TEXT SIZE: aA aA
Supporting Cornwall and the Isles of Scilly since 1998
We're recruiting! Find out more about the benefits of working for Nursefinders, use our straightforward online application form, and take a look at some of our downloadable resources for prospective employees.
Read about Careers
The General Data Protection Principles (GDPR), which comes into force in May 2018, increases the level of regulation surrounding the processing of information relating to individuals. The existing requirements under the Data Protection Act will be replaced by GDPR and thus this policy aims to ensure Nursefinders continued compliance with applicable legislation.
GDPR is concerned with obtaining, holding, using or disclosing of personal data. This includes data gathered for various purposes, including but not limited to marketing, sales of goods or services, employment and research.
In this policy, the Company is primarily concerned with the collection and processing of:
Client (Host Employer) information;
Information provided to Nursefinders as a third party to enable us to deliver services to our clients, i.e. Information regarding their workers, suppliers and contractors.
The legislation covers computerised records as well as manual filing systems.
Nursefinders is committed to holding the minimum personal information necessary to enable it to perform its functions. All such information is confidential and therefore must be treated with care to comply with the law.
Any breach of this Policy, whether deliberate, or through negligence may lead to disciplinary action being taken or even a criminal prosecution.
Summary of Data Protection Principles
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful Grounds for Processing Personal Data
Consent: Where the Worker/Client provides their express agreement to your obtaining and processing their personal data.
A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employment contract.
Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement, e.g. providing information to HMRC.
Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
The right to be informed;
The right of access;
The right to rectification;
The right to erasure;
The right to restrict processing;
The right to data portability;
The right to object;
Rights in relation to automated decision making and profiling.
Data Protection Officer
Large scale data-processors, public authorities and organisations who process specific types of sensitive data, such as criminal convictions and offences, are required to appoint a Data Protection Officer (DPO).
It is therefore not necessary for Nursefinders to appoint a DPO under the provisions of GDPR, however Nursefinders feel that such a role should be considered in the best interests of the business and the Registered Manager has been appointed as Nursefinders’ DPO.
It is the responsibility of the Data Protection Officer to:
To inform and advise the organisation and its workers about their obligations to comply with the GDPR and other data protection laws;
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; arrange GDPR training for staff and conduct internal audits;
To be the first point of contact for supervisory authorities and for individuals whose data is processed (workers, clients etc.).
It is NOT the responsibility of the Data Protection Officer to apply the provisions of the Data Protection Act or GDPR. This is the responsibility of everyone within the Company who are individual collectors, keepers and users of personal data. Therefore, all staff are required to be aware of the provisions of the Data Protection Act and GDPR, such as keeping records up to date and accurate, and its impact on the work they undertake on behalf of Company.
Nursefinders will ensure that adequate resources are provided to enable the DPO to meet their GDPR obligations.
Under the GDPR, Nursefinders staff plus our Clients and Suppliers are responsible for ensuring that:
Any (reciprocal) personal data held, whether in electronic or paper format, is kept securely, particularly from casual observation.
Personal information is not disclosed deliberately or accidentally either verbally or in writing to any unauthorised third party. If in doubt, do not disclose the information and check with our Data Protection Officer.
Records will normally be kept for a minimum of 3 years following completion of any work or requirement for the information to be kept, or in the case of employment records, for a minimum of six years following the termination of the Worker’s employment with the Company.
Subject Access Requests
Staff, clients and suppliers have the right to access personal data that is being kept about them, insofar as it falls within the scope of the GDPR.
Any person wishing to exercise this right should make their request in writing to the DPO
The information will normally be provided free of charge, unless the request is manifestly unfounded or excessive, or it is repetitive. In such cases Nursefinders reserve the right to either:
Charge a reasonable fee to cover the administrative costs associated with providing the information. If the Company considers it reasonable to charge a fee for providing
In the unlikely event that Nursefinders refuse to respond to a subject access request, the data subject has the statutory right to raise a complaint to the Information Commissioners Office (ICO). Nursefinders have been registered with ICO since 2003. (Ref No: Z7636722)
Nursefinders aims to comply with a request for access to personal information as quickly as possible, but the company must comply with a subject access request within one month of receipt or the request, or if later, within one month of the receipt of the identity information required, the completed subject access request form and the relevant fee (if appropriate).
Nursefinders will normally respond to such requests by electronic format, however if required, hard copies can be issued upon request.
Information Held by Nursefinders
This document conforms to our own Policies & Procedures and GDPR, but also complies with the Fundamental Standards set by the Care Quality Commission (CQC).