Other

June 2023
PPG 12.0 Information Sharing
1.
Privacy Notice
Introduction
NSCM Privacy Notice describes how we use information, particularly information that relates to YP/A.
For employee Privacy Notice please refer to NSCM Employee Handbook.
NSCM is a registered Data Controller with the Information Commissioner’s Office (ICO), under registration number Z8473128, for the purpose of collecting and processing personal information.
3.1.1. Data collection
3.1.2. Who do we collect information about?
NCSM collects records and holds information on all YP/A who have been referred for accommodation and/or outreach floating support and have taken up a placement.
We need to know their personal data/information so that we can provide YP/A with the right accommodation and outreach floating support to meet their needs.
3.1.3. What personal data/information do we hold, and why do we collect this
information?
Basic personal data/information may be provided to NSCM by the placing authority when they refer a YP/A to NSCM for a service. When contacting us, the YP/A and the referrer will be asked for personal information such as name, address, postcode etc. Information collected to inform the request for a service will include, for example:
•Personal details
•Family details
•Lifestyle and social circumstances
•Financial details
•Employment and education
•Offences and alleged offences
Some information is special due to its sensitivity, it may include:
•Physical or mental health details
•Sex life
•Sexual orientation
•Racial or ethnic origin
•Religious or other beliefs of a similar nature
•Political opinion
•Genetic and biometric data
This might be collected in person, over the phone or via forms sent through secure email or password protected.
June 2023
PPG 12.0 Information Sharing
Information may also be shared with NSCM by another organisation due to NSCM being part of a package of support being provided. This may include organisations such as national and local NHS bodies, local authorities, police, probation, colleges, and schools.
Lawful basis
3.2.1. What is the lawful base for NSCM using your personal data/information?
The law on data protection allows NSCM to process, keep or share YP/A’s data for certain reasons only.
The information below categorises the type of data processing NSCM undertake and the lawful basis we rely on.
Activity Lawful basis
NSCM Application form
Personal details, special categories, history, lifestyle, social circumstances, risk assessment
Public task
Personal details
Name, address, phone numbers, gender, national insurance number, right to work in UK, GP, next of kin, education, financial details, criminal convictions, risk assessment
Public task
Special categories
Physical or mental health, disability, sex life, sexual orientation, race, ethnic origin, political opinion, immigration status, religion, genetic and biometric data.
Public task
Risk Assessments
Circumstance that may pose a risk to the YP/A or NSCM staff or multi-agency professionals, how to support the YP/A and how to manage the risk.
Public task
Contact sheets.
Record of any contact with the YP/A, any professional working with the YP/A, family, or friends, in person, by phone or email.
Public task
June 2023
PPG 12.0 Information Sharing
Daily / Weekly / Monthly summary report
Updates to the placing authority about how the YP/A is getting on in placement, any risks, successes, strengths.
Public task
Accident / incident / injury reports / RIDDOR
Accidents and any treatment or hospitalisation, physical or verbal incidences towards NSCM staff or property.
Public task
Safeguarding form or Cause for Concern form
Details – reporting a safeguarding or concern to the placing authority, police, or appropriate agencies.
Public task
Missing Person Form
If the YP/A goes missing from placement, details of what may have triggered them going missing and risks form is shared with the placing authority, police, or appropriate agencies.
Public task
Independent Living Skills Assessment Form
Assessment of how the YP/A getting on living independently.
Public task
Relevant Plans
Where the YP/A needs support and what action is required and by whom.
Public task
Permission Form
When a YP/A requests NSCM staff speak to an agency on their behalf, or where we may suggest that we can speak to an agency on their behalf.
Contract
Use of personal data / information
3.3.1. How do we use personal data/information?
