In the process of undertaking our day-to-day work, CCS regularly has the need to collect and use information about people with whom we work – members, employees (current, past and prospective), trustees, clients, consultants and suppliers. This personal information must be handled and dealt with properly, regardless of how it is collected, recorded and used, and whether it is in paper form, in computer records, on a memory stick, mobile phone, laptop or iPad, or recorded by any other means.
Community Council for Somerset (CCS) regards the lawful and correct treatment of personal information as imperative to our successful operation and to maintain confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly.
The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people or they could be denied a service to which they are entitled. Trustees, staff and volunteers should be aware that they may be personally liable if they use applicants’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of the charity is not damaged through inappropriate or unauthorised access and sharing.
To this end we fully endorse and adhere to the Principles of Data Protection as set out in the Data Protection Act 1998 and General Data Protection Regulation 2018.
1. Introduction to Data Protection and GDPR
Under the Data Protection Act and General Data Protection Regulation CCS will be:
Data Controller for its own business needs and employee and client details.
Data Processor for and on behalf of the clients with whom we have agreements and contracts.
Information Commissioner’s Office registration
CCS registered with the Information Commissioner’s Office on 17 September 2012, registration No: Z3356691. The Data Protection Act 1998 requires every data controller who is processing personal data to notify, and to renew their notification on an annual basis. Failure to do so is a criminal offence.
Data privacy principles
CCS fully endorses and adheres to the data privacy principles. Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date – inaccurate data to be erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss or destruction.
- subject to the appropriate technical and organisational measures which will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- subject to assurances that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
The data controller shall also be responsible for, and be able to demonstrate, compliance with the principles.
What is personal data?
Under the EU’s General Data Protection Regulation, Personal Data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Certain data is classified under the Regulation as “special categories”:
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Data concerning a natural person’s sex life
- Sexual orientation
GDPR sets out the rights of data subjects: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making.
Any living individual has the right to make a Data Subject Access Request. The individual must confirm their identity, complete a Data Subject Access Request form and submit it to CCS. A copy of this form is available by contacting CCS using the main address or by emailing firstname.lastname@example.org
2. Handling of personal/sensitive information
We will, through appropriate management and the use of strict criteria and controls, comply with the principles of data privacy by:
- fully observing obligations regarding the fair collection, transparency and use of personal information;
- meeting our legal obligations to specify the purpose(s) for which information is used;
- collecting and processing appropriate information only in accordance with those purposes;
- ensuring the quality and accuracy of information used;
- applying strict checks to determine the length of time information is held;
- ensuring that personal data is accurate and where necessary, kept up to date;
- ensuring that personal data shall not be kept for longer than is necessary for that purpose or those purposes, and then securely destroyed;
- maintaining physical and cyber security safeguards so as to ensure adequate security of data;
- observing the rights of data subjects and responding to requests within reasonable timescales;
- ensuring that all employees, volunteers and Directors/Trustees are aware of and understand their legal responsibilities regarding data protection, including this policy;
- regularly reviewing our practices for obtaining and processing personal information.
In order to ensure that CCS handles data correctly, we have undertaken some overarching steps to secure data. These include certification for Cyber Essentials (level 1) achieved in April 2018 to provide technical cyber security controls and ongoing compliance with the NHS Information Governance Toolkit to ensure the protection of client data.
We may occasionally need to share data with other agencies such as the local authority or funding bodies – however, no personal data is ever shared (unless consent is obtained) and demonstration of our work is anonymous with no identifiable content. The circumstances where the law allows the charity to disclose data (including sensitive data) without the data subject’s consent are:
- a) Carrying out a legal duty or as authorised by the Secretary of State; protecting the vital interests of a Data Subject or other person, e.g. child protection
- b) The Data Subject has already made the information public
- c) Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- d) Monitoring for equal opportunities purposes, i.e. race, disability or religion
We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
We will ensure that personal information is treated lawfully and correctly.
Third party providers
CCS has identified third parties who either process personal data on our behalf or with whom we share data. Assurance is sought from third parties that they are compliant with DPA and GDPR requirements.
