At Major1 Healthcare Solutions, we are committed to ensuring that all personal data required for the delivery of our services and the lawful operation of our organization is collected, processed, and stored in full compliance with the Data Protection Act 2018.
The Act supplements the General Data Protection Regulation (GDPR), and we adhere strictly to the GDPR's principles to protect the privacy and rights of our clients, staff, and partners. To maintain compliance, we follow all relevant policies, regularly review our data handling processes, and keep up to date with guidance from the Information Commissioner's Office (ICO).
Please note: All ICO guidance is treated as "live documentation" and is reviewed regularly to ensure our practices remain aligned with the latest regulations. Additionally, the European Data Protection Board (EDPB), the successor to the Article 29 Working Party (WP29), continues to publish guidelines and clarification on the more complex areas of the GDPR, which we incorporate into our procedures to ensure the highest standards of data protection and security.
After due consideration, this organisation has determined that the following lawful bases are used in the collection and processing of personal data:
Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations), including CQC regulations.
Vital Interests: the processing is necessary to protect someone’s life.
Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
The GDPR sets out the following principles, which must be adhered to when processing personal data and for which this organisation, as controller, is responsible and must be able to demonstrate compliance (the accountability principle). Please refer to the Related Guidance links for further information. These require that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Under GDPR, individuals have the following rights with respect to their personal data, which Major1 Healthcare fully recognizes and respects:
Right to Be Informed:
Individuals have the right to be informed about how their data is collected, used, and stored.
Right of Access:
Individuals can request access to their personal data and obtain confirmation of how it is being processed.
Right to Rectification:
Individuals can request correction of inaccurate or incomplete personal data.
Right to Erasure:
Also known as the "Right to Be Forgotten," individuals can request the deletion of their data under certain circumstances.
Right to Restrict Processing:
Individuals can request a temporary halt to the processing of their data under specific conditions.
Right to Data Portability:
Individuals have the right to obtain and reuse their personal data across different services.
Right to Object:
Individuals can object to the processing of their data for certain purposes, including direct marketing.
Rights Related to Automated Decision-Making and Profiling:
Individuals have the right to not be subject to decisions based solely on automated processing, including profiling, which significantly affects them.
Each of these rights is supported by detailed procedures and processes to ensure compliance.
For further guidance, please consult the Information Commissioner’s Office (ICO) guide to GDPR:
ICO GDPR Guide
Major1 Healthcare Solutions ensures compliance with GDPR by:
Conducting regular data protection impact assessments (DPIAs).
Implementing technical and organizational measures to secure data.
Training staff on GDPR compliance and data protection best practices.
Maintaining detailed records of processing activities.
For more information or to submit a Subject Access Request (SAR), please contact Major1 Healthcare’s Data Protection Officer (DPO).
Major1 Healthcare Solutions is committed to ensuring transparency in how we collect, use, handle, store, and process personal data. This commitment reflects our dedication to protecting the privacy and trust of our service users, staff, and stakeholders.
A Privacy Notice is a key tool that provides individuals with clear, accessible information about how their personal data is managed. This aligns with the General Data Protection Regulation (GDPR) principles of transparency, fairness, and accountability.
Our Privacy Notices explain:
What information we collect
Why we collect it
How it is used
Who it is shared with
How we protect it
The rights of individuals concerning their personal data
When creating and maintaining Privacy Notices, Major1 Healthcare Solutions considers the following questions:
What information is being collected?
This includes personal and sensitive data relevant to healthcare provision, such as names, contact details, medical history, and health conditions.
Who is collecting it?
Data is collected by Major1 Healthcare directly or through trusted third-party processors engaged for specific purposes, such as medical testing or IT services.
How is it collected?
Data may be collected through various means, including patient registration forms, online portals, medical consultations, and electronic health records.
Why is it being collected?
To provide safe, effective, and personalized care, comply with legal and regulatory obligations, and improve our services.
How will it be used?
Data is used for purposes such as diagnosis, treatment planning, communication, compliance with healthcare regulations, and internal reporting.
Who will it be shared with?
Information may be shared with authorized personnel, regulatory bodies (e.g., the Care Quality Commission), or third-party service providers, always ensuring data protection standards are upheld.
What effect will this have on the individual?
Data collection and use are designed to ensure high-quality care and meet individual expectations for safety, privacy, and informed consent.
Is the intended use likely to cause objections or complaints?
We regularly assess our data practices to mitigate risks and address concerns proactively.
In addition to GDPR, Major1 Healthcare Solutions complies with the Privacy and Electronic Communications Regulations (PECR), particularly regarding:
Electronic marketing (e.g., emails, texts, and phone calls)
Use of cookies and similar technologies
Security and confidentiality of electronic communications
These regulations ensure the privacy of users in electronic interactions and enhance data security.
Major1 Healthcare Solutions adheres to file retention and archiving guidelines as specified by:
GDPR
Care Quality Commission (CQC)
NHS
Local authorities under contractual service agreements
We periodically review these guidelines to ensure compliance and minimize risks associated with data retention. Health and Social Care data may be exempt from certain provisions, enabling its retention for lawful, essential purposes.
