Data Protection Policy
Dwellbeing Shieldfield Limited Society Number: 8571
Introduction
Policy Statement
Responsibilities
Confidentiality
Security
Data recording and storage
Data breach
Access to data
Transparency
Consent
Direct marketing
Staff training and acceptance of responsibilities Definition of terms
Privacy Statement
Policy Information
Policy Start Date: 01 May 2021
Policy Review Date: 01 May 2022
Version 1
We are committed to reviewing our policy and good practice annually.
This policy will be reviewed and updated earlier if necessary, in response to changes in relevant legislation, contractual arrangements, and good practice or in response to an identified failing in its effectiveness.
Introduction
This policy applies to all our employees, Directors (known as Stewards) and volunteers.
The purpose of this policy is to enable Dwellbeing Shieldfield Limited to:
● Comply with the law in respect of the data it holds about individuals
● Follow good practice;
● Protect Dwellbeing Shieldfield Limited’s supporters, staff and other individuals;
● Protect the organisation from the consequences of a breach of its responsibilities.
The General Data Protection Regulations 2018 regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
Data users must comply with the data protection principles of good practice which underpin the General Data Protection Regulations and best practice for Information Governance and Data Security and Protection.
Personal data must be:
● Obtained and processed fairly and lawfully;
● Held only for specified purpose;
● Adequate, relevant and not excessive;
● Accurate and up to date;
● Not kept longer than necessary;
● Processed in accordance with the Regulations;
● Kept secure and protected;
● Not transferred to countries without adequate data protection.
Dwellbeing Shieldfield Limited holds two types of information:
● Personal information –information held about individuals such as names, addresses, job titles,
● Sensitive personal information –information held about employees and volunteers such as health and disability; and service-users such as information about health and disability, safeguarding procedures etc.
This policy applies to information relating to identifiable individuals, even where it is technically outside the scope of the General Data Protection Regulations, by virtue of not meeting the strict definition of “data” in the Regulations.
Dwellbeing Shieldfield Limited has identified the following potential key risks, which this policy is designed to address:
● Breach of confidentiality (information being given out inappropriately);
● Insufficient clarity about the range of uses to which data will be put – leading to Data Subjects being insufficiently informed;
● Failure to offer choice about data use when appropriate;
● Breach of security by allowing unauthorised access;
● Failure to establish efficient systems of managing changes to our staff and volunteers, leading to personal data being not up to date;
● Harm to individuals if personal data is not up to date;
● Insufficient clarity and failure to offer choice about how personal data of staff and volunteers and others is used;
● Data protection issues in partnerships and other collaborative relationships;
● Data protection issues in relation to contractors and other external bodies;
● Data processor contracts.
Policy Statement
Dwellbeing Shieldfield Limited will:
● Comply with both the law and good practice;
● Respect individuals’ rights;
● Be open and honest with individuals whose data is held;
● Provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.
Dwellbeing Shieldfield Limited recognises that its first priority under the General Data Protection Regulations is to avoid causing harm to individuals. In the main this means:
● Keeping information securely in the right hands, and
● Holding good quality information.
Secondly, the Regulations aim to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Dwellbeing Shieldfield Limited will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
Responsibilities
Directors (known as Stewards)
The board of Directors (known as Stewards) recognises its overall responsibility for ensuring that Dwellbeing Shieldfield Limited complies with its legal obligations.
Data Protection Officer
The Designated Data Protection Person is currently Edyta Czarnecka, Administrator (dwellbeing.flourishing.together@gmail.com) who has the following responsibilities:
● Briefing the board of Directors board on data protection responsibilities;
● Reviewing data protection and related policies;
● Advising other staff on data protection issues;
● Ensuring that data protection induction and training takes place;
● Reporting data breaches to the Information Commissioners Office;
● Handling subject access requests;
● Approving unusual or controversial disclosures of personal data;
● Approving contracts with data processors;
● Ensuring signed written agreements are in place between the data Controller and the data Processors and these have appropriate data protection clauses;
● Electronic security;
● Ensuring that all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been disposed of or passed on/sold to a third party;
● Approving data protection-related statements on publicity materials and letters.
