The Milton Keynes Cancer Patient Partnership (The MKCPP) is committed to a policy of protecting the rights and privacy of individuals. The MKCPP needs to collect and use certain types of Data in order to conduct its work. This personal information must be collected and dealt with appropriately.
The Data Protection Act 2018 governs the use of information about people (personal data). Personal data can be held on computer or in manual files, and includes email, minutes of meetings, and images etc. The MKCPP will remain the data controller for the information held. The MKCPP and its volunteers will be personally responsible for processing and using personal information in accordance with the Data Protection Act 2018.
Members and volunteers running The MKCPP who have access to personal information will be expected to read and comply with this policy.
The purpose of this policy is to set out The MKCPP's commitment and procedures for protecting personal data. The MKCPP regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
Background to the MKCPP
The MKCPP is a non-registered, non-fundraising charity that facilitates the sharing of information, resources and pastoral care for cancer patients, their carers and families, in and around Milton Keynes, England. Members of The MKCPP consist of Health Professionals, cancer patients and carers, and representatives of local and national cancer charities volunteering their spare time for a few hours every other month. This time is spent mainly in a discussion during which all elements of cancer care in the Hospital and the Community are brought up to date.
It is to be emphasised that at no time does The MKCPP ever have any access to, or any discussion about, members’ personal medical information. Members’ information consists only of name, email address and where relevant the type of cancer/cancer care they represent. E.G.:
XXXXX XXXX, Advanced Nurse Practitioner, Upper GI (email address)
XXXXX XXXX, Patient Representative, Upper GI (email address)
The Data Protection Act 2018 Principles for Handling Personal Data
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 of the European GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 of the European GDPR, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The following list contains definitions of the technical terms we have used and is intended to aid understanding of this policy:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;*
- ‘main establishment’ means:
- as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
- as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
- ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the European GDPR, represents the controller or processor with regard to their respective obligations under this Regulation;
- ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
- ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
- ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 of the European GDPR;
- ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
- the controller or processor is established on the territory of the Member State of that supervisory authority;
- data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
- a complaint has been lodged with that supervisory authority;
- ‘cross-border processing’ means either:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
- ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (¹);
- ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
- *It is not expected that The MKCPP will hold special category data as it is not intended to hold any information on health or finance under its contract membership information unless a member requests access to the extra levels of website. Under the contract for this The MKCPP will ensure that such special category data will be held until finances are no longer required and then it will be deleted.
Applying the Data Protection Act 2018 within The MKCPP
Access to personal information is limited to the Chair and Secretary of The MKCPP (the only current “Officers” of the organisation). These two individuals are also the only people responsible for collecting personal details from new members of The MKCPP.
In such circumstances we will let people know why we are collecting their data, how it will be stored and what purposes it will be used for. It is our responsibility to ensure the data is only used for this purpose.
Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them. In some circumstances the data will be corrected by striking a line through the incorrect data and adding an explanation for this strike-through with any amendment clearly shown. This is for legal evidence needs of both the organisation and the person to whom the data refers.
Reasons for Processing Data
The MKCPP will process data for one of two reasons:
- In the case of the normal operations of The MKCPP, Personal Data will be processed as is necessary for the performance of a contract to which the person providing their Personal Data is party or in order to take steps at the request of that person prior to entering into the contract. This contract will be the membership of The MKCPP and will enable the Officers of the organisation to share relevant information with the person (the member) in order to inform them of issues pertinent to The MKCPP’s activities, Minutes of Meetings, Agendas of Meetings, notice of EGMs, and any other information important to the running of The MKCPP. The contract will be explained to each person signing up to the contract of membership and his/her full verbal permission obtained.
- In the case of any extra relevant information that The MKCPP Officers might wish to share with individual members concerning issues such as single tumour site information, external cancer meetings arrangements, individual local and national cancer charity correspondence, and any other relevant information agreed by the Chair and/or the Secretary.
The MKCPP is the Data Controller under the Act, and is legally responsible for complying with the Act, which means that it determines what purposes personal information held will be used for.
The MKCPP Officers will take into account legal requirements and ensure that they are properly implemented, and will through appropriate management, strict application of criteria and controls:
- Observe fully conditions regarding the fair collection and use of information,
- Meet their legal obligations to specify the purposes for which information is used,
- Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements,
- Ensure the quality of information used,
- Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:
- The right to be informed that processing is being undertaken
- The right of access to one’s personal information
- The right to be forgotten
- The right to prevent processing in certain circumstances and
- The right to correct, rectify, block or erase information which is regarded as wrong information when this is possible.
- Take appropriate technical and organisational security measures to safeguard personal information,
- Ensure that personal information is not transferred abroad without suitable safeguards,
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information,
- Set out clear procedures for responding to requests for information
The Data Protection Officers of The MKCPP are:
Suzan St Maur (Chair)
6 Mount Pleasant
Milton Keynes MK17 8LA
Phone 01908 587050 / 07767 354090
Jennifer Newton (Secretary)
86 Wolverton Road
Milton Keynes MK16 8JG
Phone 01908 610598 / 07910 732819
The Data Protection Officers will be responsible for ensuring that the policy is implemented and will have overall responsibility for:
- Everyone processing personal information understands that they are contractually responsible for following good data protection practice
- Everyone processing personal information is appropriately trained to do so
- Everyone processing personal information is appropriately supervised
- Everyone processing personal information has read and signed this Policy
- Anybody wanting to make enquiries about handling personal information knows what to do
- Dealing promptly and courteously with any enquiries about handling personal information
- Describe clearly how it handles personal information
- Will regularly review and audit the ways it holds, manages and uses personal information
- Will regularly assess and evaluate its methods and performance in relation to handling personal information
- All staff and volunteers are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018.
In case of any queries or questions in relation to this policy please contact the Data Protection Officers.
Data Collection and Processing
Contract Data and Consent
Contract data and consent is when
- A person providing their personal contract data so as to become a member must clearly understand exactly why their information is needed, who it will be shared with, and the possible consequences of them agreeing or refusing the proposed use of the contract data
- Consent is required if The MKCPP requests further information above and beyond what was required for contract data.
The MKCPP will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form being either paper based or online.
When collecting data, The MKCPP will ensure that the person supplying their data:
- Clearly understands why the information is needed
- Understands what it will be used for and what the consequences are should the person/member decide not to agree to the contract or give consent to the processing
- As far as reasonably possible, agrees to the contract or grants explicit consent, either written or verbal for the data to be processed
- Is, as far as reasonably practicable, competent enough to give agreement to the contract or consent and has given so freely without any duress*
- Has received sufficient information on why their data is needed and how it will be used
NOTE * It is not considered duress for The MKCPP to state that failure to agree the contract terms and supply their basic operating personal data will be reason to preclude the person from becoming a member of the organisation. The MKCPP is a membership organisation and operates under open and visible methods to assist members. Personal data is required to become a member.
The MKCPP does not have its own offices and works through volunteers who own their own computers and use those to administer and store information about the service they provide. Information and records relating to service users (members) will be stored securely and will only be accessible to authorised volunteers.
Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately. Each volunteer will be requested to purge their computer each year to ensure we are not storing information that is no longer required.
It is The MKCPP’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.
Data Subject Access Requests
Members of the public may request a copy of the personal data that The MKCPP holds on them. This includes the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In cases where this applies The MKCPP Procedure in Appendix One (a) should be followed.
If members have been asked to provide extra information by The MKCPP and give their consent for that to happen but then change their mind, it should be as easy to withdraw their consent as it was to give it. The procedure for this is to be found in Appendix One (b).
Right to Change Their Personal Data
Members of the public have the right to ensure the records stored about them are correct. If they believe a record is incorrect they can apply to have these amended or added to correct any wrongs. If a request of this type is received The MKCPP Procedure in Appendix One (c) should be followed.
Right to be Forgotten Requests
Members of the public have a new right which is termed as ‘to be forgotten’. This means that they have the right to be removed from the records of the organisation if they request it. This is not an absolute right as parts of the record could well be required to be kept under statute and therefore when such a request is received, The MKCPP will follow the Procedure in Appendix One (d). This includes an explanation of why it might be detrimental to completely expunge their records.
Right to Transfer Personal Data
If another service similar to The MKCPP is available the member has the right to have their personal data transferred to this other service. The member would then transfer to this third party service and The MKCPP would no longer provide services. The process for this is to be found in Appendix One (e).
The MKCPP may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies. The MKCPP will, where it can, supply the information in anonymised form or general figures so that no personal data is given.
The person providing their personal information will be made aware how and with whom their information will be shared within the membership contract. There are circumstances where the law allows The MKCPP to disclose data (including sensitive data) without the data subject’s consent:
- Carrying out a legal duty or as authorised by the Secretary of State
- Protecting vital interests of a Data Subject or other person
- The Data Subject has already made the information public
- Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- Monitoring for equal opportunities purposes – i.e. race, disability or religion
- Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Data Subjects to provide consent signatures.
The MKCPP regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom they deal.
The MKCPP intends to ensure that personal information is treated lawfully and correctly. If data has to be provided to a third party, especially if it has to be provided without the consent of the person concerned, and it can be anonymised before sharing, this should be undertaken.
The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Volunteers should be aware that they can be personally liable if they use members’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of The MKCPP is not damaged through inappropriate or unauthorised access and sharing.
