Data Protection Policy
Policy Statement
- Together Active is committed to compliance with the Data Protection Legislation.
- Together Active needs to process certain types of personal data (personal information) about the people with whom it deals in order to perform effectively as a charity. These people include current, past and prospective employees, service users, customers and clients and others with whom Together Active communicates. This data must be dealt with properly when it is collected, recorded, used and destroyed whether by manual or electronic means. Extra care must be taken with sensitive personal data.
- Together Active regards the lawful and correct treatment of personal information as important to the successful operation of the organisation. Numerous records and systems containing personal information exist within the organisation, and the integrity and quality of this information is paramount. The communities served by Together Active expect data to be treated in line with legislation. Any breaches of Data Protection Legislation that do take place will be dealt with in accordance with this policy.
- This policy applies to all employees and workers (both contracted and agency workers), contractual third parties, agents and representatives, volunteers, and Trustees (when acting on behalf of Together Active).
- This policy applies to all personal data processed or controlled by Together Active, in whatever format or however it is stored. This includes (but is not limited to) IT systems / databases, shared drive filing structures, email, paper records, videos and photos.
Data Protection Principles
- All Together Active staff processing personal data must comply with the Data Protection Principles which make sure that personal information is:
  - Fairly, lawfully and transparently processed
  - Collected and processed for specified, explicit and legitimate purposes
  - Adequate, relevant and limited to what is necessary
  - Accurate and up to date
  - Not kept for longer than is necessary
  - Secure and protected against loss, theft and damage.
In addition, Together Active and its staff must be able to demonstrate compliance with the principles.
Roles and Responsibilities
- Together Active is a data controller under the Data Protection Legislation.
- Senior Management (CEO and COO) – has overall responsibility for ensuring that Together Active and its staff, Trustees and volunteers comply with Together Active’s legal obligations regarding the handling of personal information and is responsible for ensuring compliance with this policy.
- Line Managers – shall promote good practice and assist Senior Management to ensure compliance with Data Protection Legislation and with this policy. They act as a referral point for the staff they represent in order to raise issues that may need to be addressed by Senior Management.
- Data Protection Lead (DPL) – is responsible for developing and keeping this policy up to date. They act as the lead advisor to Together Active regarding compliance with the Data Protection Legislation and this policy. They will ensure that compliance is monitored across Together Active and will act as the appropriate point of contact between Together Active and the Information Commissioner.
They are also responsible for the provision of day-to-day advice and assistance to Together Active employees on data protection issues, including assistance in responding to requests by individuals seeking to exercise their rights under the Data Protection Legislation.
Together Active’s Data Protection Officer is the Chief Operating Officer.
- All members of staff and Trustees who hold or collect personal data are responsible for their own compliance with the Data Protection Legislation and must ensure that personal and/or sensitive information is kept and processed in accordance with the Data Protection Legislation, and with this policy. In particular, staff must not attempt to access personal data that they are not authorised to view. Employees who fail to comply with the Data Protection Legislation may face disciplinary action which could lead to dismissal and, in some cases, criminal proceedings or prosecution.
Consequences of Non-Compliance
- An individual has the right to claim compensation for damage or distress suffered as a result of non-compliance, be it inappropriate processing or poor data quality. If an individual complains to the Information Commissioner’s Office (ICO) then the Information Commissioner is obliged to investigate in order to establish if a breach of Data Protection Legislation occurred.
- The Commissioner can serve a Data Controller with an ‘Information Notice’ requiring the Data Controller to provide certain information within set time limits. The deliberate provision of false information in response to an Information Notice is a criminal offence.
- If the Commissioner decides that there has been a breach of the Data Protection Legislation, he may serve the Data Controller with an ‘Enforcement Notice’. This may require Together Active to carry out certain steps, or refrain from taking certain steps, specified in the notice.
- The Commissioner can also prosecute those who commit criminal offences under the Data Protection Legislation, and conduct audits to assess whether an organisation’s processing of personal data follows good practice.
- The Commissioner is able to impose financial penalties on organisations for breaches of the Data Protection Legislation, including for failure to comply with Information or Enforcement Notices.
Criminal Offences
- There are a number of criminal offences under the Act. These include:
  - Obtaining or disclosing personal data, or the information contained in personal data, without the consent of the Data Controller (Together Active);
  - Procuring the disclosure to another person of the information contained in personal data without the consent of the Data Controller; and
  - After obtaining personal data, retaining it without the consent of the person who was the controller in relation to the personal data when it was obtained.
A full list of offences can be found on the Crown Prosecution Service (CPS) website.
- In addition, in relation to computer-processed information, the following are offences under the Computer Misuse Act 1990:
  - Unauthorised access to a computer;
  - Unauthorised modification of the contents of a computer; and
  - Unauthorised access with intent to commit or facilitate the commission of further offences.
Personal Interests and Connections
- In situations where a member of staff has a personal connection with the data subject (for example a service user, customer or client), they must declare this connection, and the reason for the enquiry, to their manager before any action is taken. The manager will then consider any potential conflict of interest and allocate the enquiry to an independent person if deemed necessary.
- This applies to relatives, in-laws, a spouse or partner, neighbours, friends and former or present colleagues, or any other person whose personal connection to you could be perceived as likely to affect your ability to act impartially and professionally.
