Sharing of Information
We often get asked to share DBS, training certificates and patient treatment information with our clients; however, the availability of this information outside of the company is controlled by law.
With regard to staff DBS and training certificates, the default position of MedAid Services Ltd is not to share or release any of this information. If clients require these to comply with insurance requirements, MedAid Services Ltd are able to send a written letter confirming the checks carried out with regard to staff recruitment. If clients feel that a letter is not sufficient, then they must, in writing, submit their legal justification along with the lawful basis for processing on which the information is being requested.
With regard to records of patient treatment, MedAid Services will not share personal information of patients and medical interventions carried out. Details of patient treatments will only be provided upon request by legal representation detailing the lawful basis for processing and/or by written consent of the individual concerned and are subject at all times to the Data Protection Act 2018.
However, MedAid Services will provide a document, on request, detailing non-personal information such as age range, nature of injury/illness, whether further treatment was advised and whether the patient was taken to hospital.
- DBS Certificates
- Training Certificates
- Patient Information
As an organisation using the Disclosure and Barring Service (DBS) checking service to help assess the suitability of applicants for positions of trust, MedAid Services Ltd complies fully with the code of practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information.
We also comply fully with our obligations under the General Data Protection Regulation (GDPR), Data Protection Act 2018 and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of certificate information, and have a written policy on these matters, which is available on request to those who wish to see it.
In accordance with section 124 of the Police Act 1997, certificate information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom certificates or certificate information has been revealed and it is a criminal offence to pass this information to anyone who is not entitled to receive it.
Certificate information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.
Once a recruitment (or other relevant) decision has been made, we do not keep certificate information for any longer than is necessary. Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail.
Once the retention period has elapsed (usually 1 month after the recruitment decision), we ensure that any DBS certificate information is immediately destroyed by secure means.
We do not keep any photocopy or other image of the certificate or any copy or representation of the contents of a certificate. However, notwithstanding the above, we keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificate and the details of the recruitment decision taken.
Training Certificates contain, at a minimum, a person’s name and certificate number. Both of these pieces of information are classed as personal information under the General Data Protection Regulation (as the certificate number, combined with the training company name, can be used to identify an individual). On this basis, individual training certificates will not be shared; however, MedAid Services Ltd are able to send a written letter confirming the checks carried out with regard to staff recruitment.
Consent is not a valid cause for processing or sharing under the GDPR where there is a power imbalance in the relationship, such as exists with an employer and their employee. You cannot rely on consent for any employee personal data processing, and must rely on a different lawful basis, such as legitimate interests.
Sharing of Information
Sharing information such as certificate numbers is also classed as unlawful, as they are individual and act as an identifier if combined with another data set. Therefore, this information is to be protected as we would protect other personal data.
In certain circumstances, sharing of staff details is required; however, it would need to be part of a formal data sharing agreement, which outlines what each party can and cannot do with it and when the data received must be destroyed, and would need to be accompanied by a full Data Privacy Impact Assessment.
The Data Protection Act 2018 is underpinned by eight Data Protection Principles with which we comply. It also governs the use, storage and retention of all personal data.
Organisations that manage and store personal data must register as a ‘data controller’, and notify the Information Commissioner (ICO) why they need to use the data. MedAid Services Ltd is registered with the Information Commissioner; our registration number is ZA170298.
The Data Protection Act 2018 states:
- personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 5(1)(a)).
- personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes (Article 5(1)(b)).
The data controller (MedAid Services Ltd) must be able to justify the processing of the data in order for that processing to be considered lawful.
In order to be lawful, the processing must either:
- be as a result of consent given by the data subject to the processing of their personal data for one or more specific purposes; or
- be necessary to protect the vital interests of the data subject; or
MedAid Services Ltd seeks the consent of all patients to process any information given on the basis of the need to provide them with first aid / medical care.
Where we are unable to obtain consent (such as when the patient is unconscious) we use the “be necessary to protect the vital interests of the data subject” data protection principle.
As a result, we do not obtain consent for the purpose of sharing personal information with the event organiser, unless there is a legal obligation to do so, for example, when a serious crime is being investigated or where there are safeguarding concerns. There are other occasions when there is a statutory requirement to report, for example, to meet the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR).
However, MedAid Services will provide a document, on request, detailing non-personal information of patients treated during events such as age range, nature of injury/illness, whether further treatment was advised and whether the patient was taken to hospital.