Age UK Ashford is required to process relevant personal data regarding staff, clients and volunteers as part of its operations and shall take all reasonable steps to do so in accordance with this Policy. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data. In this Policy any reference to staff, clients or volunteers includes current, past or prospective staff, clients or volunteers.
Age UK Ashford has appointed Cleo Smith, Chief Executive as Data Controller, who will endeavour to ensure that all personal data is processed in compliance with this Policy and the principles of the General Data Protection Regulation (GDPR).
In collecting and processing your personal information, Age UK Ashford shall, so far as is reasonably practicable, comply with the data protection law in force at the time. This requires that the personal information we hold about staff, clients and volunteers must be:
1. used lawfully, fairly and in a transparent way;
2. collected only for valid purposes that we have clearly explained to staff, clients and volunteers, and not used in any way that is incompatible with those purposes;
3. relevant to the purposes we have told staff, clients and volunteers about and limited only to those purposes;
4. accurate and kept up to date;
5. kept only as long as necessary for the purposes we have told staff, clients and volunteers about; and
6. kept securely.
Personal data covers both facts and opinions about an individual. Age UK Ashford may process a wide range of personal data of staff, clients and volunteers as part of its operation. This personal data may include (but is not limited to): names and addresses, bank details, disciplinary and attendance records, and references.
Consent may be required for the processing of personal data unless the processing is necessary for Age UK Ashford to undertake its obligations to staff, clients and volunteers. Any information that falls under the definition of personal data, and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with the consent of the appropriate individual or under the terms of this Policy.
Age UK Ashford may, from time to time, be required to process sensitive personal data (termed "special category data" under the GDPR). This data includes medical information and data relating to age, religion, race, or criminal records and proceedings. Where sensitive personal data is processed by Age UK Ashford, the explicit consent of the appropriate individual will generally be required in writing.
Individuals have a right of access to information held by Age UK Ashford. Anyone wishing to access their personal data should put their request in writing to the Data Controller. Age UK Ashford will endeavour to respond to any such written requests within 30 days.
Age UK Ashford will also treat as confidential any reference given by Age UK Ashford for the purpose of the employment, or prospective employment, of any employee. Age UK Ashford acknowledges that an individual may have the right to access a reference relating to them received by Age UK Ashford. However, such a reference will only be disclosed if disclosure will not identify the source of the reference, or, where it would, if the referee has given their consent or disclosure is reasonable in all the circumstances.
Certain processing is exempt from some provisions of the General Data Protection Regulation, including processing for the following purposes:
• The prevention or detection of crime;
• The assessment of any tax or duty;
• Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Age UK Ashford.
The above are examples only; further information on exemptions should be sought from the Data Controller.
Age UK Ashford may receive requests from third parties to disclose personal data it holds.
Age UK Ashford confirms that it will not generally disclose information unless the individual has given their consent or one of the specific exemptions applies. However Age UK Ashford does intend to disclose such data as is necessary to third parties for the following purposes:
a) To give the minimum necessary information in the pursuance of an outstanding debt incurred by an individual.
b) To disclose information where Age UK Ashford is legally obliged to do so (eg to tax authorities).
Where Age UK Ashford receives a disclosure request from a third party it will take reasonable steps to verify the identity of that third party before making any disclosure.
Age UK Ashford will, from time to time, make use of personal data relating to staff, clients or volunteers in the following ways. Should you wish to limit or object to any such use please notify the Data Controller in writing.
1. To make use of photographic images of staff, clients and volunteers in Age UK Ashford publications and on the Age UK Ashford website. However Age UK Ashford will not publish photographs of individuals without the express agreement of the appropriate individual.
2. For fundraising, marketing or promotional purposes.
Age UK Ashford will endeavour to ensure that all personal data held in relation to an individual is accurate. Individuals must notify the Data Controller of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected.
Age UK Ashford will take reasonable steps to ensure that members of staff only have access to personal data relating to clients and volunteers where it is necessary for them to do so. All staff will be made aware of this Policy and their duties under the General Data Protection Regulation. Age UK Ashford will ensure that all personal information is held securely and is not accessible to unauthorised persons.
