General Personal Data Protection & Access Policy
1. Quetzal is registered with the Information Commissioners Office’s (ICO) under the Data Protection Act (DPA) 1988. It keeps information relating to its clients, employees, trustees and contractors both current and former.
2. QUETZAL as Data Controller takes responsibility for and is committed to the ICO’s 8 data protection principles for the processing of Personal Data.
3. QUETZAL is registered with the ICO for the collection and processing of personal data under six defined purposes and our internal ICO contact is the ICT Manager Systems Development and Data.
4. Personal Data means any personal information which is stored and processed electrically or is on paper in a structured filing system. In addition, to be ‘personal data’, the data must relate either directly or indirectly to an identifiable individual.
5. The Data Subject is the individual about whom the personal data relates. Individuals who are customers, contacts or clients of QUETZAL are considered Data Subjects. Data subjects have a series of entitlements and responsibilities under the D.P.A.
6. The subject on whom the organisation holds a record is entitled to have access to their personal data within forty days of a request being made. External requests for access to personal data should be made in the first instance to: The Service Manager.
7. Personal data held by QUETZAL can be broadly classified into 12 different Data Subject headings.
8. Measures need to be taken to prevent accidental or unauthorised removal, access, loss, destruction, damage or processing of data.
FULL POLICY
1.0 Purpose
1.1 Quetzal is registered under the Data Protection Act 1988. It keeps information relating to its clients, employees, trustees and contractors both current and former.
1.2 QUETZAL needs to collect and process information, including personal information about the people it deals with, in order to operate effectively and efficiently.
1.3 This Policy sets out a framework for compliance with the Data protection act (1988), and the responsibilities of QUETZAL & its staff.
2.0 Scope
2.1 This policy relates to personal data as defined by the 1988 Data Protection Act and Quetzal’s data collection purposes as set out in its registration with the Information Commissioner’s Office
2.2 This policy applies to all QUETZAL staff and 3rd parties with approved access to QUETZAL data.
2.3 This policy relates to the use of data by Quetzal and authorised 3rd parties.
2.4 Data protection applies to digital or computerised information, manual records, photographs, CCTV footage, video tapes and audio tapes.
2.5 Data protection is currently under review across the EU, with EU GDPR proposed for adoption in 2016 and enforcement from 2018.
3.0 Glossary
3.1 Personal Data – this means any personal information which is stored and processed electrically or is on paper in a structured filing system. In addition, to be ‘personal data’, the data must relate either directly or indirectly to an identifiable individual, e.g. a document containing the name, address, age, telephone number, etc.
3.2 Sensitive Personal Data – this means information about racial or ethnic origin, religious beliefs, membership of trade unions, physical or mental health condition, offences or alleged offences or proceedings for any offence committed or alleged to have committed.
3.3 Data Controller – this is the name for an organisation and its delegated staff who are ultimately responsible for the personal data and the body who controls and benefits from the processing activity i.e. QUETZAL and its designated staff
3.4 Data Processing – Obtaining, recording or holding data or carrying out any operation or set of operations on that data. Organising, storing, adapting and amending the data, retrieval, consultation and use of data; and disclosing and erasure or destruction of data. It is difficult to envisage any activity involving data that does not amount to processing.
3.5 Data Subject – this is the individual about whom the personal data relates. Thus, individuals who are customers, contacts or clients of the Data Controller are considered Data Subjects.
