DATA PROTECTION POLICY & STANDARD
This policy covers the protection of all data held by Eventide including electronic data and hard copy paper files.
It is the responsibility of all Eventide staff, volunteers and trustees to read and understand this policy. This policy may be updated from time to time, to comply with legal and policy requirements.
Within this policy, the term Data Subject refers to any person whose personal data is held by Eventide. This can include any of the following:
• Staff Members
• Service Users
• Family of Service Users
• Professional Contacts
This Data Protection Policy is intended to provide a framework for the protection of all data held and processed by Eventide. It should be interpreted such that it has the widest application and to include new and developing technologies and uses, which may not be explicitly referred to. The policy is also designed for the following purposes:
• compliance with the law
• following good practice
• protection of clients, staff and other individuals
• protection of the organisation
This Data Protection Policy is written to enhance and not replace other policies that cover the topics of confidentiality and security.
Members of staff, volunteers and trustees who have access to Eventide data are bound by the provisions of this policy. Eventide seeks to promote and facilitate the positive and legitimate use of Information in the interests of supporting the delivery of our services to the highest possible standards.
1.3 Policy Statement
Eventide commits to the following under the provisions of this policy:
• Compliance with both the law and good practice
• Respect for individuals’ rights
• To be open and honest with individuals whose data is held
• To provide training and support for staff who handle personal data, so that they can act confidently and consistently
• To Notify the Information Commissioner of any data loss or compromise of data security.
2 The General Data Protection Regulation (GDPR)
The GDPR is the new data protection regime that seeks to reinforce the protection of personal data as a fundamental right. The main aim of the regulation is to:
• Empower individuals to take more control of their personal data, and
• Hold the organisations who collect and store our personal data accountable
It is a piece of legislation that has huge penalties for organisations that don’t
comply with the law and its principles.
GDPR became enforceable from 25 May 2018 and replaces the Data Protection Act 1998.
The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
The UK’s exit from the EU will not affect our requirement to abide by GDPR.
2.1 Data Protection Principles
Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
2.2 Lawful bases for processing
For processing to be lawful under the GDPR, we need to identify a lawful basis before we can process personal data.
Eventide’s lawful basis for processing personal data is:
• Contractual: The processing is necessary to fulfil our obligations in relation to your employment contract (GDPR 6(1)(b)).
• Legal Obligation: The processing is necessary to comply with employment law (GDPR Article 6(1)(c)).
• Legitimate Interests: The processing is necessary for our legitimate interests in providing our services (GDPR Article 6(1)(f)).
Eventide’s lawful basis for processing special category personal data is:
• Legal Obligation: Processing is necessary for carrying out our obligations under employment law (GDPR Article 9(2)(b)).
• Processing is necessary for carrying out our Safeguarding obligations (GDPR Article 9(2)(b)).
NB. Although Eventide do not use Explicit Consent as a lawful basis for processing, we will always seek to provide a Privacy Notice as soon as possible.
2.3 Data Definition
Data means information which –
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).
Paragraphs (a) and (b) make it clear that information that is held on computer, or is intended to be held on computer, is data. Data is also information recorded on paper if you intend to put it on computer.
Relevant filing system (referred to in paragraph (c) is defined as:
any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
2.4 Personal Data Definition
The GDPR applies to ‘personal data’ meaning any information relating to an identified or identifiable natural person. This means any living person who can be directly identified or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – eg key-coded –falls within the scope of the GDPR. Personal Data that has been anonymised so that there is no possible way of tracing it back to an individual, is exempt from GDPR.
2.5 Special Categories of Data Definition
The GDPR includes a broader definition of special categories of personal data which were more commonly known as sensitive personal data. The concept has been expanded to expressly include the processing of genetic data and biometric data. Under the GDPR, ‘special categories of personal data’ refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Examples of special category data include:
Trade union membership
2.6 The Rights of Individuals
The GDPR provides the following rights for individuals:
The right to be informed
The GDPR sets out the information that we should supply and when individuals should be informed.
The information we supply is determined by whether or not we obtained the personal data directly from individuals.
The information we supply about the processing of personal data must be:
1. concise, transparent, intelligible and easily accessible;
2. written in clear and plain language, particularly if addressed to a child; and
3. free of charge.
The right of access
Under the GDPR, individuals have the right to obtain:
1. confirmation that their data is being processed;
2. access to their personal data; and
3. other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).
NB. In providing a data subject access to their data, we do not need to provide them with access to any system that it is held on as that could result in the rights of other data subjects being breached. They do however have a right to see a copy of their personal data.
The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If we have disclosed the personal data in question to third parties, we must inform them of the rectification where possible. We must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
The right to erase
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When the individual withdraws consent.
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
• The personal data must be erased in order to comply with a legal obligation.
• The personal data is processed in relation to the offer of information society services to a child.
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request. This might for example be in a circumstance where we are giving evidence in a court case or involved in the child protection process. At Eventide, each request for erasure will be dealt with on an individual basis and data will not be retained unless there is a valid lawful reason to retain it.
