DATA PROTECTION POLICY
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it replaces the Data Protection Directive (officially Directive 95/46/EC) of 1995. The Regulation was adopted on 27 April 2016 and applies from 25 May 2018 after a two-year transition period.
The Data Protection Act 1998, which came into force on 1 March 2000, continues to apply until the GDPR applies from 25 May 2018.
The following guidance is not a definitive statement on the Regulation, but seeks to interpret relevant points where they affect Age UK North East Lincolnshire.
The Regulation covers both written and computerised information and the individual's right to see such records.
It is important to note that the Regulation also covers records relating to staff and volunteers.
All Age UK North East Lincolnshire staff are required to follow this Data Protection Policy at all times.
The Chief Executive has overall responsibility for data protection within Age UK North East Lincolnshire, but each individual processing data is acting on the controller's behalf and therefore has a legal obligation to adhere to the Regulation.
Processing of information – any operation performed on information, including collecting, recording, storing, using, disclosing and deleting it.
Information Commissioner - formerly known as the Data Protection Commissioner.
Notification – formerly known as Registration. Under the GDPR the duty to notify is replaced by the duty to keep a record of processing activities (see section 3.1).
Data Subject – used to denote an individual about whom data is held.
Data Controller – used to denote the entity that decides why and how personal data is processed and has overall responsibility for its collection and management. Age UK North East Lincolnshire is the Data Controller for the purposes of the Regulation.
Data Processor – a separate person or organisation that processes personal data on the Data Controller's behalf and on its instructions (for example, an external payroll provider). Staff and volunteers handling data under the Charity's authority act for the Data Controller rather than as Data Processors.
Personal data – any information relating to an identified or identifiable living individual, including information that enables a person to be identified when combined with other information.
Special categories of personal data – the categories of information listed in Article 9 of the Regulation (see section 1.1). The Charity's policy is to hold such data only with the individual's explicit consent.
1.1 The policy is to ensure that the staff, volunteers and Trustees working for Age UK North East Lincolnshire comply as fully as possible with the main principles as laid out in the GDPR from 25 May 2018.
Age UK North East Lincolnshire must record service users’ explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file.
For the purposes of the Regulation, the special categories of personal data cover information relating to:
The racial or ethnic origin of the Data Subject.
His/her political opinions.
His/her religious or philosophical beliefs.
Whether he/she is a member of a trade union.
His/her physical or mental health or condition.
His/her sex life or sexual orientation.
Genetic and/or biometric data which can be used to identify an individual.
Information about the commission or alleged commission by him/her of any offence is not a special category but is subject to similar restrictions under Article 10 of the Regulation, and this policy treats it in the same way.
Other information is personal data, although not special category data, where it identifies an individual, for example:
Name and contact details.
Online identifiers such as an IP address.
Special categories of personal information collected by Age UK North East Lincolnshire will, in the main, relate to service users’ physical and mental health. Data is also collected on ethnicity and held confidentially for statistical purposes.
Consent is not required to store information that is not classed as a special category of personal data, provided that another lawful basis in section 2.2 applies (for example, that the processing is necessary to provide the service) and only accurate data that is necessary for the service is recorded.
As a general rule Age UK North East Lincolnshire will always seek consent where personal or special categories of personal information is to be held.
It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.
If personal and/or special categories of personal data need to be recorded for the purpose of service provision and the service user refuses consent, the case should be referred to the Chief Officer for advice.
Consent may be obtained in a number of ways depending on the nature of the interview, and consent must be recorded on or maintained with the case records:
- A pro-forma should be used.
- Verbal consent should be sought and noted on the case record.
- The initial response should seek consent.
Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a service user in relation to information needed for the provision of that service, separate consent would be required if, for example, direct marketing of insurance products were to be undertaken.
Preliminary verbal consent should be sought at point of initial contact as personal and/or special categories of personal data will need to be recorded either in an email or on a computerised record (e.g. Charitylog). The verbal consent is to be recorded in the appropriate fields on the computer record or stated in the email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.
Specific consent for use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age then parental/guardian consent should be sought.
Individuals have a right to withdraw consent at any time. If this affects the provision of a service(s) by Age UK North East Lincolnshire then the Chief Officer should discuss with the team manager at the earliest opportunity.
1.2 All data shall be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Processed securely, protected against unauthorised access, loss or damage
- Not transferred to countries without adequate protection
Ensuring the Security of Personal Information
Unlawful disclosure of personal information
- It is an offence knowingly or recklessly to obtain or disclose personal information to third parties without the Data Controller's consent.
Service users for whom we hold personal details are asked to sign a consent form allowing us to hold such information. Consent must be freely given, so where information is strictly necessary to provide the service the Charity relies on the other lawful bases in section 2.2 rather than making the service conditional on consent; a refusal of consent is referred to the Chief Officer as set out in section 1.1.
Service users may also consent for us to share personal or special categories of personal information with other helping agencies on a need to know basis.
A client’s individual consent to share information should always be checked before disclosing personal information to another agency.
Where such consent does not exist information may only be disclosed if it is in connection with criminal proceedings or in order to prevent substantial risk to the individual concerned. In either case permission of the Chief Officer should first be sought.
Personal information should only be communicated within the Age UK North East Lincolnshire staff and volunteer team on a strict need-to-know basis. Care should be taken that conversations containing personal or special categories of personal information are not overheard by people who should not have access to such information.
