Data Protection Policy 2020

Date: July 2020

Review Date: October 2022

Contents

Introduction
Policy Statement
Policy Detail
Appendix A General Information
    Rights of the Data Subject
    The Public Interest Disclosure Act 1998
    The Freedom of Information Act 2000
    The Human Rights Act 1998
Appendix B Sensitive Data
Appendix C Notification
Appendix D Data Protection Notice
Appendix E Use of Mailing Lists

Introduction

The Data Protection Act 1998 sets out basic principles that any data controller, that is, any person or organisation controlling the use of personal data, must adhere to.

Any person who processes personal data must comply with the eight enforceable principles of good practice that personal data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the Data Subject’s rights;
  • kept secure; and
  • not transferred abroad without adequate protection.

Personal data covers both facts and opinions about a living individual and can be any type of material including text, photographs, video or audio.

This policy is intended to assist staff in complying with the requirements of the Data Protection Act 1998 (DPA) and its related legislation:

  • the Freedom of Information Act 2000 (FOIA)
  • the Human Rights Act 1998 (HRA)
  • the Public Interest Disclosure Act 1998 (PIDA)

Policy Statement

It is the policy of Children First Derby that it will hold all personal data in accordance with the principles and requirements of the Data Protection Act 1998 and other relevant legislation.

All managers are committed to maintaining procedures that will ensure the unbiased processing of data relating to individuals (data subjects) and to raising awareness within the organisation of data protection issues.

Every member of staff and every volunteer is responsible for taking precautions to ensure the security of personal information and to prevent unlawful disclosure.  This applies:

  • when it is in their possession
  • when they are allowing access to it by another person or organisation
  • when they are transferring it to another person or organisation

Information covered by this policy

Personal data is any information that can identify the living individual that it is about.  It may take any of the following forms:

  • Computer documents;
  • Data processed by computer or other equipment, for example text, images, video or audio;
  • Information in some forms of structured manual records including photographs.

Policy Detail

  • The Chief Executive and Trustees will review this policy for its effectiveness at least once a year.
  • The Chief Executive will advise and consult on all aspects of personal data protection, including disclosure and security.
  • The Chief Executive will also regularly perform internal audits of Children First Derby's information systems to maintain compliance with the Data Protection Act. The Trustees will determine the frequency of auditing.
  • Children First Derby will issue and maintain guidelines on:
    a) the secure storage of data;
    b) permissible disclosure of personal data: whether Children First Derby will disclose it, how it will disclose it and how it will make the data subjects aware of this;
    c) how long the various data records will be retained; and
    d) how personal data will be destroyed after the retention period.
  • Any person who is engaged in processing personal data will have training in awareness of data protection requirements.
  • Children First Derby will maintain a separate procedure for handling subject access requests.
  • Children First Derby will maintain a separate procedure to deal with data subject requests to correct or erase inaccurate data.
  • Children First Derby will maintain a separate procedure for dealing with employment references, according to the eight data protection principles, specifically that references are adequate, relevant and not excessive and that they are accurate.
  • Children First Derby will maintain a separate procedure that specifies what constitutes sensitive data and how it will obtain consent to process it. Also, senior management will specify any additional measures to be taken to safeguard sensitive personal data.
  • There will be a condition in all Children First Derby employment contracts, agreements and job and role descriptions to the effect that individuals must abide by the statements made in this policy.
  • Failure by an individual to follow this policy will be dealt with in accordance with internal disciplinary measures.

Appendix A - General Information

Rights of the data subject

The data subject has the following rights:

  • to access the information that they are the subject of;
  • to prevent processing likely to cause damage or distress;
  • to take action for compensation if they suffer damage as a result of any breach of the Act;
  • to take action to rectify or destroy inaccurate data;
  • to consent or to withhold consent;
  • to opt out of direct marketing;
  • to restrict automated decision making; and
  • to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.

On written request from the data subject and the payment of the fee (a maximum of £10.00), the data controller is obliged to supply (and give the data subject a copy of the data):

  • a description of the data;
  • the purpose for which it is being held;
  • the source of the data; and
  • details of the person(s) they will or may disclose the data to.

The data controller must supply everything held at the time of the application within 40 days.

The Public Interest Disclosure Act 1998

The Public Interest Disclosure Act 1998 is an Act which protects workers who blow the whistle about wrongdoing in the workplace.  It mainly takes the form of amendments to the Employment Rights Act 1996, and makes provision about the kinds of disclosures which may be protected, the circumstances in which such disclosures are protected and the persons who may be protected.

Confidences must be respected so far as is possible, with due regard to the individual's rights to privacy under data protection and human rights legislation.  However, a person who is under inquiry is entitled to know the nature of the allegations being made and any person criticised as a result of an inquiry has a right to be told the nature of the evidence upon which the criticism has been based.

