Section 2 — Organisation Data Protection Policy and Procedure
The Strettons Mayfair Trust (SMT) needs to collect personal information about people with whom it deals in order to carry out its business and provide its services. Such people include clients, employees (present, past and prospective), volunteers, members, suppliers and other business contacts.
The General Data Protection Regulations 2016 and Data Protection Act 2018 defines ‘personal data’ as any information relating to a living identified or identifiable natural person (a data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The information includes name, address, email address, date of birth, private and confidential information, sensitive information. In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or other digital media, on hardcopy, paper or images, including CCTV) this personal information must be dealt with properly to ensure compliance with the General Data Protection Regulations 2016 (GDPR) and the Data Protection Act 2018 (DPA18)
SMT is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with who it deals.
SMT is committed to providing a confidential service to its users. No information given to us will be shared with any other organisation or individual without the data subject’s prior consent/agreement.
For the purpose of this policy, confidentiality relates to the transmission of personal, sensitive or identifiable data about individuals or organisations which comes into the possession of SMT through its work.
SMT holds personal data about its staff, users, members etc. which will only be used for the purposes for which it was gathered and will not be disclosed to anyone outside the organisation without prior permission.
All personal data will be dealt with sensitively and in the strictest confidence internally and externally.
Data Protection Principles
SMT fully supports and complies with the principles of GDPR which are summarised below:
Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Personal data held must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Personal data must be accurate, complete and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
Personal data shall not be kept for longer than necessary for the purposes for which it was ed. Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by GDPR and DPA18 in order to safeguard the rights and freedoms of the data subject.
Personal data shall be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection.
A copy of personal data, which is not covered by an exemption, will be supplied to an individual on request, within 1 month of that request.
Information covered by GDPR and DPA18
DPA18’s definition of “personal data” covers any data that can be used to identify a living individual. Anonymised or aggregated data can be used, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or Email address etc. Sensitive personal data is data related to:
Racial or ethnic origin; Political opinions; Religious or other similar beliefs; Membership of trade unions; Physical or mental health or condition; Genetic data; Biometric data; Social identifiers; Metadata; Sexual life or sexual orientation; and Convictions, proceedings and criminal acts.
The Rights of Data Subjects
The right to restrict processing
The right to be informed. The right of access. The right of rectification
The right of erasure (also known as the right to be forgotten)
The right to data portability
The right to object
Rights with respect to automated decision making and profiling
Lawful, Fair and Transparent Data Processing
GDPR and DPA18 seek to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. SMT must identify its lawful basis for processing of personal data shall be lawful if at least one of the following applies;
The data subject has given consent;
The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a
contract with them;
The processing is necessary for compliance with a legal obligation to which SMT is subject;
The processing is necessary to protect the vital interests of the data subject or of another natural person; The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in SMT; or The processing is necessary for the purposes of the legitimate interests pursued by SMT, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
If the personal data in question is ‘special category data’ also known as ‘sensitive personal data’ at least one of the following conditions must also be met:
The data subject has given explicit consent;
The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of SMT or the data subject, in the field of employment, social security social protection law;
The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
The organisation is a foundation, association or other non-profit body with a political, philosophical, religious or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
The processing relates to personal data which is clearly made public by the data subject;
The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
The processing is necessary for substantial public interest reasons (with certain limits)
The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment or the management of health or social care systems or services, on the basis of EU or UK law or pursuant to a contract with a health professional subject to conditions and safeguards;
The processing is necessary for public interest reasons in the area of public health;
The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to conditions and safeguards.
Role and Responsibilities of SMT
The Chief Officer is responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, GDPR, DPA18 and any other applicable data protection legislation.
SMT will keep written internal records of all personal data collection, holding and processing, which will include the purposes for which SMT collects, holds and processes personal data, details of the categories of personal data collected, held and processed and the categories of data subject to which that personal data relates, retention periods of that personal data and descriptions of all technical and organisational measures taken by SMT to ensure security of personal data.
Provide guidance for all staff members and volunteers who handle personal data and ensure access to further support
Provide clear lines of report and supervision for compliance with data protection
Carry out regular checks to monitor and assess processing of personal data
SMT will carry out Data Protection Impact Assessments (DPIA) for any and all new projects and/or new uses of personal data.
Keeping Data Subjects Informed
SMT will provide Privacy information to every data subject where personal data is collected directly from the data subject. It will provide this information at the time of collection.
SMT will provide Privacy information where personal data is obtained from a third party, to the data subject within the prescribed time scales.
Privacy information must include:
SMT details including reference to the Chief Officer as data protection contact.
The purpose for which the personal data is being collected and will be processed and the legal basis justifying that collection and processing.
If applicable, the legitimate interests upon which SMT is justifying its collection and processing of the personal data.
Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed.
Where the personal data is to be transferred to one or more third parties, details of those parties Details of data retention.
Details of the data subject’s rights under the legislation.
Details of the data subject’s right to withdraw their consent to SMT processing their personal data at any time.
Details of the data subject’s right to complain to the Information Commissioner’s Office (ICO).
If applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it.
Details of any automated decision making or profiling that will take place using the personal data .
Employee and Volunteer Responsibilities
All employees and volunteers must:
Deliver privacy information at the time of collecting personal data if gathered directly from the data subject. If gathered from third-party privacy information should be delivered in accordance with the prescribed time limits.
No personal data may be shared informally. If an employee, agent, sub-contractor or other party working on behalf of SMT requires access to any personal data that they do not already have access to; such access should be formally requested from the Chief Officer.
Observe all forms of guidance, codes of practice and procedures about the collection and processing of personal data. All personal paper based, and electronic data must be stored in accordance with GDPR and DPA18 and must be secured against unauthorised access, accidental disclosure, loss or destruction.
All paper based, and electronic data must only be accessible to those individuals authorised to have access.
Understand fully the purposes for which the SMT processes personal data. Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the SMT to meet its service needs or legal requirements.
All paper-based records must be kept in locked filing cabinets. All information relating to service users will be left in locked drawers. This includes notebooks, copies of correspondence and any other sources of information.
Ensure the information is destroyed in accordance with the SMT Records Retention Policy) when it is no longer required.
On receipt of a request by or on behalf of an individual for information held about them the staff member will immediately notify the Chief Officer, who will respond appropriately and within time scales.
Report a suspected data protection breach immediately to the Chief Officer, who may need to report the breach to the ICO.
Not send any personal information outside of the United Kingdom without the authority of the Chief Officer or Central Services Manager.
Compliance with the policies and procedures laid down in this document will be monitored via Internal Audit.
The organisation will monitor this policy to ensure it meets statutory and legal requirements including the GDPR, DPA18, Childrens Act, Rehabilitation of Offenders Act and Prevention of Terrorism Act.
Existing and new employees and volunteers will be introduced to the Data Protection Policy and Procedure via induction and training.
They will be asked to sign their name to confirm they have read and understood the policy and procedure.
SMT is committed to effective statistical recording of the use of its services in order to monitor usage and performance. All statistical records given to third parties, such as to support funding applications or monitoring reports for the local authority shall be produced in anonymous form, so individuals cannot be identified.
Third party information, including information acquired verbally and subsequently recorded, can only be shared with clients with the explicit consent of the originator of that information. Consent should be in writing and specify exactly whom that information can be shared with. It may not always be possible to disclose to clients all information kept on file. This particularly applies to third party information, in the event that the agency or individual has not given us permission, or because an individual could be put at risk by sharing information.