Preventative measures Age UK Ashford will take include, but are not limited to, the following:
• All laptops/PCs/organisational mobile phones will be password protected.
• Access to Charity Log (CRM system) is controlled and protected with a double password entry.
• We operate a clear desk policy.
• Personal data held in hard copy is locked away securely.
• Staff working off site store and transport data securely.
• Staff and volunteers are trained in data protection.
• Data protection is an agenda item at team meetings.
• Third party referrals are shared securely.
If an individual believes that Age UK Ashford has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, they should notify the Data Controller.
Subject Access Requests – Policy and Procedure
All Age UK Ashford staff and volunteers have received guidance on how to process a subject access request.
In certain circumstances the law grants specific rights to individuals. In this section "individual" includes staff, volunteers, clients and certain third parties acting on their behalf, eg the holder of a Lasting Power of Attorney (LPA). These rights are summarised below; note that they may be limited or subject to restrictions in some situations:
• Request access to personal information (commonly known as a “data subject access request”). This enables an individual to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
• Request correction of the personal information that we hold. This enables an individual to have any incomplete or inaccurate information we hold about them corrected.
• Request erasure of personal information. This enables an individual to ask us to delete or remove personal information where there is no good reason for us continuing to process or hold it. People also have the right to ask us to delete or remove personal information where they have exercised their right to object to processing (see below).
• Object to processing of personal information where we are relying on a legitimate interest (or those of a third party) and there is something about an individual’s particular situation which makes them want to object to processing on this ground.
• Request the restriction of processing of personal information. This enables an individual to ask us to suspend the processing of personal information about them, for example, if they want us to establish its accuracy or the reason for processing it.
• Request the transfer of personal information to another party.
If an individual wishes to review, verify, correct or request erasure of their personal information, object to the processing of personal data, or request that we transfer a copy of personal information to another party, please contact the appointed Data Controller – Helen Newman, Chief Executive at Age UK Ashford.
How individuals can access and update their information
If an individual would like a copy of the data we hold about them, they should send their request in writing to Age UK Ashford, Data Controller, Cleo Smith, Sanford House, Stade Street, Hythe, Kent, CT21 6BD, or email firstname.lastname@example.org. The request will be processed within 30 days. For further information on accessing data, please contact the Data Controller on 01303 269602.
No fee required
There is no fee payable to access personal information (or to exercise any of the other rights).
What we will need from the individual
We will need to request specific information from the individual to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In any circumstances where an individual may have provided consent to the collection, processing and transfer of personal information for a specific purpose, they have the right to withdraw consent for that specific processing at any time. If an individual wishes to withdraw consent, they should contact the appointed Data Controller – Cleo Smith, Chief Executive at Age UK Ashford. Once we have received notification that they have withdrawn consent we will no longer process their information for the purpose or purposes they originally agreed to, unless we have another legitimate basis for doing so in law.
Personal data breaches
All staff and volunteers have received guidance on how to recognise a personal data breach.
A response plan for addressing personal data breaches has been put in place. Any breach will be escalated to the Data Controller or a member of the senior management team. Where a breach is likely to result in a risk to individuals' rights and freedoms it will be reported to the ICO within 72 hours of Age UK Ashford becoming aware of it.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
We will hold data for seven years before it is securely destroyed or erased from Charity Log secure storage.
Age UK Ashford has carried out a Legitimate Interests Assessment and concluded that we are able to use this basis for gathering and processing data on clients and their activities. We would be unable to provide services or support clients to access them and our other activities without this information. Consent/registration forms ask clients to agree that we may hold their data and contact them with information related to the services provided by Age UK Ashford. Individuals are provided with information on how to opt out.
Roles and responsibilities:
Data Controller – Cleo Smith, Chief Officer
In the absence of the Data Controller – Ben Gosden, Services Manager.
This document is available on Age UK Ashford’s website www.ageuk.org.uk/Ashford.org.uk