Personal data is any information relating to a person who can be identified from it, directly or indirectly.
Processing includes, for example, collecting, recording, storing or retrieving personal data.
A data breach is the destruction, loss, unauthorised alteration, unauthorised disclosure of, or unauthorised access to, personal data.
Data consent is an affirmative, informed and freely given agreement to the use of personal data.
Personal data must be processed lawfully, fairly and transparently, and only as agreed with the individual. CSASS policy complies with data protection law and applies to personal data about clients, employees, volunteers, freelancers, suppliers and partners. Risks are identified and managed to reduce both the likelihood and the impact of any data breach. The Centre Manager is the Data Protection Officer and our ICO registration number is Z2946994.
Individuals have the right to:
- know what personal information CSASS holds about them, how long it is kept, how it will be used and who it has been disclosed to
- see their personal data
- know who to contact about their personal data, and how to complain
- withdraw or change their consent, have their personal data corrected or removed, or change the way it is processed
- be forgotten by CSASS, if they choose
CSASS will:
- only collect the personal data it needs, and only keep it for as long as it is needed
- ensure personal data is accessible only to people who need to use it for their role
- ask for data consent
- make every effort to ensure personal data is accurate
- respond to requests to see, change or remove personal data within one month, as data protection law requires
CSASS will not disclose personal data unless:
- the individual has given consent, or
- there is a legal requirement to disclose, or disclosure is needed to prevent immediate harm. Even in these cases, consent is sought wherever possible.
Personal data is securely disposed of, deleted or anonymised in a timely way once it is no longer needed. Data retention periods are available on request. CSASS may store anonymised data for longer periods to help with monitoring, reporting on or improving our service.
Good practice guidelines for data security
- Workers should only have access to personal data required for their role, in particular through limiting access to online databases and systems
- Personal data should be stored in online databases, not on individual computers.
- Computerised and online personal data storage is password protected, and data in transit is encrypted
- Passwords should be changed regularly, including on any personal computers, phones or other devices used to access personal data
- Personal data (particularly client data) should be pseudonymised wherever possible, e.g. by using client codes in place of names. Coded records are still personal data while a key linking codes to clients exists, so the key must be protected and kept separately
- Paper records and notes should be promptly destroyed, or archived electronically, once they are no longer needed day-to-day
- All CSASS IT equipment, and any personal equipment (computers, phones, tablets etc.) used to access personal data while working remotely, will have up-to-date anti-virus protection and a firewall enabled
- Care should be taken not to share contact details without consent, for example when sending group emails (use BCC) or setting up WhatsApp groups
- Records of support calls or online conversations should not routinely be stored. Exceptions include safeguarding and complaints records
In the office:
- Unattended computers should be locked, and workers should position screens so that they cannot be seen by unauthorised individuals
- Sensitive monitoring data and contact details are removed from documents (e.g. recruitment or service documents) where access to that data is not needed
- Paper records should only be used where other options are not feasible. They should be stored promptly in locked cabinets with controlled access, and only removed from the premises in exceptional circumstances
- Workers should use password-protected, cloud-based systems for secure, encrypted remote access to personal data
- Care should be taken to work in confidential spaces, ensuring personal data cannot be seen or overheard
- Removable media (e.g. USB drives) should not routinely be used to transfer data
- Workers leaving CSASS will return, or securely destroy, any personal data they hold, including any held on their own devices
Video meetings or groupwork:
- No meetings should be recorded
- Guidance should be sent to all attendees, to include:
  - Invitations and links to meetings should not be shared, and should be kept on password-protected devices
  - Meetings should be attended from a private space, ensuring neither side of the conversation can be overheard
  - Assurance that no video meetings are recorded by CSASS, and agreement from attendees not to record sound or video from meetings
- Setting up and hosting:
  - Use a consistent title for a group or series of meetings
  - Use a neutral name, not obviously related to sexual abuse or violence
  - The host should require a password for entry
  - Change the password for each meeting, and consider sending it separately from the link where additional security may be useful
  - The host should use the waiting room feature (with doorbell), and set participants to be muted on entry
  - The host should keep a list of the people invited, and only admit invitees to the meeting
Updated July 2021