The right to restrict processing
We will be required to restrict the processing of personal data in the following circumstances:
• Where an individual contests the accuracy of the personal data, we should restrict the processing until we have verified the accuracy of the personal data.
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override those of the individual.
• When processing is unlawful and the individual opposes erasure and requests restriction instead.
• If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
We will need to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.
If we have disclosed the personal data in question to third parties, we must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
We must inform individuals when we decide to lift a restriction on processing.
The right to data portability
At a glance
• The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
• It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
• Some organisations in the UK already offer data portability through the midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
• It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
The right to object (to processing)
This section discusses how to comply with the right to object when we process personal data for the performance of a legal task or for Eventide’s legitimate interests.
Individuals must have an objection on “grounds relating to his or her particular situation”.
We must stop processing the personal data unless:
• we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
• the processing is for the establishment, exercise or defence of legal claims.
We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.
This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
Rights in relation to automated decision making and profiling.
At a glance
• The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
• Identify whether any of our processing operations constitute automated decision making and consider whether we need to update our procedures to deal with the requirements of the GDPR.
Eventide do NOT use automated decision making and profiling.
2.7 The Data Controller
“Data controller” means a person who determines the purposes for which and the manner in which any personal data is or is to be processed; When an organisation fills out the registration form for the Information Commissioners Office (ICO), they must name the data controller. It is important to remember that although we have a designated individual who is responsible for ensuring compliance, it is actually the organisation that is the data controller.
2.8 The Data Processor
“Data Processor” means anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). When a Controller authorises a Data Processor there should be a clear contract in place defining how the processing is taking place.
Data Protection responsibilities at Eventide are as follows:
The Eventide Trustees have overall responsibility for ensuring that the organisation complies with the General Data Protection Regulations, this policy and all legal obligations.
3.2 The Data Protection Lead
The Data Protection Lead’s responsibilities include:
• Briefing the Trustees on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other staff on complex Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Advising Senior Management & Trustees on Notifications to the Information Commissioners Office (ICO)
• Handling subject access requests alongside senior management
• Advising on unusual or controversial disclosures of personal data
• Advising on contracts with Data Processors
Management are responsible for drawing up operational procedures (including induction and training) to ensure that good Data Protection practice is established and followed.
Management must ensure that the Data Protection Lead is consulted on any changes in their uses of personal data that might affect the organisation’s Notification.
3.4 Specific Other Staff
The designated Eventide ICT worker is responsible for electronic security and advising on all computer and electronic data security matters.
3.5 Staff & Volunteers
All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data that they may handle in the course of their work.
3.6 Enforcement & Penalties
All staff and volunteers should be aware that the penalties for breeches in data protection can be severe even for charities. As an example, The RSPCA were fined £25,000 by the ICO in 2016 for breaches of the first and second data protection principles of the Data Protection Act.
Confidentiality applies to a much wider range of information than Data Protection. Some of the things that are likely to be confidential, but may well not be subject to Data Protection, include:
• Information about Eventide (and its plans or finances, for example)
• Information about other organisations, since Data Protection only applies to information about individuals
• Information which is not recorded, either on paper or electronically
Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a “relevant filing system”.
4.1 Access to Confidential Information
Access to all confidential information at Eventide is defined on a “need to know” basis; no one should have access to information unless it is relevant to their work. This may be relaxed in the case of information which poses a low risk: for example, a list of business contacts may be made generally available, even if this means people having access who don’t strictly need it.
Access to Confidential Information in Electronic form is protected by role based permissions and passwords. Confidential information in hard copy form is stored in offices with suitable security locks. Confidential Information should never be left in public areas where service users and visitors might view it.
4.2 Communication with Data Subjects
Eventide have agreed the following with referral agencies as part of our Terms and Conditions of Service:
Eventide shall comply with vetting, disclosure and related data protection protocols required by the Referring Agency and all relevant laws, including Disclosure and Barring Service (DBS) vetting of all staff in contact with learners, working within their own safeguarding policy.
Eventide also ensure that our service users (young people) are made aware of how we protect confidential information as part of their induction process.
In addition, data subjects and their parent / guardian will also be provided with a copy of the Eventide Privacy Notice to sign and return. They will also be provided with a copy for their own retention.
4.3 Communication with Staff and Volunteers
All staff and volunteers are required to sign a Confidentiality Statement which is placed on their personnel file. Staff are also briefed about Confidentiality as part of their induction process and are required to read this policy. ICO approved signs relating to Confidentiality are placed around the Eventide building to aid staff awareness.
4.4 Authorisation for disclosures not directly related to the reason why data is held
There may be occasions when disclosures of confidential information are required other than for the purposes that the information was obtained. These disclosures will generally fall into the following two categories:
• Those likely to be at the instigation, or in the interests of, the Data Subject.
• Those that are made in the course of official investigations.
For the first category (such as a request for a financial reference from a bank), the consent from the Data Subject is likely to be the normal authorisation and this consent should be recorded.
For the second category, it may be appropriate for the Data Subject not even to be informed and authorisation should be made at a senior level within Eventide by the Charity Manager or Trustees. The decision would be made after consultation with the Data Protection Lead.
