Information Policy & Procedures

Apricot Centre CIC ensures that personal data in relation to Customers, Service Users, Practitioners, Staff, and Partners is used fairly, lawfully and transparently.

The UK Data Protection Act 2018 implements the EU General Data Protection Regulation (GDPR), a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It stresses 8 principles, that data must be:

1) Fairly and lawfully processed

2) Processed for limited purposes

3) Adequate, relevant and not excessive

4) Accurate

5) Not kept for longer than is necessary

6) Processed in line with your rights

7) Secure

8) Not transferred to other countries without adequate protection.

The Data Protection Act 1998 (DPA) sets standards governing the storage, processing of personal information held on manual records and on computers. The Care Standards Act 2000 provides the framework for ensuring service users rights to privacy are promoted and has been further developed over time.

Scope of this Information Policy

This policy addresses all information, systems, facilities, programs, data, networks and all users of technology in the Apricot Centre organisation, without exception. Apricot Centre Directors and Managers (Spring 2018) audited all information processes within the organisation and developed the GDPR Processes spreadsheet, identifying the types of data, basis for lawful processing, and the locations of data storage. Apricot Centre CIC handles personal data and sensitive information in both physical and digital formats.

Data and personal information is dealt with differently according to the specific service or business transaction. There are two main arms of the Apricot Centre with differing levels of sensitivity around data held. This policy therefore outlines different levels of security policy according to the level of service or business transaction.

Farm and Farm Services
Wellbeing Service

Farm and Farm Services Information includes (less sensitive information):

customer food orders
address and contact information
financial information relating to customer accounts
records of attendance at farm events and activities including outcome monitoring and customer feedback
Safeguarding information - Farm activities may also involve some engagement with children and families. In such cases the safeguarding policy and approaches developed for the wellbeing service will be applied.

Wellbeing Service Information includes (highly sensitive information):

financial information,
address and contact information,
medical/health-related information relevant to therapeutic or non-therapeutic intervention and including details of;

Information recorded during therapeutic sessions or group work
Personal and family history - including some 3rd party information
ethnicity,
gender,
age,
sexual orientation,
Religion

Safeguarding information - All safeguarding concerns will be recorded and monitored within Wellbeing Services information security practices.

Organisation wide security mandates:

Handling client sensitive digital information - All staff handling information in a digital format will use their individual user id and secure password as well as two-step verification for accessing the cloud-based system.
Secure Access to Cloud Based Services (SuiteCRM, GSuite, and Quickbooks). No staff will ever share their user id or password with another member of staff, or anyone outside the organisation.
Handling client sensitive physical information (i.e. paper based, artworks etc..) - All information with client sensitive data in a physical format i.e. paper or media based will be kept securely locked in a filing cabinet which will also be within a locked room, whether on site or in an alternate pre-agreed site (e.g. a therapist's office). Exceptions to this will be when information is in transit due to working in the community or from non-secure bases, in which case the practitioner will make every effort to transport and store information in such a way as to mitigate any risks to the security of the data.
Transportation of Physical Data - When working in the community, staff will be vigilant concerning the safest way of transporting paper-based information. Information should never be left unattended unless for example it is deemed safest to be temporarily locked in the boot of a car. Paper-based information should never be left in a car for a prolonged period or overnight, and should always be returned to the default security of a locked filing cabinet in a locked office.
Storage of Digital Information on Cloud-Based Systems - All information with client sensitive data in a digital format i.e. emails, digital media, scanned or typed documents will be stored within the secure Apricot Centre GSuite or Suite CRM systems.
Secure Emailing with Client Sensitive Information - Any transfer of client sensitive data in a digital format to an outside agency will either be printed and sent by recorded delivery, or sent via a secure encrypted email service such as Egress. Please Note: We have been informed by ICO (November 2016) that emails sent by us to a GCSX account are “not secure by the time it arrives” in the GCSX account. This is due to it crossing platforms. We operate on the understanding that emails to GCSX accounts are insecure and therefore not acceptable. Exception - We frequently find when making safeguarding referrals to appropriate bodies such as Multi-Agency Safeguarding Hubs (MASH), that there is an assumption on their part that emails with attachments sent to their GCSX email address is secure (see previous clarification with ICO). However, in circumstances where our encrypted service cannot be used we may elect to send an unsecure email referral in order to prioritise the safeguarding of the individual in question.