NSCM holds personal data/information to enable us to provide appropriate accommodation and outreach floating support packages to YP/A, to refer to specialist services, to maintain our accounts and records.
June 2023
PPG 12.0 Information Sharing
We may also use information to:
•Deliver services and support to the YP/A.
•Manage services we provide to the YP/A.
•Producing assessments of the health and care needs, child protection or safeguarding.
•Contribute to assessments that may result in the YP/A being taken into care under mental health law, safeguarding or child protection framework.
•Identifying priorities for action.
•Informing decisions on planning of new services.
•Identifying staff training needs.
•Help investigate any worries or complaints to check the quality of the services.
3.3.2.
How the law allows us to use the YP/A’s personal data/information
We collate and use personal data/information where
•The YP/A or their legal representative have given consent.
•The YP/A have entered an agreement/contract with us.
•To perform our statutory duties.
•To protect someone in an emergency.
•To deliver health and social care services.
•It is required by law.
•To protect public health.
Information security and data sharing
NSCM is a data controller for the purposes of the General Data Protection Regulation (UK GDPR) January 2021. When processing the YP/A’s personal information we will aim to do so fairly, lawfully and in line with the UK GDPR. Information will not be held for longer than required and will be disposed of securely.
We will work in an open and transparent way, discussing and/or sharing any reports, updates and assessments written by the outreach worker, with the YP/A, before sending them to the placing authority.
We will only share the YP/A’s personal data/information after discussions with them, with appropriate organisations such as the NHS, health care professionals, social care, and welfare organisations. The Care Quality Commission and/or Ofsted may also request access to information as part of an inspection or monitoring process of NSCM. We will only share personal data/information once the necessary legal basis has been established and data protection safeguards have been verified. See Lawful basis above.
We will not give or sell YP/A’s information to any third party for marketing purposes.
Rights of young people / adults
June 2023
PPG 12.0 Information Sharing
3.5.1. What are the rights of the YP/A?
YP/A have the right to ask for all the information we have about them. When we receive a request from a YP/A in writing, we must give them access to everything that we have recorded about them. If the YP/A cannot request this in writing, they should speak to their outreach worker who will need to consider another way to enable the YP/A to make this request.
However, we are unable to let YP/A see any information held in their records which contain confidential information about other people or where a professional thinks this will cause serious hard to the YP/A or someone else.
3.5.2.
‘Right to be forgotten’ – you can ask for information to be deleted.
In some circumstances YP/A can ask for their personal data/information to be deleted. For example, where there is no legal reason for us to use it. If a YP/A believes the information we hold is wrong, they have the right to have it corrected or deleted.
Information required by law cannot be deleted where it is used for public health purposes or if it is necessary for legal claims.
3.5.3.
Limit the use of your personal data / information.
YP/A can request for NSCM to restrict what we use their personal data/information for and where they have identified inaccurate information and have told us about it.
Where possible NSCM will seek to comply but may not be able to where we need to hold or use the YP/A’s information because we are required to by law.
3.6.
Protecting personal data / information
3.6.1.
How we protect the YP/A’s personal data/information
We hold all records about the YP/A (paper or electronically) securely and only make them available to those who have the right to see them.
We secure information by using secure emails; hiding parts of your personal information from view and password protect electronic documents.
We ensure that emails are sent without revealing addresses to other recipients and use blind carbon copy (bcc), not carbon copy (cc). We also check group email addresses and only send the message to the people that need to see it.
Paper documents are held in a secure cabinet and locked room/office.
Paper is shredded and disposed of securely.
