Our Data Protection Policy
Langworthy Cornerstone Association (LCA) recognises the importance of the correct and lawful treatment of personal data: it maintains confidence in the organisation and supports successful operations. To deliver its services effectively, LCA must hold certain personal data about individuals in order to carry out its work and meet its legal obligations. This personal information must be collected and handled appropriately.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures.
The Data Protection Act 2018 and the General Data Protection Regulations (2018) govern the use of information about people (personal data). Personal data can be held on computer or in a manual file, and includes email, minutes of meetings, and photographs.
LCA will remain the data controller for the information it collects and holds. LCA, its members, staff and volunteers will be personally responsible for processing and using personal information in accordance with the current legislation.
All board members, staff and volunteers working with LCA who have access to personal information will be expected to read and comply with this policy. Non-compliance with this policy could result in disciplinary action, loss of job (or volunteering placement), personal fines and potentially imprisonment.
Principles
The General Data Protection Regulations set out seven key principles (Article 5(1)), which are summarised as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transporting and storing personal data, and lie at the heart of the GDPR. Compliance with the spirit of these key principles is the fundamental building block of good data protection practice and compliance.
LCA fully endorses and adheres to these principles. Employees and any others who obtain, handle, process, transport and store personal data for LCA must adhere to these principles.
Responsibilities
The LCA Board will ultimately take responsibility for the implementation of this policy and will take into account legal requirements to ensure that it is properly implemented.
LCA is currently not legally required to have a Data Protection Officer. However, a Data Protection Lead has been identified and will be responsible for ensuring that the policy is implemented and will have the responsibility:
- To inform and advise the organisation, the board and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To ensure LCA continues to be registered with the Information Commissioner and that our details remain up to date.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Staff and Volunteers are actively encouraged and supported through training and their line manager to report any concerns that they may have in order to improve both our data protection and services to users.
However, all staff and volunteers are also aware that a deliberate breach of the rules and procedures identified in this policy may result in disciplinary action being taken against them.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to legislation.
In case of any queries or questions in relation to this policy please contact the LCA Data Protection Lead: Kate Crossan, Trustee: kate.crossan@gmail.com, Sam Palmer: spalmer@respectforall.org.uk
Data collection
LCA will only collect data that is ‘necessary’ to conduct its operational and contractual requirements. It will identify the lawful basis for processing, ensure that this is communicated clearly within its privacy notices, and keep appropriate documentation of its processing activities.
When collecting data, the LCA will ensure that the Individual/Service User:
a) Clearly understands why the information is needed
b) Understands what it will be used for and what the consequences are should the Individual/Service User decide not to accept the purposes of processing
c) Where necessary, grants explicit consent, either written or verbal for data to be processed
d) Is, as far as reasonably practicable, competent enough to understand what processing would require and if necessary provide consent that has been given freely.
e) Has received sufficient information on why their data is needed and how it will be used.
Further information on the data we collect including its conditions for processing can be found within the LCA Privacy Notice.
Data Storage, Retention and Disposal
Information and records relating to service users will be stored securely and will only be accessible to authorised staff and volunteers.
Information will be stored only for as long as it is needed or required by statute, and will then be disposed of appropriately. Retention periods will be kept to a minimum and data held will be filtered annually.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The measures taken include:
- Personal data will be kept in locked filing cabinets, with access restricted to those people who have authority to access the data
- Password protection on personal information files
- Restricted access to computer files and systems
- Data, including personal data, is backed up daily and information kept off site
- Suitable encrypted attachments for sensitive personal information sent by email
Any deliberate unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
The Board and Trustees are accountable for compliance with this policy. A trustee could be personally liable for any penalty arising from a breach that they have made.
Any deliberate unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.
It is LCA’s responsibility to ensure that all personal and company data is non-recoverable from any computer system previously used within the organisation that has been passed on or sold to a third party. Any external destruction of data will be carried out under contract and to any relevant British Standard.
Data Accuracy
LCA will undertake reasonable steps to ensure data is kept accurate and up to date. This includes:
- Holding data only where necessary, in order to limit errors
- Asking data subjects whether there have been any changes to their information
- Ensuring that when inaccuracies are found that records are updated e.g. an out of date phone number is deleted from files
- Investigating and acting upon any notifications by individuals of inaccuracies.
Training
Training and awareness raising about the Data Protection Legislation and how it is followed in this organisation will take the following forms:
On induction: All new staff, trustees and volunteers will have an assessment of their understanding of Data Protection during the induction process. Following this assessment, staff will have a session outlining the Data Protection regulations, the organisation’s policy and procedures in respect of Data Protection, and their responsibilities as staff or volunteers of LCA. Staff and volunteers will be asked to sign a declaration confirming that they understand and will adhere to the policy.
Staff processing DBS applications will have additional training on the safe and secure handling of disclosure information.
General training/ awareness raising: Information will be placed around the building to remind staff of the principles of data protection. This will be in the form of simple do’s and don’ts. Staff will be reminded of their responsibilities at team meetings and in line management. Where required staff will be offered additional training as part of staff training and professional development opportunities.
LCA will ensure that:
- Everyone managing and handling personal information is trained to do so.
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do.
- Any disclosure of personal data will be in line with our procedures.
- Queries about handling personal information will be dealt with swiftly and politely.
Data Protection by Design
LCA is committed to considering data protection and privacy issues upfront in everything we do, and to integrating data protection into all our activities and practices, from the design stage right through the delivery lifecycle. This includes:
- Anticipating risk and privacy invasive events through the organisational risk register and taking steps to prevent harm to individuals.