Compliance with GDPR and related regulations is integral to our operations. This includes:
Aligning policies with the Data Protection Act 2018
Meeting the requirements of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
Training staff to understand and implement data protection best practices
Major1 Healthcare Solutions ensures all staff receive training on GDPR and data protection during their induction. Specific roles that require advanced knowledge receive further training to meet organizational and legal requirements.
This Privacy Notice policy will be reviewed regularly (at least every three years) or as required to align with updates in legislation or organizational changes.
The following resources provide additional guidance:
Processing personal data under the Legal Obligation basis is necessary for Major1 Healthcare Solutions to comply with applicable laws and regulations. For example, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 require healthcare providers to collect, handle, and process data in specific ways to ensure the delivery of safe and effective care.
As a regulated healthcare provider, we are legally bound to maintain compliance with such statutory requirements and other applicable legislation, ensuring that data processing activities align with legal mandates.
The Legitimate Interests basis is one of the most flexible lawful bases for processing personal data and is applied where:
The processing is expected by individuals in the context of the service provided.
There is minimal privacy impact.
There is a compelling justification for processing.
Key Considerations for Legitimate Interests
Identify a Legitimate Interest:
This may include the interests of Major1 Healthcare Solutions, third parties, commercial benefits, or individual/social benefits.
Necessity of Processing:
The processing must be essential to achieve the identified legitimate interest.
Balance of Interests:
A balance must be maintained between Major1 Healthcare Solutions' interests and the individual's rights and freedoms. If the processing is unexpected, causes harm, or infringes on rights, it may be overridden by the individual's interests.
Record of Legitimate Interests Assessment (LIA)
Major1 Healthcare Solutions maintains a documented Legitimate Interests Assessment (LIA) for all processing activities under this basis to demonstrate compliance and accountability.
While Contract, Vital Interests, and Public Task are recognized lawful bases, they are typically less applicable within regulated healthcare settings where specific legislative and regulatory requirements dictate data processing activities.
Examples:
Contract: Used in scenarios such as employment contracts or agreements with third-party service providers.
Vital Interests: Applied when processing is necessary to protect someone’s life in emergencies.
Public Task: Relevant for public health reporting or similar statutory requirements.
The choice of a lawful basis must be carefully considered and documented before processing personal data. Service users and residents are informed of the lawful basis applied to their data processing activities through Privacy Notices and other communications.
Major1 Healthcare Solutions upholds the rights of individuals as provided by GDPR, including:
Right to Be Informed:
Individuals are entitled to know how their personal data is collected, used, and shared.
Right of Access:
Individuals may request access to their personal data and information about how it is processed.
Right to Rectification:
Individuals can request corrections to inaccurate or incomplete data.
Right to Erasure:
Also known as the "Right to Be Forgotten," this allows individuals to request deletion of their data under specific conditions.
Right to Restrict Processing:
Individuals may request a limitation on data processing in specific circumstances.
Right to Data Portability:
Individuals can obtain their data in a machine-readable format and transfer it to another service provider.
Right to Object:
Individuals can object to certain types of processing, including direct marketing or processing based on legitimate interests.
Rights Related to Automated Decision-Making and Profiling:
Individuals can object to decisions made solely through automated processes that significantly affect them.
All individual requests under these rights will be handled in line with current ICO guidance. For more information, refer to:
ICO Guide to Individual Rights
Major1 Healthcare Solutions is committed to transparency in its data processing activities. Our Privacy Notices clearly outline:
Who we are.
What we do with personal data.
Who we share data with.
Privacy Notices are designed to be clear, accessible, and written in plain language. This approach fosters trust, ensures compliance, and empowers individuals with control over their data.
Transparency Defined
In the context of data processing, transparency means that individuals are fully informed about:
The collection, use, consultation, or other processing of their personal data.
The extent and purposes of such processing.
The Information Commissioner’s Office (ICO) serves as the UK’s supervisory authority for GDPR enforcement. Under GDPR, the ICO has enhanced enforcement powers, including:
Issuing fines of up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements (£17.5 million or 4% under the UK GDPR).
Conducting audits and issuing tailored corrective actions for non-compliance.
While large fines are reserved for major breaches, small and medium-sized organizations must still maintain diligent compliance to avoid penalties.
For further guidance and updates, refer to the ICO website:
ICO Guidance and Resources
Though not mandatory, Major1 Healthcare Solutions supports the use of approved codes of conduct or certification schemes where available. These provide an additional way to demonstrate compliance with GDPR and build trust with stakeholders.
GDPR allows for specific national rules to address processing activities in specific contexts. In the UK, schedules within the Data Protection Act 2018 provide additional lawful exemptions, including:
Health and Social Work: Enhanced safeguards for sensitive health data.
Research, Statistics, and Archiving: Special provisions for processing data for public interest purposes.
Major1 Healthcare Solutions ensures compliance with all relevant schedules and regularly reviews updates from the ICO.