NSCM mobile phones and devices used by staff in the course of their work with you are password protected.
June 2023
PPG 12.0 Information Sharing
3.6.2.
How we keep NSCM safe and protect against online risks
NSCM IT equipment has firewalls and virus checking systems to protect your personal data/information. Staff working for or on behalf of NSCM are expected to protect their personal devices i.e., mobile phones/IT equipment, if used for NSCM business.
All devices/IT equipment are password protected; in addition, all files containing personal data/information held on this equipment are password protected.
NSCM take the following actions to minimise the risk of personal data/information being compromised.
•Train staff.
•Staff declaration and commitment to reporting data breach.
•Email disclaimer.
•Secure email and file transfer.
•Delete suspicious emails.
•Robust reporting mechanisms in the event of lost or stolen devices (laptops, iPads, tablets, mobile phones etc).
•Strong password protection on all devices.
•Download software updates.
•Use of anti-virus software.
•Decommissioning the removal of data from devices/hardware no longer in use or obsolete.
•Memory sticks password protected.
•Refresh NSCM Policy & Procedures and continue to review the procedures annually.
NSCM have an encrypted backup storage server / system. The backup system stores information on the cloud and is backed up each night. This system is encrypted to protect all stored data/information.
NSCM rely on Egress Switch secure email and file transfer to communicate and share information and need to protect the personally and commercially sensitive data that staff share both internally and with external users. Egress Switch secure email and file transfer provides easy-to-use, flexible email and file encryption that offers the highest levels of security and access controls, in addition to encrypting message content and attachments. Switch secure email and file transfer provides total control over shared information in real time, with the ability to revoke access, audit user actions and add message restrictions to prevent data mishandling.
3.7.
Standards
•Government and industry-certified
June 2023
PPG 12.0 Information Sharing
•Switch secure email and file transfer features comprehensive government and industry-certified security and authentication, including email and file encryption at rest and in transit, multi-factor authentication, and customisable policy controls.
•Users can stay in control of their information after it has been shared both internally and externally by revoking recipient access, preventing actions such as download and copy/paste, and viewing audit logs.
•Switch is certified under NCSC Commercial Product Assurance, Common Criteria, and ISO 27001:2013
3.8.
Keeping personal data/information
3.8.1.
How long do we keep YP/A’s personal data/information for?
We are required, by law, to keep care YP/A’s personal information for a set period of time and this can range from months to decades for more sensitive records.
Records for YP/A leaving care are retained from the date of birth +75 years or 15 years after death of child (where child dies under 18). Adults with mental health difficulties and/or subject to the Mental Health Act files are retained from the last action +20 years. The only reason this may differ is if a local authority advises otherwise.
3.9.
Concerns
3.9.1.
If YP/A has concerns about how we use their personal information.
YP/A can make a complaint if they have a concern about the way NSCM is handling their information, they should email This email address is being protected from spambots. You need JavaScript enabled to view it. or they can complete an NSCM Complaint/Compliment form which can be downloaded from www.nscm.co.uk or they can contact NSCM Director of Finance and Compliance, Philip Savva on Tel: 0208 211 3663. The Director of Finance and Compliance will liaise with the RSM who will investigate your complaint and respond within 15 working days.
If that response does not fully address the YP/A’s complaint, or if they are still not satisfied with our actions, they can contact the Information Commissioner’s Office (‘ICO’). The ICO is an independent official appointed to oversee the UK General Data Protection Regulations, January 2021. Further information can be found on the ICO website https://ico.org.uk. The ICO’s address is Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF and the phone number is 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