The Freedom of Information Act 2000

The Freedom of Information Act 2000 is designed to change the default position from the need to know to the right to know.  The Act is intended to promote a culture of openness and accountability amongst public authorities by providing people with rights of access to the information held by them.  It is expected that these rights will facilitate better public understanding of how public authorities carry out their duties, why they make the decisions they do and how they spend public money.

Section 40 of the Act sets out an exemption from the right to know where the information requested consists of personal data.  It can be summarised as follows:

  • If the personal data is about the person requesting the information, then there is no right to know under the Freedom of Information Act. However, any such requests automatically become subject access requests under the Data Protection Act and must be treated as such.  This means that despite the exemption under the Freedom of Information Act, the applicant has a right to his or her information under the Data Protection Act.
  • If the personal data is about someone other than the applicant, there is an exemption if disclosure would breach any of the Data Protection Principles.

The Human Rights Act 1998

The Human Rights Act came into force on 2 October 2000 and incorporates into UK law certain rights and freedoms set out in the European Convention on Human Rights.  Article 8 states:  "Everyone has the right to respect for his private and family life, his home and his correspondence."  The right to privacy also includes the right to have information about individuals, such as official records, photographs, letters, diaries and medical information, kept private and confidential.  Unless there is a very good reason, public bodies should not collect or use such information.  Consequently, the principles of Article 8 are reflected in the legislation concerning data protection and the interception of communications.

Appendix B - Sensitive Data

There is now increased protection for what is termed sensitive data.  This is information on:

  • racial or ethnic origin;
  • political opinions;
  • religious or other similar beliefs;
  • membership of a trade union;
  • physical or mental health condition;
  • sexual life;
  • commission or alleged commission of any offence; and
  • court proceedings.

Sensitive data can be processed provided that:

  • the data subject has given their explicit consent;
  • it is a legal requirement of the subject’s employment;
  • it is necessary to protect the vital interests of the subject;
  • it is carried out by certain non-profit bodies established for political, philosophical, religious or trade union purposes;
  • it is necessary for legal proceedings;
  • it is necessary for medical purposes;
  • it is necessary for monitoring equal opportunities;
  • the Secretary of State has given consent;
  • it is necessary for the prevention or detection of any unlawful act;
  • it is necessary for the provision of services such as confidential counselling or advice; and
  • it is necessary for insurance or occupational pension scheme contracts.

The list is not exhaustive and new categories can be added by way of statutory instrument.

Appendix C - Notification

The process of registering is called notification.  It is a requirement of the Data Protection Act and it is an offence to process personal data without notifying the Information Commissioner.  Notification will be carried out by the Data Controller and will contain details of:

  • name and address;
  • similar details for a nominated representative;
  • details of the personal data to be processed;
  • the relevant categories which are applicable;
  • details of the purposes for which the data is being processed;
  • description of possible recipients of the data; and
  • details of the possible transmission of data outside the EEA.

Appendix D - Data Protection Notice

The following form is a sample data protection notice, which must be part of any data collection form.

It can be tailored to meet the needs of the data collection form; for example, the signature at the bottom of the form may not be necessary.

Data Protection Notice

Children First Derby is the data controller for the purposes of processing personal data and complies with the Data Protection Act 1998.

Children First Derby will hold personal data for the purpose of ……….. (for example, providing you with requested products or services) and will keep personal data only for as long as is necessary.

We will not provide information about you to other organisations, agencies or groups for marketing purposes. We disclose information about you only with your consent, or if we are required to do so by law.

Children First Derby will make every effort to ensure that your personal data is kept secure against:

  • loss;
  • unauthorised access;
  • disclosure; and

You can request a copy of the details that we hold about you.  We may charge a fee of £10.00 if the administration workload is significant.  Please use the contact details below.

I confirm that I have read the above Data Protection notice.

Name:

National Insurance number:

Signature:

Date:

(Note: If mailing lists are to be used, we must offer an opt-out: see next appendix.)

Appendix E - Use of Mailing Lists

Any data that Children First Derby collects in order to create and maintain a mailing list must comply with the eight data protection principles (see Section 1 - Introduction).

In particular, the data subjects whose personal data will be stored in the mailing list must:

  • be made aware that their personal data is held in the mailing list;
  • be made aware for what purpose(s) the mailing data will be used; and
  • be given an opportunity to opt out of inclusion in the mailing list.

As an example, the following could be used:

You can opt out of having your personal data held by us by ticking this box:  [ ]

For example, you can provide us with a job title instead of your name, but please consider the implications.  It might not be possible to contact you for the above purposes if your name is part of your email address and we have to remove it.