Each employee, Steward and volunteer who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed. All employees, Directors (known as Stewards) and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.
Significant breaches of this policy and breach of personal data may be handled under our disciplinary procedures.
Confidentiality
In order to provide some services, we will need to share client’s personal data with other agencies (Third Parties). Verbal or written consent will always be sought from the client before data is shared.
Where anyone within our organisation feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a manager or the Designated Data Protection Person. All such disclosures will be documented.
Security
This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.
Any recorded information on members, participants, volunteers and employees
● Will be Handled, transferred, processed and stored with the utmost care and regard and only made accessible to those with permission.
● When not being handled, transferred or processed, it will be stored in secure office facilities, locked drawers or cabinets, or secure cloud-based digital storage.
● Protected by the use of passwords if kept on computers and/or other devices and encrypted if appropriate.
● Destroyed confidentially if it is no longer needed, or if an individual request.
Access to information on the cloud-based facilities is controlled by a password and only those needing access are given the password. Employees, Directors (known as Stewards) and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.
Notes regarding personal data of participants should be shredded or destroyed.
Data recording and storage
We use secure cloud-based systems for holding basic information about participants, members and volunteers. The back-up copies of data are kept in a secure location.
We will regularly review our procedures for ensuring that our records remain accurate and consistent and, in particular:
● We will keep records of how and when information was collected;
● The storage system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data;
● All employees, Directors (known as stewards) and volunteers will be discouraged from establishing unnecessary additional data sets;
● Effective procedures are in place so that all relevant systems are updated when information about any individual changes;
● Effective procedures are also in place to address requests from Data Subjects for access to, amendments or the erasure of their information;
● Employees, Directors (known as Stewards) and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping in compliance with the GDPR;
● Data will be corrected if shown to be inaccurate or a request is made by a Data Subject.
We store archived paper records of members and volunteers securely.
Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
Data breach
All Staff, Directors (known as stewards) and volunteers are required to report any data breach to the Designated Data Protection Person, (Edyta Czarnecka, dwellbeing.flourishing.together@gmail.com) as soon as possible once they are aware it has occurred. A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed.
The Data Controller is responsible for recording and reporting any data breaches that occur across the organisation.
Less serious breaches will be recorded and listed in an appropriate place, and trends or lessons learned will be reviewed.
Serious personal data breaches will be reported by the Designated Data Protection Person (Edyta Czarnecka, dwellbeing.flourishing.together@gmail.com) to the Directors (known as Stewards) the earliest possible time, as well as reported to the ICO within 72 hours of the breach occurring if possible, and if not, informing the ICO the reasons for any delay.
Incidents that Dwellbeing Shieldfield Limited may face that constitute a data breach:
● Staff or volunteers losing data in transit;
● Staff or volunteers with access to personal information misusing it;
● Staff tricked into giving away information, either about supporters or colleagues, especially over the phone;
● Staff or volunteers accidently sending personal information to the wrong person, especially by email;
● Dwellbeing Shieldfield Limited servers/systems hacked and personal information falling it other people’s hands or made accessible online;
● Unauthorised access by staff and volunteers while working and no longer working for Dwellbeing Shieldfield Limited.
Access to data
Information and records will be stored securely and will only be accessible to authorised employees and volunteers, and the individual to whom the information relates.
All participants have the right to request access to all information stored about them. Any subject access requests will be handled by the Designated Data Protection Person within the required time limit.
Subject access requests must be in writing or by email. All employees, Directors (known as Stewards) and volunteers are required to pass on anything which might be a subject access request to the Designated Data Protection Person without delay. In accordance with the GDPR, we will provide personal data in a ‘commonly used and machine-readable format.’ We also recognise the right of the individual to transfer this information to another Controller.
Where the individual making a subject access, request is not personally known to the Designated Data Protection Person their identity will be verified before handing over any information.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.
We will provide details of information to service users who request it unless the information may cause harm to another person.
Employees have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Manager so that this can be recorded on file.