- Staff should only access systems and records containing personal information that are relevant to their work/duties.
- In the event of a breach or a potential breach of data protection, from either an internal or an external source, the Data Protection Lead must be notified as soon as possible, and in any case within 24 hours. Where a member of staff reports another, protection and anonymity will be afforded to those who request it in accordance with Together Active’s Whistleblowing Policy.
- Compliance with Data Protection procedures is taken very seriously, and disciplinary action may be taken against any employee who breaches any instruction contained in, or arising from, this policy.
- Any breaches of security involving personal data must be dealt with in accordance with the guidance provided by the Information Commissioner’s Office, including reporting the breach to the Information Commissioner’s Office if necessary.
- Regardless of whether the breach needs to be reported to the Information Commissioner’s Office, the Data Protection Lead must complete a Data Breach Reporting Form, which must be stored securely.
Subject Access Requests (SARs)
- The Data Protection Legislation gives individuals the right to access personal information held about themselves by Together Active and to be supplied with a copy of that information (subject to provisions).
- SARs are co-ordinated by the Data Protection Lead.
- Data Protection Legislation specifies a one-month time limit in which to comply with such requests.
- Individuals requesting access to their records must provide details on the information they require and proof of identity.
- If a request is made through a third party acting on the data subject’s behalf, that person will need to provide evidence of their identity and proof that they are entitled to act on the data subject’s behalf. If they are a parent, foster parent or carer, acting on behalf of a child under 13 years of age, they will need to provide proof of parental responsibility (children 13 years of age or over would be expected to submit their own request).
- The Data Protection Lead may allocate the request to an appropriate staff member and will provide advice and guidance in dealing with the request.
Rectification and Erasure
- The Data Protection Legislation also gives individuals the right to have inaccurate personal data concerning them rectified, to request that any personal data concerning them be erased and to request that restrictions are placed on the processing of their personal data.
- Any such requests should be forwarded to the Data Protection Lead in order to co-ordinate a response.
Privacy Notices
- Whenever personal data is collected directly or indirectly from an individual, staff must ensure that a suitable, plain-language privacy notice is provided covering all the information required under Articles 13 and 14 of the General Data Protection Regulation.
- These notices may be posted online (with a hard copy available on request) or provided as a hard copy. Assistance and guidance on the formulation of these notices can be obtained from the Data Protection Lead.
Data Retention
- Together Active will retain personal data in line with its legal or business obligations. The retention period will be stated in the relevant Privacy Notice.
- All staff and third parties holding Together Active data should work on the principle of holding data for the minimum time required and of securely deleting or destroying it once it is no longer needed.
Embedding Data Protection within Projects
- Together Active will apply the principles of data protection by design and by default in all its projects and processes that use personal data. Staff will make sure that new projects involving significant use of personal data (whether internal or using an external third party) are reviewed via the Data Protection Impact Assessment form and process.
- Staff should seek further guidance from the Data Protection Lead if they are unsure whether an impact assessment is appropriate. Wherever possible, data minimisation and techniques such as data masking, pseudonymisation or anonymisation should be considered.
Training and Awareness
- All Together Active staff need to be aware of their own, and Together Active’s, obligations under the Data Protection Legislation. A training programme is in place for all staff to ensure they are aware of these obligations. Periodic refresher training will be provided to maintain and update staff awareness and knowledge of Data Protection requirements.
- The mandatory training will be supported by a regular programme of communications to staff.
- Managers are responsible for ensuring all members of staff take appropriate data protection training as part of their induction process.
Policy Review and Revision
- This policy will be reviewed as deemed appropriate, but no less frequently than every 2 years.
- Policy review will be undertaken by the Data Protection Lead.
Related Legislation
- Together Active has a legal obligation to comply with the following relevant legislation:
  - Data Protection Legislation
  - Computer Misuse Act 1990
  - Copyright, Designs and Patents Act 1988
  - Human Rights Act 1998
  - Freedom of Information Act 2000
  - Environmental Information Regulations 2004
  - Privacy and Electronic Communications Regulations 2003
This list is not exhaustive.
- This policy should be read in conjunction with the Technology Services Policy.
Appendix 1 – Glossary
Data Controller – A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Protection Legislation – The General Data Protection Regulation and the Data Protection Act 2018.
Data Processor – Any organisation or person (other than an employee of the data controller) who processes data on behalf of the data controller.
Data Subject – An individual who is the subject of personal data.
Personal Data – Any information relating to an identified or identifiable living individual who can be directly or indirectly identified, in particular by reference to an identifier.
Processing – In relation to personal data, an operation or set of operations which is performed on personal data, or on sets of personal data, such as:
  - a) collection, recording, organisation, structuring or storage;
  - b) adaptation or alteration;
  - c) retrieval, consultation or use;
  - d) disclosure by transmission, dissemination or otherwise making available;
  - e) alignment or combination; or
  - f) restriction, erasure or destruction.
Sensitive Personal Data – Personal data concerning: racial or ethnic origin; political opinion; religious or other beliefs; trade union membership; physical or mental health or condition; sexual life; sexual orientation; or criminal proceedings or convictions.