DATA PROTECTION POLICY
The Data Protection policy sets out criteria for the way in which personal information about an individual is used, whether it is kept on computer or in manual records.
Disclosing confidential personal information about a client, an employee, or the Project may be a breach of the Data Protection Act for which you may be personally liable. It may also be a breach of your duty of confidentiality as set out in your Statement of Terms and Conditions. Any such disclosure may result in disciplinary action and, in serious cases, summary dismissal. All information, whether it is held manually or on computer, is to be kept securely. Manual records should be kept in locked cabinets. You should make sure that all computerised records containing personal data are password protected and cannot be accessed without obtaining the proper authorisation. All disks containing personal information should be secured in a locked cabinet.
Principles and definitions:
First Principle: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
1. At least one of the conditions in Schedule 2 is met, and
2. In the case of sensitive data, at least one of the conditions in Schedule 3 is also met.
Schedule 2 Conditions:
Consent of the data subject
Necessary for the performance of the contract with the data subject
To protect vital interests of the data subject
To carry out public functions
To pursue legitimate interests of the controller unless prejudicial to the interests of the data subject
Sensitive Data: racial or ethnic origin; political opinions or trade union membership; religious or similar belief; health or sexual life; criminal offences.
Schedule 3 Conditions:
Explicit consent of the data subject
To comply with employer's legal duty
To protect vital interests of the data subject or another person
Carried out by certain non-profit bodies
In legal proceedings
Exercising legal rights
To carry out public functions
For medical purposes
For equal opportunities monitoring
As specified by order
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were processed.
Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date.
Fifth Principle: Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or purposes.
Sixth Principle: Personal data shall be processed in accordance with the rights of the data subject under this Act.
Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Eighth Principle: Personal data shall be transferred to coprocessor fairly and lawfully and, in particular, shall not process unless.
Data Classes: Types of data being processed e.g. financial details.
Data Controller: The person who determines the purpose for which, and the manner in which, any personal data are to be processed.
Data Subject: An individual who is the subject of the personal data.
Personal Data: Data which relates to a living individual who can be identified from that data.
Processing: The means/method by which data is obtained, recorded or held.
The Data Protection Act gives rights to individuals in respect of personal data held about them by others. The rights are:
Right to subject access: Sections 7-9 of the Act provide that upon making a request in writing (which includes transmission by electronic means) and upon paying the appropriate fee to the data controller, an individual is entitled to be told by the data controller whether they or someone else is processing that individual's personal data, and if so be given a description.
Right to prevent processing likely to cause damage or distress: Section 10 of the Act states that if an individual believes that the data controller is processing personal data in a way that causes, or is likely to cause, substantial unwarranted damage or distress, then he/she has the right to send a notice to the data controller requiring, within a reasonable time, the processing to stop (a data subject notice).
Right to prevent processing for the purpose of direct marketing: An individual is entitled, by written notice, to require the data controller to cease, or not begin, processing his/her personal data for marketing purposes. When such notice is received, compliance must take place as soon as possible.
Right in relation to automated decision-taking: An individual is entitled, by written notice, to require the data controller to ensure that no decision which significantly affects the individual is based solely on the processing by automatic means of personal data. The Act includes specific examples, e.g. creditworthiness.
Right to action for compensation if the individual suffers damage by any contravention of the Act by the Data Controller: An entitlement to compensation occurs when damage or distress can be proved as being a result of the contravention of the requirements of the Act by the data controller.
Right to take action to rectify, block, erase or destroy inaccurate data: Data is inaccurate if it is incorrect or misleading as to any matter of fact. A data subject may apply to the Court for an order requiring the data controller to rectify, block, erase or destroy such data relating to the data subject as are inaccurate together with any other personal data relating to the data subject which contain an expression of opinion which the Court finds is based on an inaccurate idea.
Recruitment and Selection: Individuals responding to job advertisements need to be informed of the name of the organisation to which they are providing information and how it will be used, unless this is self-evident. State on application forms to whom the information is being provided and how it will be used if this is not self-evident. Only seek personal data that is relevant to the recruitment decision to be made. Only request information about an applicant’s criminal convictions if that information can be justified in terms of the role offered. If this information is justified, make it clear that spent convictions do not have to be declared, unless the job being filled is covered by the Exceptions Order to the Rehabilitation of Offenders Act. Explain any checks that might be undertaken to verify the information provided in the application form, including the nature of additional sources from which information may be gathered. If sensitive data is collected, ensure the sensitive data condition is satisfied. Provide a secure method of sending applications. If it is necessary to secure the release of documents or information from a third party, obtain a signed consent form from the applicant unless consent to their release has been indicated in some other way. Ensure that personal data recorded and retained following interview can be justified as relevant to, and necessary for, the recruitment process itself, or for defending the process against challenge.
Consider carefully which information contained on an application form is to be transferred to the worker’s employment record. Delete information irrelevant to the on-going employment process once it has been verified through a Criminal check disclosure. Advise unsuccessful applicants that there is an intention to keep their names on file for future vacancies (if appropriate) and give them the opportunity to have their details removed from file. Ensure that personal data obtained during the recruitment process is securely stored or destroyed.
Employment Records: Ensure that newly appointed workers are aware of the nature and source of any information kept about them, how it will be used and who it will be disclosed to. Inform new Project Staff and remind existing staff about their rights under the Act, including their rights of access to the information kept about them. Provide each worker with a copy of information that may be subject to change, e.g. personal details such as home address, annually. Ask staff to check their records for accuracy and ensure that any necessary amendments are made to bring the records up to date. Maintain a system of security with regard to employment records. Keep sickness and absence records separately from absence records. Ensure that holding and use of sickness and accident records satisfy sensitive data conditions. Only disclose information from sickness and accident records about a staff member's illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure. Information about a staff member’s ethnic origin, disability or religion is sensitive personal data. Ensure that equal opportunities monitoring of these characteristics satisfies a sensitive data condition. Staff, like any other individual, have a right to gain access to information that is kept about them. This is known as ‘Subject Access’.
Everyone who works for or with Dream Chaser Youth Club has some responsibility for ensuring data is collected, stored and handled appropriately.
Every individual who has access to personal data must ensure that it is used in line with this policy and data protection principles.
Article 5(2) of the GDPR requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
In order to demonstrate compliance, Dream Chaser Youth Club will keep records of all processing of personal data.
Policy agreed on behalf of the management committee