3.6 Data Recipients – The people/organisations who are allowed to see the data that we have collected and processed
3.6 I.C.O. – The Information Commissioner’s Office
3.7 D.P. A – Shorthand for the Data Protection Act (1988)
4.0 Risks
4.1 Failure to comply with the DPA could lead to significant legal, financial and reputational adverse impact
4.2 DPA breaches can result in fines imposed by the ICO of up to £0.5m
4.3 The consequences of non-compliant practices could have a significant impact upon Quetzal’s reputation
4.4 Controls set out within this policy will ensure risks are minimised along with the resultant impact of any reportable breaches
5.0 References
- ICT Security Policy
- Document archiving policy *
- Data Protection Act
- Financial Regulations
6.0 Data Protection Act Compliance at NCHA
6.1 QUETZAL as Data Controller takes responsibility for, and is committed to the following data protection principles for the processing of Personal Data:
- processed fairly and lawfully and under certain specified conditions;
- processed only for specified lawful purposes;
- adequate, relevant and not excessive in relation to the purpose for which personal data is processed;
- accurate and kept up to date;
- only kept as long as necessary;
- processed in accordance with the rights of that data subject; and
- Protected by appropriate security and organisational measures.
- not transferred to any country without adequate protection in situ
6.2 In the case of sensitive data the subject must give their explicit consent in writing, by signed declaration, and the processing must be necessary for the purposes of performing any right or obligation conferred or imposed by law on the data controller.
6.4 All staff, clients and other data subjects are entitled to:
- know what information QUETZAL holds and processes about them and why;
- know how to gain access to it;
- know how to keep it up to date; and
- know what QUETZAL is doing to comply with its obligations under the 1998 Act.
6.5 QUETZAL is registered with the ICO for the collection and processing of personal data under six defined purposes and our internal ICO contact is the Assistant ICT Manager Systems Development and Data
7.0 Data Collection and Data Subjects
7.1 QUETZAL is registered to collect data for six defined purposes, these are:
- 1. Property Management
- 2. Research
- 3. Staff, Agent and Contractor Administration
- 4. Associated welfare services, advice and support
- 5. Accounts and records
- 6. Crime prevention and prosecution
7.2 Personal data held by QUETZAL can be broadly classified into the following Data Subject headings:
- Clients – individuals who receive a service with QUETZAL or one of its consortium partners, or a family member of.
- Employee – individual who holds a contract of employment with NCHA.
- Job Applicant – applicant for employment with NCHA.
- Worker / Agency Staff – individuals who are contracted to provide services via a third party.
- Delegate – applicant for training courses.
- Trustee – individual who is a registered member of Quetzal’s Board of Management.
- Volunteer/work placement – individual who delivers an element of QUETZAL service in a voluntary non-contractual basis.
- Maintenance Contractor – individual or organisation who provides a service
- Approved Supplier – individual or organisation who/that is included on Quetzal’s approved supplier listing.
- External Organisation staff – personal details of individuals from external organisations which are required for them to access funding for training and to meet regulatory requirements under the terms of contracts managed by Quetzal.
7.3 All data subjects are responsible for:
- checking that any information that they provide to QUETZAL is accurate and up-to-date;
- informing QUETZAL of any changes to the information that they have provided e.g. change of address etc.;
- checking the information that QUETZAL may send out from time to time relating to them is accurate; and
- informing QUETZAL of any errors or changes to their personal data.
7.4 Within QUETZAL personal data can be broadly classified as being stored in one or more of three main areas:
- Data held corporately within the IT network in applications such as Lamplight, etc
- Data held non-corporately within the IT network in Word documents, Excel spread sheets, Access databases, Outlook etc.; and
- Data held in structured paper-based systems across the organisation.
7.5 Procedures for ensuring the security of personal data held on corporate IT network applications is set out in the ICT Security Policy
7.6 We should think in advance about how we wish to use data (e.g.: – Mobile numbers) and data subjects should be made aware of how their data might be used.
7.7 Data subjects should be clearly given the option to opt out of data use where it is non-essential.
7.8 Data subjects have a right to see what personal data of theirs that we are processing, we will charge up to £10 and must provide the information within 40 days.
7.9 Data is a valuable asset and it must be treated as such, where ever & however it is used.
7.10 Payment card data. All staff who handle payment card data should sign the appropriate financial/banking forms.
8.0 Data storage and processing
8.1 The following QUETZAL departments hold Data Controller responsibility for their associated Data Subject groups:
- Clinical services – Clients, volunteers.
- