Community Connexions needs to gather and use certain information about individuals in order to deliver its services.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures Community Connexions:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data Protection Law
The Data Protection Act 1998 and the provisions of the General Data Protection Regulation (GDPR), effective from 23rd May 2018, describe how organisations, including Community Connexions, must collect, handle and store personal information.
The rules apply regardless of whether data is stored electronically, on paper or in some other format.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say personal data must:
- Be processed fairly and lawfully
- Be obtained only for specified, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area unless that other country also ensures adequate protection
In addition, the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
This policy applies to:
- All offices of Community Connexions
- All service users
- All staff and volunteers (including Trustees) of our organisation
- All contractors, suppliers and others working on behalf of Community Connexions
It applies to all data the company holds relating to identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Any other information relating to individuals
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number etc.
Sensitive personal data
Under the GDPR there is a special category of personal data which includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual orientation
- Genetic data
- Biometric data
- Physical or mental health or condition. As we hold medical information on some customers, this will be categorised as sensitive personal data.
Additional requirements under the GDPR
- Enhanced documentation to be kept by data controllers
- Enhanced Privacy Notices (see Appendices)
- More prescriptive rules on what constitutes consent
- Mandatory data breach notification
- Enhanced subject access rights (see separate policy on Subject Access for procedures)
- New obligations on Data Processors (e.g. OGL and CATSS)
Legal basis for processing
We may only hold data for the following reasons:
- Consent has been given (see Consent below)
- Under a contract
- There is a legal obligation
- There is a vital interest
- There is a public interest
- There is a legitimate interest
The legal basis for holding the information must be specified in the ‘fair’ notice.
Conditions for consent:
- Consent must be written in clear and plain language
- Consent must be separate from other written matters
- Consent must be freely given
- Consent may be withdrawn at any time
- Sensitive data cannot be collected unless there is specific written consent
Data Protection Risks
This policy helps to protect Community Connexions from data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately
- Failing to offer choice. For instance, all users should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data. As an organisation we will be working towards the Cyber Essentials certification with our IT provider OGL.
Everyone who works for or with Community Connexions has responsibility for ensuring data is collected, stored and handled appropriately. As we deal with personal data every day (in order to deliver our services) we are known as ‘Data Controllers’. If there is a breach of the regulations then the organisation is responsible. An individual is not personally responsible under law unless they have committed a criminal offence (e.g. deliberately disclosing data). However, a breach of the regulations (and/or this policy) may constitute a disciplinary matter.
‘Data Processors’ are third party users of our data (so this would include OGL, CATSS, GCC and partner agencies with whom we exchange data). We are responsible for what they do with our data and a compliance contract will exist between us.
Each team that handles personal data must ensure it is handled and processed in line with this policy and data protection principles.
However, these people have specific responsibilities:
- The Board is ultimately responsible for ensuring Community Connexions meets its legal obligations.
- The data controller, Paul Riddick, is responsible for:
(1) Keeping the Board updated about data protection responsibilities, risks and issues
(2) Reviewing data protection procedures and related policies, in line with an agreed schedule
(3) Arranging data protection training for staff/volunteers
(4) Handling data protection questions from staff/volunteers/partners
(5) Dealing with subject access requests (see separate policy on Subject Access requests)
(6) Checking partners comply with data protection principles
- The IT Provider, OGL, is responsible for:
(1) Ensuring systems, services and equipment used for storing data meet acceptable security standards
(2) Performing regular checks and scans to ensure security hardware and software is functioning properly
(3) Evaluating any third party services the charity is considering using to store or process data. For instance, cloud computing services.
- The Business Development Manager, Bev Hemming, is responsible for:
(1) Approving any data protection statements attached to communications such as our website, emails and letters
(2) Addressing data protection questions from journalists or media outlets
(3) Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles, ensuring specific consent has been given by data subjects.
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- Community Connexions will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure by taking sensible precautions and following the guidelines below.
- In particular, strong passwords should be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally. This includes leaving screens unlocked or drivers’ sheets lying around where family members may see them. Personal or sensitive data must not be discussed other than in the course of delivering our services.
- Drivers’ sheets contain personal data and can contain sensitive personal data. They must be kept securely and returned at the end of the relevant duty. They must not be left in public view (e.g. in the windscreen or on the passenger seat) and, when not in use, kept in the opaque plastic file provided.
- Data (especially emails) should be regularly reviewed and updated if it is found to be out of date. If no longer required it should be deleted and disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored.
The overall principle is that data should not be kept any longer than necessary for the purpose it was collected. Data must be securely deleted when it is no longer required. Any information we hold must be accurate.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These next guidelines apply to data which is stored electronically but has been printed out:
- When not required the paper or file should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media such as DVDs or memory sticks, these should be kept locked securely away when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
- Data should be backed up frequently.
- Data should not be saved directly to laptops or other mobile devices such as tablets or smart phones.
- All computers (including laptops, smartphones and tablets) and servers containing data should be protected by approved security software and a firewall.
Personal data is of no value to Community Connexions unless the charity can make use of it. However, it is when such personal data is accessed and used that it is at the greatest risk of loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should not be sent by email which is not secure.
- If data is being transferred electronically, it should be encrypted.
- Employees should not save copies of personal data to their own computers. Always access the central copy of any data.
The Purpose Limitation Principle
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Personal data shall be obtained only for one or more specified and lawful purposes
- It may not be further processed in any manner incompatible with those purposes
- Those purposes must be specified in a fair and transparent notice
The law requires Community Connexions to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated, for instance by confirming a customer’s details when they call.
- Community Connexions will make it easy for subjects to update information.
- Data should be updated as soon as inaccuracies are discovered.
Subject Access Requests
All individuals who are the subject of personal data held by Community Connexions are entitled to:
- Make a written request to see what personal data we hold about them
- Be told the purpose for which it is being processed, any recipients, the retention period and rights of rectification, erasure, restriction and objections
If an individual contacts the organisation requesting this information, this is called a subject access request. Please see the separate policy on Subject Access requests. Any such requests should be passed to Paul Riddick without delay.
Subject access requests from individuals should be made in writing (letter or email) addressed to Paul Riddick.
There will be no charge for a subject access request. The information should be supplied within one month.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing Data for other reasons
In certain circumstances, the Data Protection Act and the GDPR allow personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances the data controller will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the Board and from the company’s legal advisers where necessary.
Community Connexions aims to ensure that individuals are aware that their data is being processed and that they understand:
- How their data is being used
- How to exercise their rights
The GDPR defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Data breach notification
If a data breach occurs the ICO must be informed, where feasible, within 72 hours unless the breach is unlikely to result in a risk to individuals. There is also a requirement to notify individuals if the breach is likely to result in a high risk to the individuals affected. Paul Riddick, or in his absence the Chair of Trustees, Cavus Batki, must be informed of any breach (or possible breach) as soon as possible.