1.3 For the purposes of Age UK North East Lincolnshire personal data should include:
- Information of a personal nature held on computer systems
- Information of a personal nature held in filing systems
- Information meant to be held on such systems (e.g. questionnaires or survey forms, personal files etc.)
Responsibility for the Data
2.1 The Data Controller is Age UK North East Lincolnshire, for which the Board of Trustees is ultimately accountable. Individual members of staff shall be deemed to be acting as agents for the Data Controller where and when such staff are charged with handling data of a personal or sensitive nature.
2.2 Anyone who is responsible for handling such data should ensure that at least one of the following lawful bases applies (and, for special categories of personal data, that the subject has also given explicit consent):
- The subject has given consent
- Processing is necessary to fulfil a contract to which the subject is party, or to take steps at the subject's request before entering into one
- Processing is necessary to comply with a legal obligation
- Processing is necessary to protect the vital interests of the subject or of another person
- Processing is in the legitimate interests of the Data Controller, unless overridden by the subject's rights, interests and/or freedoms
3.1 It shall be the duty of the Data Controller or the designated staff member to maintain a record of the information held, its purposes and the security measures in place (the record of processing activities required by Article 30 of the Regulation), to pay the annual data protection fee to the Information Commissioner's Office, and to respond to any enquiry from the Information Commissioner. The former duty to notify the Information Commissioner of the information held ceases once the GDPR applies.
4.1 The following has been considered in relation to security:
- Only appropriate staff should be able to access the information
- Safeguards should be in place to prevent loss or damage of the information
4.2 Staff and volunteers at Age UK North East Lincolnshire tasked with handling data should ensure that they are clear as to who should have access to the information. In addition, the following should be ensured:
- Training on data security should be provided or outsourced
- All files of a confidential nature should be secure and locked away
- Unauthorised people should not be left alone in areas where sensitive data is being handled or stored
- Any sensitive data should be secured safely before the end of the working day, as cleaning staff etc. may be in the building
- Databases, personal files and similar information held on computers should be suitably encrypted, with access limited to authorised accounts
- Any redundant information of a personal nature should be disposed of correctly: electronic files should be securely erased (simply emptying the recycle bin does not remove the data from the disk) and paper files shredded
- Backups should be kept to prevent accidental loss, and should be protected (encrypted and access-controlled) to the same standard as the live data
- Sensitive paper files should be stored in an area protected from fire hazards
- Computer systems should have suitable anti-virus and firewall software installed and kept up to date
- Training should be provided so that staff do not inadvertently delete important information
- All staff and volunteers must sign our Confidentiality Policy Document
- Staff will be asked annually to check the accuracy of personal information held on file that may be subject to change, e.g. home address
Personal Data held by Age UK North East Lincolnshire
5.1 Various data is held on staff relating to their employment with Age UK North East Lincolnshire; this will cover all aspects of recruitment, selection and employment such as the job application form, interview assessments, reference, probationary and annual reviews and supervisions, bank details and national insurance numbers, details of any deductions from pay (e.g. to the courts), sick notes and medical assessments, details of grievances and disciplinary proceedings including current warnings (within the timescale allowed by the appropriate policies), reference requests etc.
5.2 Much of this data is, by its nature, highly personal and Age UK North East Lincolnshire recognises that it is its duty to safeguard the data by all possible means, and to notify staff about what is kept and why, along with information on how the data can be accessed and by whom.
5.3 The data kept on staff is exclusively in relation to their employment with Age UK North East Lincolnshire; no unrelated data will be kept. The data that is kept will be used for the purpose of administering and managing the employment.
5.4 Most personal data is kept in individual personnel files in the Chief Officer's office in a locked cabinet.
5.5 Other data (e.g. bank details, N.I. number, deductions details) is kept in the staff member's personal file, and again this is kept locked.
5.6 A copy of this information is supplied to Smethurst and Buckton Accountants to process the wages. They act as a Data Processor on the Charity's behalf, and the Regulation requires that such processing is governed by a written contract setting out the processor's obligations.
5.7 The Chief Officer also keeps staff files covering supervision sessions plus any job-related information. Again, these are kept locked.
5.8 Computer files (e.g. supervision records, payroll details) are password-protected and secured.
5.9 Staff are entitled to see their own personnel files; to do so, they should arrange a mutually convenient time with the Chief Officer.
7.1 Age UK North East Lincolnshire recognises its duty to safeguard the data it holds on external groups and individuals. To this end, an audit of all data held is conducted annually and outdated information is disposed of.
7.2 Secure storage systems for current data include locked or password-protected storage and locked archive facilities.
7.3 Any Age UK North East Lincolnshire member is entitled to know what data is kept on her/him, why, how it is kept, and who can access it. Any Age UK North East Lincolnshire member may also see what data is kept on her/him and correct it if necessary; to do so, s/he should make a written request to the Chief Officer. All information will be copied and posted to the individual without undue delay and within one month of the request (the 40-day period under the Data Protection Act 1998 no longer applies once the GDPR applies; the one-month period may be extended by up to two further months only for complex or numerous requests, and the individual must be told of any extension within the first month).
8.1 Any questions or concerns about the implementation of the Policy should be addressed to the Chief Officer, and further information on data protection issues generally is available from https://www.gov.uk/data-protection/the-data-protection-act