The processing of information (which term includes collecting, recording and storing information) is essential to our services and functions. Where information is about an individual then it is personal data and processing must be fair and lawful and in compliance with the Data Protection Act 1998. This Policy is intended to strike the balance between the needs of the organisation to process information in order to function effectively and the protection of the rights of individuals.
The purpose of the Policy is to ensure:
There are many unfamiliar terms used in this area, there is a definitions section at the end of this Policy (section 12)
The Data Protection Act is the key source of the law in this area, it has been in force since 2001; it contains eight principles which govern the way in which organisations process data about individuals. In summary these say that Personal Data which is held in a computer or a filing system :
shall be processed fairly and lawfully and only when one of the conditions for processing exists
shall be obtained for a specific purpose and shall not be processed in any manner incompatible with that purpose
shall be adequate, relevant and not excessive
shall be accurate and kept up to date
shall not be kept for longer than is necessary
shall be processed in accordance with the rights of the data subject
shall be kept safe from unauthorised or unlawful processing or loss, destruction or damage
shall not be transferred to any country outside the EU without precautions to ensure protection of the individuals rights
This Policy is made under the terms of the overarching Information Governance Policy; this and all other relevant policies are listed at Appendix 2
Helping Our Future’s policy is to comply with the Data Protection Act and its principles. It will:
comply with the law and follow good practice
respect the rights of customer’s former customers, applicants, employees, Board members and others we deal with
be open and honest with individuals whose data is held
provide training and support for staff who handle personal data so that they can act confidently and consistently
notify the Information Commissioner when required to do so.
In addition to the Data Protection Act principles Helping Our Future is subject to an obligation to respect the confidentiality of information. Confidentiality applies to a wider range of information than Data Protection although there is a considerable overlap where information relating to individuals is concerned.
where confidential information is about a person and is recorded in a computer or filing system it will be subject to the Data Protection principles,
where it is about organisations or is not held in a system, it is not covered by Data Protection principles but a duty of confidentiality may still arise.
A duty of confidentiality can arise in a number of ways:
Where information is provided on the explicit basis that it must not be disclosed
Where it is obvious from the relationship between the person giving and the person receiving the information that it should not be disclosed (for example the relationship between employer and employee may give rise to confidentiality in relation to certain information).
Where the nature of information is of such a personal or sensitive nature that it was clearly intended that it should be viewed as confidential
Confidentiality does not apply to information which is already publicly available.
Examples of information which are likely to be confidential include:
Information about the organisation (e.g. its business plans and finances)
Similar information about other organisations
Private information about employees such as appraisals
Sensitive or personal information about customers or applicants for housing
The duty of confidentiality requires that information is not disclosed to a third party. Within Helping Our Future such information should only be accessed on a “need to know” basis and no one should have access to such information unless it is relevant to their work.
Where information may be confidential but Helping Our Future reasonably needs to disclose it we will seek to make a clear statement so that no one will be surprised at how their information is used. The following are common examples:
We will share customer’s names addresses and contact details with our contractors to enable them to deliver services to our customers
We will share details of new tenants with utility providers to facilitate the delivery of utility services to our customers
We may share details of tenants who leave owing rent with tracing and recovery agencies to help us to recover money.
There are limitations to the duty of confidentiality, there are three broad circumstances in which confidential information may be disclosed:
Disclosures with consent: where the person or organisation to whom the duty is owed agrees. The consent should always be recorded.
Disclosures which are required by law: this may be in the course of an official investigation or by reason of a Court order. Such disclosures should always be dealt with by the Data Protection officer.
Disclosures where there is an overriding public interest: this is a limited ground as the right to expect that a confidence will be kept is very strong. Such disclosures should always be dealt with by the Data protection Officer.
Helping Our Future has established and will maintain the processes, roles and responsibilities for ensuring the security of data set out below:
Helping Our Future operates an office from a building which has multiple tenants with communal access premises areas. Helping Our Future will ensure that there is a clear and secure boundary between areas and Helping Our Future office areas. Helping Our Future office areas will be accessed only by Helping Our Future employees and their invitees who will be accompanied by a member of staff at all times.
Helping Our Future will take all reasonable measures to ensure the integrity of its office premises. This will include suitably secure doors and windows and burglar alarms when the building is not occupied.
Correspondence and other documents will be filed promptly and paperwork on desks will be kept to a minimum.
Manual files (house files) will be kept in appropriately labelled cabinets and will not be removed from the office unless it is unavoidable.
