Data Protection Policy
1. Purpose of the Policy
Staffordshire Women’s Aid is committed to protecting the privacy of individuals who use its services and of those who provide the service by ensuring that all personal data is both accurate and contemporaneous, and that in keeping and processing the information it remains secure and confidential. Staffordshire Women’s Aid policy shall comply with the legislation set out in the Data Protection Act 1998. As SWA provides a place of safety and a service to individuals who are vulnerable and at risk, it is vital that all persons adhere to this policy to ensure that information on service users, staff and volunteers remains safe.
The scope of this policy covers the collection and processing of all data concerning service users, staff, volunteers and all others allied to the service e.g. students, trainees and those on secondment.
2. Related Policies
- Confidentiality and Access to Information
- Guidelines for use of Computers and Communication Systems
- Publicity and Media
- Child Protection
- Protection of Vulnerable Adults
- Equal Opportunities and Diversities Policy
3. Aims and Principles
Staffordshire Women’s Aid has data protection responsibilities with regard to its service users, those being referred to the services, trustees, volunteers, staff and supporters.
Staffordshire Women’s Aid needs to collect and use certain types of information about individuals in order to carry on its work. This personal information must be collected and dealt with appropriately, whether on paper, in a computer, or recorded on other material, and there are safeguards to ensure this under the Data Protection Act 1998. To comply with this law, personal information must be:
- collected and used fairly
- stored safely
- not unlawfully disclosed to another person.
Personal Information means information about named people, e.g. volunteers, employees, trustees and service users (or those being referred to the service, or making an enquiry), that enables them to be identified, e.g. name and address. It does not apply to information about organisations, companies and agencies.
The Data Protection Act controls how personal information is used by organisations. Everyone responsible for using data has to follow data protection principles, which means making sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
4. Data Protection Principles
The Data Protection Act 1998 sets out eight legally enforceable data protection principles, which SWA will use as a guide to the interpretation and implementation of the Act. These principles are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for only one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, be kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
5. Staffordshire Women’s Aid’s Responsibility to the Information Commissioner
Staffordshire Women’s Aid is registered with the Information Commissioner’s Office and it shall notify the Information Commissioner that the Data Controller for the organisation is:
The Chief Executive
Staffordshire Women’s Aid
PO Box 2387
The organisation shall, where requested, keep the Information Commissioner informed as to the nature of an individual’s data which the organisation collects and processes, such as:
- on whom we hold information
- the type of information we hold
- what we do with that information
6. Processing of Data
Staffordshire Women’s Aid acknowledges that ‘processing’ of data is widely defined and covers all manner of use including obtaining, recording, holding, altering, retrieving, destroying and disclosing data.
Staffordshire Women’s Aid shall not use information for a purpose which is incompatible with the original stated purpose for which permission was given by the data subject.
Personal data shall not be transferred outside the European Economic Area (EEA) without the informed consent of the individual, except where adequate protection exists in the country receiving it.
Staffordshire Women’s Aid is mindful that transfer of information may be necessary in some circumstances such as:
- to protect the interests of the data subject (the person on whom data is gathered and retained)
- any legal proceedings
- for reasons of substantial public interest
- the data is on a public register
7. Protection of Information
Staffordshire Women’s Aid recognises that personal information is confidential and that unauthorised disclosure is an offence under the Data Protection Act 1998.
The organisation shall safeguard individuals’ information in whatever form it is kept. It shall endeavour to protect information held on computers, manual records, videos, audiotapes, photographs, CCTV and any other electronic equipment which would identify an individual.
To ensure the security and integrity of personal data held by Staffordshire Women’s Aid, no private use shall be made of any computer belonging to the organisation, nor shall a computer belonging to an individual be used for Staffordshire Women’s Aid business, without the permission of the Data Protection Officer.
It shall discourage the use of any imaging by service users and staff of other service users and staff.
It shall only use anonymous imaging for publicity and media material unless given specific, recorded consent by the data subject and the Data Protection Officer.
8. Obtaining Individuals’ Data
The organisation acknowledges the rights of individuals to be informed that they are the subject of personal data processed by Staffordshire Women’s Aid.
Staffordshire Women’s Aid shall obtain permission from an individual to obtain and process the data and shall make clear for what purpose that information will be used.