Transparency
We are committed to ensuring that in principle Data Subjects are aware that their data is being processed and,
● for what purpose it is being processed,
● what types of disclosure are likely,
● how to exercise their rights in relation to the data.
Data Subjects will generally be informed in the following ways:
● Employees: in the staff terms and conditions;
● Volunteers: in the volunteer welcome/support pack;
● Directors (known as Stewards): in the roles and responsibilities/support pack;
● Participants: when they provide their information and consent to retain it is requested, or when they request (on paper, online or by phone) services;
● Members: In the membership pack / membership process.
Standard statements will be provided to all staff for use on forms where data is collected.
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
Consent
Staff details will only be disclosed for purposes unrelated to their work for the organisation (e.g., financial references) with their consent.
Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role.
Information about participants will only be made public with their explicit consent (this includes photographs).
Membership details will only be used for processing the membership and providing the membership benefits (for example: newsletter / updates / provide details of services).
‘Sensitive’ data about participants (including health information) will be held only with the knowledge and consent of the individual.
Consent should be given in writing, although for some services it is not always practicable to do so. In these cases, verbal consent will always be sought to the storing and processing of data, and records kept of the dates, and circumstances. Online consent will be requested when participants sign up to services, donate or sign up to mailing lists. In all cases it will be documented on the database that consent has been given.
All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).
We acknowledge that, once given, consent can be withdrawn by the Data Subject at any time. There may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.
Direct marketing
We will treat the following unsolicited direct communication with individuals as marketing:
● Seeking donations and other financial support;
● Promoting any of our services;
● Promoting our events;
● Promoting membership to supporters;
● Promoting sponsored events and other fundraising exercises;
● Marketing on behalf of any other external company or voluntary organisation.
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be asked to provide their consent. We do not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.
We will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.
Staff training and acceptance of responsibilities
All employees that have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection Policy and Confidentiality Policy. All staff and volunteers will be expected to adhere to all these policies and procedures.
Data Protection will be included in Directors (Stewareds) training and the induction training for all volunteers.
We will provide opportunities for all staff and volunteers as appropriate to explore Data Protection issues through training, team meetings, and supervisions.
Definition of terms Confidentiality
Confidential information is defined as verbal or written information, which is not meant for public or general knowledge, information that is regarded as personal by users, members, Directors (known as Stewards), employees or volunteers.
Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data
One piece or a combination of information that relates to a person or a ‘Data Subject’ that could identify them, that is stored:
a) Electronically i.e., on computer, including word processing documents, emails, computer records, CCTV images, microfilmed documents, backed up files or databases, faxes and information recorded on telephone logging systems.
b) Manually i.e., records which are structured, accessible and form part of a filing system where individuals can be identified and personal data easily accessed without the need to trawl through a file.
Data concerning health
Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Data Controller
The person who (either alone or with others) decides what personal information we will hold and how it will be held or used.
Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Data Protection Act 1998
The UK legislation that provides a framework for responsible behaviour by those using personal information, which will be superseded by the General Data Protection Regulations on 25 May 2018.
Data Subject
Any living individual whose personal data is being processed. Examples include:
● employees –current and past,
● volunteers,
● members,
● apprentices,
● job applicants,
● donors,
● service users/participants,
● suppliers.
‘Explicit’ consent
Freely given, specific and informed agreement by an individual to the processing of personal information about them, leaving nothing implied. Explicit consent is needed for processing sensitive data.
Information Commissioner
Person responsible for implementing and overseeing the General Data Protection Regulations.
Notification
Notifying the Information Commissioner about the data processing activities of Dwellbeing Shieldfield Limited if required, however certain activities for not-for-profit organisations may be exempt from notification.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing
The use made of personal data including any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Designated Data Protection Person
The person(s) responsible for ensuring that we follow our data protection policy and complies with the General Data Protection Regulations.
Sensitive Data
Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
Third Party agreements
Many organisations use third parties to store/process data such as: online payments, online forums, cloud storage facilities. There should be a third party written agreement with the other organisation to confirm they are meeting the regulations. These can sometimes be found as web-based documents. The data needs to be stored on European servers to ensure they comply with GDPR.
