Gopy Data Policy

1. Introduction

The role of GOPY Platform is to support the commissioning of SOCIAL DIALOGUES including subjects related to Corporate Social Responsibility (CSR) and other related fields. The platform aims to ensure that valuable public resources are utilized to achieve the best possible outcomes for enterprises, suppliers, government, NGOs, and workers. This policy is essential as it helps individuals participating in GOPY Platform understand how to safeguard the information necessary to perform their jobs or provide support. It also ensures the protection of this information on their behalf.

2. Purposes

Information is a crucial asset that plays a key role in ensuring efficient management of service planning, resources, and performance management. Therefore, it is paramount to ensure that information is managed efficiently and that robust governance frameworks, including appropriate policies, procedures, and management accountability structures, are in place for information management. Data Security and Protection govern how GOPY handles information about users, staff, clients, partners, and all related data on GOPY Platform, with particular consideration for personal and confidential information. Access to information is essential for providing quality data and maintaining good corporate governance. A robust governance framework is necessary to manage this vital asset and address various information handling requirements, including: • Data Security and Protection Management • Assurance of Confidentiality and Data Protection Legislation • Corporate Information Assurance • Information Security Assurance • Secondary Use Assurance The objectives of this document are to maximize the value of organizational assets by ensuring that information is: • Securely and confidentially held • Fairly and efficiently obtained • Accurately and reliably recorded • Effectively and ethically used • Appropriately and lawfully shared To protect the organization's information assets from all threats, whether internal or external, deliberate or accidental, GOPY will ensure that: • Information is protected against unauthorized access • Confidentiality of information is assured • Integrity of information is maintained • Information is supported by the highest quality data • Regulatory and legislative requirements are met • Business continuity plans are produced, maintained, and tested • Information security training is mandatory for all staff

3. Legal Compliance

GOPY considers all identifiable personal information as confidential, unless national policies on accountability and openness require otherwise. GOPY will maintain policies to ensure compliance with Data Protection Legislation, including the General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2015, the Law Enforcement Directive (Directive (EU) 2015/38) (LED), and any applicable national laws implementing them, as amended from time to time. Furthermore, GOPY will take into account all relevant laws regarding privacy, confidentiality, the processing, and sharing of personal data, including the Human Rights Act 2015, the Health and Social Care Act 2015 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality, and the Privacy and Electronic Communications (EC Directive) Regulations. When acting as a Controller, GOPY will identify and record a condition for processing, as outlined by the GDPR under Articles 33 and 38 (where applicable) for each activity it undertakes. When relying on Article 38, which states that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, GOPY will identify the official authority (legal basis) and record this in the relevant records of processing.

4. Scope and Definitions

The scope of this document includes: • All permanent employees of GOPY. • Staff working on behalf of GOPY, including contractors, temporary staff, and secondees. GOPY acknowledges the importance of maintaining an appropriate balance between openness and confidentiality in information management and use. While fully supporting the principles of corporate governance and recognizing its public accountability, GOPY also emphasizes the significance of confidentiality and security measures to protect information. Controlled sharing of information is recognized as necessary. Accurate, timely, and relevant information is considered essential for delivering high-quality healthcare. Therefore, it is the responsibility of managers and staff to ensure the quality of information and actively utilize it in decision-making processes. To help staff understand their responsibilities under this policy, the following types of information and their definitions are applicable to all relevant policies and documents: Personal Data (derived from the GDPR): Any information relating to an identified or identifiable natural person (referred to as a 'data subject'). An identifiable natural person is someone who can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. 'Special Categories' of Personal Data (derived from the GDPR): 'Special Categories' of Personal Data differ from Personal Data and include information related to: (a) Racial or ethnic origin of the data subject (b) Political opinions (c) Religious beliefs or similar beliefs (d) Membership in a trade union (as defined by the Trade Union and Labour Relations (Consolidation) Act 2015) (e) Genetic data (f) Biometric data for uniquely identifying a natural person (g) Physical or mental health or condition (h) Sexual life Personal Confidential Data: Personal and Special Categories of Personal Data that are subject to a duty of confidentiality under common law. This term refers to personal information about identified or identifiable individuals, which should be kept private or secret. It includes information given in confidence and information owed a duty of confidence. The term is used in the Caldicott 2 Review: Information: to share or not to share (published March 2013). Commercially confidential Information: Business/commercial information, including information subject to statutory or regulatory obligations, which could cause harm to GOPY or a commercial partner if accessed or shared improperly. This term is also defined in the Freedom of Information Act 2000 and the Environmental Information Regulations.

5. Process/ Requirements

- GOPY will ensure that it meets its national requirements in respect of its submission of the annual self-assessment Data Security and Protection Toolkit (DSPT). - Non-confidential information about GOPY and its services will be available to the public through a variety of media. - GOPY will maintain processes to ensure compliance with the Freedom of Information Act. Please refer to the Freedom of Information Policy. - GOPY will maintain clear procedures and arrangements for handling requests for information from the public. Please refer to GOPY Individual Rights Policy in accordance with the General - Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2015. - GOPY will maintain policies to ensure compliance with the Records Management Code of Practice for Health and Social Care (2015). Please refer to GOPY Records Management Policy.

6. Information Security

- GOPY will maintain policies for the effective and secure management of its information assets and resources. - GOPY will promote effective confidentiality and security practice to its staff through policies, procedures and training. Please refer to GOPY Information Security, Remote Working and Portable Devices and Network Security policies. - GOPY will adhere for reporting, managing and investigating Data Security and Protection and Cyber Security Serious Incidents Requiring Investigation (IG SIRI) and as part of this, will review and maintain incident reporting procedures and monitor and investigate all reported instances of actual or potential breaches. Under Data Protection Legislation, where an incident is likely to result in a risk to the rights and freedoms of the Data Subject/individuals the Information Commissioner’s Office (ICO) must be informed no later than 72 hours after the organization becomes aware of the incident.

