The purpose of this policy is to enable Caleb Lovejoy’s Almshouse Charity to comply with the law (The Data Protection Act 1998) in respect of the data it holds about individuals. The General Data Protection Regulation (GDPR) 2018 regulates the way in which personal data is stored and for what purpose it is kept.
The charity will:
- demonstrate an open and honest approach to personal data
- follow good practice
- protect all personal data
- respect the rights of residents, trustees, staff, volunteers, contractors, supporters and other individuals
- protect the charity from the consequences of a breach of its responsibilities.
Under GDPR, personal data means ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to another identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Data storage and processing:
Caleb Lovejoy’s Almshouse Charity recognises that data is held about:
- Residents & Applicants
- Contractors & Advisors
This information is always stored securely and access is restricted to those who have a legitimate need to know. The charity is committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it. We do not transfer data to third parties without the express consent of the individual concerned.
Rights of individuals
All individuals who come into contact with Caleb Lovejoy’s Almshouse Charity have the following rights under the GDPR:
- a right of access to a copy of their personal data
- a right to object to processing that is likely to cause or is causing damage or distress
- a right to prevent processing for direct marketing
- a right to object to decisions being taken by automated means
- a right, in certain circumstances, to have inaccurate personal data rectified
- a right to be erased or ‘forgotten’
- a right to claim compensation for damages caused by a breach of the DPA.
Archived records are stored securely and the charity has clear guidelines for the retention of information.
Roles and responsibilities:
The trustees recognise their overall responsibility for ensuring that the charity complies with its legal obligations. The Data Protection Officer (Manager and Clerk to the Trustees) is responsible as follows:
- briefing trustees on Data Protection responsibilities
- reviewing Data Protection and related policies
- advising staff on Data Protection issues
- ensuring that Data Protection induction and training takes place
- handling subject access requests.
Access to policies and procedures that relate to the personal data they may handle in the course of their roles should be available to all trustees, staff, volunteers, supporters and contractors, e.g. via the charity website.
Significant breaches of these policies will be handled under disciplinary procedures.
Key risks to the safety of data control and process:
The trustees have identified the following potential key risks:
- breach of confidentiality (information being given out inappropriately)
- individuals being insufficiently informed about the use of their data
- misuse of personal information
- failure to update records promptly
- poor IT security and
- direct or indirect, inadvertent or deliberate unauthorised access.
The trustees will review the charity’s procedures regularly, ensuring that the charity’s records remain accurate and consistent and in particular:
- IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
- data on any individual will be held in as few places as necessary and trustees and staff will be discouraged from establishing unnecessary additional data sets
- effective procedures will be in place so that relevant systems are updated when information about an individual changes.
If a breach of data security is suspected or occurs, the Trustees/Data Protection Officer should be notified immediately. Any known breach will be reported by the trustees/Data Protection Officer to the Information Commissioner’s Office (ICO) at the earliest opportunity.
Subject Access Requests
Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request (‘SAR’) to the Clerk to the Trustees. The request must be made in writing and the individual must satisfy the clerk of their identity before receiving access to any information.
A SAR must be answered within 30 days of receipt by the charity.
Collection and usage of personal data
Caleb Lovejoy’s Almshouse Charity typically collects and uses personal data in connection with the provision of housing. The charity collects personal data mainly in the following ways:
- by asking applicants for accommodation to complete paper forms
- by obtaining references about an applicant/staff/trustee/contractor
- by obtaining information for the Emergency Communication Service
- by receiving Social Services assessments undertaken relating to home adaptations or care packages
- by receiving medical information related to the ability to live independently
- by asking residents to give staff information verbally
- by recording financial information related to charity income and expenditure
- by recording information which could be used to damage the charity or threaten the security of property or buildings
- by receiving tenders and quotations for services and works
- by recording up to date trustee/resident/staff/contractor contact details
- by recording the content of official meetings in the form of minutes
Caleb Lovejoy’s Almshouse Charity will:
- not use any of the personal data it collects in ways that have unjustified adverse effects on the individuals concerned
- be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
- handle people’s personal data only in ways they would reasonably expect
- not do anything unlawful with the data.
Data security and retention
The charity will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. This means that:
- paper files containing personal data of residents, trustees, staff, applicants, volunteers, supporters and contractors will be kept in a locked filing cabinet at all times with access only by authorised staff/trustees
- electronic files on computers/mobile phones containing personal data will be protected with a strong password and no unauthorised persons will have sight of personal data displayed on screens
- backed up electronic data will be stored securely at an alternative location and only accessed by authorised personnel
- if any data is taken or transported from its usual location, the data must be held securely at all times whilst in transit and at the location the data is held
- personal data will not be kept for longer than is necessary
- when the charity disposes of personal data, this will be undertaken in a secure manner.
Full information about the GDPR 2018 and the Data Protection Act 1998, its principles and definitions can be found at www.ico.org.uk