Service Defined Information Categories, Privileges and Management Goals

The Apricot Management team will review permissions for access to written/printed materials across the service and permissions on cloud-based systems to be reviewed every 6 months - In the first week of January. And in the first week of July each year. These reviews will be recorded in the Directors Minutes at the subsequent directors meetings.

Classification Category	Category defined	Management goals/objectives
Wellbeing Customer Information	Wellbeing Customers refers to customers who refer, purchase or commission wellbeing services from Apricot Centre. We hold financial and contact information in respect of our wellbeing customers. For private referrals the customer may be also the client.	Wellbeing Staff roles will determine their level of access to customer data as follows: ACWS Administrators/Coordinators - Will have full access to customer data for the purpose of quoting, invoicing, and liaising with customers regarding service setup and delivery. information integrity entails no write access outside accountable job functions,and in order to prevent loss of assets. ACWS Manager - Will have full access to customer data to oversee all aspects of the business and service delivery. AC Directors - Will have access to relevant customer data by specific request made to the Manager and recorded as an ‘incident’. Supervisors & Coaches - Will have no access to customer data beyond the name of the customer and contact details in order to deliver services, and only for purposes of communicating with customer. information integrity entails no write access outside accountable job functions,and in order to prevent loss of assets. Practitioners - Will have no access to customer data, but will have access to contact details of key professionals with whom they are required to liaise. information integrity entails no write access outside accountable job functions,and in order to prevent loss of assets. Group Facilitators - Will have no access to customer data. Volunteers or Students on Placement - Will have no access to customer data.
Wellbeing Client Information	Wellbeing Clients refers to the recipients of services from the Apricot Centre. We hold address and contact information, medical/health-related information relevant to therapeutic or non-therapeutic intervention and including details of personal history, ethnicity, gender, age, sexual orientation, religion. Third-party information is often held such as other members of the family and their circumstances.	Wellbeing Staff roles will determine their level of access to client data as follows: ACWS Administrators - Will have full access to client data in order to coordinate core service delivery. ACWS Manager - Will have full access to client data to oversee and maintain quality standards for all aspects of the business and service delivery. AC Directors - In circumstances such as dealing with a complaint or a serious organisational issue, Directors will have access to relevant client data by specific request made to the Manager and recorded as an ‘incident’. Supervisors & Coaches - Will have full ‘read’ access to client data, but will only have ‘write’ access for a specific purpose and by request made to the Manager. Practitioners - Will have restricted access to client data where they are the ‘authorised’ or lead practitioner, or where they are the supporting practitioner for a particular contract. Group Facilitators - Will have restricted access to client data where there is a predefined need in order to fulfil their role and support clients effectively. Volunteers or Students on Placement - Will have no access to client data, except for basic service monitoring processes or questionnaires which will be processed and handed to a relevant manager. Please Note: As ACWS has client information based upon work in different counties within the UK, we realise that there is a need to separate access and permissions to such data according to where practitioners practice. We will soon be working with our IT Developers Clystnet Ltd to develop specific permissions, by area, access across the entire service.
Farm Customer Information	Customer food orders including: financial information, name and contact details	Farm Staff roles will determine their level of access to farm customer data as follows: AC Director - Full access Farm manager - Full access Farm staff - Access to orders and contact details only for the purpose of communicating with customer. Access to financial information only when involved in sales. Administrator - Full access Finance Coordinator - Full access. Apprentices - Will be given access specific to the area of their apprenticeship and tasks undertaken. E.g. access to market information, such as login to iZettle for taking monies at market. Volunteer - According to a defined purpose, and accountable to a named member of core staff may be given restricted access but allowing access to contact details, monitoring and evaluation processes.
Farm Consultation / Training Services	Customer information may include; financial information, name and contact details, personal or business-sensitive information (such as confidential business plans etc..)	Farm Staff roles will determine their level of access to farm consultation/training services data as follows: AC Director - Full access Farm manager - Full access Administrator - Full access Consultant or Trainer - Restricted access as required by specific role and in order to prevent loss of assets. Apprentices - Will be given access specific to the area of their apprenticeship and tasks undertaken. E.g. helping to gather information for a survey or farm design. Volunteer - Possible access defined by specific role and always accountable to a named core member of staff.

