Data Protection Policy
Including Key Procedures. November 2016.
The Together Plan: Registered Charity Number: 1154167
1. AIMS OF THE POLICY
The Together Plan needs to keep certain information on its staff, trustees, volunteers, donors, members, friends and beneficiaries to carry out its day to day operations, to meet its objectives and to comply with legal obligations.
The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers: all employed staff, staff volunteers, trustees, both in the UK and overseas.
In line with the Data Protection Act 1998 principles the Together Plan will ensure that personal data will:
- Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
- Be obtained for a specific and lawful purpose
- Be adequate, relevant but not excessive
- Be accurate and kept up to date
- Not be held longer than necessary
- Be processed in accordance with the rights of data subjects
- Be subject to appropriate security measures
- Not to be transferred outside the European Economic Area (EEA)
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
- Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
- Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
- Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
- Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
- Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
3. TYPE OF INFORMATION PROCESSED
The Together Plan processes the following personal information:
- Staff members and Trustees including:
- Information on applicants for posts (including references)
- Contact details, bank account number, payroll information, supervision and appraisal notes.
- Youth for Youth Volunteers in UK
- Youth for Youth Volunteers and Beneficiaries in Belarus
- Humanitarian Aid Beneficiaries in Belarus
- Prospective and Actual Financial Donors
- Other interested parties -i.e.Charity Supporters (Friends /Members), those who have actively asked to be on the charity’s mailing list.
- Personal information is kept in the following forms:
- Paper based records held at the charity office and computer based systems using secure software package Salesforce.
Groups of people within the organisation who will process personal information are:
- Employed staff,
- Trustees and other office and administrative volunteers under the supervision on the Chief Executive Officer.
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of The Together Plan, this is the Board of Trustees.
The governing body delegates tasks to the Data Controller (Chief Executive Officer) The Data Controller is responsible for:
- understanding and communicating obligations under the Act
- identifying potential problem areas or risks
- producing clear and effective procedures
- notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes
All employed staff, trustees and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in disciplinary proceedings for staff, volunteers and trustees.
5. POLICY IMPLEMENTATION
To meet our responsibilities as staff and trustees we) will:
- Ensure any personal data is collected in a fair and lawful way;
- Explain why it is needed at the start;
- Ensure that only the minimum amount of information needed is collected and used;
- Ensure the information used is up to date and accurate;
- Review the length of time information is held;
- Ensure it is kept safely;
- Ensure the rights people have in relation to their personal data can be exercised
We will ensure that:
- Everyone managing and handling personal information is trained to do so through the provision of induction requiring them to read this document and being made aware of the aspects of their role that are relevant to Data Protection legislation.
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
- Any disclosure of personal data will be in line with our procedures.
- Queries about handling personal information will be dealt with swiftly and politely.
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
On induction: the Chief Executive Officer (or delegated staff member) should list the source of documents falling within the Data Protection Act and outlining secure passwords as appropriate.
Further training should be considered as the charity grows in size.
7. GATHERING AND CHECKING INFORMATION
Before personal information is collected, we will consider: the 8 principles under which Data is gathered, retained and subsequently updated.
We will inform people whose information is gathered about the following:
- why the information is being gathered,
- what the information will be used for
- who will have access to their information (including third parties) (in most cases, this is simply stated on the form that they complete)
We will take the following measures to ensure that personal information kept is accurate:
- Giving subscribers to the charity’s mail shots the option to opt-out at anytime; and
- Engaging with subscribers and former volunteers to ensure they wish to remain part of The Together Plan’s database.
Personal sensitive information will not be used apart from the exact purpose for which permission was given.
This is information about ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, criminal convictions etc.
This information should only be captured with a specific purpose, to either help meet the needs of an individual or to explain behaviour or absence relating to sensitive personal data.
In the case of the charity’s beneficiaries, particular care should be taken to what data is captured and shared with.
8. DATA SECURITY
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
- Using lockable cupboards (restricted access to keys) as appropriate for files
- Taking Sensitive data out of the office and being held at a Trustee’s home in a secure location
- Password protection on personal information files
- Setting up computer systems to allow restricted access to certain areas
- Not allowing personal data to be taken off site (as hard copy, on laptop or on memory stick) unless deemed necessary by the Chief Executive Officer. Particularly not when travelling out of the UK.
- If personal data can be taken off site, in which forms (paper, memory stick, laptop) this must be with the consent of the Chief Executive Officer.
- Back up of data on computers to be regular and secure.
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
Any unauthorised disclosure of personal data to a third party by a volunteer or trustee may result in disciplinary proceedings.
9. SUBJECT ACCESS REQUEST
Anyone whose personal information we process has the right to know:
- What information we hold and process on them
- How to gain access to this information
- How to keep it up to date
- What we are doing to comply with the Act.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to Chief Executive Officer.
The following information will be required before access is granted: Full name and contact details of the person making the request and their former or current relationship with the organisation that should be verified.
Agree the timescale in which the charity will process the request.
Agree type of identification needed if releasing to a third party – i.e. evidence of relationship (passport/birth certificate) plus any other information deemed relevant by the Chief Executive Officer.
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request.
This policy will be reviewed at intervals of 1 year to ensure it remains up to date and compliant with the law. It will also be reviewed when new data capture is instigated through the broadening of the charity’s activities. We will use the 1st January as The Together Plan’s review date.