All contractors, consultants, partners, volunteers, Trustees or Directors must:
- ensure that they and all of their staff who have access to personal/sensitive data held or processed for or on behalf of us, are aware of this policy and are fully aware of their duties and responsibilities under the DPA and GDPR. Any breach of any provision will be deemed as being a breach of any contract between the Company and that individual, company, partner or firm;
- allow data protection audits by us of data held on our behalf (if requested);
- indemnify us against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
CCS does not record personal data on children under the age of 13. If information is recorded on a child over the age of 13, consent must be obtained.
Code of Conduct
Compliance with the Act is the responsibility of all CCS staff and any unlawful breach of the Act by a staff member is a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution. Staff must familiarise themselves with the data breach policy and cooperate with management to ensure that CCS can respond effectively within the 72-hour timescales.
Data security: Retention of records
The regulation requires that personal data is “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” CCS has a retention of records policy which states how long records, including personal data, need to be kept.
Clear desk policy
It is important to keep desks clear of personal data when the office is closed or desks are left unattended, to prevent unauthorised disclosure. This includes manual data but also mobile phones, memory sticks, etc.
- All personal data must be kept in a locked drawer or cabinet, and access to the keys should be restricted.
- Personal data should not be left visible on screens. PCs and laptops should be logged out and shut down when staff have finished working. Screens must be locked when left unattended, and will automatically lock after 5 minutes of inactivity.
- When manual records are no longer needed they should be shredded or moved to confidential waste, and in no circumstances left in regular waste.
- Personal data should not be left on the printer/photocopier, but should be retrieved immediately or the locked print facility should be used.
- Staff should make sure no sensitive data is visible on desks or screens when non-staff members are visiting the office.
All photos of individuals are classed as personal data and we aim to treat them securely in line with the GDPR 2018 regulation. All photos published via any marketing platform must be the property of CCS, not third-party images. Photos must have the permission of those photographed via the CCS Photo Consent form. Any photos supplied to CCS must be checked as consented before sharing. If a photo includes anyone under the age of 13, a person holding ‘parental responsibility’ must give their consent.
Data transfer and storage
Server – All personal information is stored on CCS’s cloud-based data server (where data is both secure and backed up). This service is provided by a third party – currently Cetsat. The server is backed up every weekday. Backup tapes in the office are kept in a locked, fireproof box.
Telephone – The CCS and Carers Service lines have the facility to record conversations. This will not be used without the permission of the caller.
Email – CCS uses Office 365 to exchange email, with Mimecast encryption. Staff who take referrals from Somerset County Council or the NHS send emails via CCS and NHS mail accounts or the Egress Switch platform, and not via personal unsecured mailboxes.
Emails that contain personal information must be encrypted and any attachment must be password protected. Each user will accept responsibility to ensure the correct recipient has been selected to receive the email.
PCs / laptops / other devices
Most staff are issued with CCS or NHS PCs or laptops. These require log-ins and passwords to be able to access any systems or data. Data is not to be stored on desktop PC hard drives, where it is not protected by the firewall. If this is temporarily necessary, then it must be promptly moved to the secure network and any locally stored data deleted after use. Where personal devices are used and these are shared with other users, staff must remove any personal data to prevent unauthorised access.
Do not use passwords that are easy to guess. All your passwords should contain both upper- and lower-case letters and preferably some numbers. Passwords should be strong and at least 8 characters in length.
Protect your password. Common-sense rules for passwords are:
- Do not give out your password
- Do not write your password somewhere on your laptop
- Do not keep it written on something stored in the laptop case.
Mobile telephones – CCS staff have mobile phones to contact other professionals and clients, access emails, and take photographs of forms. These require a PIN, or fingerprint security on a smartphone, to access the information. Photographs are deleted once forwarded. In the event of loss of the device, email data on Office 365 can be wiped remotely, and contact names and numbers will be blocked via the phone provider once the loss is reported.
USB memory sticks will not be used unless there is an operational requirement. If it is necessary, then only encrypted memory sticks may be used and the files must be deleted after use.
Manual records – where it is necessary to remove manual records containing personal data from the CCS office, equipment will be provided to ensure secure storage.
Overall responsibility for this policy lies with the CCS Board of Directors / Trustees and its implementation with the Senior Management Team.
This policy is reviewed annually and updated as required.