How we manage the security of personal data held

Boxmaster - Online sales for Organic Fruit and Vegetables
SuiteCRM - Software developed by Apricot Centre with EngSofPro Ltd, for referral, recording and safeguarding purposes.
GSuite - GDocs, GSheets, Images, Photos, Hangouts (Video Conferencing).
Egress - Encrypted email system

Security -

Apricot Centre CIC has been working with Clystnet Ltd in order to bring our information security to the highest of standards. We operate from two cloud-based information systems accessed through the Google Chrome Browser. No client data is held, stored or processed on personally-owned devices or computers.

Egress Encrypted Email Software

ISO27001 is the international best practice standard for information security management systems: http://www.itgovernance.co.uk/iso27001.aspx . Egress Software data centres are all certified to ISO27001 and all Egress offices are in ISO27001 scope (London, Sheffield, Barnsley and Toronto). The initial ISO27001:2013 certification was completed in July 2014 and continues to undergo regular independent audits by BSI Group. Certificate No: IS 611606. Issue date: 14/07/2017

G Suite and Google Cloud Platform Security

System 1 - GSuite for Business - Staff have permission to access specific levels of data relevant to their role in working with clients or customers of the service. Google Apps is accessed via a username and strong password (see policy for required changes to passwords), as well as by two-step verification.

G Suite and Google Cloud Platform undergo SOC1™, SOC2™, and SOC3™ audits, by the American Institute of Certified Public Accountants (AICPA) and certification for ISO/IEC 27001, 27017, and 27018. This means that an independent auditor has examined the controls protecting the data in our systems (including logical security, privacy, and data center security), and assured that these controls are in place and operating effectively. Google solutions have regular audits for the following standard:
SOC1™ (SSAE-16/ISAE-3402)—G Suite , Google Compute Engine, Google Cloud Storage, Google App Engine
SOC2™—G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC3™—G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine - SOC3 report is available for download at https://cloud.google.com/files/GCP_SOC3_2017.pdf
ISO27001—for G Suite and Google Cloud Platform
ISO27017—for G Suite and Google Cloud Platform
ISO 27018—for G Suite and Google Cloud Platform
HIPAA—G Suite, Google Compute Engine, Google Cloud Storage, Google Big Query, Google Cloud SQL
FISMA—Google App Engine, G Suite
FEDRAMP—Google App Engine, G Suite

Data encryption in transit - Data is encrypted at several levels. Google forces HTTPS (Hypertext Transfer Protocol Secure) for all transmissions between users and G Suite services and uses Perfect Forward Secrecy (PFS) for all its services. Google also encrypts message transmissions with other mail servers using 256-bit Transport Layer Security (TLS) and utilizes 2048 RSA encryption keys for the validation and key exchange phases. This protects message communications when client users send and receive emails with external parties also using TLS.

PFS requires that the private keys for a connection are not kept in persistent storage. Anyone who breaks a single key can no longer decrypt months’ worth of connections; in fact, not even the server operator is able to retroactively decrypt HTTPS sessions.

Apricot Centre CIC have signed the G Suite and Cloud Data Processing Amendment (DPA 2.0) and model contract clauses as a means of meeting the adequacy and security requirements of the European Parliament and Council of the European Union's Data Protection Directive and General Data Protection Regulation (GDPR).

Drive File Stream encrypts all network traffic and validates host certificates to protect against man-in-the-middle (MITM) attacks.

SuiteCRM Security

SuiteCRM (Customer Relationship Management) hosted on Fast Comet a cloud-based service where information is stored in London servers only. Staff have designated permissions to only access information according to User Security Roles. Sensitive Information is thus locked-down and accessed only in accordance with individual or team security roles.

Passwords are set to expire within 35 days and so need to be renewed monthly.

1st Line of Defence - Boundary Firewalls and Internet Gateways

Assess and configure all boundary firewalls and internet gateways used on behalf of Apricot Centre CIC

Placement of the policy in the context of other management directives and supplementary documents (e.g., is agreed by all at executive level, all other information handling documents must be consistent with it)

Supporting Documents Referenced (e.g. roles and responsibilities, process, technology standards, procedures, guidelines)

Specific designation of well-established responsibilities (e.g. the technology department is the sole provider of telecommunications lines)

Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)

Https:// and SSL certificates setup on cloud services
For accessing cloud services additional security of Two-Step Verification or randomly generated security codes for each session
MAC computers or Chromebooks or Chrome Tablets & tablets operating; Android or IOS. No windows based operating system to be used.
Client machine must use Google Chrome as browser
No documents or business information are to be held locally on any staff computer. Kingston DataTRaveler Locker+ G3 encrypted memory sticks have been supplied to all staff who may need the option to download confidential information although this will always be the exception rather than the rule.

