Data protection and GDPR policy
| DATE REVIEWED | SUMMARY OF AMENDMENTS / CHANGES |
|---|---|
| July 2019 | 4.2 amended to include Pseudonymisation; amendments approved by Chair’s Action and by CSEK Board 18th September 2019. |
| October 2019 | References to updated Complaints & Compliments Policy |
1. ABOUT THIS POLICY
1.1 The Data Protection Act 2018 controls how personal information is used by organisations, businesses or the government. The Data Protection Act 2018 is the United Kingdom’s implementation of the General Data Protection Regulation (GDPR).
1.2 Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. Carers’ Support East Kent is registered with the Information Commissioner’s Office as the Data Controller and is also a ‘data processor’.
1.3 This Policy exists to ensure that Carers’ Support East Kent is fully compliant with all legal requirements in relation to all aspects of data management. This is in respect of personal data, as well as safeguarding the rights and freedoms of persons whose information Carers’ Support East Kent collects pursuant to the Data Protection Act 2018, GDPR, and the Privacy and Electronic Communications Regulations.
2. POLICY SCOPE
2.1 This Policy applies to all staff, volunteers, trustees and contractors of Carers’ Support East Kent.
3.1 Whilst it is understood that the Board of Trustees carries ultimate responsibility for ensuring that Carers’ Support East Kent complies with this Policy, all Managers must ensure they are aware of their specific responsibility for operating within the boundaries of this Policy, ensuring that all staff understand the standards required of them and taking action if behaviour falls below requirements.
3.2 The named individual responsible for the operation of this Policy is the Data Protection Lead (DPL).
3.3 Carers’ Support East Kent uses a Customer Record Management System (CRMS). Overall management of the CRMS is the responsibility of the Board of Trustees, with an expectation that all staff, volunteers and Trustees understand their personal responsibility with regard to its use.
4. COMMITMENT TO GOOD PRACTICE
4.1 Carers’ Support East Kent is committed to ensuring high standards of practice are maintained in order to:-
- Enable the organisation to meet its personal data obligations about how personal information is managed.
- Support the aims and objectives of the organisation.
- Set appropriate systems and controls according to Data Protection principles.
- Ensure compliance with all applicable data protection obligations, whether statutory, regulatory, contractual and/or professional.
- Safeguard personnel and stakeholder interests.
- Ensure the rights and freedoms of living individuals, and protect their personal data by ensuring that it is never processed without their knowledge and, when possible, their consent.
4.2 Carers’ Support East Kent will seek to ensure compliance with data protection legislation and uphold good practice by:-
- Processing personal information only when it is absolutely necessary for organisational
- Ensuring that the least possible amount of personal data is collected, and that personal data is never processed
- Informing individuals of how their personal data is or will be used and by whom.
- Processing only pertinent and adequate personal data.
- Processing personal data in a lawful and fair manner.
- Keeping a record of the various categories of personal data processed.
- Ensuring that all personal data that is kept, is accurate and up-to-date.
- Retaining personal data no longer than required by statute or regulatory body, or for organisational
- Giving individuals the right of ‘subject access’, as well as all other individual rights pertaining to their personal
- Ensuring that all personal data is maintained
- Identifying personnel that are responsible and accountable for GDPR Compliance.
- Using pseudonymisation where possible.
- Ensuring that processing is transparent, allowing individuals to monitor what is being done with their data.
5.1 Carers’ Support East Kent has registered with the Information Commissioner as a ‘data controller’ – i.e. an organisation that engages in processing the personal information of data subjects.
5.2 All third parties working with or for Carers’ Support East Kent who have or may have access to personal data are required to read, understand and fully comply with this Policy at all times. All third parties are required to enter into a data confidentiality agreement before accessing any personal data. The data protection obligations imposed by the confidentiality agreement shall be no less onerous than those with which Carers’ Support East Kent itself has agreed to comply. Carers’ Support East Kent shall at all times have the right to audit any personal data accessed by third parties pursuant to the confidentiality agreement.
6. ENSURING GDPR COMPLIANCE AND MANAGEMENT
6.1 Carers’ Support East Kent is a Data Controller and Data Processor pursuant to the Data Protection Act 2018 / GDPR. As such, Carers’ Support East Kent is responsible for ensuring overall compliance with the GDPR and for demonstrating that each of its processes is compliant with requirements. To this extent, the organisation is required to:-
- Maintain relevant documentation regarding its processes and
- Implement proportionate security measures.
- Carry out Data Protection Impact Assessments.
6.2 Appointed staff of Carers’ Support East Kent with managerial or supervisory responsibilities are responsible for ensuring that good personal data handling practices are developed, reviewed and encouraged.
