Krysalis Consultancy Ltd acts as a data processor in line with the definitions in the regulation. We are not involved in the large-scale processing of personal data. Personal Data is used only to provide a designated service and not for large-scale data processing activities.
The Company is not required to appoint a Data Protection Officer, however, because the data we hold comes under the special category defined by ‘sensitive personal data’, the Company has appointed a voluntary Data Protection Controller to ensure that minimum tasks under the DPA are adhered to.
We take data protection seriously and are fully cognisant of, and compliant with, both GDPR and PECR. We are registered with the ICO as Data Processors (Registration Number ZA164687).
Definition of personal data
Personal data is information that relates to a living individual who can be identified from the information and which affects the privacy of that individual, either in a personal or professional capacity. Any expression of opinion about the individual or any indication of the intentions of any person in respect of the individual will be personal data.
Provided the information in question can be linked to an identifiable individual (data subject), the following are likely to be examples of personal data:
- an individual’s salary or other financial information
- information about an individual’s family life or personal circumstances, health needs, employment or personal circumstances, any opinion about an individual’s state of mind
- sensitive personal information – an individual’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sexual orientation and criminal record.
Information we collect
The personal data we hold has been obtained direct from the data controller or data subject.
We collect and process data that includes personal identifiable information and information of a sensitive nature including name, date of birth, home and email address. We collect information about medical history and details relating to personal identity.
Where we are requested to provide a service to a beneficiary we may collect and process any of the following information:
- full name
- date of birth
- email address
- telephone number
- NHS number
- hospital number
- details of referring parties including, insurer, solicitor and Case Manager
- litigation friend details
- next of kin (NOK) details
- hospital / GP details
- accident circumstances.
We may collect video footage and photographs, however, these will only be collected and retained following signed consent from the data controller.
In line with the regulation, we are required to inform you of any other processors involved in the processing of your personal data. We have sought and have recorded assurances from other processors, where they are used; and they are as follows:
Microsoft We use Microsoft Office 365 to store information relating to a staff member, beneficiary and referrer. https://www.microsoft.com/en-us/trustcenter/privacy/
iinsight We use iinsight to store and manage information relating to a beneficiary and referrer. http://www.iinsight.biz/information-security.php
Qunote We use Qunote to store and manage information relating to a beneficiary and referrer. http://www.qunote.com/case-management-software-features/data-security/
PeopleHR We use PeopleHR to store and manage information relating to a staff member. https://www.peoplehr.com/gdpr.html
Dropbox We use Dropbox for some project related information. https://www.dropbox.com/en_GB/security/GDPR
Purpose of processing and the legal basis for processing
We process data to plan and implement the service, to improve service delivery and to measure the effectiveness of the service. We use data to record information for equality and diversity audits and to support compliance with all regulatory requirements. We use personal data to maintain staff and beneficiary safety.
We use data for marketing and promotion of the service and to share information and knowledge relevant to the service provided. We do not engage in profiling or automated decision making.
Data processing safeguards
We have data processing safeguards in place to support our service. A full outline of all of our data processing activities can be seen within our Data Protection Policy and GDPR risk assessment.
- Our day-to-day working practices and culture support good governance in relation to data protection.
- Training, education and supervision is offered to all staff in relation to data protection.
- Our electronic systems are structured in a way so to reduce the risks associated with managing personal information.
- We routinely audit working practices.
- We only utilise software from accredited sources.
- We only work with companies who can demonstrate a commitment to data protection.
- We ensure that all devices are protected from online threats.
- We use software firewalls and TSL encrypted emails hosted by a Microsoft exchange server to protect data.
- Our website has an SSL certificate and, therefore, adheres to industry standards for online website safety and security. We do not store any personal identifiable information on our website.
Details of transfers to third country and safeguards
We do not sell or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations.
Retention period or criteria used to determine the retention period
We collect data in order to provide quotes to prospective referrers and to fulfil service and contractual requirements. This information may be retained for up to 7 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client and beneficiary communication, the marketing of services / sharing of information relevant to the service and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not retained and provided we will be unable to satisfactorily communicate with referrers and beneficiaries, and so would be unable to act effectively on any requests from such individuals.
Where we are requested to provide a service to a beneficiary we are required to produce and retain clinical records. In relation to retaining clinical records the Company’s insurance policy states that it is a condition of the Insurance Policy to take and retain client records. The policy wording notes; ‘The records shall be kept for at least 7 years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept or at least 7 years after they reach the age of maturity (18).’ Record Keeping - Condition 14 c, on page 35
The Statute of Limitation in the UK (i.e. the time when an individual is able to bring a claim) is 6 years for certain injury claim situations, or 6 years after the individual reaches the age of maturity in the case of minors. However, these 6 years start from the date that the injury was discovered and not from the time that the alleged incident that caused it occurred. There are also instances, for example if treating a vulnerable client, where the statute may be overturned.
Due to the nature of the work undertaken by the Company our policy states that clinical records will be retained for 10 years after the beneficiary’s death. However personal identifiable data found within our electronic data management system is removed within 6 months of a case being closed. There are provisions under the GDPR with regards to keeping records in a claim situation. This guidance clearly gives the right to retain data to comply with insurance Terms and Conditions, should an individual make a request for them to be deleted under their Right of Erasure.
The existence of each of data subject’s rights
Data subjects have the right to request objection, access, deletion, alteration, restriction of processing, withdrawal of consent, and data portability. To exercise these rights data subjects should contact us using the details provided above.
Data subjects also have a right to raise a complaint with the UK supervisory authority (the ICO); their contact details can be found online.
Data subjects have a right to withdraw consent at any time, where relevant.
Information about other products and services
From time to time we may send you information about Krysalis Consultancy Ltd and our products and services which we think may be of interest to you.
Changes To Your Details
Information automatically collected from your computer
Cookies are small files transferred to your computer’s hard drive through your web browser. They are widely used in order to make websites work, or to work more efficiently, as well as providing information to the owners of the site.
The cookies used on this site are:
Information automatically collected from your computer
Log files/IP address: When you visit the Site our web server automatically records your IP address. This IP address is not linked to any of your personal information. We use IP addresses to help us administer the Site and to collect demographic information for aggregation purposes.
We may also gather non-personal information (from which we cannot identify you) such as the type of your internet browser which we use to provide you with a more effective service.
The internet is not a secure medium. However, we have implemented technology and policies to safeguard your privacy from unauthorised access and improper use.
Linking to third party websites
We cannot be responsible for the privacy policies and practices of other sites, even if these Sites have been accessed using links from our Site. We recommend that you check the policy of each site you visit and contact the organisation concerned if you have any questions.
If you linked to our Site from a third party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site and recommend that you check the policy of that third party site and contact the organisation concerned if you have any questions.