Sensitive personal data will be kept in locked cabinets within the office
When officers remove a file or other personal information from the office they will have due regard to the safety and security of the file and in particular will not leave the file unattended.
Confidential and non-confidential waste disposal systems will be maintained in all offices, unwanted personal or confidential information will always be disposed of through the confidential waste disposal service.
Users and prospective customers will always be offered a secure and private place to discuss any issues of a confidential or personal nature.
Staff will be aware of the risk of disclosing information by phone and will always verify a caller’s identity before discussing the caller’s personal information with him.
Where we contract with a third party to deliver a service which involves the transfer of data we will require a contractual obligation requiring the third party to maintain the same level of security in relation to that data as we ourselves apply.
Helping Our Future has adopted an ICT code of conduct which sets out detailed measures which staff are required to follow in order to ensure the security of data held or communicated in electronic form.
Helping Our Future has undertaken a business continuity planning process and has continuity plans in place for each of its major business areas. The plans deal expressly with the measures to be taken to ensure the preservation and retrieval of data and data security. The plans are updated every three years.
Helping Our Future has issue guidance to staff on lone working which deals with measures to be taken to protect personal security. This guidance will contribute to ensuring the security of data beyond the Office environment.
The following data protection principles inform this part of the policy:
Data shall be adequate, relevant and not excessive
Data shall be accurate and kept up to date
Data shall not be kept for longer than is necessary
Helping Our Future will only collect personal data where there is a specific purpose. It will not be collected “just in case”. There must be a clear business reason for the information to be recorded.
We will take reasonable steps to ensure that the information we record is reasonably accurate in matters of fact and, where necessary, kept up to date. Most of the data we collect is not controversial and may be accepted at face value from the data subject. Where it is clear from the nature of the information that it may be controversial then we will take steps to verify the information with independent sources. Where information is obtained from a third party, we will where it is reasonable to do so, confirm the information with the individual it is about.
We will avoid recording opinion and confusing opinion with fact. Where opinion may be legitimately recorded it will be recorded in a careful and professional manner and the facts underlying the opinion will be recorded with it.
Through our Service Improvement Team we will develop a protocol for improvement of data quality and provide guidance on logging and recording issues.
Helping Our Future has adopted a Policy dealing with the retention of information. Data will be stored for the period identified in the Policy as appropriate to that category of information. Information will be stored in secure archives located either:
In the case of electronic data within the Helping Our Future ICT system
In the case of paper based record within secure archives located in Helping Our Future premises or with reputable storage contractors.
Information which is no longer required to be retained will be securely destroyed by a secure document destruction service engaged by Helping Our Future for that purpose.
Within the organisation Helping Our Future will share information where it is necessary for the organisation to operate efficiently. In such instances the disclosure may be written or oral, it must be appropriate and reasonable for business purposes and will be strictly on a need to know basis.
Disclosing data to a third party organisation is only permissible when it is fair and lawful and where one of the conditions laid down by the Data Protection Act is met. The relevant conditions are different depending on whether the data is personal data or sensitive personal data (see “Definitions”). In summary the conditions which are likely to be relevant are:
In relation to personal data:
The data subject has given his consent to the disclosure
It is necessary to fulfill a contract involving the data subject
It is necessary to enable Helping Our Future to comply with a legal obligation#
It is necessary to protect the data subject’s vital interests
It is necessary for the administration of justice or for the exercise of functions of a public nature
It is necessary for the pursuit of a legitimate interest by Helping Our Future and this interest is not outweighed by the potential prejudice to the rights of the data subject.
In relation to sensitive personal data:
The data subject has given his explicit consent to the disclosure.
It is necessary for Helping Our Future to comply with a legal obligation (other than a contract)
It is necessary to protect the vital interests of the data subject or another person and consent cannot be obtained or is being unreasonably withheld.
The information has been deliberately made public by the data subject
It is necessary for legal proceedings
It is necessary to carry our certain public functions
In addition to these conditions there are exemptions to the restrictions on disclosure, the ones which are likely to be relevant are where disclosure is necessary for:
The prevention or detection of crime or the apprehension of offenders
The assessment or collection of taxes or duties.
Helping Our Future will not disclose data outside the organisation unless one of these conditions is met.