6.3 The position of Data Protection Lead (DPL) involves the management of personal data within the organisation as well as compliance with the requirements of the Data Protection Act 2018 / GDPR and demonstration of good practice protocols. The DPL will be an appropriately qualified and experienced member of the senior management team.
6.4 The DPL will report directly to the Chief Executive Officer and is accountable for the development of, and day-to-day compliance with, this Policy, both in terms of security and risk management.
6.5 The DPL is directly responsible for ensuring that Carers’ Support East Kent is GDPR compliant and that Trustees are compliant in respect of data processing that occurs within their field of responsibility and/or oversight.
6.6 The DPL is the first point of contact for any organisational members of Carers’ Support East Kent who require guidance in relation to any aspect of data protection compliance.
6.7 The DPL is responsible for the processing of Subject Access Requests.
6.8 In addition to the DPL, all staff who process personal data are responsible for ensuring compliance with data protection laws. Data Protection / GDPR training provides for specific training for all operational staff of Carers’ Support East Kent.
7. RISK ASSESSMENT
7.1 Carers’ Support East Kent will ensure that all risks associated with personal data processing are assessed and that recorded risk assessment processes are in place.
7.2 Carers’ Support East Kent is also required to carry out assessments of the personal data processing undertaken by other organisations on its behalf and to manage any identified risks, so as to mitigate the likelihood of non-compliance with this Policy.
7.3 Where personal data processing is carried out using new technologies, or where a high risk is identified in relation to the “rights and freedoms” of natural persons, a risk assessment of the potential impact (a Data Protection Impact Assessment, ‘DPIA’) must be undertaken. More than one risk may be addressed in a single assessment.
7.4 If the outcome of a DPIA identifies a high risk that the intended personal data processing could result in distress and/or damage to data subjects, the matter must be escalated to the DPL, who will decide whether Carers’ Support East Kent ought to proceed. In turn, the DPL may escalate the matter to the regulatory authority if significant concerns have been identified.
7.5 It is the role of the DPL to ensure that appropriate controls are in place so that the risk level associated with personal data processing is kept to an acceptable level, as per the requirements of the GDPR.
7.6 The DPL will ensure that security controls are in place so that risks to personal data are mitigated as far as possible, reducing the potential for damage or distress to those whose personal data is being processed. Such security measures will be subject to regular audit and review.
8. MANAGING PERSONAL DATA
8.1 Personal data only includes information relating to persons who can be identified or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information.
8.3 Policies must also be transparent, meaning that Carers’ Support East Kent must ensure that its personal data processing policies, as well as any specific information provided to a data subject, are readily available, easily accessible and clearly understood.
8.4 The data subject (i.e. any living person who is the subject of personal data) must be able to be provided with the following information:-
- The identity and contact details of the data controller and any of its representatives.
- The contact details of the Data Protection Lead.
- The purpose or purposes and legal basis of data processing.
- The length of time for which the data will be stored.
- The categories of personal data.
- The recipients and/or categories of any recipients of personal data, if applicable.
- Location of data if the data controller intends to make a transfer of personal data to a third party and the levels of data protection provided for by the laws of that country, if applicable.
- Any further information required by the data subject in order to ensure that the processing is fair and lawful.
- Confirmation of the rights to request access, rectification and erasure, and to raise an objection to the processing of the personal data.
8.5 Personal data may only be collected for specified, explicit and legitimate reasons. When personal data is obtained for specific purposes, it must only be used in relation to that purpose.
8.6 Personal data must be adequate, relevant and restricted to only what is required for processing. The DPL shall be involved in monitoring, managing, and providing advice to:-
- Ensure that any personal data that is superfluous and not required for the purpose(s) for which it is obtained is not collected.
- Approve all data collection forms, whether in hard-copy or electronic format.
- Carry out an annual review of all methods of data collection, checking that they are still appropriate, relevant and not excessive.
- Securely delete or destroy any personal data that is collected in a manner that is excessive or unnecessary according to Data Protection / GDPR related Policies.
8.7 Personal data must be accurate and up-to-date. All staff must receive training to ensure they fully understand the importance of collecting and maintaining accurate personal data, and that they are personally responsible for ensuring that the personal data they hold is accurate and up-to-date.
8.8 Data should not be kept unless it is reasonable to assume its accuracy and data that is kept for long periods of time must be examined and amended, if necessary.
8.9 The DPL must ensure that where inaccurate or out-of-date personal data has been passed on to third parties, that the third parties are duly informed and instructed not to use the incorrect or out-of-date information as a means for making decisions about the data subject involved. Carers’ Support East Kent shall also provide an update to the third party, correcting any inaccuracies in the personal data.
8.11 The form in which the personal data is stored must be such that the data subject can only be identified when it is necessary to do so for processing purposes.
8.12 Personal data that is kept beyond the processing date must be either encrypted or anonymised and kept to an absolute minimum, to ensure the protection of the data subject’s identity should a data breach incident occur.
8.13 Personal data must be retained according to the Data and Document Retention Policy and must be destroyed or deleted in a secure manner as soon as the retention date has passed. This includes items such as data disks, removable flash drives and hard drives.
8.14 Should any personal data be required to be retained beyond the retention period set out in the Data and Document Retention Policy, this may only be done after seeking advice from the DPL, and must be in line with data protection requirements.
8.15 The processing of personal data must always be carried out in a secure manner.
8.16 Personal data must not be processed in an unauthorised or unlawful manner, nor should it be accidentally lost or destroyed at any time. Robust technical and organisational measures must be in place to ensure the safeguarding of personal data.
9. ENSURING THE RIGHTS OF DATA SUBJECTS ARE UPHELD
9.1 Data subjects – i.e. a living person who is the subject of personal data – have the following legal rights in relation to personal data that is processed and recorded:-
- The right to make access requests in respect of personal data that is held and disclosed.
- The right to refuse personal data processing, when to do so is likely to result in damage or distress.
- The right to refuse personal data processing, when it is for direct marketing purposes.
- The right to be informed about the functioning of any decision-making processes that are automated which are likely to have a significant effect on the data subject.
- The right not to be subject to solely automated decision making.
- The right to claim damages should they suffer any loss or harm from a breach of the Data Protection and GDPR Policy.
9.2 Data subjects also have the right to take appropriate action in respect of the following:
- The rectification, blocking and erasure of personal data, as well as the destruction of any inaccurate personal data.
- The right to request that the Information Commissioners Office carry out an assessment as to whether any of the provisions of the GDPR have been breached.
- The right to be provided with personal data in a format that is structured, commonly used and machine-readable.
- The right to request that his or her personal data is sent to another data controller.
- The right to refuse automated profiling without prior approval.
10. DATA ACCESS AND SUBJECT ACCESS REQUESTS
10.1 Data subjects have the right to access all personal data relating to them held by Carers’ Support East Kent, whether in manual records or electronic format. Data subjects therefore may at any time request to have sight of confidential personal data, as well as any personal data received by Carers’ Support East Kent from third parties. To do so, a data subject must submit a Subject Access Request.
10.2 All individuals who are the subject of any personal data that is held by us are entitled to:-
- Ask what information we hold about them and why.
- Ask how to gain access to it.
- Be informed how we keep it up to date.
- Be informed how we are meeting our data protection obligations.
10.3 If an individual contacts us requesting the information detailed above, this is called a ‘Subject Access Request’. Subject Access Requests from individuals should be made by email or in writing to the DPL.
10.4 In most cases Carers’ Support East Kent will not charge a fee to comply with a Subject Access Request. However, where the request is manifestly unfounded or excessive, we may charge a “reasonable fee” for the administrative costs of complying with the request. Carers’ Support East Kent may also charge a reasonable fee if an individual requests further copies of their data following a request. This fee would be based on the administrative costs of providing further copies.
10.5 The DPL will aim to provide the relevant data within 14 days.
10.6 The DPL will always verify the identity of anyone making a Subject Access Request before handing over any information.
10.7 A Subject Access Request Form is provided for the data subject to complete in order to access their data.
11.1 Consent to the processing of personal data by the data subject must be:-
- Freely given and should never be given under duress, when the data subject is in an unfit state of mind or provided on the basis of misleading or false information.
- A clear and unambiguous indication of the wishes of the data subject.
- Provided either in a statement or by unambiguous affirmative action.
- Demonstrated by active communication between the data controller and the data subject and must never be inferred or implied by omission or a lack of response to communication.
11.2 The consent checklist (Appendix 1) sets out how to ask for, record and manage consent, including consent in relation to sensitive data.
11.3 Consent is considered to be a positive action on behalf of the data subject, having read a clear, transparent and unambiguous “Privacy Notice (General)”. It does not necessarily have to be a box that is ticked; it could be the completion of a form, or the supply of contact information.
11.4 When promoting the aims and objectives of our organisation we reserve the right to use data wherever we believe a data subject has indicated their wishes and where we have collected the data for that particular purpose. We only use data for the purpose for which it was collected.
11.5 When the data subject is an employee, Carers’ Support East Kent will usually obtain consent to process personal and sensitive data when a new employee signs an employment contract or during induction programmes. Data subjects have the right to withdraw consent for non-operational functions at any time.
11.6 The Privacy and Electronic Communications Regulations (PECR) are also covered by this section of this Policy in relation to understanding consent.
12.1 All complaints made with regard to Carers’ Support East Kent’s processing of personal data may be lodged by a data subject directly with the DPL by emailing them directly, or in writing, providing details of the complaint. The data subject must be provided with the Privacy Notice General at this stage.