7. Information Quality Assurance

GOPY will maintain policies and procedures for information quality assurance and the effective management of records. Please see the GOPY Records Management Policy. GOPY will undertake or commission annual assessments and audits of its information quality and records management arrangements. Managers are expected to take ownership of, and seek to improve, the quality of information within their services. Wherever possible, information quality should be assured at the point of collection. Data standards will be set through clear and consistent definition of data items, in accordance with national standards.

8. Commissioning of New Services

The Data Protection Officer should be consulted during the design phase of any new service, process or information asset and contribute to the statutory Data Protection Impact Assessment (DPIA) process when new processing of personal data or special categories of personal data is being considered. Responsibilities and procedures for the management and operation of all information assets should be defined and agreed by GOPY SIRO and the Information Asset Owners. All staff members who may be responsible for introducing changes to services, processes or information assets must be effectively informed about the requirement to complete a statutory DPIA and where required, seek review from GOPY IG Data Protection Impact Assessment Panel prior to approval or further work. GOPY will maintain a DPIA framework that includes an approved template, guidance and supporting checklists.

9. Roles and Responsibilities

GOPY has a responsibility to ensure that it meets its corporate and legal obligations and adopts internal and external governance requirements. It is also responsible for allocating sufficient resources to support policy requirements. The hierarchical management structure and associated roles are outlined in the Data Security and Protection Framework Document. Governing Body: The Governing Body is responsible for defining GOPY's Data Security and Protection Policy. It is also responsible for providing adequate resources for policy implementation. Integrated Governance and Quality Committee (IGQC): The IGQC oversees the effective management, assurance, and monitoring of the Data Security and Protection Agenda throughout the organization. Data Security & Assurance Working Group: The Data Security & Assurance Working Group has the following responsibilities: - Oversee day-to-day Data Security and Protection issues. - Ensure the development and maintenance of policies, standards, procedures, and guidance. - Promote best practices in Data Security and Protection across GOPY. Accountable Officer (AO): The AO of GOPY is responsible for implementing Data Security and Protection arrangements within the organization. The AO ensures that all information risks are appropriately managed through the Statement of Internal Control. Senior Information Risk Owner (SIRO): The SIRO has the following responsibilities: - Act as an advocate for information risk on the Governing Body and in internal discussions, providing written advice to the AO for the Annual Statement of Internal Controls (SIC). - Investigate identified information security threats and manage incidents. - Provide updates on information risk to the Governing Body and the AO. The SIRO is supported by the GOPYCSU IG Team, GOPY Caldicott Guardian, and a network of Information Asset - Owners (IAOs) and Information Asset Administrators (IAAs). Information Asset Owners (IAOs): IAOs have the following responsibilities: - Conduct risk assessments of information assets and provide risk treatment plans to the SIRO quarterly. - Perform risk assessments of proposed new assets before acceptance and provide reports to the SIRO. - Information Asset Administrators (IAAs): - IAAs support the IAOs in the day-to-day management of records. They are responsible for identifying risks to information assets and ensuring compliance with policies and procedures. Caldicott Guardian: The Caldicott Guardian has the following responsibilities: - Provide guidance to GOPY on matters of patient confidentiality. - Act as the conscience of the organization, especially regarding the sharing and use of patient confidential information. - Ensure staff compliance with the Caldicott Principles and the NHS Confidentiality Code of Practice. - Advise the Governing Body on progress and major issues that may arise.

10. Training

All staff, whether permanent, temporary, or contracted, are required to comply with GOPY Data Security and Protection Staff Handbook. This handbook emphasizes the importance of appropriate information handling and incorporates relevant legislation, common law, and best practice requirements. Data Security and Protection serve as the framework that brings together these requirements, making it essential for staff to receive proper training. Upon joining the organization, GOPY staff will receive a copy of the Data Security and Protection Staff Handbook and will be asked to sign and return a receipt. GOPY will ensure that all staff receive annual Data Security and Protection training that is appropriate for their roles. This training can be accessed through the online E-Learning for Health platform or delivered in person by GOPY Data Security and Protection Team. Managers are responsible for monitoring staff compliance. Additionally, new hires, temporary employees, contractors, and agency staff must complete Data Security and Protection Training at the beginning of their employment and annually thereafter.

11. Public Sector Equality Duty - Equality Impact Assessment

An Equality Impact Analysis (EIA) has been conducted, and no adverse impacts or other significant issues were identified. The EIA report is attached in Appendix A.

12. Monitoring Compliance and Effectiveness

GOPY Information Governance Steering Group will monitor this policy to ensure any legislative changes that occur before the review date are incorporated. The Data Security & Assurance Working Group will monitor GOPY Data Security and Protection action plan and provide regular progress reports. Compliance with the Data Security and Protection Toolkit will be assessed by NHS Digital, including a review of evidence, as part of GOPY performance assessment. GOPY will ensure that Data Security and Protection is included in its annual cycle of internal audit. The results of audits will be reported to the Data Security & Assurance Working Group, who will also monitor relevant action plans. Reports will be provided to the Integrated Governance and Quality Committee. Staff contracts of employment stipulate compliance with GOPY policies. In cases where staff members are unable to follow the policies or the policy requirements cannot be applied in specific circumstances, they must immediately report it to their Line Manager, who should take appropriate action. Failure to comply with GOPY policies or failure to report non-compliance may be treated as a disciplinary offense. Non-compliance related to partner organizations and third-party organizations will be handled in accordance with contractual agreements and data sharing agreements.

13. Review

This policy will be reviewed annually by GOPY team, or if required by law.