Appendix
Appendix to Dwellbeing Shieldfield Data Protection Policy
Privacy Statement
Dwellbeing Shieldfield Limited,
70 Falmouth Road, Newcastle upon Tyne, NE6 5NT
FCA Registration Number: 8571 (Community Benefit Society)
When you request information from us, sign up to any of our services or buy things from us, we obtain information about you. We will ask for your consent to retain this information, and make it clear what your information will be used for. This statement explains how we look after that information and what we do with it.
We have a legal duty under the General Data Protection Regulations to prevent your information falling into the wrong hands. We must also ensure that the data we hold is accurate, adequate, relevant and not excessive.
Normally information we hold comes directly from you, as set out in our Data Protection Policy. Whenever we collect information from you, we will ask for your consent to collect this information and make it clear what the purpose of this collection is, for example; which information is required in order to provide you with the information, service or goods you need. You do not have to provide us with any additional information unless you choose to.
We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff in handling the information securely.
If you have signed up to a training event or other service, when you sign up, we will ask you for consent to pass your details to the professional worker/volunteer providing that service. That worker/volunteer may hold additional information about your participation in these activities. We have an agreement in place with our professional workers/volunteers or any other agents or sub-contractors which we need to disclose your personal information to our agents or sub-contractors. They will only be able to use your personal information in accordance with this agreement. In addition, we may disclose your personal information if required to do so by law, in connection with any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend our legal rights.
We would also like to contact you in future to tell you about other services we provide, to keep you informed of what we are doing and ways in which you might like to support us. You have the right to ask us not to contact you in this way and to ask us to remove the information which we hold on you. We will always aim to provide a clear method for you to consent for your information to be stored for this purpose. You can also contact us directly at any time to tell us not to send you any future marketing material or to remove your information by contacting us at, Email: dwellbeing.flourishing.together@gmail.com
You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you).
To obtain a copy, either ask for an application form to be sent to you, or write to our Designated Data Protection Person (Edyta Czarnecka, dwellbeing.flourishing.together@gmail.com) at the address given above. We aim to reply as promptly as we can and, in any case, within the legal maximum of 30 days.
Updating This Statement
We may update this privacy policy by posting a new version on this website at any time. You should check this page occasionally to ensure you are familiar with any changes.
Other Websites
This website may contain links to other websites. We are not responsible for the privacy policies or practices of any third party.
Confidentiality statement for staff and volunteers
When working for Dwellbeing Shieldfield Limited, you will often need to have access to confidential information which may include, for example:
● Personal information about individuals who are members, users of our services or otherwise involved in the activities organised by Dwellbeing Shieldfield Limited;
● Information about the internal business of Dwellbeing Shieldfield Limited;
● Personal information about colleagues working for Dwellbeing Shieldfield Limited.
Dwellbeing Shieldfield Limited is committed to keeping this information confidential to protect people and Dwellbeing Shieldfield Limited itself. ‘Confidential’ means that all access to information must be on a need to know and properly authorised basis. You must use only the information you have been authorised to use, and for purposes that have been authorised. You should also be aware that under the General Data Protection Regulations, unauthorised access to data about individuals is a criminal offence.
You must assume that information is confidential unless you know that it is intended by Dwellbeing Shieldfield Limited to be made public, for example on the online database. Passing information between Dwellbeing Shieldfield Limited and a mailing house, or vice versa does not count as making it public, but passing information to another organisation does count. You can share information about organisations where this information is already in the public realm, for example registered charities, but you should still be careful about information that can be linked to individuals (staff, volunteers, Directors (known as stewards) and users) connected with organisations. This is also in line with the Information Governance requirements of the NHS.
You must also be particularly careful not to disclose confidential information to unauthorised people or cause a breach of security. In particular you must:
● Not compromise or seek to evade security measures (including computer passwords);
● Be particularly careful when sending information outside the office;
● Not gossip about confidential information, either with colleagues or people outside Dwellbeing Shieldfield Limited;
● Not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorised.
If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.
Your confidentiality obligations continue to apply indefinitely after you have stopped working for Dwellbeing Shieldfield Limited.