12.2 All complaints in relation to how a complaint has been handled, and any appeals following the submission of a complaint, shall be dealt with by the DPL and in accordance with the Complaints & Compliments Policy.
13. DATA SECURITY
13.1 All staff, volunteers and trustees of Carers’ Support East Kent are personally responsible for keeping secure any personal data held by Carers’ Support East Kent for which they are responsible. Under no circumstances may any personal data be disclosed to any third party unless Carers’ Support East Kent has provided express authorisation and has entered into a data processing agreement with the third party.
13.2 Access to personal data shall only be granted to those who need it and only according to the principles of Carers’ Support East Kent’s Security Access Policy.
13.3 All personal data must be stored:-
- In a locked room, the access to which is controlled; and/or
- In a locked cabinet, drawer, locked briefcase or locker; and/or
- If in electronic format and stored on a computer, encrypted according to the corporate requirements set out in the Security Access Policy; and/or
- If in electronic format and stored on removable media, encrypted as per Security Access Policy.
13.4 Before being granted access to any organisational data, all staff, volunteers and trustees must be made aware of the Security Access Policy.
13.5 Computer screens and terminals must not be visible to anyone other than staff, volunteers, trustees and contractors of Carers’ Support East Kent with the requisite authorisation.
13.6 No manual records may be accessed by unauthorised staff of Carers’ Support East Kent and may not be removed from the business premises in the absence of explicit written authorisation. Manual records must be securely archived when access is no longer needed on a day-to-day basis.
13.7 All deletion of personal data must be carried out in accordance with the Data and Document Retention Policy. Manual records which have passed their retention date must be shredded and disposed of as ‘confidential waste’ and any removable or portable computer media such as hard drives and USB sticks must be destroyed.
13.8 Personal data that is processed ‘off-site’ must only be processed by authorised staff, volunteers, trustees and contractors of Carers’ Support East Kent, due to the increased risk of its loss, damage or theft.
14. DISCLOSURE OF DATA
14.1 Carers’ Support East Kent will take appropriate steps to ensure that no personal data is disclosed to unauthorised third parties. This includes friends and family members of the data subject, governmental bodies and, in special circumstances, even the Police. All staff are required to complete Data Protection / GDPR training in order to learn how to exercise due caution when requested to disclose personal data to a third party.
14.2 Disclosure may be permitted by the Data Protection Act 2018 / GDPR without the consent of the data subject under certain circumstances, namely in the interests of:
- Safeguarding and National Security
- Crime prevention and detection which includes the apprehension and prosecution of offenders
- Assessing or collecting a tax duty
- Discharging various regulatory functions, including health and safety
- Preventing serious harm occurring to a third party
- Protecting the vital interests of the data subject, i.e. only in a life-and-death situation.
14.3 The DPL is responsible for advising on all requests for the disclosure of data for the reasons above, and authorisation by the DPL shall only be granted with the support of appropriate documentation and verification.
15. DATA RETENTION AND DISPOSAL
15.1 Carers’ Support East Kent will not retain personal data for longer than is necessary and once an employee has left the organisation it may no longer be necessary to retain all of the personal data held in relation to that individual.
15.2 Some data will be kept for longer than other data, in line with data retention and disposal procedures in the Data and Document Retention Policy.
15.3 Personal data must be disposed of securely to ensure that the data subject’s information is protected at all times.
16. POLICY ENFORCEMENT
16.1 Carers’ Support East Kent’s IT and internet resources — including computers, smartphones and internet connections — are provided for legitimate business use. We reserve the right to monitor how social networks are used and accessed through these resources. Any such examinations or monitoring will only be carried out by authorised persons.
16.2 All data relating to social networks written, sent or received through Carers’ Support East Kent’s computer systems is part of official records. Carers’ Support East Kent can be legally compelled to share that information with law enforcement agencies or other parties.
16.3 Breaches of this Policy will be managed through the Disciplinary Procedure. If there is a possibility that the breach could amount to a criminal offence, the matter shall be referred to the relevant authorities.
17. AWARENESS OF THIS POLICY
Awareness in relation to this policy is incorporated in the Induction Programme for all staff, trustees and volunteers.
18. RELATED POLICIES
Compliments & Complaints Policy
Data and Document Retention Policy
Data Protection Policy
Internet Usage Policy
Security Access Policy
Social Media Policy
Appendix 1: ICO Consent Checklist
Asking for consent
☐ We have checked that consent is the most appropriate lawful basis for processing.
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We don’t use pre-ticked boxes or any other type of default consent.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the data and what we’re going to do with it.
☐ We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
☐ We name our organisation and any third-party controllers who will be relying on the consent.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that individuals can refuse to consent without detriment.
☐ We avoid making consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.