How do we use personal data / information? 
NSCM holds personal data / information to enable us to provide appropriate accommodation and outreach support packages to young people and adults,  to refer to specialist services, to maintain our accounts and records. We may also use information to: 
• Deliver services and support to you
• Manage services we provide to you
• Producing assessments of the health and care needs, child protection or safeguarding 
• Contribute to assessments that may result in the young people and adults being taken into care under mental health law / safeguarding or child protection framework
• Identifying priorities for action
• Informing decisions on planning of new services
• Identifying staff training needs 
• Help investigate any worries or complaints check the quality of the services

How the law allows us to use your personal data / information 
We collate and use personal data / information where:
• You or your legal representative have given consent
• You have entered into an agreement / contract with us
• To perform our statutory duties 
• To protect someone in an emergency 
• To deliver health and social care services
• It is required by law
• To protect public health

Information security and data sharing
NSCM is a data controller for the purposes of the General Data Protection Regulation (GDPR) May 2018.When processing your personal information we will aim to do so fairly, lawfully and in line with the GDPR. Information will not be held for longer than required and will be disposed of securely.  

We will work in an open and transparent way, discussing and /or sharing any reports, updates and assessments written by your outreach worker, with you, before sending them to your social worker. We will only share your personal data / information after discussions with you, with appropriate organisations such as the NHS, health care professionals, social care and welfare organisations. 

The Care Quality Commission and / or Ofsted may also access your information as part of an inspection or monitoring process of NSCM.   We will only share personal data / information once the necessary legal basis has been established and data protection safeguards have been verified. See Lawful basis above.

We will not give or sell your information to any third party for marketing purposes. 

What are your rights? 
You have the right to ask for all the information we have about you. When we receive a request from you in writing, we must give you access to everything that we have recorded about you. If you can’t request this in writing, please talk to you Outreach Worker who will   consider another way to enable you to make this request. 

However, we are unable to let you see any information held in your records which contain confidential information about other people or where a professional thinks this will cause serious harm to you or some else.

'Right to be forgotten’ – you can ask for information to be deleted
In some circumstances you can ask for your personal data/ information to be deleted. For example, where there is no legal reason for us to use it. If you believe the information we hold is wrong you have the right to have it corrected or deleted.

Information required by law cannot be deleted where it is used for public health purposes or if it is necessary for legal claims. 

Limit the use of your personal data/ information
You can request us to restrict what we use your personal data/ information for where you have identified inaccurate information, and have told us about it.

Where possible we will seek to comply, but we may not be able to where we need to hold or use your information because we are required to by law.

How we protect your personal data/ information
We hold all records about you (paper or electronically) securely and only make them available to those who have the right to see them. 

We secure information by using secure emails; hiding parts of your personal information from view and password protect electronic documents. 

We ensure that emails are sent without revealing addresses to other recipients and use blind carbon copy (bcc), not carbon copy (cc).  We also check group email addresses and only send the message to the people that need to see it. 

Paper documents are held in a secure cabinet and locked room / office.

Paper is shredded and disposed of securely.

NSCM mobile phones and devises used by staff in the course of their work with you are password protected. 

How we keep NCSM safe and protect against online risks
NSCM IT equipment has firewalls and virus checking systems to protect your personal data / information. Staff working for or on behalf of NSCM are expected to protect their personal devises i.e. mobile phones / IT equipment, if used for NSCM business.

All devises / IT equipment are password protected; in addition, all files containing personal data / information held on this equipment are password protected.  

NSCM take the following actions to minimise the risk of personal data / information being compromised:
• Train Staff  
• Staff declaration and commitment to reporting data breach
• Email disclaimer
• Secure email and file transfer
• Delete suspicious emails
• Robust reporting mechanisms in the event of loss or stolen devises (laptops, I-Pads, tablets, mobile phones etc.)
• Strong password protection on all devises 
• Download software updates
• Use of anti-virus software
• Decommissioning the removal data form devises / hardware no longer in use or obsolete 
• Memory sticks password protected
• Refresh NSCM Policy & Procedures, and continue to review the procedures annually

NSCM have a storage device located at Head Office. The devise stores information on the Cloud and is backed each night. This system is encrypted to protect all stored data / information. Closed files are stored on the system.  

NSCM rely on Egress Switch Secure Email and File Transfer to communicate and share information, and need to protect the personally and commercially sensitive data that staff share both internally and with external users. Egress Switch Secure Email and File Transfer provides easy-to-use, flexible email and file encryption that offers the highest levels of security and access controls. In addition to encrypting message content and attachments. Switch Secure Email and File Transfer provides total control over shared information in real time, with the ability to revoke access, audit user actions and add message restrictions to prevent data mishandling.  

