Data Collection and Privacy Policy

Document description

This document outlines our legal requirements under the General Data Protection Regulations and the processes for how Adapt (NE) meets them.

Implementation and Quality Assurance

Implementation is immediate and this policy shall stay in force until any alterations are formally agreed.

The policy will be reviewed every three years by the Board of Trustees, sooner if legislation, best practice or other circumstances indicate this is necessary.

All aspects of this policy shall be open to review at any time. If you have any comments or suggestions on the content of this policy please contact Adapt (NE), Burn Lane, Hexham, Northumberland, NE46 3HN, 01434 600599.

Introduction

Adapt (NE) is committed to providing a confidential service to its users. No information given to the organisation will be shared with any other organisation or individual without the user’s expressed permission. Individuals with learning disabilities have the same right of control over information about themselves as others. The only limit is their ability to understand the issues involved. Where this is in question, any item of concern should be discussed with the Chief Executive Officer.

For the purpose of this policy, confidentiality relates to the transmission of personal, sensitive or identifiable information about individuals or organisations (confidential information), which comes into the possession of the Adapt (NE) through its work.

Adapt (NE) holds personal data about its board members, staff, volunteers, users, members, etc. which will only be used for the purposes for which it was gathered and will not be disclosed to anyone outside of the organisation without prior permission. There are two exceptions to this.

The first exception is when it is felt that somebody (client or third party) is at risk of harm. In this circumstance, the information can be shared in line with the Protection of Children and Vulnerable Adults Policy.

The second exception is when the law has been broken, as Adapt (NE) cannot be seen to be colluding after the fact. In this circumstance, the police should be informed. Initially the issue should be discussed with the Director, who will agree actions in relation to informing the police. Written records should be kept in relation to breaking confidentiality to protect someone from harm or because you have a legal duty to inform the police that a law has been broken.

All personal data will be dealt with sensitively and in the strictest confidence internally and externally.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016 / 679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR replaces the data protection directive (officially Directive 95 / 46 / EC)  from 1995. The regulation was adopted on 27 April 2016 and applied from 25 May 2018, after a two-year transition period.

The following guidance is not a definitive statement on the Regulations,but seeks to interpret relevant points where they affect Adapt (NE). The Regulations cover both written and computerised information and the individual’s right to see such records. It is important to note that the regulations also cover records relating to staff and volunteers.

All Adapt (NE) staff are required to follow this Data Protection Policy at all times. The Chief Executive Officer has overall responsibility for data protection within Adapt (NE) but each individual processing data is acting on the Chief Executive Officer’s behalf and therefore has a legal obligation to adhere to the regulations.

Definitions

Processing of information – how information is held and managed

Information Commissioner – formerly known as the Data Protection Commissioner

Notification – formerly known as Registration

Data Subject – used to denote an individual about whom data is held

Data Controller – used to denote the entity with overall responsibility for data collection and management.  Adapt (NE) is the Data Controller for the purposes of the Act

Data Processor – an individual handling or processing data

Personal data – any information which enables a person to be identified

Special categories of personal data – information under the Regulations which requires the individual’s explicit consent for it to be held by the charity

Data Protection Principles

As data controller, Adapt (NE) is required to comply with the principles of good information handling.

These principles require the Data Controller to:

  1. Process personal data fairly, lawfully and in a transparent manner.
  2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
  3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
  4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
  5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
  6. Ensure that personal data is kept secure.
  7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.

Consent

Adapt (NE) must record service users’ explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file.

For the purposes of the Regulations, personal and special categories of personal data covers information relating to:

  1. The racial or ethnic origin of the Data Subject
  2. His / her political opinions
  3. His / her religious beliefs or other beliefs of a similar nature
  4. Whether he / she is a member of a trade union
  5. His / her physical or mental health or condition
  6. His / her sexual life
  7. The commission or alleged commission by him / her of any offence
  8. Online identifiers such as an IP address
  9. Name and contact details
  10. Genetic and / or biometric data which can be used to identify an individual

Special categories of personal information collected by Adapt (NE) will, in the main, relate to service users’ disabilities (physical, learning disability, mental health, conditions), religious / spiritual beliefs, name, contact details and commission or alleged commission of any offence. Data is also collected on ethnicity and held confidentially for statistical purposes.

Consent is not required to store information that is not classed as special category of personal data, as long as only accurate data that is necessary for a service to be provided is recorded.

As a general rule Adapt (NE) will always seek consent where personal or special categories of personal information is to be held.

It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.

If personal and/or special categories of personal data need to be recorded for the purpose of service provision and the service user refuses consent, the case should be referred to the Services Manager or Chief Executive Officer for advice.

Obtaining consent

Consent may be obtained in a number of ways depending on the nature of the interview, and consent must be recorded on or maintained with the case records:

  • face-to-face
  • written
  • telephone
  • email

Face-to-face / written: A pro-forma should be used.

Telephone: Verbal consent should be sought and noted on the case record.

Email: The initial response should seek consent.

Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a service user in relation to information needed for the provision of that service, separate consent would be required if, for example, the organisation requires to hold information undertakes a separate kind of support (e.g. Healthwatch Northumberland, room booking, advocacy for additional issues, a transport issue).

Preliminary verbal consent should be sought at point of initial contact as personal and / or special categories of personal data will need to be recorded either in an email or on a computerised record (e.g. Cygnet). The verbal consent is to be recorded in the appropriate fields on the computer record or stated in the email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.

Specific consent for use of any photographs and / or videos taken should be obtained in writing.  Such media could be used for, but not limited to, publicity material, press releases, social media, and website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age then parental / guardian consent should be sought.

Individuals have a right to withdraw consent at any time.  If this affects the provision of a service(s) by Adapt (NE) then the Service Coordinator should discuss with the Services Manager at the earliest opportunity.

The rights of an individual

Under the Regulations an individual has the following rights with regard to those who are processing his / her data:

  • Personal and special categories of personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
  • Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
  • Individuals have a right to have their data erased and to prevent processing in specific circumstances:
    • Where data is no longer necessary in relation to the purpose for which it was originally collected
    • When an individual withdraws consent
    • When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing
    • Personal data was unlawfully processed
  • An individual has a right to restrict processing – where processing is restricted, Adapt (NE) is permitted to store the personal data but not further process it. Adapt (NE) can retain just enough information about the individual to ensure that the restriction is respected in the future.
  • An individual has a ‘right to be forgotten’.
  • Adapt (NE) will not undertake direct telephone marketing activities under any circumstances.

Data Subjects can ask, in writing to the Chief Executive Officer, to see all personal data held on them, including e-mails and computer or paper files. Adapt (NE) must comply with such requests within 30 days of receipt of the written request.

Details of the Information Commissioner

Further information is available at www.informationcommissioner.gov.uk

The Information Commissioner’s office is at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Switchboard: 01625 545 700

Email: mail@ico.gsi.gov.uk

Data Protection Help Line: 01625 545 745  Notification Line: 01625 545 740