Information Governance Policy

Bossa Health's information governance provides a comprehensive framework that ensures information is handled lawfully, securely, and with appropriate regard for confidentiality. It covers the protection and management of information-related risks, the lawful and ethical use of personal and sensitive data, access to information under relevant legislation, information sharing and disclosure, records management, and the oversight of IT systems and digital projects.

1. Definitions

Personal data: Personal data is defined in the General Data Protection Regulation (GDPR) as: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”.

Data subject: The identified or identifiable living individual to whom personal data relates.

Special category data: The GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection:

  • Personal data revealing racial or ethnic origin

  • Personal data revealing political opinions

  • Personal data revealing religious or philosophical beliefs

  • Personal data revealing trade union membership

  • Genetic data

  • Biometric data

  • Data concerning health

  • Data concerning a person’s sex life

  • Data concerning a person’s sexual orientation

Data Controller: An organisation (Bossa Health) that determines the purpose, categories, and manner in which personal data is processed.

Data Processor: An individual or organisation (Bossa Health) that processes personal data on behalf of a data controller, following their instructions.

Subject Access Request (SAR): Under Article 12 of the UK GDPR, individuals have the right to request access to their personal data, along with supplementary details. This right enables individuals to understand how their data is being used, why it is being processed, and whether the use is lawful (ICO, 2020).

Data Breach: A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes incidents resulting from both accidental and intentional actions, as well as the failure to share information when it should have been disclosed.

Processing (of Information): As defined in Article 4(2) of the UK GDPR, "processing" refers to any operation performed on personal data — whether automated or not — including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, sharing, restriction, deletion, or destruction.

2. Data Protection

2.1. Data Collection and Processing Procedures

2.1.1. Data Collection: Data is collected via the Bossa Health website during patient registration and assessments.

2.1.2. Data Storage and Access Control:

  • Patient data is securely stored in Bossa Health's patient database.

  • Access to patient data is restricted to authorised personnel directly involved in patient care.

2.1.3. Data Security Measures:

  • Encryption is used for data transfers and storage.

  • Regular audits are conducted to ensure compliance with security protocols.

  • Access controls are reviewed periodically to maintain compliance with the principle of data minimisation.

2.2. Data Breach Management

A data breach is defined as an incident compromising the confidentiality, integrity, or availability of personal data. Examples include unauthorised access, accidental disclosure, and loss of data.

In case of a data breach, immediate actions will be taken to prevent further unauthorised access. Bossa Health will notify the affected individuals promptly, explaining the breach and providing guidance on mitigating risks. The breach will also be reported to the Information Commissioner's Office (ICO) within 72 hours, if required, as per GDPR guidelines.

A rigorous investigation will be carried out to identify the breach’s cause and implement corrective measures, such as updates to security protocols or retraining staff. Policies and procedures will be reviewed for improvements.

3. Audits

Internal auditors carry out annual assessments or audits to review and evaluate the following areas:

  • Compliance with relevant legal and regulatory requirements

  • Implementation of information governance standards

  • Information security and IT system safeguards

4. Freedom of Information and Subject Access Requests (SARs)

The Freedom of Information Act 2000 grants the public a general right to access information held by public bodies. This supports openness and transparency, and helps foster public understanding of how decisions are made and how resources are allocated in public services.

Under the right of access, individuals (the data subject) are entitled to obtain a copy of their personal data, along with other relevant information. This enables them to understand how and why their data is being used, and to ensure it is being handled lawfully.

Requests can be made to Bossa Health verbally (via a provider) or by email to support@bossahealth.com. A valid SAR does not require the individual to cite legislation or use formal language; it must simply be clear that they are requesting their own personal information. As a minimum, we require the requestor to include the following information in a SAR:

  • A subject line or header that says "subject access request";

  • The date the request is being made;

  • Full name (and any other names, where relevant);

  • Home address and phone number;

  • Personal information wanted;

  • The reason for wanting the information;

  • Format in which they would like to receive the information (e.g., electronically or printed and sent by post) and any accessibility requirements (e.g., large fonts).

A third party — such as a solicitor, relative, or friend — may submit a SAR on an individual's behalf. Before responding, Bossa Health must be satisfied that the third party is authorised to act for the individual, and it is the third party’s responsibility to provide evidence of that authority.

Bossa Health will respond to SARs without undue delay and no later than one month from receipt. This deadline can be extended by a further two months where requests are complex or if multiple requests are received from the same individual (e.g. relating to different rights under data protection law).

If Bossa Health holds a significant amount of information about the data subject and the request is unclear, clarification may be sought. The clock pauses until clarification is received, though any supplementary information that can be shared within the initial time frame should still be provided.

4.1. How information will be provided

Requestors are entitled to receive both personal data and supplementary information. The support team will share a form to be completed by the requestor, and they may be asked to provide proof of identity and address when submitting the form, such as a passport or driving licence, a utility bill, a bank statement, or an official document from a recognised body. The requestor's identity is only needed to validate the request; it must not be used for any other purpose.

As the data controller, Bossa Health is responsible for taking appropriate steps to ensure data is shared securely. When providing the response electronically, a password will be provided to the requestor in a separate email. If a different format is specifically requested, Bossa Health will evaluate the request and make a decision accordingly.

If the information disclosed is inaccurate, the requestor must notify Bossa Health without delay. If the accuracy of a record is disputed, the requestor's version will be added to their record following review and approval by Bossa Health's Clinical Lead. The requestor will be informed of any record updates or decline of an amendment.

4.2. When a request may be refused

Bossa Health may refuse to comply with a SAR if:

  • An exemption applies under the law;

  • The request is deemed manifestly unfounded or excessive.

Where a request is refused, the requestor has the right to:

  • Lodge a complaint with the ICO;

  • Seek legal recourse to enforce access.

5. Changes to this Policy

We may update this policy from time to time. Any changes will be posted on this page with an updated effective date.

6. Contact Us

If you have any questions or concerns regarding this policy, please contact us at support@bossahealth.com.

Effective Date: September 2024
