for ensuring that Healthwatch Surrey CIC and its service delivery partners (through the SLAs) are complying with the Data Protection Act lies with the Board of Directors.

The Director responsible for the oversight of this policy is the Director for Governance and Compliance.

Operational responsibility for ensuring this policy is put into practice is delegated to the Chief Executive Officer (see below).

All Directors and staff employed by the CIC, including temporary workers, will undertake data protection training prior to being given access to any personal data - this will be provided upon appointment as part of their induction training, when a copy of this policy will be provided as part of the induction checklist. In addition, refresher training will be undertaken at least annually. The training provided will be sufficient to ensure all directors and staff understand their personal responsibilities relating to personal data and have a good awareness of general data security principles and potential threats.

Healthwatch Surrey CIC directors and staff must ensure that they comply with this policy at all times. Any failure to comply with this policy will be subject to disciplinary proceedings.

All Directors and CIC staff have Healthwatch Surrey email accounts on an ICT system which is managed, on behalf of Healthwatch CIC, by SILC. All Directors and CIC staff are required to agree that they will comply with the Terms and Conditions of the system when allocated their accounts. Allocation of accounts is controlled by SILC.

In addition, all Directors and CIC staff have access to an electronic document storage system. Access rights are also controlled by SILC.

Currently, the only personal data to which Directors have access are the contact details of Directors and the Chief Executive Officer.

If any director or member of staff advises Healthwatch Surrey CIC that this policy has not been followed in respect to personal data held about themselves, this will be dealt with under SILC’s Dispute Resolution and Grievance Procedure.

11. Duties of the Chief Executive Officer

The Chief Executive Officer has, on behalf of the Board of Directors, the responsibility for all matters pertaining to Data Protection and is, for the purpose of compliance with the DPA, acting as the Data Controller[1] on behalf of Healthwatch Surrey CIC. As such, they will:

• Brief the Board on its Data Protection responsibilities

• Ensure all Directors and staff employed by the CIC, including temporary workers, receive data protection training prior to being given access to any personal data, as well as annual refresher training

• Maintain this policy

• Ensure that our service delivery partners are adhering to DPA requirements, as set out in the SLAs with each service delivery partner, and that they are providing initial and ongoing training on data protection to all staff undertaking work on behalf of Healthwatch Surrey CIC and to Healthwatch Surrey volunteers, which is appropriate to their role and needs and is provided

• Check DPA compliance within individual projects before these are initiated and when they are reviewed

• Handle subject access requests, requests to prevent further use of an individual’s personal data and requests for any inaccurate personal data held by Healthwatch Surrey to be rectified, blocked, erased or destroyed

• Ensure that the policies relating to the security of the electronic information held by Healthwatch Surrey are consistent with this policy[2]

• Handle demands for disclosure of personal data to outside agencies (e.g. the Police)

• Continue to monitor whether registration with the Information Commissioner’s Office is required.

[1] The Data Controller is responsible (either alone or jointly or in common with other persons) for determining the purposes for which and the manner in which any personal data are, or are to be, processed. Data controllers will usually be organisations. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller. Data controllers must ensure that any processing of personal data for which they are responsible complies with the DPA.

[2] SILC is responsible for the security of the electronic systems used by Healthwatch Surrey Directors, the Chief Executive Officer and other CIC staff;

LHM is responsible for hosting the Healthwatch Surrey Website; Healthwatch Surrey CIC is responsible for security of records that are sent via the website.

LHM is responsible for the security of the Informatics System and records stored within it.

CABx are responsible for the security of the electronic systems used by staff employed by CAiD and Bureaux staff and volunteers who undertake work on behalf of Healthwatch

Any questions or concerns about the interpretation or operation of this policy should, in the first instance, be taken up with the Chief Executive Officer.

In addition, the Chief Executive Officer is responsible for recording the following personal data: