Reality Consulting Limited data protection compliance
With effect from 23 May 2018 the Data Protection Act 2018 (the Act) is
the UK’s implementation of the General Data Protection Regulation (GDPR).
Reality complies with the Act.
Reality’s Registration Under the Data Protection Act 2018
Reality has appropriately registered with the Information Commissioner’s
Office under the Act.
Our Registration Number is Z5954105.
Our Data Protection Officer is Kate Brown – email: kate@reality-consulting.co.uk
Reality maintains a simple spreadsheet of Customer contacts, i.e. the individuals with whom it is necessary for Reality
staff to communicate. All contact information is provided voluntarily (either
verbally in a telephone call or via email) and is essential in order that
Reality may provide their contracted services.
This spreadsheet contains only basic details about existing Customers, or
about prospective Customers who have contacted Reality to enquire about
possible work. These details are limited to:
· Name
· Job title
· Organisation worked for
· Contact telephone numbers
· E-mail addresses
All of Reality’s Customers and prospects are personnel working within NHS organisations, whose contact details are generally a matter of public record. As such, none of the data held about these individuals can be deemed sensitive.
Customers’ “Personal Data”
Whilst Reality does not hold or process any Personal Data on
behalf of its Customers, its staff are often required to examine
a Customer’s Personal Data in the course of carrying out contracted
tasks. This data is classified as Personal Data, as defined under the Act, but
it is held and processed only by Customers, not by Reality. From the Reality
point of view, all such data will be treated in accordance with the Patient
Identifiable Data Procedure set out below.
When accessing a Customer’s Personal Data, Reality will
follow the Code of Practice set out below. This includes access for the
purposes of preventative maintenance; fault diagnosis; software installation;
software testing; upgrade; repair; replacement or any other related activity
carried out under the terms of any contract. The Code of Practice shall
apply to access of Personal Data both at the Customer’s premises and remotely
via a network, and in all circumstances: for example, during examination of
software printouts or screen dumps created in order to
investigate a support problem; or when using the Customer’s data for processing
in a live or testing environment.
The Customer provides a secure facility for remotely
connecting to their network to enable Reality to fulfil its contracts. This
facility always precludes any data (patient based or otherwise) being copied
from the Customer’s servers to Reality’s machines.
Reality will indemnify the Customer against any claim,
demand or loss arising under the Act, or from any breach of the Code of
Practice set out below, caused by any action (authorised or unauthorised)
taken by any Reality employee, or other person acting officially on behalf of
Reality.
The Customer agrees to conform to current Data Protection legislation, and to adhere to the Patient Identifiable Data Procedure set out below.
Code of Practice
• All work involving access to the
Customer’s Personal Data shall be carried out only by employees, or other
persons acting officially on behalf of Reality, who are aware of the
requirements of GDPR and of their individual responsibilities under the Act to
maintain the security of the data.
• Any Personal Data in the custody of
Reality shall be kept under appropriately secure conditions.
• Where Personal Data is recorded or
copied by Reality in any form, it shall either be returned to the Customer, or
disposed of by secure means, at an appropriate time after completion of the
work that required the record or copy to be made.
• Any Personal Data transferred
between one place and another by Reality, or officially on behalf of Reality,
shall be carried by an appropriately secure method.
• Reality shall not transfer Personal Data out of the United Kingdom unless specific and appropriate permission has been given to perform such a transfer.
Patient Identifiable Data Procedure
• The Customer agrees never to send
anything containing Patient Identifiable Data (for example, screenshots showing
a patient's name, date of birth, address, telephone number or text notes that
may identify them, or data files containing this information in readable text)
to Reality via any insecure means, including but not limited to e-mail or
standard post. Where it is necessary to provide specific examples, such
examples should ideally be placed in a file on the Customer's server (where
patient data is already held securely) to which Reality has access.
Alternatively, such details may be shared verbally over the telephone, or sent
by an agreed method of encrypted e-mail.
• In the event of the Customer inadvertently sending Patient Identifiable Data to Reality by post or e-mail in breach of this procedure, Reality will immediately destroy such data as securely as it is able, and will not be able to respond to it. Reality will also send out a letter or e-mail to the Customer pointing out the breach, so that steps can be taken to ensure that a breach of this type does not recur.
Data Protection Details
Reality’s Data Protection Officer is:
Kate Brown
Reality Consulting Limited
Prior House
Nymet Rowland
Crediton
Devon
EX17 6AW
Telephone: 0300 600 1161
Email: kate@reality-consulting.co.uk
Reality has appropriately notified its systems to the Information Commissioner under the Data Protection Act 1998. Reality’s Registration Number is Z5954105.