Mobile Device Management - Staff can access sensitive data, emails and calendars on personally-owned devices if they agree to Mobile Device Management enabling Apricot Centre managers to enforce security policies and security controls such as; configuration password options, application permissions, control over device updates, and to wipe or lock the device if necessary. A device can be considered 'managed' if the enterprise provisioned the device from a known initial state (e.g. from factory reset) and then technically enforces security policies on the device throughout its life. The user must not be able to modify a minimal set of critical security controls, including: data storage encryption VPN configuration passphrase options control over application permissions (eg no third party applications which require access to work email) control over device updates, to ensure devices remain up-to-date enterprise audit, wipe or lock of the device if necessary

Use of Public Wi-Fi Access Points - Staff may use Wi-Fi access point or the Wi-Fi service in public venues from their device except where they are required to authenticate to the Wi-Fi through a ‘captive’ portal (Such as is common in Starbucks/Costas etc..). Captive portals will ask for a separate login via the browser before giving access – allowing direct browser access to these captive portals will leave the browser open to attack. Therefore only Wi-Fi services which the user can access through standard pre-shared key authentication, or enterprise authentication with certificates should be used.

Apricot CIC responsibilities as a Data Controller. Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers' obligations relate to principles such as;

lawfulness,
fairness and transparency,
purpose limitation,
data minimisation, and
accuracy, as well as
fulfilling data subjects' rights with respect to their data.

As a Data Controller involved in Cloud-based Processing of Client Sensitive Data - GDPR applies to our using Google and SuiteCRM for processing client data.

Contract with Google - GSuite - In order to be GDPR compliant regarding the storage of client sensitive data in the cloud, we have signed DPA version 2.0 which took effect on 25 May 2018. DPA version 2.0 specifically addresses GDPR changes. We have also opted-in to G Suite EU Model Contract Clauses (MCCs).

Confidentiality of treatment and personal information

- ensuring that personal files and records and financial information are kept confidential, and only shared with the consent of the person concerned. Discussions about a person’s well-being, treatment and any personal information take place in confidence within the team setting and with supervisors only. Confidentiality will be discussed with the client at the onset of therapy and reviewed periodically during the course of the work.

Confidentiality Statement

(This statement is included in the Wellcome Letter and a simpler version is written in the Therapy Plan)

As a rule the information which you and your child provide will only be shared with your agreement. However, there may be certain times when we may need to share information when somebody is at risk without your consent . For example:

When they need to find out urgently if a child is at risk of harm;
to help a child who is at the risk of harm;
when an adult is at risk of harm; or
to help prevent or detect a serious crime.

We always aim to communicate with you when it is important for us to share confidential information, unless we think that it will lead to increasing risks.

Privacy and Confidentiality

All service users have a right to privacy. This means that their personal information will be protected by staff of the Apricot Centre and through the processes and procedures of recording and reflecting upon confidential and personal identifying information. There are some exceptions to confidentiality and privacy for example when we believe that a child or vulnerable adult is experiencing abuse or neglect or is at risk of significant harm. We will always aim to address these issues as sensitively as possible when they arise. At such times we may need to communicate with the Police, Social Services. Care Standards Commission, Health or GP services.

Access to information relating to clients and staff will be restricted to those who need to know in order to provide safe care and working conditions for employees.
Patient Health Information will be recorded securely aiming to meet International Standards Organization (ISO) 27001. We have a Google Apps for Work account which is a package 100% compliant with (ISO) 27001. Staff wishing to record, send and receive PHI internally within ACWS or externally need to use and fully understand the following systems:

