Reality Consulting Limited GDPR compliance
Reality Consulting Limited (“Reality”) complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as published in the Official Journal of the European Union 4 May 2016, reference L 119/50 (“GDPR”).
Article 6: Reality complies with paragraph 1 (b) in that it only processes personal data necessary to the performance of a current or potential contract, and therefore does not require a specific opt-in to hold this information.
Article 7: Reality is transparent in how it uses personal data, and the use of personal data is included as section 10 of Reality’s Terms and Conditions, versions 3.9 onwards, and has been since 2011. In addition, Reality will comply fully with point 3 of Article 7.
Articles 13 and 14: The details of Reality’s Data Protection Officer and ICO registration number are provided with every contract as part of section 10 of Reality’s Terms and Conditions, versions 3.9 onwards.
Articles 15-20: Reality will provide or remove any details on request, without charge, and will keep the subject fully informed.
Article 30: As the information held about subjects is not sensitive, and Reality has fewer than 250 employees (Reality actually has four employees), and none of the processing it undertakes is likely to result in a risk to the rights and freedoms of data subjects, Reality is exempt from the obligations in paragraphs 1 and 2. Notwithstanding this, Reality does conform broadly to all the points in paragraphs 1 and 2, holds the contact information in an encrypted set of files, keeps this up to date, and is able to comply with requests for removal, disclosure or modification in accordance with Articles 15 to 20.
Reality maintains only basic details about existing customers, or about prospective customers who have contacted Reality to enquire about possible work. These details are limited to:
· Job title
· Organisation worked for
· Contact telephone numbers
· E-mail addresses
· E-mails relating to agreed or potential contracts
All of Reality’s customers and prospects are personnel working in NHS Trusts, whose contact details are generally a matter of public record. As such, none of the data held about these individuals can be deemed sensitive.
The nature of Reality’s work means that its staff access NHS Trust computers containing sensitive patient data. However, this sensitive data is never taken off site, and access to the Trust computers is under the control of each Trust’s IT department, and is via a secure VPN.
Trust staff have always been very well aware of patient confidentiality issues, but on the very rare occasions that a third-party supplier to a Trust has breached that confidentiality to Reality (for example, by emailing a screen shot showing identifiable patient data over a non-secure network), Reality deletes that email immediately and informs the Trust of the breach. The mechanism for this is outlined in full in section 10 of Reality’s Terms and Conditions, version 3.10. This mechanism has been in place since 2011. Whenever Reality needs to extract identifiable patient data (for example, for a data migration extract), this is always carried out on the relevant Trust’s server over a secure connection; extracted data is held in a folder on a Trust server, and is never moved off-site by Reality personnel.
Reality does not maintain a marketing database itself, and thus all contact information about subjects has been provided voluntarily (either verbally in a telephone call or via email), and is necessary for Reality to provide the service it has contracted or offered to provide.
Reality has undertaken limited marketing campaigns by subscribing to a third-party database of NHS IT personnel, but has now removed data extracted from this database from its own computers. If Reality undertakes future marketing campaigns after 25 May 2018, it will ensure that these comply with GDPR. This is not, however, a current issue.
Data Protection Details
Reality’s Data Protection Officer is:
Reality Consulting Limited
Telephone: 0300 600 1161
Reality has appropriately notified its systems to the Information Commissioner under the Data Protection Act 1998. Reality’s Registration Number is Z5954105.