Data Protection & Information Management Policy

1. Introduction

This policy, including the appended Information Handling Principles, applies to all staff, trustees, visitors and contractors, and to any other individual who processes personal data on behalf of WYMS.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18) apply to all organisations that handle personal data about living individuals and aim to ensure that any personal or sensitive data about an individual is used appropriately. All employees are responsible for compliance with the UK GDPR, which has applied in the UK since 25 May 2018 (originally as the EU GDPR, retained in UK law as the UK GDPR from 1 January 2021).

2. Purpose

This document summarises the procedures that WYMS have in place to ensure that all data processed and handled on behalf of WYMS is compliant with the principles set out in the UK GDPR, that it is used only by those with a specific need to do so, and that it is kept safe and secure. This policy applies to data held both in paper and in electronic format.

If WYMS ICT equipment is used, the ICT User Policy should be read in conjunction with this policy, as it contains specific guidance on keeping data secure and managing personal data so that WYMS is compliant with the principles of the UK GDPR.

3. Processing Data

3.1 Obtaining personal data

As an organisation we need to be clear about what information we request and the purposes for which it is used. In doing this we must ensure that families or other individuals who may disclose personal information are clear about the reasons we are obtaining information about them. This means that:

  • We must have a lawful basis for processing personal data.
  • We must not deceive or mislead anyone.
  • We must advise individuals that the data is being obtained on behalf of WYMS, and why and how it will be used.
  • If we receive information of which third parties are the subject, we must advise those third parties if we are to process it.
  • If we want to use special category data (for example, data relating to ethnicity, religious beliefs or health), we must obtain the data subject’s explicit consent or have another lawful basis together with an applicable special category condition for holding it.

To comply with the above, privacy notices should be made available to the individual when we obtain their data. Reference to the Privacy Policy on the website will often be sufficient, but in some circumstances (for example, for certain grant or support services) a more specific notice may be needed.

3.2 Holding personal data

Under the UK GDPR all individuals processing data on behalf of WYMS have a duty to ensure that all personal information held, whether manually or electronically, is processed properly. This means that:

  • We may only use it for the purpose(s) for which it was originally obtained; if we want to use data for an additional purpose, we must obtain consent.
  • Consents must be registered, evidenced as appropriate, version controlled and managed in accordance with the rights of the individuals. This applies to, but is not limited to, opt-ins on websites, terms and conditions for grant schemes and verbal scripts that form the basis of our consents.
  • We must take good care of it and ensure that security measures are implemented, as outlined in the Information Security Policy and detailed in:
      • the ICT User Policy, in terms of how you use business systems and hardware;
      • the Building Security Policy, in terms of your obligations regarding visitors, locking doors and windows, and key holder responsibilities;
      • the Information Security: Clear Desk Policy, to ensure information is stored securely overnight and the minimum of personal information is left in open space at any time.
  • We must use all the information we receive fairly and handle the data in a way that an individual would reasonably expect. The Data Classification Procedure requires documents to be marked so that the information is handled appropriately according to its sensitivity.
  • We must ensure that any information held is adequate, relevant, not excessive, accurate, up to date, and not held longer than necessary. The Data Retention Procedure must be followed when destroying data; the Information Asset Register details the retention period for each data set.
  • We must only access personal data when authorised to do so, and only access the files necessary for the task.
  • We must not disclose personal data to anyone who is not authorised to have it.
  • We must not hold personal data, or allow it to be processed, outside the UK without appropriate safeguards (for example, a UK adequacy regulation, which covers the EEA, or the UK International Data Transfer Agreement).

Specific principles on handling individuals’ data are appended to this document. Adherence to these principles is mandatory in meeting the requirements of this Data Protection Policy.

3.3 Disclosing personal data

It is important that we are clear about what information we can disclose, and to whom. The following points should be considered:

  • Check that the disclosure is consistent with the purpose for which the data is held.
  • Check that the person you are disclosing the information to is authorised to have it.
  • Check that the data subject is aware that this type of disclosure is possible, or that there is an overriding reason for disclosure (such as a legal obligation).

Anyone disclosing personal information without the authority of the organisation may commit a criminal offence, unless there is some other legal justification, for example under ‘whistle-blowing’ legislation.

Information may be disclosed to a third party (for example, a social worker) if there is a safeguarding or protection issue, and may only be disclosed by a member of the management team. A record of all information disclosed will be kept.

3.4 Rights of individuals in respect of their data

Under the UK GDPR an individual has the right to see a copy of the personal data that we keep about them, as set out in the Requests for Information section below, and to require us to correct any inaccuracies, subject to certain exemptions. In some circumstances they may also have the right to:

  1. Request that we erase any personal data held about them.
  2. Restrict our processing of their personal data (for example, to ask us to suspend the processing of personal information while its accuracy or the reasons for processing it are established).
  3. Request data portability (for example, the transfer of their personal data to a third party); and
  4. Object to our processing of their personal data.

