Clynfyw CIC - Policy No: 44
Date Protection Policy Statement - June 2018
Clynfyw CIC policies relate to Clynfyw CIC staff, volunteers and the people we support.
They are intended to ensure we provide a standardised service which matches ‘best practice’ and enable us to fulfil our business obligations.
They are reviewed annually. We welcome constructive advice as to how they can be improved.
The purpose of this policy is to ensure that the staff, volunteers and trustees of Clynfyw CIC are clear about the purpose and principles of Data Protection and to ensure that it has guidelines and procedures in place which are consistently followed.
Failure to adhere to the Data Protection Bill 2017 is unlawful and could result in legal action being taken against Clynfyw CIC or its staff, volunteers or trustees.
The Data Protection Bill 2017 regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this Clynfyw CIC follows the eight Data Protection Principles outlined in the Data Protection Bill 2017, which are summarised below:
I. Personal data will be processed fairly and lawfully
II. Data will only be collected and used for specified purposes
III. Data will be adequate, relevant and not excessive
IV. Data will be accurate and up to date
V. Data will not be held any longer than necessary
VI. Data subject’s rights will be respected
VII. Data will be kept safe from unauthorised access, accidental loss or damage
Data will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The principles apply to “personal data” which is information held on computer or in manual filing systems from which they are identifiable. Clynfyw CIC’s employees, volunteers and trustees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
Clynfyw CIC Privacy Notice—General Data Protection Regulations 2018
Why do we collect and keep your personal information?
Clynfyw CIC, as employers, collects and uses your personal information so that we can fulfil our contract with you as the staff member. We keep personal details such as name, address, phone numbers, bank details, employment history, training records and certificates, holiday and sickness records. This information is kept for the purposes of administering your contract with us and is used by management and administrative staff.
As service providers we collect and use your personal information so that we can fulfil our contract with you as participants. We keep information we require such as personal details - name, address, phone number, care plans, council contracts, health and medical information. We require this information to provide appropriate support services at Clynfyw, for invoicing and to provide supported living in our cottages. Participant data is shared between Clynfyw, county councils and the participant’s social workers and is used by management and administrative staff.
If you contact us through our website we will ask for your name, address, phone number and email address and will give you the opportunity to opt in to receiving communications from us by email.
As supporters of Clynfyw we would like to invite or inform you of any events and activities which take place however we will only keep a record of your personal details and use them to contact you if you have given us your permission to do so. We will not share your personal information to third party organisations.
How do we collect this information?
There are two main ways that we collect this information: directly from yourselves (as employees/through the website) or indirectly from the relevant county councils or parent/guardians (participants’ data).
In certain circumstances we will collect sensitive information, such as health and medical conditions. We will only collect this information with your permission and will take extra care of it, according to the General Data Protection Regulations 2018.
How information about you is used?
The information that you provide will be processed according to the General Data Protection Regulations 2018. We will not make any disclosures to third parties for marketing purposes. Your data will be secure and confidential at all times and we will only collect the personal information that is required to fulfil a contract with you. Here at Clynfyw CIC we take your privacy seriously and will only use your personal information to administer your account and to provide the services you have requested from us.
Legal reasons for sharing information
We will share personal information with companies, organisations or individuals outside of Clynfyw CIC if we strongly believe that access, use, storing or sharing of the information is reasonably necessary to meet any relevant law, regulation, legal process or lawful governmental request; detect, prevent or otherwise address fraud, security or technical issues; protect against harm to the rights, property or safety of Clynfyw CIC, the people we support or the public, as required or permitted by law.
How long do we keep hold of your information?
We will retain the information provided to us under the terms of your contract for up to 6 years for financial records and your information will be securely disposed of once it is no longer required. If you have requested that we do not contact you by email to advise you of Clynfyw events then we shall delete your details from our mailing list.
Access to my personal information?
You can find out if we hold any personal information by making a subject access request under the General Data Protection Act Regulations 2018. To make a request for any personal information we hold you need to put your request in writing addressing it to:
Pembrokeshire SA37 0HF
Under the General Data Protection Regulations 2018, you have rights as an individual which you can exercise in relation to the information we hold about you:
The right of access – you are entitled to request access to and a copy of, information we
hold about you.
The right to rectification – you have the right to ask to have your information corrected.
The right to restrict – you may request that we stop processing your personal data however; this may delay or prevent us delivering a service to you. We will seek to comply with your request but may be required to hold or process information to comply with our legal duties.
The right to object – this is not an absolute right and will depend on the reason for processing your personal information.
The right to erasure -this is not an absolute right.
The right to data portability - this is not an absolute right.
The right to not be subject to automated decision-making and profiling.
Complaints or Queries
Clynfyw CIC endeavours to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this seriously. We encourage people to bring to our attention if they believe that our collection or use of information is unfair, misleading or inappropriate. If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office as the statutory body which oversees data protection law:
Information Commissioner’s Office
Wilmslow SK9 5AF
Telephone No: 0303 123 1113
Changes to this privacy notice.
We keep our privacy notice under regular review.
The following procedures have been developed in order to ensure that Clynfyw CIC meets it’s responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by Clynfyw CIC falls into 2 broad categories:
1. Clynfyw CIC’s internal data records; Staff, volunteers and trustees
2. Clynfyw CIC’s external data records; Members, customers, clients.
Clynfyw CIC as a body is a DATA CONTROLLER under the Act, and the Executive
Committee is ultimately responsible for the policy’s implementation.