Security must not be confused with confidentiality. The latter is about defining what is allowed and setting the boundary; the former is about ensuring that the boundary is maintained. However, there must be a relationship between the two.
Like confidentiality, security is not wholly a Data Protection issue. Details of the following security areas can be found in the Eventide ‘IT Security Policy and Standard’:
• Physical Security
• Security Updates
• Anti-Virus Software
• Business Continuity / Backups
• Network & Internet Security
• Remote Access
• Use of Personal Hardware (BYOD)
• Transfer of Data
• Consequences of Breach
6 Data Recording & Storage
Eventide is committed to the following in relation to Data Recording and Data Storage:
6.1 Accuracy of Data
Eventide is committed to ensuring the accuracy of the data we hold and where practical will ensure that data is held in a single source and referenced from other data locations to ease the updating of information and reduce the risk of out of date information being held. The accuracy of data will also be included in file reviews as shown in section 6.2 below.
Information provided by other agencies will be reviewed upon receipt to check for any inaccuracies.
6.2 Updating of Data
Eventide is committed to updating data as soon as practically possible. The following reviews will take place to ensure that data is up to date and meets with the changing demands of the business:
Type of Data Review Period
Service User Files Annually
Policies & Procedures Annually
Personnel Files Annually
6.3 Storage of Data
Eventide is committed to storing all data in locations appropriate to the Confidentiality and level of sensitivity of the data. The following principles apply to Eventide Data Storage:
• Electronic File Server Data is stored on an Encrypted drive that is of a 256-bit AES Encryption Standard.
• Electronic File Server Data is only transferred on Encrypted Media of a 256-bit AES Encryption Standard.
• All hard copy files are stored in a lockable office.
• All archived hard copy files are stored in an appropriately secured location.
6.4 Retention Periods
Eventide fully understands that personal data should only be retained for as long as is necessary for the purposes under which it was obtained. We also understand that certain statutory retention periods need to be met. We are therefore committed to destroying data as early as possible after that date has expired.
Eventide’s record of retention periods can be found at the end of this document.
6.5 Archiving & Data Destruction
6.5.1 Hard Copy Data
Eventide commits to archiving hard copy data to its offsite storage facility as soon as practical after a file is closed. At the time of archiving, the archive register should be updated to show the date of archiving and the date that the data should be destroyed.
The process for Hard Copy Data Destruction is as follows:
1. Reviews of all Hard Copy Data are to be done Bi-annually (July & December).
2. All data that has passed its retention period is to be destroyed as part of that review.
3. The destruction is to consist of a minimum of cross-cut shredding. For sensitive personal data, the burning of this shredding should also be considered.
4. A record of all destruction is to be recorded
6.5.2 Electronic Data
Eventide commits to storing electronic data in a logical structure that is based on the status of the data or its age. This will aid the data destruction process once retention periods have been reached.
The process for Electronic Copy Data Destruction is as follows:
1. Reviews of all Electronic Data are to be done Bi-annually (July & December).
2. All data that has passed its retention period is to be erased as part of that review.
3. A record of all data that has been erased is to be recorded.
6.5.3 Data Destruction on Hardware Disposal
Eventide commits to ensuring that the disposal of all hardware that has, or could, contain data is done in a secure manner. This includes ensuring that the data is erased to a ‘British HMG Infosec Standard 5, Enhanced Standard’ where possible. As a minimum, it should be to a ‘British HMG Infosec Standard 5, Basic Standard’. A certificate of destruction must be obtained and retained for all hardware disposals.
Hardware disposals must also be done in accordance with the Waste Electrical & Electronic Equipment (WEEE) Directive.
7 Subject Access Requests
This right, commonly referred to as subject access, is part of the ‘right of access’ under GDPR. It is most often used by individuals who want to see a copy of the information an organization holds about them. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing
In most cases, we must respond to a subject access request promptly and in any event within 1 month of receiving it. We will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
7.1 Valid Requests
A valid subject access request is one that provides all the information Eventide requires in locating the information requested by the Data Subject and will contain sufficient information to verify the data subject’s identity.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:
• charge a reasonable fee taking into account the administrative costs of providing the information; or
• refuse to respond.
Where we refuse to respond to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
7.2 Subject Access Request Process
We must provide a copy of the information free of charge. However, Eventide can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that we can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information such as an hourly rate for producing the information, costs per printed copy and postal charges. The current charges for extra printed copies are as follows:
• A4 Black and White: £0.10p (single sheet)
• A4 Colour: £0.15p (single sheet)
The procedure for processing subject access requests is contained within a separate procedure document.
If an individual suffers damage because we have breached the GDPR, they are entitled to claim compensation from us. This right can only be enforced through the courts. The Regulation allows us to defend a claim for compensation on the basis that we took all reasonable care in the circumstances to avoid the breach. Although the Regulation does not provide a definition of damage, an individual who has suffered financial loss because of a breach of the regulation is likely to be entitled to compensation. If an individual has suffered damage, any compensation awarded may consider the level of any associated distress, but distress alone will not usually be sufficient to entitle an individual to compensation.