Any such requests should be referred to the Audit and Compliance Department immediately.

3.5 Information that is not personal information but is confidential to WYMS

The Data Classification Procedure defines categories of data according to the level of confidentiality inherent in that data. Information does not need to be personal information to be confidential, and the guidelines contain many examples to illustrate this. Documents such as commercial contracts or strategic plans may carry a high level of confidentiality, and as a result the storage, transmission and sharing of that data will often require the same diligence as handling sensitive personal data. The Information Handling Principles appended to this policy apply to such data; if you are in doubt about how you should use or store this data, consult the Audit and Compliance Department.

4. Requests for Information

The UK GDPR gives people the right to access their personal information; this is referred to as a Subject Access Request (SAR). It is essential that the business operates as defined by the SAR Guidance. Key points to note include:

  • A request is valid in any form it is given. A verbal request is equal to a written one.
  • A request does not have to include the phrase 'subject access request' or reference Article 15 of the UK GDPR, as long as it is clear that the individual is asking for their own personal data.
  • Audit and Compliance fulfil requests and should be notified of a request without delay.
  • The response must be provided without undue delay and at the latest within one month of receipt of the request (this may be extended by up to a further two months where the request is complex or the individual has made a number of requests, provided the individual is told of the extension within the first month).
  • An individual is entitled to all personal data that we hold about them. It is essential that notes are only made on the file that you would be happy for the individual to read; opinions should be avoided and recorded only if absolutely necessary.
  • Failure to comply with a request is a breach of the UK GDPR and may result in enforcement action by the ICO.

Refer to the Subject Access Request Guidelines or to dataprotection@familyfund.org.uk for further information relating to requests for families’ information.

5. Staff

WYMS will provide appropriate data protection training to all staff as part of their induction and through ongoing updates and training as required.

The UK GDPR is relevant to personal information about all living individuals, including staff. Failure to comply with the UK GDPR, for example through unauthorised, inappropriate or excessive disclosure of, or obtaining of, information about individuals, will be regarded as serious misconduct and will be dealt with in accordance with WYMS’s disciplinary policy and procedure. If an employee is in a position to deal with personal information about other employees, they will be given separate guidance on their obligations, either in the form of:

  • departmental procedures that they must follow in their role, or
  • where employees are also applicants, the Information Handling Principles, which form part of, and are set out at the end of, this Policy.

In line with our environmental policy, staff are encouraged not to print documents and/or information unless required, particularly where the document may contain sensitive information.

Staff working from home.

When an employee leaves WYMS, they will be reminded of their ongoing confidentiality obligations, must hand back all equipment, and will have their system access removed in accordance with the Leavers Process.

6. Breach Notification

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. A breach can be the result of either accidental or deliberate causes.

A data security breach can happen for several reasons:

  • Loss or theft of data or equipment on which data is stored.
  • Inappropriate access controls allowing unauthorised access.
  • Equipment failure.
  • Human error, such as sending an email or letter to the wrong recipient.
  • Unforeseen circumstances such as a fire or flood.
  • Hacking attack.
  • Offences where information is obtained by deceiving (‘blagging’) the organisation that holds it.

The above list is not exhaustive, and circumstances where data has been lost or compromised must be considered case by case.

We have a legal obligation to report a breach to the ICO within 72 hours of becoming aware of it, if the breach is likely to result in a risk to the rights and freedoms of the individual(s) involved. If the breach is likely to result in a high risk to the rights and freedoms of the individual, we also have an obligation to notify the individual concerned without undue delay.

If you become aware of a breach, you should ensure it is reported to your line manager and the Data Protection Officer immediately. The breach will be investigated, contained and reported in accordance with the Breach Management Procedure, which also includes more detailed guidance on what constitutes a data breach.

7. Risks to the Business

Failure to comply with this policy may cause a breach of the UK GDPR which, as well as leaving WYMS open to substantial fines or ICO enforcement action, may also cause:

  • A risk of harm to the individual whose data we hold.
  • A risk of fraudulent activity by employees or third parties.
  • A breach of agreements with our partners which require us to process data in accordance with the regulation.
  • An inability to use the data obtained to its full potential.
  • Damage to reputation, leading to a loss of confidence in the services provided; and/or
  • Potential censure or sanctions from other regulatory bodies (for example, the Charity Commission or the Fundraising Regulator).

8. Information Security

To ensure that information security is maintained at all times, WYMS operate the following protocols.

  • Access to the building is restricted by door entry systems, and all staff and visitors are required to sign in and out.
  • A clear desk policy ensures that any documentation/information is filed away at the end of each working day.
  • All PCs, laptops and electronic business equipment go to sleep by default after a period of inactivity, are password protected, and have access rights limited by ICT protocols (see ICT User Policy).