Active steps will be taken to ensure that individuals know enough about how their information is used or disclosed, and that they have a genuine choice in these matters wherever reasonably possible.
Staffordshire Women’s Aid will always bear in mind diversity and difference. With reference to this policy, it is important to bear in mind that some people, including those with a disability, those who do not speak English as a first language, and those who do not read or write, may need particular support to understand their rights with regard to data protection.
Staffordshire Women’s Aid shall obtain clear express permission to obtain and process ‘sensitive’ personal information such as race, ethnicity, political opinions, religious beliefs or other beliefs, trade union membership, state of health both physical and mental, sexual life, criminal convictions and sentences and alleged criminal behaviour.
The organisation shall inform data subjects about any information that has been obtained from another person or agency, and make a record of its source.
Staffordshire Women’s Aid shall correct or erase, without unnecessary delay, any information on an individual, which is inaccurate or misleading.
Staffordshire Women’s Aid shall hold the minimum personal information necessary to enable it to perform its function, and the information shall be destroyed once the need to hold it has passed.
9. Rights of Individuals to Access Personal Data
Staffordshire Women’s Aid shall provide individuals who request it with access to personal information held about them. This request shall be honoured within a maximum of 40 days and for a maximum fee of £20.
The individual then has a right to access that data and is entitled to have a copy of the information. Complying with the request is conditional on whether or not another individual, or the source of any information, can be identified. Disclosure shall only be made if that individual gives consent. If consent is not given, or the individual cannot be traced, the Data Protection Officer will make a decision to disclose, partly disclose or withhold information. Wherever possible, advice will be sought from the Information Commissioner’s Office.
Any decision will be placed on record. Staffordshire Women’s Aid shall comply with the request if it is:
- in writing
- accompanied by the individual’s proof of identity
- specific enough to contain sufficient information to locate the information requested
- accompanied by the appropriate fee
- not subject to an exemption
10. Personal Data disclosed to Third Parties
Personal data shall only be disclosed to third parties with the consent of the data subject, or for legitimate purposes in accordance with the Data Protection Act 1998. This exemption applies to:
- the courts under direction of a Court Order
- any organisation having legal powers to demand disclosure, e.g. Department for Work and Pensions – Benefit Fraud Section
- any organisation operating under a specified protocol for information exchange with Staffordshire Women’s Aid in so far as such a protocol allows disclosure, e.g. Safe Guarding Children Agencies
- to protect third parties from harm or the belief that harm will take place
- to prevent or detect crime, or catch and prosecute a suspect.
Staffordshire Women’s Aid acknowledges that exemption does not cover the disclosure of all personal information, in all circumstances. It shall only release personal information for the stated purpose.
The Data Protection Officer will handle any requests from third parties on behalf of the organisation.
Staffordshire Women’s Aid shall comply with this Data Protection Policy and have regard to any such Guidelines, Codes of Practice and Procedures in relation to this policy. Disciplinary action shall be taken against any employee who breaches any instruction contained in, or arising from this policy.
PROCEDURAL AND PRACTICE GUIDELINES
All staff, volunteers and trustees must ensure that any personal information is handled responsibly.
Staffordshire Women’s Aid is responsible for ensuring that staff and volunteers are trained appropriately in their responsibilities to protect personal data and work within the Data Protection Act.
1. The Data Protection Officer
The Chief Executive Officer is the Data Protection Officer with particular responsibility for ensuring good practice and legal compliance with regard to Data Protection within Staffordshire. These responsibilities include handling information requests and ensuring that Data Protection policies and compliance are reviewed at appropriate intervals. This person ensures that all staff are aware of their responsibilities for confidentiality and for keeping good quality records. The Data Protection Officer will liaise with the Management Team and Board of Trustees in relation to authorising any exceptional disclosures, in resolving any issues not covered by existing policies, and in handling formal procedures such as requests by individuals for information held about them (which might be known as subject access requests). The Data Protection Officer will also review the information sharing arrangements that exist with regard to client referrals, or safeguarding.
The Data Protection Officer will ensure that record-keeping procedures and training are designed to ensure that all information held is fit for purpose, and that security and confidentiality are given appropriate emphasis. They will ensure that questions from individuals who want more details about how information concerning them is held and used are responded to promptly and fully.