- Considering data protection issues as part of the planning, design and implementation of systems, services and delivery. Both through broader tools and Data Protection Impact Assessments as required.
- Only processing the personal data that we need for our purpose(s), and only using the data for those purposes.
- Providing the identity and contact information of those responsible for data protection both within our organisation and to individuals.
- Ensuring that data processors can provide sufficient guarantees of the measures for data protection.
- Using ‘plain language’ policy with any public documents and privacy notices so that individuals easily understand what we are doing with their personal data.
Subject Access Request
Under legislation individuals have the right to access data held about them as well as the right to be ‘forgotten’ where there is no longer a compelling reason to continue processing.
A subject access request must be made in writing (including email) to LCA although reasonable adjustments can be made if required.
Individuals can only request access to their own data (or must provide evidence that they are legitimately acting on another person’s behalf). LCA may request proof of identity to ensure this.
LCA may request further information on or clarification of the request.
Information mentioning other people will be redacted where it is reasonable to do so, and will not be shared unless it is reasonable to do so or consent can be obtained from the relevant individual.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, LCA will send a response to this effect, together with details of an appeals process (within the next calendar month).
LCA will respond to any formal request within a calendar month. If there is a delay in obtaining the information requested then the request shall still be acknowledged within this period with an explanation for the delay and an expected date of response.
Members of the public may request certain information from statutory bodies under the Freedom of Information Act 2000. The Act does not apply directly to LCA. However if at any time we undertake the delivery of services under contracts with relevant statutory bodies we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.
If you require further information on this aspect of the policy, please contact the LCA Data Protection Lead.
Disclosure & Data Sharing
LCA may need to share data with other agencies such as local authorities, funding bodies and other voluntary agencies as part of its work.
The Data Subject will be made aware in most circumstances how and with whom their information will be shared as part of the Privacy Notice process. However, there are circumstances where the law allows LCA to disclose data (including sensitive data) without the data subject’s knowledge.
These include:
1. When required to by law – This may be as simple as providing information to HMRC for tax purposes, or if required by the police in relation to a crime.
2. Protecting vital interests of a Data Subject or other person – This includes safeguarding concerns where an individual may be at risk or in cases of medical emergencies.
3. The Data Subject has already made the information public
4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights
LCA regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
LCA will ensure that personal information is treated lawfully and correctly.
Staff or Volunteers who are unsure about whether they can legitimately disclose personal data to an individual or organisation should seek advice from their line manager or the Data Protection Lead.
Risk Management
A breach of Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled.
This policy and the supporting policies and procedures are designed to minimise the risks and to ensure that the reputation of LCA is not damaged through inappropriate or unauthorised access and sharing.
Data Protection is everyone’s responsibility; if staff or volunteers know or suspect that a personal data breach has occurred, then they should immediately contact the Data Protection Lead.
LCA makes every effort to avoid data protection incidents; however, mistakes may occur on occasion. Personal data incidents might occur through:
- Loss or theft of data or equipment
- Ineffective access controls allowing unauthorised use
- Equipment failure
- Unauthorised disclosure (e.g. email sent to the incorrect recipient)
- Human error
- Hacking attack
In the event of a breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, LCA will promptly assess the risk to the individuals concerned and, if appropriate, report the breach to the Information Commissioner’s Office (more information is available on the ICO website).
If a reportable breach has occurred LCA is required to notify the Information Commissioner’s Office as soon as possible, and not later than 72 hours after becoming aware of it.
Staff and Volunteers are actively encouraged to report any incidents or concerns that they may have in order to improve both our data protection and services to users.
However, staff and volunteers are also aware that they can be personally liable if they deliberately or maliciously use service users’ personal data inappropriately.
Related Policies
Data protection is an organisation-wide process, and this policy relates to other policies and documents within the organisation, including but not limited to the Subject Access Requests Procedure, IT Usage Policy, and Business Continuity.
Policy Review
This policy should be reviewed annually by the board.
Further information
If staff, volunteers, members of the public or stakeholders have specific questions about information security and data protection in relation to LCA, please contact the Data Protection Lead.
The Information Commissioner’s website (www.ico.gov.uk) is another source of useful information.
Appendix i – Glossary of Terms
The following list contains definitions of the technical terms we have used and is intended to aid
Data Controller – The person who (either alone or with others) decides what personal information (Langworthy Cornerstone Association) will hold and how it will be held or used.
Data Protection Act 2018 – The UK legislation that provides a framework for responsible behaviour by those using personal information.
Data Protection Impact Assessment (DPIA) – A process to help identify and minimise the data protection risks of a project.
Data Protection Lead – The person(s) responsible for ensuring that LCA follows its data protection policy and complies with legislation.
General Data Protection Regulation (GDPR) – The GDPR is the EU General Data Protection Regulation which will replace the Data Protection Act 2018 in the UK and the equivalent legislation across the EU Member States.
Individual/Service User – The person whose personal information is being held or processed by (Langworthy Cornerstone Association) if for example: a client, an employee, or supporter.
Information Commissioner (ICO) – The UK Information Commissioner, responsible for implementing and overseeing the Data Protection Act 2018.
Processing – means collecting, amending, handling, storing or disclosing personal information.
Personal Information – Information about living individuals that enables them to be identified, e.g. name and address. It does not apply to information about organisations, companies and agencies, but applies to named persons, including service users, individual volunteers or employees.
Sensitive data – refers to data about:
- race;
- ethnic origin;
- politics;
- religion;
- trade union membership;
- genetics;
- biometrics (where used for ID purposes);
- health;
- sex life; or
- sexual orientation.
Updated May 2024