Data Protection Policy


Everyone has rights with regard to how their personal information is handled. During the course of Three Case Management (Threecm or The Business) activities, client data will be collected, stored and processed.

Threecm has a professional duty to comply with relevant legislation governing the complex issue of data protection, including the General Data Protection Regulation (GDPR) 2018 (formerly Data Protection Act 1998 (DPA)) and guidance provided by the Information Commissioner's Office (ICO), Department of Health and other relevant bodies.

It is the responsibility of each individual case manager to ensure they are familiar with the relevant legislation and guidance when dealing with person identifiable data.

Other Documents for Reference

  • Threecm Consent and Confidentiality Policy
  • Threecm IT Security Policy


This policy sets forth the expected behaviours of Threecm Partners, Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to a Data Subject. This policy applies to all processing of Personal Data in electronic form (including electronic mail and documents created) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

Personal Data is defined as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

A Data Subject is defined as the identified or identifiable natural person to which the data refers. In the normal course of Threecm business, this would typically be the client that the Case Manager is representing.


Threecm has identified a single Data Controller for the business; however, each Partner and Case Manager will take first line responsibility for ensuring this policy is adhered to for their own clients.

Responsibilities of the Data Controller

  • To take primary responsibility under GDPR for ensuring compliance with the Key Principles.
  • To ensure and facilitate the exercise of Data Subjects' rights under GDPR. The Data Controller is also obligated to respond to requests from Data Subjects without undue delay and within one month of the request.
  • To act as a point of contact for, and cooperate with, Data Protection Authorities (DPAs).
  • To notify the Data Protection Authority of data breaches within 72 hours, and in some cases, the Data Subject. Data Controllers must also keep a record of any personal information breaches, regardless of whether they are required to notify or not.
  • To implement appropriate technical, procedural, and organizational measures to protect, within reason, personal information against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access.


Data Protection Principles

Who is data collected on?
Data is collected for clients under the supervision of a Case Manager. The purpose and nature of the data is defined in a Consent form, agreed and signed by the client. Other third-party organisations may form part of a collective team in the provision of services provided to an end client. No data is retained on these parties other than to contact in the provision of services they provide.

What Data is collected?
Data collected on a client is defined in the Consent form, aligned to the following principles:

Lawfulness, Fairness and Transparency
Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. Through a Consent Form agreed and signed by the client (The Data Subject) or a suitable representative, they will be informed of what Processing will occur (transparency). The Processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable Data Protection regulation (lawfulness).

Purpose Limitation
Personal Data shall be collected for specific and legitimate purposes in support of case management of ThreeCM clients and not further processed in a manner that is incompatible with those purposes.

Data Minimisation
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purpose of the Three Case Management business. This means Threecm will not store any Personal Data beyond what is strictly required.

Personal Data shall be accurate and kept up to date.

Storage limitation
Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed. However, it will be kept for a minimum of 7 years, in accordance with current ICO regulations on health record storage.

Integrity & Confidentiality
Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. Threecm must use appropriate technical and organisational measures to ensure the integrity and confidentiality of Personal Data is maintained at all times.

Why Data is collected

Data Subject Consent

Each Threecm client will obtain Personal Data only by lawful and fair means by Consent of the individual concerned.

The Threecm Consent and Confidentiality agreement, which is signed by both parties, sets out the full details, but the principles are:

  • Explaining why the data needs collecting and what it will be used for.
  • Determining what disclosures should be made in order to obtain valid Consent.
  • Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.
  • Ensuring the Consent is freely given (i.e. is not based on a contract that is conditional to the Processing of Personal Data that is unnecessary for the performance of that contract).
  • Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the Consents given.
  • Providing a simple method for a Data Subject to withdraw their Consent at any time.

When is data collected?

Each Threecm client will be asked to agree to the Threecm Consent form prior to any services being provided.

At the time of gaining consent, all appropriate disclosures will be made in a manner that draws attention to them, unless one of the following applies:

  • The Data Subject already has the information.
  • A legal exemption applies to the requirements for disclosure and/or Consent.

The disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the Data Protection Officer. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure.

Security of Data Protection

Each Threecm Entity (Partners, Case Managers, Employees and other parties engaged who use Threecm systems) will adopt physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or Processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.

Full details are in the Threecm IT Security Policy document.

Use of Third Party Storage

Threecm uses two third parties for storage of data pertaining to its Business:

Google Drive
Threecm uses Google Drive to store company documentation that may include client data. Threecm has accepted the Google Cloud Identity agreement that stipulates Threecm as the Data Controller and Google as the Data Processor, and both entities will comply with the GDPR legislation.

Qunote is used to log client activity. It is a specialist cloud-based application for specific use with the business services that Threecm provides, and it is secure and GDPR compliant.

Data Subject Requests

The Data Subject has the right to:

  • object to processing of their Personal Data.
  • lodge a complaint with the Data Protection Authority.
  • request rectification or erasure of their Personal Data.
  • request restriction of Processing of their Personal Data.
  • require Threecm to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.

All requests received for access to or rectification of Personal Data must be directed to the Case Manager, who will log each request as it is received. A response to each request will be provided within 30 days.

Transfers to Third Parties

Each Threecm Entity will only transfer Personal Data to, or allow access by, Third Parties when it is assured that the information will be Processed legitimately and protected appropriately by the recipient.

Where the Third Party is deemed to be a Data Controller, Threecm will enter into an appropriate agreement with the Controller to clarify each party's responsibilities with respect to the Personal Data transferred.

Where the Third Party is deemed to be a Data Processor, Threecm will enter into an adequate processing agreement with the Data Processor. The agreement must require the Data Processor to protect the Personal Data from further disclosure and to only process Personal Data in compliance with Threecm Data Protection and IT Security policies.