GSuite for Work account - (ISO) 27001 compliant - ACWS staff must use 2-step verification to improve security of information.
Any documents or data downloaded or backed up from Google Apps must be downloaded onto an Encrypted memory stick and not onto your hard drive. From there it can be sent as an attachment via Virtru email if necessary.
End to End Encrypted Chat service such as Whatsapp - Such services must only be used with explicit consent from clients if they are to contain confidential information. We have found the use of such services to be very helpful in providing a joined up communication around some clients or mentees.
Important note about using your personal computer - At present the use of a personal computer without signing into and using the above systems in recording, sending and receiving PHI is not secure and cannot be supported by ACWS. DO NOT USE YOUR HARD DRIVE FOR STORING ANY ACWS SENSITIVE DATA.
Your computer must have installed and up to date antivirus software
Windows computers must always be kept up to date
Turn on your windows Firewall
Use most up to date version of any browser - this helps avoid phishing attacks

Information will only be disclosed in line with the principles of good practice and recognising a service user's’ right to Privacy.
It is the responsibility of all staff to safeguard the interests of clients and their families, ensuring that confidentiality is maintained.
It is the responsibility of all staff to identify: determine and protect all information which could be regarded as confidential.
Staff are required to have a basic understanding of the data protection act before recording information of a personal nature on a personal computer.
Where confidential information is to be disposed of, it must be appropriately destroyed e.g. incinerated or shredded. Electronic Storage of confidential information should be deleted immediately, taking special care that it has not been saved on the hard drive or left on floppy disk.
Examples of confidential information include: all client information, clinical notes and correspondence. All information relating to personnel, Policies and Procedures. Financial Information Including fees/charge structures, accounts, and budgets.
Where disclosure of information and or concerns for the safety and welfare of service users may arise Apricot staff need to follow the relevant procedure: Complaints Procedures, Safeguarding Procedures, Disclosure Procedures, assessing Gillick Competence, Protection of vulnerable adults, and any other relevant policy and procedures. All information asked for by family or professionals visiting or requesting information over the phone or via email must be relevant to the particular service user and only after checks have been made regarding the authenticity of the person making enquiries.

Requests for Freedom of Information (FOI)

Members of the public are entitled to request

If the information you want is not publicly available, you can submit a FOIA request to the agency's FOIA Office. The request simply must be in writing and reasonably describe the records you seek. Most federal agencies now accept FOIA requests electronically, including by web form, e-mail or fax.

The Freedom of Information Act 2000 provides public access to information held by public authorities. It does this in two ways: public authorities are obliged to publish certain information about their activities; and. members of the public are entitled to request information from public authorities.

Your main obligation under the Act is to respond to requests promptly, with a time limit acting as the longest time you can take. Under the Act, most public authorities may take up to 20 working days to respond, counting the first working day after the request is received as the first day.

Subject Access Requests (SARs)

Please note: The following information has not been updated since the Data Protection Act 2018 became law. This ACT implements the EU’s General Data Protection Regulation (GDPR). The Apricot Policy will be updated soon to reflect recent changes.

The Apricot Centre CIC will work closely with the rights and duties as set out in sections 7-9A of the Data Protection ACT (DPA) referred to as ‘the right of subject access’. A SAR is a written request made by or on behalf of an individual for information which he or she is entitled to ask for under section 7 of the DPA. This request can come in any form.

The Apricot Centre CIC will respond to any requests received within 20 days of the request.

NB: Some key points with reference to Parents and Children requesting information are below:

Parents – Parents who seek disclosure of confidential information about their child should not be given access to any records of a child who was competent at the time the record was made without the consent of the child. (Offering children confidentiality: Law and guidance. The children’s legal centre)
Children – Children or young people who have had a confidential relationship with you may demand access to your records of working with them, whether for legal purposes, criminal injuries compensation, or for personal reasons. You are required to release your records or it may result in court action. However, personal notes made by you for professional purposes are regarded as belonging to the therapist and need not be disclosed. (Offering children confidentiality: Law and guidance. The children’s legal centre)

Requests for Disclosures of Information by Police and Other Agencies

Except under certain circumstances confidential information about a child should not be released to other agencies or individuals without the consent of the child, unless the protection of the child or a third party are at stake. However the Apricot Centre CIC asks all staff to work and discuss openly each individual case with management and in supervision.

