The GDPR sets out the information that you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
The identity and contact details of the company Reading Borough Council
Contact details of the Data Protection Officer (DPO): Nayana.George@reading.gov.uk
A consolidated list of people who have expressed an interest in being involved in consultations, focus groups, mystery shopping and Adult social care forums, and to receive invitation to meetings/events/various information relating to wellbeing, health etc…
We hold the following information:
Areas of concerns/interest
E.G on secure encrypted laptops and systems. List any other security measures taken
to ensure security of the data.
The data is stored in a secured shared area on secure encrypted systems.
The area where the data is stored is accessed by a limited number of users.
Reading Borough Council staff working for the Wellbeing Team, part of Adult Care
and Health Services.
The secure shared area can only be accessed with a username and password. Each
system user has an individual username and password and a user profile which only
allows them to access the details they need to carry out their job.
Describe for what purpose you need the data.
Under the Care Act, local authorities have new functions. This is to make sure that
people who live in their areas:
The Care Act helps to improve people’s independence and wellbeing. It makes clear that local authorities must provide or arrange services that help prevent people developing needs for care and support or delay people deteriorating such that they would need ongoing care and support.
Local authorities have to consider various factors:
In taking on this role, local authorities need to work with their communities and provide or arrange services that help to keep people well and independent. This should include identifying the local support and resources already available and helping people to access them.
The Adult Care Forums are one of the vehicles that help Reading Borough Council meet this responsibility under the Care Act : prevention, information and advice, and shaping the market of care and support services.
The Generic Retention schedule for section 1. Administration / Distribution lists reads:
How long kept: until updated
Action at the end of that period: Destroy
Updates to address and contact details and areas of interest are carried out on a regular basis, as and when required.
If the distribution list is no longer needed for its intended purpose, it will be destroyed.
Under the GDPR we have a legal duty to pass information to third party organizations such as the Police, The Department of Work and Pensions and antifraud agencies for the purposes of preventing and detecting crime, or for antifraud purposes.
Subject Access Request can be made by following the link:
Forums’ members cannot access the information and any information relating to
other forums’ members.
If so how will the data be safeguarded?
The right to withdraw consent at any time needs to be communicated
Processing is based on consent. When registering their interest, forums’ members consent that their contact details are stored for the purpose of being listed on their preferred distribution list and of receiving information related to the forum they have selected.
The right to have their data corrected, the right to have their data deleted and their right to put a complaint to the Information Commissioner’s Office (ICO)
The forum member has a right to have their data corrected or deleted.
Members are reminded of this on a regular basis at meetings/events and in order to ensure the data is kept up to date at all times.
The service provider has a right to put a complaint to the Social Care Complaints Team if they think their data has been misused.
Refer back to the IG team if yes
The GDPR sets out a higher standard for consent than the Data Protection Act. The GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Consent has to be a positive indication of agreement to personal data being processed. It cannot be inferred from silence, pre-ticked boxes or inactivity. Opt out consent is no longer acceptable under the GDPR. The GDPR is clear that controllers have to demonstrate that consent was given, so a review is best practice in order to ensure there is an effective audit trail.
How should you write a consent request?
Consent requests need to be easy to understand and separate from any other information such as general terms and conditions.
The consent request must include the name of your organisation and the names of any third parties who will rely on the consent.
Your purpose for wanting the data and the processing activities you will be doing with the data need to be included.
The right to withdraw consent at any time and how to do this must be included.