Data Protection and Confidentiality Policy

1.  Introduction

1.1 YGIA Polyclinic collects and uses person-identifiable information about individuals in order to carry out its functions and fulfil its objectives. Personal data is defined as ‘information which relates to a living individual and from which they can be identified, either directly or indirectly’.

1.2 Personal data at YGIA Polyclinic can include, among others, patients’ records (present and past), employees’ data (present, past and prospective), associated doctors’ data, contractors’ data and third parties’ data. Processing at YGIA Polyclinic can involve both personal data and special categories of data, such as data concerning health. These data are compiled in written or electronic form, or both.

1.3 All person-identifiable information, whether manual or electronic, must be processed (held, obtained, recorded, used and shared) properly to ensure compliance with the European Regulation (EU) 2016/679 (known as the “General Data Protection Regulation” (GDPR)).

1.4 All YGIA Polyclinic employees have a legal duty to keep all information provided to the organisation and to themselves strictly confidential. This legal obligation is further enforced through the codes of practice of staff members’ respective professions and by virtue of their contract of employment with YGIA Polyclinic.

1.5 The GDPR requires YGIA Polyclinic to comply with the eight Data Protection Principles (see Appendix below) and to notify the Office of the Commissioner for Personal Data Protection about the data that we hold and why we hold it. This is a formal notification and is renewed annually.

1.6 The GDPR gives data subjects the right to access their own personal information, to have it corrected if wrong, in certain permitted circumstances to ask to control its use, and to seek damages where we are using it improperly.

1.7 The lawful and correct treatment of personal data by YGIA Polyclinic is paramount to the success of the organisation and to maintaining the confidence of its service users and employees. This policy will help YGIA Polyclinic ensure that all person-identifiable information is handled and processed lawfully and correctly.

GDPR principles

1.8 YGIA Polyclinic has a legal obligation to comply with all relevant legislation in respect of data protection and information/IT security. The organisation also has a duty to comply with guidance issued by the Department of Health, as well as other relevant guidance issued by advisory groups and professional bodies.

1.9 All legislation relevant to an individual’s right to the confidentiality of their information, and the ways in which that confidentiality can be achieved and maintained, is paramount to YGIA Polyclinic. Significant penalties can be imposed on the organisation or its employees for non-compliance.

1.10 The aim of this policy is to outline how YGIA Polyclinic meets its legal obligations in safeguarding confidentiality and adheres to information security standards. The obligations within this policy are principally based upon the requirements of the GDPR, as the key legislative and regulatory provisions governing the security of person-identifiable information.

2.  What information is covered?

2.1 Personal data within the respective legislative and regulatory provisions covers ‘any data that can be used to identify an individual either directly or indirectly’. Individuals can be identified by various means including, but not limited to, their address, telephone number or e-mail address. Anonymised or aggregated data is not regulated by the provisions, provided the anonymisation or aggregation of the data is irreversible.

3.  Policy statement

3.1 This document defines the data protection policy for YGIA Polyclinic. It applies to all person-identifiable information obtained and processed by the organisation and its employees.

It sets out:
• the organisation’s policy for the protection of all person-identifiable information that is processed
• the responsibilities (and best practice) for data protection
• the key principles of the GDPR.

4.  Principles

4.1 The objective of this policy is to ensure the protection of YGIA Polyclinic information in accordance with relevant legislation, namely:

• To ensure notification
Annually notify the Information Commissioner about the YGIA Polyclinic use of person-identifiable information. 
• To ensure professionalism
All information is obtained, held and processed in a professional manner in accordance with the provisions of the GDPR.

• To preserve security
All information is obtained, held, disclosed and disposed of in a secure manner.

• To ensure awareness
Provision of appropriate training and promote awareness to inform all employees of their responsibilities (eLearning training).

• Data Subject access - Provide Choice to Patients

Patients have different needs and values – this must be reflected in the way that they are treated, both in terms of their medical condition and the handling of their personal information.

Staff must:
• Seek the patient’s consent prior to using their information in ways that do not directly contribute to, or support, the delivery of their care
• Respect a patient’s decisions to restrict the disclosure or use of their information, other than where exceptional circumstances apply
• Communicate effectively with patients to ensure they understand the implications if they choose to agree or restrict the disclosure of their information

4.2 The policy will be reviewed periodically by the YGIA Polyclinic Management Team. Where review and update are necessary due to legislative changes, this will be done immediately.

4.3 In accordance with the YGIA Polyclinic equality and diversity policy statement, this procedure will not discriminate, either directly or indirectly, on the grounds of gender, race, colour, ethnic or national origin, sexual orientation, marital status, religion or belief, age, union membership, disability, offending background or any other personal characteristic.

5.  Scope of this policy

5.1 This policy will ensure that person-identifiable information is processed, handled, transferred, disclosed and disposed of lawfully. Person-identifiable information should be handled in the most secure manner, by authorised staff only, on a need-to-know basis.

5.2 The procedures cover all person-identifiable information, whether clinical or non-clinical, electronic or paper, which may relate to patients, employees, contractors and third parties about whom we hold information.

