EVERY SECTOR IS DIFFERENT, EVERY ORGANISATION IS DIFFERENT

BUT EVERYBODY'S RIGHTS ARE THE SAME 

Read our easy guide about data protection 

Can't find what you are looking for? Then please get in touch.

The UK GDPR

In simple terms, the UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), defines how organisations, public bodies and other entities can process the personal data of individuals.


The core principles of Data Protection are as follows:

  • Data must be processed lawfully, fairly and in a transparent manner
  • Data must be collected for specified, explicit and legitimate purposes
  • The data collected must be adequate, relevant and limited to what is needed
  • Data should be accurate, and where necessary, kept up to date
  • Data is kept no longer than necessary for the processing
  • Data must be processed in a manner that ensures appropriate security by technical and organisational measures


Protect your clients' personal data

  • Ensure all staff, contractors and volunteers are at all times fully aware of their responsibilities regarding confidentiality
  • Record client information accurately and consistently
  • Keep client information confidential
  • Keep client information physically and electronically secure
  • Disclose and use information with appropriate care
  • Ensure that disclosure of information outside the practice is in accordance with the UK GDPR, the DPA 2018 and the Caldicott Principles

Tell clients how you process their personal data

Yes - privacy notices tell people what to expect the organisation to do with their personal data / information when they make contact with you or use one of your services.


They should include:

  • Why you are able to process their information
  • What purpose you are processing it for
  • How long you store it for
  • Whether there are other recipients of their information
  • Whether you intend to transfer it to another country
  • Whether you carry out automated decision making or profiling

What is a DPIA, and do I need to conduct one?

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.


You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing.


It is also good practice to do a DPIA for any other major project which requires the processing of personal data.


Your DPIA must:

  • Describe the nature, scope, context and purposes of the processing
  • Assess necessity, proportionality and compliance measures
  • Identify and assess risks to individuals
  • Identify any additional measures to mitigate those risks

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result either from a high probability of some harm, or from a lower probability of serious harm.


Article 24 / Policies

Article 24 of the UK GDPR states that processing activities shall include the implementation of appropriate data protection policies by the data controller.


Policies differ from procedures, as they are high-level documents that set principles rather than the details of how, what and when things should be done.


Policies must:


  • Be capable of implementation and enforceable
  • Be concise and easy to understand
  • Balance protection with productivity

The data protection policy should specifically include these key elements:


  • Reasons why the policy is needed
  • Contacts and responsibilities
  • Objectives and how to handle violations

Training and awareness: why is this important?

Training is a very important task for all organisations processing personal data. It makes sure that all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date.


Training and awareness are key to actually putting your policies, procedures and measures into practice, by ensuring that:


  • Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training
  • Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade
  • Your staff receive induction training prior to accessing personal data and within one month of their start date
  • Your staff complete refresher training at appropriate intervals

Do I need a Data Protection Officer (DPO)? It depends...

The UK GDPR introduces a duty for you to appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities.


DPOs assist you to monitor internal compliance, and inform and advise you on your data protection obligations.


DPOs must be independent, expert in data protection, adequately resourced, and must report to the highest management level. Your DPO can be an existing employee or externally appointed.

Personal data breaches: what do I need to do?

You need to be able to detect, investigate, risk assess and record any breaches, and you must report them as appropriate. A personal data breach can have a range of adverse effects on individuals. There can also be serious repercussions for organisations, their employees and customers, such as financial penalties (failure to notify a breach when required can result in a fine of up to 10 million Euros or 2% of your global turnover), reputational damage, loss of business and disciplinary action. Having effective processes in place helps you to manage this, and means ensuring that:


  • You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach
  • A dedicated person or team manages security incidents and personal data breaches
  • Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred
  • Procedures and systems facilitate the reporting of security incidents and breaches
  • Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur
  • You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals)
  • The log documents the facts relating to the near miss or breach, including: its causes; what happened; the personal data affected; the effects of the breach; and any remedial action taken and the rationale for it

Call Us

Contact us on the number below to discuss any of our services.

0845 867 1263

Email Us

Feel free to email us any questions or issues, and we will ensure we get back to you straight away.

Info@chorusadvisers.co.uk

Visit Us

University of Essex

Southend-on-sea campus

Elmer Approach

4th Floor Gateway Building

Essex, UK

SS1 1LW