Police - There is no duty to disclose to the police (even if a child has committed a criminal offence. Therapeutic records are protected from seizure by police by section 11 (1) of the Police and Criminal Evidence Act 1984 (PACE). In order to access this material the police must apply to a circuit judge under section 9 and schedule 1 of PACE, who can order the material be produced or issue a search warrant.
Social Services – “If a child protection conference is called in relation to a particular child, each professional will have to decide to what degree he or she will cooperate with the conference and the extent to which any confidential information relating to the child should be released. It is our view that a breach of confidentiality, without the consent of a competent child, would be ‘unreasonable’ and the professional would be justified in refusing to provide any confidential information.” (Offering children confidentiality: Law and guidance. The children’s legal centre)
School Records – Where treatment records are kept on the school record it may be requested by a child or by their parents. Information can only be withheld if it might result in harm to the physical or mental health of the pupil or other pupils (but not teachers), or forms part of a court report. A child cannot prevent their parents from viewing these records. This may be important to consider when writing assessments and therapeutic reports under these circumstances.
Courts – “In both criminal and civil proceedings, court intervention can override the confidential relationship. A court order to disclose information may be justified in the public interest, or where there is a statutory duty to disclose information, or on order of the court… In civil proceedings, a ..professional can be compelled to attend court by a witness summons (County Court), or a subpoena (High Court)” (Offering children confidentiality: Law and guidance. The children’s legal centre) Travel, subsistence, and compensation for loss of earnings can be claimed on the conclusion of the case.

“Professionals should be aware that it may be possible to prevent breach of confidentiality in court if it can be argued that the disclosure of personal information is not in the public interest. However, the circumstances in which public interest immunity can be used are limited, and legal advice should always be sought.” (Offering children confidentiality: Law and guidance. The children’s legal centre)

Data Retention and Data Destruction

The Apricot Centre CIC Wellbeing Service operates according to the GDPR storage limitation period ensuring that data is not kept for longer than it is needed. Retention periods are determined according to insurance, legal, accountability and valid reference purposes.

Retention Period - How long ACWS keeps Service User records

	Archiving Period	Retention Period	Disposal Method
Personnel Data	Archived as soon as practitioner leaves service	Retained for 6 years after leaving service	Digital information deleted. Physical information securely destroyed or shredded
Complaints Records	Archived within a year after the complaint is closed	Retained for 6 years after complaint closed, for legal and insurance reasons.	Digital information deleted. Physical information securely destroyed or shredded
Procurement Records			Digital information deleted. Physical information securely destroyed or shredded
Referral Information for Unopened cases - (N.B. Referral information for opened cases remains part of the Service User Records - see below)		Referral information and associated documents or unopened cases will be deleted or physically shredded/destroyed within 6 months of the referral being lost. If on review there is the possibility of the referral being reopened this period may be extended a further 6 months.	Digital information deleted. Physical information securely destroyed or shredded
Practitioner Process Notes - Contain detailed information of what happens or is discussed in sessions. These are often in paper form.		Practitioners are asked to shred or otherwise destroy process notes within a short period of time, for example, after they have been used or supervisory purposes. No more than 6 months	Physical information securely destroyed or shredded
Adult (only) Service User Clinical Record & Service User Records Service User information including Clinical Notes/Records - Contain information about the basic clinical details of therapeutic or mentoring sessions. These are stored on our SuiteCRM system, and occasionally in a client folder on GDrive.		Adult Clinical notes are kept for up to six years as this is the timeframe within which someone can take legal action against their therapist after therapy has ended. For Service Users who have no capacity to take an action within the timeframe (severe mental health problems, etc.). If evidence is convincing, the court may allow a case to proceed even after the deadline has elapsed as it has discretion to do so.	Digital information deleted. Physical information securely destroyed or shredded
Young Persons Service User Clinical Record & Service User Records Service User information including Clinical Notes/Records - Contain information about the basic clinical details of therapeutic or mentoring sessions. These are stored on our SuiteCRM system, and occasionally in a client folder on GDrive.		Young Person’s Clinical notes are kept for six years after their eighteenth birthday. Clinical Notes for For Service Users who have no capacity to take an action within the timeframe (severe mental health problems, etc.). If evidence is convincing, the court may allow a case to proceed even after the deadline has elapsed as it has discretion to do so.	Digital information deleted. Physical information securely destroyed or shredded

Reviews of Policies

All of our policies will be reviewed and updated annually (see latest update version details at bottom of each page)

This policy/document was reviewed by:

Signed Date 19th July 2018

Position Service Manager

Signed ………………………..…………… Date …………………….…………

Position ………………………………………………………………….

Previous revision date - July 2021

Last reviewed - 21/08/2024

The next revision date is: August 2027

Page of

AC & ACWS Information Policy & Procedures – previously reviewed 07/12/2022