Terms of note
The ‘owner’ of this website and Digital Quit tool is Lewisham Council
The ‘Tool’ refers to the Digital Quit Tool at https://iquit.smokefreelewisham.co.uk/
The ‘Service’ refers to Lewisham and Greenwich NHS Trust
‘DPO’ refers to the appointed Data Protection Officer at the Service
‘Data Subject’ refers to our customers, clients and patients providing data to the Service under any circumstance
Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
As a result, you are asked for your permission when inputting any personal information into our website or Digital Quit tool.
The processing of all data must be:
- Necessary to deliver our services.
- In our legitimate interests and not unduly prejudice the individual's privacy.
- In most cases this provision will apply to routine business data processing activities.
- Our Terms of Business contains a Privacy Notice to clients on data protection.
- Sets out the purposes for which we hold personal data on customers and employees
- Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
- Provides that customers have a right of access to the personal data that we hold about them
Sensitive personal data
In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
The ‘owner’ will never receive any personal or identifiable information at any point. This will only ever be seen by the Service and the DPO.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO at Lewisham Council.
Your personal data
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Smokefree Service so that they can update your records.
You must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
Storing data securely
- In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it
- Printed data should be shredded when it is no longer needed
- Data stored on a computer should be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords
- Data stored on CDs or memory sticks must be locked away securely when they are not being used
- The DPO must approve any cloud used to store data
- Servers containing personal data must be kept in a secure location, away from general office space
- Data should be regularly backed up in line with the Service’s backup procedures
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones
- All servers containing sensitive data must be approved and protected by security software and strong firewall
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines.
Subject access requests
Please note that under the Data Protection Act 1998, and subsequent updated act policy under GDPR regulations from March 2018, individuals are entitled, subject to certain exceptions, to request access to information held about them.
Please contact the Data Protection Officer if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
Training is provided through an in-house seminar on a regular basis.
It will cover:
- The law relating to data protection
- Our data protection and related policies and procedures.
Completion of training is compulsory.
Emails and communication
1. Text Messages
By opting into the digital quit tool you give your permission to be sent a number of SMS text messages throughout the journey of your quit process with the Service.
Unless you specifically opt out of messages by contacting the service, we may at time to time also contact you by SMS message at the end of your quit journey.
By signing up to the tool you give your permission to receive emails by the Service.
Emails sent through the Tool are all powered by Mandrill. Mandrill is a transactional email API procured by Lewisham council, hosted securely on Mandrill servers.
No personnel from the Owner or the Service will have access to, be able to view, amend or create any data within Mandrill.
As part of the process in the Tool, emails are to be sent to GP’s by Mandrill with likely personal sensitive information included. These emails will be sent securely via Mandrill over TLS. Emails are ‘outgoing only’ from the Mandrill system with no return traffic of data to Mandrill at any time.
Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.
Privacy Notice - transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation. The following are details on how we collect data and what we will do with it:
Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
Justification for personal data
We will process personal data in compliance with all six data protection principles.
We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.
Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.
Right to be forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by design and default
Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures
Everyone employed by, and involved in Smokefree Lewisham activity must observe this policy. The Service has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.
What information do we collect?
We may collect, store and use the following kinds of personal information:
- Information about your computer and about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, website navigation details).
- Information relating to any transactions carried out between you and us on or in relation to this website, including information relating to any purchases you make of our goods or services.
- Information that you provide to us for the purpose of registering with us.
- Information that you provide to us for the purpose of subscribing to our website services, email notifications and/or newsletters.
- Any other information that you choose to send to us.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
We may use both "session" cookies and "persistent" cookies on the website.
Session cookies will be deleted from your computer when you close your browser.
Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.
We will use the session cookies to: keep track of you whilst you navigate the website; keep track of items in your shopping basket; prevent fraud and increase website security; and other uses.We will use the persistent cookies to: enable our website to recognise you when you visit; keep track of your preferences in relation to your use of our website; and other uses.
Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. For example, in Internet Explorer (version 9) you can refuse all cookies by clicking "Tools", "Internet options", "Privacy", and selecting "Block All Cookies" using the sliding selector. Blocking all cookies will, however, have a negative impact upon the usability of many websites, including this one.