This is a summary of the Data Protection obligations of the UKAHPP towards its members and towards the public.

It is based on the advice of the ICO (Information Commissioner’s Office) which publishes a set of guidelines on their website at http://ico.org.uk/for_organisations.

The ICO advises on a number of related laws, not just the Data Protection Act but also the Privacy and Electronic Communications Act and the Freedom of Information Act.

The Data Protection Act is the set of regulations most relevant to the workings of AHPP. For this reason the document has been entitled “Data Protection Guidelines”.

The other acts have only limited relevance to the AHPP. Nevertheless, these guidelines incorporate those parts of the other acts that do apply, so they are not based solely on the Data Protection Act.

The Data Protection Act is compatible with our role as a humanistic association. Members give personal details in the implicit understanding that those details will be used by the AHPP only for the purposes of conducting the association’s business. It would be a breach of trust to allow personal details to be used in any other way or to be accessed by anyone outside of the association. This is the essence of the Data Protection Act, so satisfying one requirement – the duty to be trustworthy with members’ details – meets the other requirement – the legal duty as a data controller.

Registration

It is clear that, since we hold personal information and are a company, we must be registered with the ICO. And indeed we are. As part of the registration process, we have made a declaration regarding the information we hold and the categories of people we hold this information about. This registration and the accompanying declaration determine what information we can hold and process. The following is a summary of what we have declared to the ICO.

Our ICO Reference: Z9654518

Nature of work – Healthcare

Reasons/purposes for processing information

We process personal information to enable us to provide health services to our patients, to maintain our accounts and records, promote our services and to support and manage our employees.

Type/classes of information processed

We process information relevant to the above reasons/purposes. This information may include:

  • personal details
  • family details
  • lifestyle and social circumstances
  • goods and services
  • financial details
  • employment and education details

We also process sensitive classes of information that may include:

  • physical or mental health details
  • sexual life
  • racial or ethnic origin
  • trade union membership
  • religious or other beliefs of a similar nature
  • offences and alleged offences

Who the information is processed about

We process personal information about our:

  • patients
  • customers and clients
  • staff
  • suppliers
  • business contacts
  • professional advisers

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisation with which we may need to share some of the personal information we process, for one or more of the reasons above.

Where necessary or required we share information with:

  • healthcare professionals
  • social and welfare organisations
  • central government
  • business associates
  • family, associates and representatives of the person whose personal data we are processing
  • suppliers and service providers
  • financial organisations
  • current, past and prospective employers
  • employment agencies and examining bodies

Transfers

It may sometimes be necessary to transfer personal information overseas. When this is needed, information is shared only within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.

Data Protection Principles

Data protection is covered by 8 basic principles.

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
    (a) at least one of the conditions in Schedule 2 [of the DPA] is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 [of the DPA] is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For further details, read the relevant section of the ICO website at: http://ico.org.uk/for_organisations/data_protection/the_guide

Data Protection as it Applies to AHPP

For each member, we should hold only the minimum data we need to perform our role as a membership and accrediting organisation. We should only hold that data for the minimum time consistent with our role. We must protect the information according to the member’s right to privacy. We must keep it up to date to ensure fair representation of that member.

Some information has historic value to an ex-member – for example a member may leave but still require the AHPP to confirm their accreditation history. So some information must be kept for ex-members. This is not necessarily the same as that kept for members.

Subject Access

Subject access is one of the main rights under the Data Protection Act. It gives people the right to access their personal information via a Subject Access Request (SAR).

A SAR does not need to be in any particular form; it is simply a written request for us to tell the individual what personal information we hold about them and to provide them with a copy of that information. We must respond within 40 calendar days of receiving the request.

The majority of information we hold on members is in the form of the membership details held in the database, so this could be printed and sent to a member very easily. We do not hold any information that would not be shared with the individual.

At the time of writing, the information held on the website can differ from the information in the database. For example, members may add information to advertise their practice. This information belongs to the member, not to the association. Members already have access to their website information, so only the database data is not readily accessible to them and is therefore the information a SAR would cover. Website information is automatically deleted when a member leaves the association.

Security of Data

We have a duty to everyone whose data we hold to ensure that the data is not misused or released to unauthorised people.

The security measures we put in place should seek to ensure that:

  • only authorised people can access, alter, disclose or destroy personal data
  • those people only act within the scope of their authority
  • if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned

These principles need to be considered for each type of information held.

Governance Documents

Records of meetings relating to the governance of the UKAHPP are published in the members area of the website and archived by the Administrator. They include minutes of General Meetings, Board Meetings and Committee Meetings as well as procedures and other documents created by the board and committee members.

These documents include the names of those present at meetings, statements made in those meetings and the names of members discussed in those meetings. So, to meet Principle 7, all this historic information must be protected as part of the UKAHPP’s data protection policy.

Cookie Policy

The use of Cookies on websites is specifically addressed in the Data Protection Act, and the details of this part of the act and recommendations for meeting the requirements of the act can be found at http://www.aboutcookies.org/.

The Act states that any website that uses cookies must have a Cookie Policy explaining this. This is all that is required if the website only uses Cookies for the essential workings of the website. However, if the website uses Cookies for non-essential tasks, it must also seek the visitor’s consent to use them.

It seems in keeping with our ethical stance for UKAHPP to adopt a policy that is as considerate as possible to visitors of the website. It is not possible to avoid the use of Cookies entirely because they are essential for the provision of any service that needs information to be retained from one web-page to the next (this is what Cookies are for). For example, a members-only area requires the website to store the visitor’s login status and this is done with Cookies.

It is therefore our policy to only use Cookies for the essential operations of the website and no more.

A consequence of this policy is that we cannot use analytics software to track how people use the website, even if this is done anonymously, because analytics software uses Cookies and this is non-essential.