Internal data records
Clynfyw CIC obtains personal data (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents from staff, volunteers and trustees. This data is stored and processed for the following purposes:
• Equal Opportunities monitoring
• Volunteering opportunities
• To distribute relevant organisational material e.g. meeting papers
The contact details of staff, volunteers and trustees will only made available to other staff, volunteers and trustees. Any other information supplied on application will be kept in a secure filing cabinet and is not accessed during the day to day running of the organisation.
Contact details of staff, volunteers and trustees will not be passed on to anyone outside the organisation without their explicit consent.
A copy of staff, volunteer, trustee emergency contact details will be kept in the Emergency File for Health and Safety purposes to be used in emergency situations e.g. fire/ bomb evacuations.
Staff, volunteers and trustees will be supplied with a copy of their personal data held by Clynfyw CIC if a request is made.
All confidential post must be opened by the addressee only.
Clynfyw CIC will take reasonable steps to keep personal data up to date and accurate.
Personal data will be stored for 6 years after an employee, volunteer or trustee has worked for the organisation and brief details for longer. Unless Clynfyw CIC is specifically asked by an individual to destroy their details it will normally keep them on file for future reference. The Director has responsibility for destroying personnel files.
Personal data is kept in paper-based systems and on a password-protected computer system.
Every effort is made to ensure that paper-based data are stored in organised and secure systems.
Clynfyw CIC operates a clear desk policy at all times.
Use of Photographs
Where practicable, Clynfyw CIC will seek consent from individuals before displaying
photographs in which they appear. If this is not possible (for example, a large group photo), Clynfyw CIC will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisations website or in the Newsletter.
External data records
Clynfyw CIC obtains personal data (such as names, addresses, and phone numbers) from members/clients. This data is obtained, stored and processed solely to assist staff and volunteers in the efficient running of services. Personal details supplied are only used to send material that is potentially useful. Most of this information is stored on the organisation’s database.
Clynfyw CIC obtains personal data and information from clients and members in order to provide services. This data is stored and processed only for the purposes outlined in the agreement and service specification signed by the client/ member.
Personal data is collected over the phone and using other methods such as e-mail. During this initial contact, the data owner is given an explanation of how this information will be used.
Written consent is not requested as it is assumed that the consent has been granted when an individual freely gives their own details.
Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation, in which case the Director will discuss and agree disclosure with the Chair/ Vice Chair. Contact details held on the Clynfyw CIC’s database may be made available to groups/ individuals outside of the organisation. Individuals are made aware of when their details are being collected for the database and their verbal or written consent is requested.
Only Clynfyw CIC’s staff, volunteers and trustees will normally have access to personal data. Information will only be supplied to individuals if there is a need for it. Examples would include service delivery plans, which would be supplied to staff who only support that individual rather than the staff team.
All staff, volunteers and trustees are made aware of the Data Protection Policy and their obligation not to disclose personal data to anyone who is not supposed to have it.
Information supplied is kept in a secure filing, paper and electronic system and is only accessed by those individuals involved in the delivery of the service.
Information will not be passed on to anyone outside the organisation without their explicit consent, excluding statutory bodies e.g. the Inland Revenue.
Individuals will be supplied with a copy of any of their personal data held by the organisation if a request is made.
All confidential post must be opened by the addressee only.
Clynfyw CIC will take reasonable steps to keep personal data up to date and accurate.
Personal data will be stored for as long as the data owner/ client/ member uses our services and normally longer. Where an individual ceases to use our services and it is not deemed appropriate to keep their records, their records will be destroyed according to the schedule in Appendix B. However, unless we are specifically asked by an individual to destroy their details, we will normally keep them on file for future reference.
If a request is received from an organisation/ individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for Clynfyw CIC destroy them. This work will be carried out by the Information Officer.
This procedure applies if Clynfyw CIC is informed that an organisation ceases to exist.
Personal data may be kept in paper-based systems and on a password-protected computer system. Paper-based data are stored in organised and secure systems.
Disclosure Barring Service checks
Clynfyw CIC will act in accordance with the DBS’s code of practice.
Disclosures remain the personal property of the individual at all times, and copies of DBS certificates are only made if the Registered Manager and Responsible Person is unable to witness the recordings of the certificate. In this circumstance the copy is held for no more than 3 months, and is returned to the individual for disposal.
The DBS certificate number and date of issue is entered into a database and stored on file. This is to ensure that we keep certificates up to date, and to ensure that we are able to demonstrate that we have obtained DBS certificates for our staff.
Responsibilities of staff, volunteers and trustees
During the course of their duties with Clynfyw CIC, staff, volunteers and trustees will be dealing with information such as names/addresses/phone numbers/e-mail addresses of members/clients/volunteers. They may be told or overhear sensitive information while working for Clynfyw CIC. The Data Protection Bill 2017 gives specific guidance on how this information should be dealt with. In short to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid must abide by this policy.
To help staff, volunteers, trustees meet the terms of the Data Protection Act; the attached Data Protection/Confidentiality statement has been produced. Staff, volunteers and trustees are asked to read and sign this statement to say that they have understood their responsibilities as part of the induction programme.
Compliance with the Act is the responsibility of all staff, paid or unpaid. Clynfyw CIC will regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be referred to the line manager.
Retention of Data
No documents will be stored for longer than is necessary. For guidelines on retention periods see the Data Retention Schedule.
All documents containing people will be disposed of securely in accordance with the Data Protection principles.
Policy reviewed: July 2015
Policy reviewed and updated by Jim Bowen, June 2018