Standards:
• Government and industry-certified data security
• Switch Secure Email and File Transfer features comprehensive government and industry-certified security and authentication, including email and file encryption at rest and in transit, multi-factor authentication, and customisable policy controls. 
• Users can stay in control of their information after it has been shared both internally and externally by revoking recipient access, preventing actions such as download and copy / paste, and viewing audit logs. 
• Switch is certified under NCSC Commercial Product Assurance, Common Criteria and ISO 27001:2013. 

How long do we keep your personal data / information for?
We are required, by law to keep your personal information for a set period of time and this can range from months to decades for more sensitive records. Records for YP/A leaving care are retained from the date of birth + 75 years or 15 years after death of child (where child dies under 18. Adults with Mental Health difficulties and or subject to the Mental Health Act files are retained from the last action + 20 years.

If you have concerns about how we use your personal information You can make a complaint if you have a concern about the way the NSCM is handling your information you can email  This email address is being protected from spambots. You need JavaScript enabled to view it., or you can complete an NSCM Complaint / Compliment form which can be downloaded from www.nscm.co.uk or contact NSCM Compliance Officer Philip Savva on Tel: 0208 211 3663.  

The Data Compliance 
Officer will investigate your complaint and respond within 15 working days.If that response does not fully address your complaint, or if you are still not satisfied with our actions, you can contact the Information Commissioner’s Office ('ICO'). The ICO is an independent official appointed to oversee the General Data Protection Regulations, May 2018. Further information can be found on the ICO web site, https://ico.org.uk/. The ICO's address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, and the phone number is 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

ISO 9001 Introduction / Awareness Information

Summary:
The Standard: - ISO 9001 – “Quality Management Systems” is a written set of guidelines (a framework), which any organisation can follow, in order to help control operations.  The overall aim of a quality management system is that the customer requirement is clearly understood and effectively delivered.‘ISO 9001’ specifies that certain activities should be under control and particular records must be maintained. 

What does ISO 9001 'Certification' mean?WHAT DOES ISO 9001 ‘CERTIFICATION’ MEAN?
Once an organisation has established suitable processes and records, a third party certification body is invited to assess the compliance of the ‘Quality Management System’, against the requirements of the standard.  If satisfied, they grant certification (sometimes referred to as ‘ISO 9001 Registration’), which can then be forwarded to interested parties as evidence of well-structured and diligent practices and a ‘Registered Logo’ can be displayed on corporate information.  ISO 9001 is internationally recognised, with over a million certificated organisations, worldwide. 

The assessment process:
Our selected Certification Body, who carries out the ISO 9001 assessments, is the British Standards Institution (BSI).  A representative from BSI regularly visits us to carry out assessments, within which he/she verifies that we comply with all of specified requirements of the standard, by sampling documentation, speaking to personnel and observing departments and practices. 

Why do we use ISO 9001?
There are various reasons why organisations, such as us, choose to adopt this standard. 
1. The quality management system is a useful tool to help us define and monitor our processes and to ensure that we are in compliance with customer expectations and industry requirements.
2. It provides an independent benchmark to verify that we are indeed following the high standards that we set for ourselves and that the overall service provided to the customer is at a consistently high level.
3. Customers and other external stakeholders often expect that their service providers, such as us, are able to demonstrate compliance with this quality standard through accredited third party certification. 

Who is involved in ISO 9001?
In short… everyone who carries out work on behalf of Next Step.  - For example, directors set out policies, procedures, objectives, and these are implemented and adhered to throughout the workforce. 

We are supported in development and implementation of our ISO system by consultants from Admac Ltd. 

The Next Step Care Management policy/procedures and documentation,  that comprises our quality system can be found via the NSCM staff website, or also available electronically via:  www.admac.co.uk/gateway. 

Policy Statement:
Within our quality management system, we have defined a ‘Policy Statement’.  To paraphrase, this is the senior management’s endorsement that we shall comply with customer requirements, and commit to continually improve through the setting of objectives.  It is the responsibility of every member of the company to do whatever he/she reasonably can, to control and improve our corporate quality performance.