Where are we now
The Data Protection Act 2018 and the GDPR regulations became law in May 2018. Much of the regulation was covered by the first release of the CODE GDPR templates three months ago. But as there are some important changes to the Information Commissioner’s Office (ICO) guidelines and to the understanding of their consequences, CODE has updated 12 major templates, which are discussed in this article and explored in this newsletter. CODE iComply members will be informed what to do and when to do it by the iComply Application, so for them this article is for advice only. Non-members will find the article and newsletter helpful to understand some of the latest CODE advice about GDPR.
These are the CODE iComply templates that have just been updated:
- M 216 – Data Protection Overview
- M 216A – GDPR and Data Protection Action Plan
- M 217C – Information Governance Procedures
- M 217L – Network, Computer and Software Access Log
- M 217RA – Communication Consent Form
- M 217S – Legitimate Interests Assessment
- M 217T – Privacy Notice
- M 217TC – Privacy Notice for Children (new)
- M 217UA – Contract for Data Processor or Joint Data Controllers
- M 233-DPT – Data Protection and Information Security Policy
- M 245A – Staff Terms and Conditions of Employment
- M 245AA – IG Amendment to Staff Terms and Conditions
|Requirement||How to meet it||CODE iComply Template|
|Consent for special category data needs a lawful basis to process personal data plus a lawful basis to process special category data||We have suggested “Legitimate interests” as the basis for processing personal data, and the basis for processing special category data includes “Processing is necessary for health care purposes”
Note that processing personal data includes:
Special category data includes:
Members will be advised to update their Data Protection and Information Security Policy (M 233-DPT) soon.
|Data Protection and Information Security Policy, (M 233-DPT). Version 7
See the new Legitimate Interests Assessment (Template M 217S).
The full list of Lawful Bases for Processing personal data is in the new Privacy Notice (M 217T)
|The new Data Security and Protection Toolkit. Privacy Notice for Children||Practices that have access to NHS patient data and systems must now complete the new Data Security and Protection Toolkit instead of the Online IG Toolkit.||You can be guided by an updated version of the GDPR and Data Protection Action Plan (M 217A), available soon when CODE has analysed the new online toolkit requirements|
|New and updated Information Governance Procedures||
||Information Governance Procedures (M 217C), Version 3, is one of the key templates and covers many areas of your procedures, policies and advice. It has just been updated|
|Network, Computer and Software Access Log||Minor changes to make the log more powerful and to add monitoring of who can access the network||See the Network, Computer and Software Access Log, (M 217L). Version 3|
|Legitimate Interests Assessment||There are now two assessment templates, one for processing personal data and one to be used if you decide to use Legitimate Interests for Marketing, which is something that CODE cannot advise on at present, but you may decide to do it after taking your own advice.||Legitimate Interests Assessment, (M 217S), Version 2|
|Privacy Notice for Adults||It has been re-written and should be adopted right away||Privacy Notice (M 217T). Version 2|
|Privacy Notice for Children||Required by the ICO, it’s an easy-to-read version for people under 18 years.||Privacy Notice for Children, (M 217TC). Version 1|
|Staff Terms and Conditions of Employment, new data protection amendments||There is a new version of the Staff Terms and Conditions of Employment that includes clauses on meeting Data Protection and GDPR requirements.||Staff Terms and Conditions of Employment (M 245A). Version 5. If you are using version 3 or earlier, it’s time to issue new contracts.|
|Communication Consent||The form has been simplified into two parts, one for consent for sending text and email messages and the other for consent for marketing||Communication Consent Form, (M 217RA). Version|
|Contract as data processor or joint controller for self-employed team members||The data processor contract now includes labs, and self-employed personnel. Please read the article for details.||Model Contract for Data Processor (M 217UA). Version 2|
|Staff Terms and Conditions of Employment, new data protection amendments||There is a new version of the Staff Terms and Conditions of Employment that includes clauses on meeting Data Protection and GDPR requirements. Read more about it in the article.||Staff Terms and Conditions of Employment (M 245A). Version 5|
|There is a GDPR compliance agreement for employees who have recent CODE terms||Read more about it in the article.||Amendment to Staff Terms and Conditions, (M 245AA). Version 1
If your staff members have version 3 of the CODE Terms and Conditions you can use this, but it is better to upgrade all staff to Version 5.
There’s lots to do to keep updated now and things are still changing. But after this major update, CODE iComply members will be almost there. We will keep you informed. Find out more about iComply here.