1) Introduction and definitions
This policy aims to ensure that personal data of individuals is stored and processed, by CSASS, with their consent. This applies to data within filing systems both on computer and in paper records.
- Personal data is any information relating to a person who can be identified directly or indirectly e.g. by name, an ID number or location data.
- Processing means any operation performed on personal data e.g. collecting, recording or retrieving.
- A personal data breach is the destruction, loss, alteration or unauthorised disclosure of, or access to, and individual’s personal data.
- Data consent means giving informed, unpressured agreement to the processing of personal data by a clear, demonstrable affirmative action e.g. by sending an email, signing a form or giving verbal consent over the phone
2) Policy statement
CSASS are committed to complying with all laws in respect of personal data. Other relevant policies and procedures include:
- Complaints policy
- Risk management policy
- Confidentiality policy
- Recruitment policy
This policy applies to all CSASS personal data processing, including personal data of clients, employees, volunteers, suppliers or partners. This policy also applies to external suppliers or partners working with CSASS, who have access to personal data processed by CSASS e.g. a payroll service provider, a cloud-based database provider, or a service delivery partner organisation. This policy will form part of any formal partnership agreements. Contracts with external organisations ensure practice that is compliant with this policy.
CSASS is aware of the risks associated with processing personal data, including the risks to individuals. These risks are identified and managed as part of CSASS service risk assessment, in order to reduce the likelihood and the impact of data breaches. Any changes to data processing procedures will be risk assessed.
We will review this policy regularly, or as needed.
3) Responsibilities and roles
The Centre Manager is the Data Protection Officer and is accountable to the Board of Trustees for the management of personal data and ensuring compliance with legislation and good practice. All trustees, staff and volunteers are responsible for following good practice in processing personal data within CSASS. Data protection principles and practice will form part of trustee, staff and volunteer induction and training.
4) Data protection principles
Personal data must be processed lawfully, fairly and transparently, and not for purposes outside those we have notified to the Information Commissioners Office (ICO). Our registration reference with the ICO is: Z2946994.
Individuals have the right to:
- know what personal information is stored and processed by CSASS, for what purpose it is processed, and how long it will be stored for
- see all their personal data held by CSASS, in an accessible way, usually within a month
- know who their personal data has been disclosed to
- know who to contact, at CSASS, about data protection, and how
- expect processing not to cause damage or distress
- complain, if damage or distress is caused e.g. by a data breach
- remove or change their personal data, including the right to be forgotten by us
- change the way their personal data is processed, including removing or changing consent to being contacted for different purposes
- CSASS will only collect personal data needed for specific and legitimate reasons, and only keep it for as long as needed for these purposes.
CSASS will ensure all data collection forms include a data consent statement (or a link to one), which includes these principles.
CSASS will make every effort to ensure personal data is accurate and up to date. Individuals are also expected to ensure personal data is accurate and up to date, notifying CSASS of any changes.
CSASS will respond to requests for change/removal of data from individuals within one month. This can be extended to a further two months for complex requests.
6) Consent
In most instances, data consent is obtained routinely through requiring agreement to statements include in standard documents e.g. new client referral forms, volunteer, staff or membership application forms, the website contact form or newsletter sign-up sheets at public events. Consent can be withdrawn at any time.
7) Security and disclosure of data
Personal data will be accessible only to those who need to use it.
CSASS will store personal data securely, and not disclose it to external individuals or organisations, unless:
- individuals have given consent
- there is a legal requirement e.g. from the police (in some circumstances), or to prevent immediate harm to any individual, where CSASS reasonably believes there is a risk. Consent from the individual will be sought, wherever possible.
- contracts or written agreements are in place to ensure data security meets the standards in our policy (e.g. with our payroll company or cloud databases)
- Authorisation from the Data Protection officer must be obtained in advance of disclosure, and only the information required will be disclosed. Good records will be kept, particularly of the reasons for the disclosure.
Good practice followed includes:
- Locking idle terminals and considering visibility of PC screens by unauthorised individuals
- Use of up to date virus checking software and firewalls and regularly changing passwords
- Role-based personal data access rights for workers
- Data protection and confidentiality included in trustee, staff and volunteer training and induction
- High expectations of workers to follow policy and practice, including the potential for disciplinary action, and consideration of reliability at recruitment
- A clear desk policy, paper records not left where unauthorised individuals can see them
- Storing paper records in locked cabinets, in a locked room with controlled access, an only removing them from premises in exceptional circumstances
- Separating sensitive monitoring data or contact details from e.g. recruitment or service paperwork, where access to this data is not needed
- Computerised and cloud-based personal data storage is password protected, with data in transition encrypted
- Removable computer media not used for transferring or storing personal data
- Paper records promptly archived electronically once no longer needed for day-to-day use
- Processing of personal data ‘off-site’ is risk assessed and actively managed, with preference given to use of password protected cloud-based systems for secure, encrypted access to personal data e.g. logging into a cloud database from an ipad, or anonymised e.g. full names not kept on mobile phone
- Personal data not routinely stored on personal computers, or off-site – BCC used for group emails, individual’s details anonymised in discussion, documents and emails
8) Retention and disposal of data
CSASS will not keep personal data for longer than is necessary for the purpose(s) for which it was originally collected e.g. to contact or support an individual, or to improve our service.
CSASS may store anonymised data for longer periods for the purposes of monitoring, reporting on or improving our service. Any exceptions to general retention procedures need authorisation from the Data Protection officer, and good records kept, including the reasons for the exception.
CSASS will review the retention dates of all personal data annually and remove and dispose of, or anonymise, any personal data no longer required.
Personal data is disposed of or deleted securely from cloud databases, file storage, automatic email lists (e.g. outlook contacts). Paper records are shredded, and computer hard drives removed and destroyed professionally.
9) Data transfers
CSASS will not normally export data outside the European Economic Area. In the event of a request or requirement, CSASS will obtain specific permissions from the individual and regulators, take professional advice and make a full assessment.