Breach of the Duties
In cases where there is any breach of duties under the Act or inappropriate release or theft of Personal Data, The MKCPP Officers must be informed immediately. The MKCPP has only 72 hours to inform the Information Commissioner’s Office (ICO) of the breach and therefore it must be actioned immediately. Reporting is achieved through the ICO’s website at:
Destroying Personal Data
Personal data should only be kept for as long as it is needed, i.e. only keep that data for the duration of administering the campaign/project and securely dispose of it once the promotion and monitoring period is complete. Members’ personal data will be removed when they leave the organisation at the first review after they leave. The MKCPP will ensure that all computers and paper files will be reviewed annually. We will ensure that this information is confidentially destroyed at the end of the relevant retention period. However, any data that has to be retained for a legal reason (e.g. Income Tax) will be reviewed during the first review when destruction becomes available as an option.
New Software, Hardware and Other Systems
When new systems are put in place, whether computerised or manual, the Data Protection Act provisions must be taken into account at the planning stage. Design must include the provisions of the Act and a Privacy Impact Assessment must be completed.
If anyone has specific questions about information security and data protection in relation to The MKCPP please contact the Information Commissioner’s Office https://ico.gov.uk
All The MKCPP’s members are expected to follow the organisation’s policies in these areas, which the Officers will review at least every two years.
Signed: (Suzan St Maur) Suzan St Maur
Date: May 18, 2018
Signed: (Jennifer Newton) Jennifer Newton
Date: May 18, 2018
All references to days will be calendar days and not working days.
- a) Data Subject Access Requests
When a Subject Access Request is received the Officers need to be immediately informed. They will firstly ensure that the person requesting the data is legally entitled to that data. If the person requesting personal data is acting on behalf of somebody else, then consent will have to be obtained for The MKCPP to release the information to that third party. If the subject of the personal data is deceased then only the Executor of the Will or somebody who has an interest in the Will can receive such information. If there is no Will then the Officers will satisfy themselves that the person concerned is a suitable person to receive the information by either encouraging them to get a legal consent or ensuring they are the closest relative. For third parties, consent and personal identity would be required. Personal identity can be confirmed by seeing the Passport or Driving Licence of the person along with proof of their current address (a utility bill or bank statement).
When it is clear that the person has a right to the information, the Officers will request all members of The MKCPP to search their computers for any information they hold. They should provide this within 7 days. If for any reason they are away then they should supply this information in 21 days at the very longest. The Officers will provide the person requesting the information with all the data found within one month of the request being received or the validation of the person’s identity. If this cannot be met the Officers will inform the person of the reasons this cannot be achieved and agree a new timeframe with them.
- b) Consent Withdrawal
When consent has been requested from a member for extra non-contract information to be given to The MKCPP, the person must be able to withdraw consent at any time as easily as it was given. When a request to withdraw consent is received, this must immediately be passed to the Officers who will arrange for the consent to be withdrawn.
Whatever the consent was received for, that person’s role and information will immediately cease and any non-contract information gathered will be destroyed. The Officers will request all members to purge their computers of any non-contract information within 7 days and cease to use that person’s information for the purpose it was requested. Once this has been completed each member will inform the Officers before the 10th day that they have completed this and the Officers will then inform the person that their information has been deleted and while the process might continue their data is no longer being used. This will be done within 21 days. There is no fee for this service.
- c) Right to Change Their Personal Data
Members have the right to change personal data that they believe to be incorrect. If a request is received by The MKCPP for data on a person to be changed this must be passed to the Officers immediately. The Officers will discuss this with the member and ensure the right changes are noted. In some cases, it may not be possible to change what has been noted either on computers or in written format. If for instance the member requests something deleted or changed that is covered by a legal requirement to keep that information (Income Tax for instance), then a change cannot be made. However, a note can be added to the record stating the member’s view of the record.
- d) Right to be Forgotten Requests
Everyone whose data The MKCPP holds has the right to be forgotten. That means a member of The MKCPP on whom data is held can request that the whole of the data be deleted. The MKCPP must then complete the request unless there is some legal reason for which the data needs to be kept. If there is, the data must not be kept for any longer than the requirement and this must be explained to the person making the request. An example of data that may legally need to be kept is income tax data.
When such a request is received the Officers must immediately be informed. The Officers will request all members of The MKCPP to search their computers for any information they hold and to delete it. They should provide confirmation of this within 7 days. If for any reason they are away then they should supply this information in 21 days at the very longest. The Officers will provide the person requesting to be forgotten confirmation that this has been done within one month of the request being received or the validation of the person’s identity. If this cannot be met the Officers will inform the person of the reasons this cannot be achieved and agree a new timeframe with them.
- e) Right to Transfer Personal Data
Under the Data Protection Act everyone has the right to transfer information. This mainly relates to the transfer of personal information between organisations that provide similar services such as between banks or between energy companies. Currently there are no circumstances in which such transfer of personal data would be appropriate. However, if things change, then The MKCPP could look into transferring information to another organisation.
If a request is received by The MKCPP to transfer information, such a request must be given to the Officers who will contact the member to discuss the request. If the Officers are satisfied that the transfer is correct then arrangements will be made to send the information to the relevant organisation.