Helping Our Future works in conjunction with a range of partner organisations to provide support and assistance to its users and applicants for housing in a wide range of areas. It is often necessary to share information about customers to enable the effective delivery of such services. In such situations Helping Our Future will secure its users prior, informed, consent to the disclosure of information. Consent will almost always be required in writing by the signing of a written authorisation to the disclosure which is proposed.
Helping Our Future will endeavour to ensure that its partners comply with the Data Protection Act in the way in which they process any information received in this way.
Helping Our Future may be asked to respond to enquiries made by third parties (Councillors, Aid organisations) on behalf of its users. We will always ask for evidence of the customer’s authority to disclosure of information before responding to a third party in a way which would disclose personal data.
Disclosures to the Police
Helping Our Future may make disclosure of personal data to the Police or other law enforcement agencies where the information is required for the prevention or detection of crime and that purpose would be prejudiced if the information is not provided. Other than in an emergency all requests for information on this basis should be referred to and dealt with by the Data Protection Officer who will obtain written certification of the request and will keep a record of all such disclosures. .
Information sharing agreements and protocols
Where information exchanges regularly takes place between Helping Our Future and its partner organisations (for example with the Police and the Local Authority under the terms of the Crime and Disorder Act 1998 Section 115) Helping Our Future will enter into an Information Sharing agreement or protocol to regulate and monitor such information exchange. The Data Protection Officer will maintain a record of all Information Sharing agreements which we enter into and will monitor compliance with the requirements of the agreements.
Helping Our Future will not routinely carry out data – matching, it may do so where there is a clear justification for it such as the prevention of fraud.
All data subjects have the right to know what personal data Helping Our Future holds on them and (subject to certain constraints) to have access to that data. In line with our own principles of openness and honesty we acknowledge and will comply with the data subjects’ right of access to their personal data.
All requests for access to personal data by a data subject will be handled by the Data Protection Officer in accordance with the Data Subject Access Request procedure notes at Appendix A.
The Data Protection Act requires every data controller which is processing personal data to register with the Information Commissioners Office and to renew the registration annually. Helping Our Future has registered in accordance with the Act and the Data Protection officer will be responsible for renewing the registrations each year.
Compliance with this Policy is mandatory for everyone included within its scope. Where instances of non-compliance are suspected they will be investigated and disciplinary measures may be invoked.
Compliance audits will be undertaken and findings and recommendations reported to the Information Governance steering unit who will ensure that significant risks are assessed in the most appropriate manner.
All staff who have access to personal data will receive guidance on their responsibilities in their induction into the organisation.
Update and refresher training on Data protection requirements will be provided regularly. It is the responsibility of all staff who deal with personal data to ensure that they access training events and that they are aware of their obligations under this Policy.
Information security breaches may take a number of forms:
Loss or theft of equipment on which data is stored
Deception (e.g. by blagging information)
Unauthorised access to systems or data
or other infringements of the Data Protection Policy.
Any breach or suspected breach must be reported immediately to the Data Protection officer.
The Data Protection Officer will be responsible for co-ordinating the organisation’s response by ensuring that the appropriate officers with the necessary level of authority are identified in order to investigate and contain the breach. The Data Protection Officer will notify senior managers within Helping Our Future and, where serious breaches are involved, Board members
Following immediate action to contain the breach the Data Protection officer will co- ordinate a review and assessment of risk in relation to the breach by the appropriate Officers. The Officers will decide on any further action necessary including:
Notifying the individuals whose data security may have been compromised.
Notifying the Regulator
Informing the Information Commissioners Office.
Following any Data security breach the Data Protection officer will co-ordinate an evaluation of the reason for the breach and the effectiveness of the response. Improvements to policies and procedures will be identified and implemented.
Data: data is another term for information and includes information held on paper or a computer; it includes images, for example CCTV images.
Personal Data: is data which relates to a living individual who can be identified from the data or from the data and other information which is or may come into the possession of the data controller.
It includes expressions of opinion about an individual
Sensitive Personal Data: includes data which is about:
The commission of a criminal offence
Physical or mental health
Race or ethnic origins
Trade Union membership
Data Controller: means the organisation which decides when and how data is to be processed; Helping Our Future is a data controller.
Processing data: includes obtaining, recording, using or disclosing data
Data subject: an individual who is the subject of personal data
13.0 Best practice and Review
There will be an automatic review of this policy whenever there is a change of statutory or regulatory provisions, or when other Best Practice information becomes available that will impact on the policy. In any event there will be a substantive review of this policy every 3 years.
