Reality Consulting Limited data protection compliance

With effect from 23 May 2018 the Data Protection Act 2018 (the Act) is the UK’s implementation of the General Data Protection Regulation (GDPR).

Reality complies with the Act.

Reality’s Registration Under the Data Protection Act 2018

Reality has appropriately registered with the Information Commissioner’s Office under the Act.

Our Registration Number is Z5954105.

Our Data Protection Officer is Kate Brown – email: kate@reality-consulting.co.uk

Reality maintains a simple spreadsheet of Customer contacts, i.e. the individuals with whom it is necessary for Reality staff to communicate. All contact information is provided voluntarily (either verbally in a telephone call or via email) and is essential in order that Reality may provide its contracted services.

This spreadsheet contains only basic details about existing Customers, or about prospective Customers who have contacted Reality to enquire about possible work. These details are limited to:

· Name
· Job title
· Organisation worked for
· Contact telephone numbers
· E-mail addresses

All of Reality’s Customers and prospects are personnel who work within NHS organisations and whose contact details are generally a matter of public record. As such, none of the data held about these individuals can be deemed sensitive.

Customers’ “Personal Data”

Whilst Reality does not hold or process any Personal Data on behalf of its Customers, its staff are often required to examine a Customer’s Personal Data in the course of carrying out contracted tasks. This data is classified as Personal Data, as defined under the Act, but it is held and processed only by Customers, not by Reality. From the Reality point of view, all such data will be treated in accordance with the Patient Identifiable Data Procedure set out below.

When accessing a Customer’s Personal Data, Reality will follow the Code of Practice set out below. This includes access for the purposes of preventative maintenance; fault diagnosis; software installation; software testing; upgrade; repair; replacement or any other related activity carried out under the terms of any contract. The Code of Practice shall apply to access of Personal Data both at the Customer’s premises and remotely via a network, and in all circumstances: for example, during examination of software printouts or screen dumps created in order to investigate a support problem; or when using the Customer’s data for processing in a live or testing environment.

The Customer provides a secure facility for remotely connecting to their network to enable Reality to fulfil its contracts. This facility always precludes any data (patient based or otherwise) being copied from the Customer’s servers to Reality’s machines.

Reality will indemnify the Customer against any claim, demand or loss arising under the Act, or from any breach of the Code of Practice set out below, caused by any action (authorised or unauthorised) taken by any Reality employee, or other person acting officially on behalf of Reality.

The Customer agrees to conform to current Data Protection legislation, and to adhere to the Patient Identifiable Data Procedure set out below.

Code of Practice

· All work involving access to the Customer’s Personal Data shall be carried out only by employees, or other persons acting officially on behalf of Reality, who are aware of the requirements of GDPR and of their individual responsibilities under the Act to maintain the security of the data.

· Any Personal Data in the custody of Reality shall be kept under appropriately secure conditions.

· Where Personal Data is recorded or copied by Reality in any form, it shall either be returned to the Customer, or disposed of by secure means, at an appropriate time after completion of the work that required the record or copy to be made.

· Any Personal Data transferred between one place and another by Reality, or officially on behalf of Reality, shall be carried by an appropriately secure method.

· Reality shall not transfer Personal Data out of the United Kingdom unless specific and appropriate permission has been given to perform such a transfer.

Patient Identifiable Data Procedure

· The Customer agrees never to send anything containing Patient Identifiable Data (for example, screenshots showing a patient's name, date of birth, address, telephone number or text notes that may identify them, or data files containing this information in readable text) to Reality via any insecure means, including but not limited to e-mail or standard post. Where it is necessary to provide specific examples, such examples should ideally be placed in a file on the Customer's server (where patient data is already held securely) to which Reality has access. Alternatively, such details may be shared verbally over the telephone, or sent by an agreed method of encrypted e-mail.

· In the event of the Customer inadvertently sending Patient Identifiable Data to Reality by post or e-mail in breach of this procedure, Reality will immediately destroy such data as securely as it is able, and will not be able to respond to it. Reality will also send out a letter or e-mail to the Customer pointing out the breach, so that steps can be taken to ensure that a breach of this type does not recur.

Data Protection Details

Reality’s Data Protection Officer is:

Kate Brown
Reality Consulting Limited
Prior House
Nymet Rowland
Crediton
Devon
EX17 6AW

Telephone: 0300 600 1161

Email: kate@reality-consulting.co.uk

Reality has appropriately notified its systems to the Information Commissioner under the Data Protection Act 1998. Reality’s Registration Number is Z5954105.