For an organisation set up to work with survivors of domestic and sexual abuse, there may be times when data protection principles might conflict with safeguarding or criminal justice responsibilities. There may also be times when statutory organisations make demands that could lead Staffordshire Women’s Aid’s staff or volunteers to be in breach of data protection. It is the role of the Data Protection Officer to ensure that, as far as possible, such situations can be anticipated, and that relevant staff and volunteers are very clear about the appropriate responses, and data sharing protocols are clearly agreed with partner agencies.
It is the responsibility of the board of trustees, delegated to the Chief Executive Officer, to ensure that there is adequate cover for the Data Protection Officer, and that it is clear who will take on this responsibility in the event that the Data Protection Officer is unable to do so (e.g. during holidays or sickness).
This will be either the Operations Manager, or the Services Manager.
In retaining data on individual supporters and donors, Staffordshire Women’s Aid’s staff, trustees and volunteers will:
- only process information necessary to establish or maintain support, provide or administer activities for people who are supporters of the organisation or have regular contact with it; and
- only share the information with people and organisations necessary to carry out Staffordshire Women’s Aid’s activities, and have permission from the individual concerned to share their information; and
- only keep the information while the individual is a supporter.
All supporters will be given clear and regular opportunities to opt out of receiving fundraising materials of any kind, and individuals will be contacted electronically (by phone, fax or e-mail) in connection with fundraising only where they have given consent to this form of contact.
Supporter details will not be shared with other organisations, or published, unless they have given their specific consent to this.
New/potential supporters/donors will be informed of their choice of options for future contact for fundraising purposes, and this choice will be recorded and respected.
Once a year, supporters/donors will be sent a copy of their contact details on record. They will be invited to check this for accuracy and confirm their choice of contact.
3. Referrals, Enquiries and Service Users’ Records
The phrase ‘service user’ is here used to mean:
- Anyone calling with an enquiry.
- Anyone being referred to or self-referring to Staffordshire Women’s Aid for a service.
- Anyone receiving support/services/information/accommodation from Staffordshire Women’s Aid or who has received services in the past.
Staffordshire Women’s Aid will ensure that all records relating to service users are made with the knowledge of that individual, are sufficient for purpose without being excessive, are accurate and up-to-date, and that maintenance and storage of records complies with legal requirements.
No records will be kept without the knowledge of the individual concerned and all records will be relevant, factual and accurate and meet the needs of the service being provided.
All records are stored securely, and will be destroyed when they are no longer necessary to the organisation.
At initial contact, referrals/enquirers must be told that the nature of the contact is being recorded, but that they may remain anonymous at this stage. If they choose this, care must be taken not to record any details that could lead to them being identified.
Information given by a service user (whether or not anonymous) must only be included in the record if it is relevant either to the service being provided or to provide statistics or other information about the services provided.
If there is any possibility that a contact might provide the basis of a useful case study, the service user must be asked for their permission, even if the case study is to be used anonymously. A worker obtaining verbal permission must sign and date a statement that permission has been obtained, and specify any restrictions (for example on how long the permission will remain in force). Permission for a case to be used as a case study will be assumed to expire after three years, even where no time limit has been stipulated.
Service users will normally be allowed access to their own records on request unless the record was anonymous, but only on proof of identity.
Access to records will normally involve providing a copy of any electronic record and a photocopy of any written record.
If a service user is not able to access all or part of their records, they must be informed of their legal right of subject access under the Data Protection Act.
When records are made, the status of the information must be clear and a distinction made between: information provided by the service user, information which can be factually verified, and opinions, observations or actions of the worker/volunteer at Staffordshire Women’s Aid. Abbreviations must only be used if they can be clearly understood by all workers.
Records must be stored in such a way that prevents access by unauthorised persons. This includes anyone who has no need to see the information, including staff, volunteers and trustees.
Records will never be retained longer than necessary, and will be destroyed once they are of no further use to the work of the organisation.
4. Confidentiality, Security and Disclosure of Records
Staffordshire Women’s Aid is committed to maintaining confidentiality in all matters relating to service users.
No personally identifiable information will be disclosed by Staffordshire Women’s Aid to anyone who does not have right of access. Normally access will be restricted to those workers providing a service, or anyone engaged in quality control or review of a service, on a need to know basis.
Where a worker needs to discuss a case with colleagues this will be done anonymously wherever possible.
Confidentiality extends to all information relating to service users, whether recorded, verbal or observed.
As far as possible the individual will be made aware of the extent to which information may be shared, even with people who are authorised to have it.
Normally, no information relating to individuals will be passed outside Staffordshire Women’s Aid without their consent. In particular, sensitive personal data (as defined in the Data Protection Act) will be kept strictly confidential. Any outside individual or organisation requesting verbal or written information will be required to show proof of identity and demonstrate that they have right of access to the information.
Information about any individual will not be given over the telephone or by e-mail unless giving the information in this way is appropriate because of urgency and then only where the identity of the person making the request can be verified and they are authorised to have the information.
In exceptional circumstances (for example when it can be justified in the public interest, the interest of the enquirer or when required by law) information may be disclosed without the consent (or if necessary even the knowledge) of the individual. Any such disclosure can only be made with the approval of the Data Protection Officer. In the event of information being disclosed without the consent of the service user, a record must be kept of the decision including the reasons for making it. This is likely to be a difficult decision and should be defensible not defensive.
All records will be stored appropriately, and access will be controlled and monitored. Information will only be removed from secure storage when this is necessary for operational reasons.
It is the responsibility of all staff to inform a senior manager when they are made aware of a breach of confidentiality. The senior manager is then responsible for taking appropriate action when they are made aware of such a breach.
5. Staff and Volunteer Records
Staff records will be held securely by those so authorised. Access by any other member of staff will be strictly on a need to know basis. A record will be kept of any disclosure and of any access other than by authorised administrators or the individual’s direct line manager.
Line managers are not permitted to keep any records on staff additional to those held by the authorised administrators unless expressly permitted, with the exception of supervision and other notes to enable them to manage the work as required, and meet the requirements of personnel policies.
Particular care will be taken to ensure that sensitive data (as defined in the Data Protection Act), such as information about an individual’s health or criminal record, is not shared with other staff.
Staffordshire Women’s Aid maintains an “open files” policy, under which current staff may, by arrangement, check the contents of their personnel file or training record (except for any part which must remain confidential for operational reasons or to protect the privacy of other people).
Staff information will not be passed on to other organisations, such as those which might want to market pension or insurance policies, although appropriate information may occasionally be distributed to staff on behalf of such organisations.
References will be provided for all staff. Full references will be provided while a staff member is in post, and for three years after departure. Following that, a reference will be restricted to post held, duration, salary on leaving, and reason for departure, if known.
Copies of references will be stored securely in the staff/volunteer’s file. References will be “open”. Staff will have the opportunity to read a reference before it is supplied, and to propose corrections to any factual mistakes. Staffordshire Women’s Aid will not withhold consent for copies of references to be provided in response to a Subject Access request addressed to the recipient.
Where a staff member gives Staffordshire Women’s Aid as a referee for employment, it will be assumed that they have consented to the disclosure of all relevant information.
Where a reference is requested for other reasons (such as salary confirmation for a mortgage application) the staff member will be asked to confirm their consent if there is any uncertainty about whether they are aware of the request and/or whether they agree to it.
7. Keeping Information Secure
All staff, volunteers and trustees will ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- Paper files and other records or documents containing personal/sensitive data are kept in a secure environment
- Personal data held on computers and computer systems is protected by the use of secure passwords, which are periodically changed. Individual passwords should be such that they are not easily compromised.
- Information on individuals, whether service users, staff, volunteers or trustees, is confidential, and will only be passed to other organisations with the express written consent of the individual concerned, unless there are exceptional circumstances. Such circumstances include:
  - For the prevention or detection of crime including the apprehension or prosecution of offenders
  - For the assessment or collection of tax duty
  - For the discharge of regulatory functions (includes health, safety and welfare of persons at work)
  - For the prevention of serious harm to a third party
  - For the protection of the vital interests of the individual; this refers to life and death situations
  - Where there is clear evidence of fraud
Staffordshire Women’s Aid will never publish photographs or film images of beneficiaries of its services. It may publish photos of other people (e.g. staff, volunteers, supporters) with their permission, and in line with the Media and Publicity Policy, but will be mindful of the need to safeguard the identity of its refuges. When photos are being taken at an event (e.g. a conference) then participants will be informed that they may be in a photograph that may be published in a report or on the internet and requested to make themselves known if they do not want this to happen.