6.  Policy

6.1 YGIA Polyclinic obtains and processes person-identifiable information for a variety of different purposes, including but not limited to: 

• medical records
• staff records and administrative records 
• matters relating to the prevention, detection and investigation of fraud and corruption 
• complaints and requests for information.

6.2 Such information may be kept in either computer or manual records. In processing such personal data, YGIA Polyclinic will comply with the data protection principles of the GDPR.
6.3 YGIA Polyclinic has in place the relevant policy and timeframes relating to the retention and disposal of personal data, which have been set according to the data protection principles of the GDPR.

7.  Your rights under GDPR

Under the GDPR you have the following rights:
• To obtain access to, and copies of, the personal data that we hold about you;
• To require that we cease processing your personal data if the processing is causing you damage or distress;
• To require us not to send you marketing communications;
• To require us to erase your personal data;
• To require us to restrict our data processing activities;
• To receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller; and
• To require us to correct the personal data we hold about you if it is incorrect.

Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply subject to the provisions of GDPR.

8.  Data protection responsibilities

Overall responsibilities 

8.1 YGIA Polyclinic Board members, collectively known as the ‘data controller’, permit the organisation’s staff to use computers and relevant filing systems (manual records) in connection with their duties. YGIA Polyclinic Board members have legal responsibility for the notification process and for compliance with the GDPR.
8.2 YGIA Polyclinic Board members, whilst retaining their legal responsibilities, have designated a Data Protection Officer for the purpose of monitoring compliance with the GDPR requirements.
8.3 The Data Protection Officer’s responsibilities have been allocated to the organisation’s Administration and Financial Governance Manager.

Data Protection Officer’s (DPO) responsibilities

8.4 The Data Protection Officer’s responsibilities include:

• ensuring that the policy is produced and kept up to date
• ensuring that the appropriate practice and procedures are adopted and followed by YGIA Polyclinic
• providing advice and support to the Board on data protection issues within the organisation
• working collaboratively with Organisational Development and Governance and Assurance to help set the standard of data protection training for staff
• ensuring that the data protection notification with the Information Commissioner’s Office is reviewed, maintained and renewed annually for all use of person-identifiable information
• ensuring compliance with individual rights, including subject access requests
• acting as a central point of contact on data protection issues within the organisation
• implementing an effective framework for the management of data protection.

Senior managers’ responsibilities

8.5 All senior managers across the organisation are directly responsible for: 
• ensuring their staff are made aware of this policy and any notices. 
• ensuring their staff are aware of their data protection responsibilities. 
• ensuring their staff receive suitable data protection training.

General responsibilities

8.6 All YGIA Polyclinic employees, including temporary and contract staff, are subject to compliance with this policy. Under the GDPR, individuals can be held personally liable for data protection breaches.
8.7 All YGIA Polyclinic employees have a responsibility to inform their Department Head and the Data Protection Officer of any new use of personal data, as soon as reasonably practicable after it has been identified.
8.8 All YGIA Polyclinic employees will, on receipt of a request from an individual for information held (known as a subject access request), or of concerns about the processing of personal information, immediately notify the Data Protection Officer.
8.9 Employees must follow the subject access request procedure (see Appendix C below).

9.  Human Resources

9.1 Contracts of employment

9.1.1 Staff contracts of employment are produced and monitored by the Hospital’s Human Resources department. All contracts of employment include an information governance/data protection and confidentiality clause. Students are subject to the same rules.

9.1.2 As part of the induction process, both corporate and departmental, all employees of the Hospital will be made aware of their responsibilities in connection with the GDPR mentioned in this Policy. This will be provided through their Statement of Terms and Conditions and targeted training sessions carried out by Application managers and/or other trainers/specialists.

10.  Consequences of a Breach to the Policy

10.1 Breaches of this Policy will be considered a serious disciplinary matter and will be dealt with accordingly. Examples of offences which may be considered gross misconduct (the list is not exhaustive) and which may result in immediate dismissal are:
• Unlawful disclosure of Personal Data and/or Sensitive Personal Data
• Inappropriate use of Personal Data and/or Sensitive Personal Data. 
• Misuse of the Personal Data and/or Sensitive Personal Data which results in any claim being made against the Hospital.
• Loss of Personal Data and/or Sensitive Personal Data.
• Unauthorised disclosure or copying of information belonging to the Hospital.

10.2 Reporting losses of Personal Data
Any breaches/losses of personal data must be reported using the Incident reporting process. Refer to the new Policy.

11.  Monitoring

11.1 Compliance with this policy will be monitored by the Data Protection Officer and the assigned team, together with internal audit reviews where necessary.

11.2 The Data Protection Officer is responsible for the monitoring, revision and updating of this policy document on an annual basis or sooner, should the need arise.

12.  DPO

YGIA Polyclinic’s Data Protection Officer may be contacted directly with regard to all matters concerning this policy and the processing of your personal data, including the enforcement of all applicable and available rights.
Official requests may be made electronically at: dpo@ygiapolyclinic.com

For any complaints you may have, you may contact the Data Commissioner of the Republic of Cyprus at http://www.dataprotection.gov.cy