However we keep, use, or share your information – in electronic or paper form – we have a legal duty to keep your information safe.
Our staff, partners, and suppliers have the same legal responsibility, too.
Our staff and on-site contractors are given information governance training so they know their responsibilities to you:
- Any data breach is taken seriously:
  - it is reported to the Information Commissioner’s Office
  - disciplinary action is taken, up to and including dismissal
- Our information systems are designed, planned and implemented with a focus on security
Data protection impact assessments
Whenever we do something new with your data, we have to understand if there are any risks involved.
By law, we have to complete a data protection impact assessment which:
- helps us find any security risks
- identifies the legal basis for the collection, use, and sharing of your information.
We assess the risk right at the beginning of a project. If we need to buy something new, our assessment takes place before we go out to tender.
All assessments are sent to our Data Protection Officer for approval, and if approval is given, we go ahead with our project.
We also regularly undertake data flow mapping exercises, where we note:
- what the information is
- where the information is stored
- how the information is shared (if at all)
For more information about our data protection impact assessments, email our Information Governance Team.
Our Caldicott Guardian
The person who is responsible for making sure we comply with the Caldicott Principles is known as a Caldicott Guardian. They make sure we:
- justify the purpose of sharing your information
- don’t use identifiable information unless it is necessary…
- …if it is necessary, we use the minimum amount of information
- make sure only people who need to know have access to your information
- are aware of our responsibilities
- understand and comply with the law
- share information when it’s in your best interest.
Our Caldicott Guardian is Dr Charles Cayley.