In addition, the Policy and the accompanying procedures will be subject to ongoing scrutiny and operational review, in consultation with all relevant stakeholders.
Data Subject Access Request Procedure
The Data Protection Act 1988 gives individuals the right to receive a copy of any personal data which a data processor (such as Helping Our Future) holds about them. This procedure sets out how requests for personal data (known As Data subject access requests) will be dealt with.
Responsibility: the responsibility for responding to a data subject access request in accordance with this procedure lies with the Data Protection Officer. It is the responsibility of each individual member of staff to identify and forward access requests to the Data Protection officer without delay.
Recognising a request: Access requests must be made in writing. There is no prescribed form for a request, it need not be described as an “access request” any request in which an individual is seeking access to information should be treated as a potential access request and, if in doubt advice should be sought from the Data Protection Officer.
Sufficiency of a request: a request must be sufficiently clear to enable the information to be found.
Authenticating a Request: We must be sure of the identity of person making a request before releasing any information. Where the person making the request has not been personally identified by the officer receiving it we will ordinarily rely on the signature on the request corresponding with previously held signatures by the data subject held on our files. This will be sufficient authentication to enable data to be sent o the data subject’s known address. However where the data is sensitive personal data we will additionally verify the request by telephoning the data subject using the telephone contact details which we hold on file to confirm identity or some equivalent level of security check.
Collation and provision of Data
The Data Protection Officer will be responsible for collating the data by contacting the departments which may hold data about the data subject in either paper or electronic form. All data holding departments are responsible for responding promptly to a request from the Data Protection officer.
The response to a Data subject access request will ordinarily be made by the provision of paper copies of the data held.
Data Subject Access fee
There is a maximum fee of £10 chargeable for subject access. Payment of this fee will be required before any application will be processed. If a request is received without a fee it should be passed to the Data Protection Officer without delay so that notification of the requirement for a fee can be given to the data subject.
Helping Our Future will respond to access requests as soon as reasonably practicable and at least within the time limit of 40 days from receipt of the request and the fee.
Note: there is a corresponding procedure note applicable to Data Subject Access Requests made by employees; this is as follows:
Employee Subject Access Request Procedure
What is Subject Access Request?
The Subject Access provisions of the Data Protection Act 1988 give individuals the right to:
be supplied with a copy of any personal data which the Helping Our Future charity may hold about them.
This is known as a Subject Access Request. At statutory fee of £10.00 per request applies. An employee wishing to make a request should follow the procedure below:
This procedure covers all employees up to and including the Executive Management Team.
In order to make a subject access request an employee must complete a Subject Access Request form and submit this to HR. The subject access request form should be printed off and completed before being sent to HR with a cheque for £10.00 made payable to Helping Our Future.
Alternatively, employees who do not have internet access should email or telephone HR or telephone for a paper-based copy of the form. This should then be completed in full and returned together with a cheque for £10.00 made payable to Helping Our Future.
Identification and Verification
When a Subject Access Request form is received by Human Resources accompanied by the £10.00 fee, identification and verification checks will be carried out. This will be done by checking specific pieces of data provided on the Subject Access Request Form match the data held on the HR system.
This is to prevent unauthorised individuals from being able to fraudulently obtain personal data. As an additional check, and also to confirm receipt of the request, Human Resources will either email or telephone the individual within 24 hours of verifying your identity.
Helping Our Future is obliged to comply with subject access requests within forty days. The forty day period commences once identification and verification checks have been satisfied. If a request cannot be complied with within the forty days, an explanation will be given to the employee.
Collation of Data
Human Resources will collate the data by contacting other departments and individuals who may also hold data about the employee, either in a manual or electronic filing system.
All data which is supplied in accordance with a subject access request will be sent to an employee’s home address by recorded delivery or hand delivered to prevent unauthorised individuals from being able to obtain an employee’s personal data.
If, on receipt of the data relating to a subject access request the employee believes the information to be incomplete he/she should contact HR.
Subject Access Request Fee
The subject Access provisions allow a maximum fee of £10.00 per subject access request and will be required before any application can be progressed.
This policy is not contractual and does not form part of your terms and conditions of employment and may vary from time to time after consultation with the Unions.
Appendix B Related Policies
Information Governance Policy Document Retention Policy
ICT Code of Conduct
Confidential reporting (Whistleblowing) Policy Code of Conduct for Staff
Code of Conduct for Board Members
Safeguarding Vulnerable Adults and Children Policy CCTV Code of Conduct