The General Data Protection Regulation (GDPR) comes into effect 25 May 2018. It applies to the control and processing of personal data. Personal data is defined as any information that relates, directly, or indirectly, to an identifiable person. Personal identifiers include name, identification number, location data, online identifiers (IP address and user name) etc.
Sensitive personal data is any information that concerns a children, racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.
How does the GDPR relate to the Early Permanence Quality Mark?
The QM application process is via a web enabled application. It is hosted on the Coram Centre for Early Permanence. This operates as part of the Coram Group and will work within a robust GDPR framework of accountability and data security through methods such as:
- ii. Agency information being kept only for the purposes set out and for no longer than is necessary
- iii. Data being collected by consent for specified, explicit purposes and not processed in a manner incompatible with that stated purpose
- iv. Privacy by design of our systems and processing of information
- v. Privacy by default minimizing of personal data processing for the purpose of attaining the quality mark
- vi. Accountability on behalf of the hosting agency data controller and its guidance and procedures (including those relating to breach notifications)
- vii. quality-mark.earlypermanence.org.uk is a secure website protected by SSL encryption
Agencies are invited to supply information via the QM website under these frameworks. This includes describing their services in early permanence delivery as part of adoption services. By applying for the QM this data will be captured, received by the QM convener and then provided to an independent moderation panel for the purpose of:
- i. Considering the application and its merits for the award of the QM
- ii. Contact with the named contact person from the agency if clarification or communication is needed
- iii. Application renewals (after 3 years)
The types of information required for the Quality Mark involves:
- i. A named contact person, telephone contacts and address
- ii. Summary information about the agency (with a focus on early permanence and adoption services of that agency and its partners)
While the services work with sensitive personal data of people – there is no expectation that personal data is shared as part of the QM submissions. Case scenarios or a full case study drawn from service delivery may be used to illustrate agency practice. No sensitive data should be supplied that will identify a service user, whether adult or child. The identity of adopters or adoptees, family members or siblings or relatives should not be disclosed or be decipherable from the information supplied. In all cases, any data should be robustly anonymised and changed.
The legal basis for information held on the QM site is by consent of the agencies who supply it.
We are mindful of GDPR at each stage of the QM process and ensure agencies who entrust information to us are fully engaged in how the information is kept safe and are aware of their data rights. If you would like to know more, please email: Qualitymark@earlypermanence.org.uk
This statement will be reviewed in April 2018 and replaced with a Privacy Notice specific to the Early Permanence Quality Mark.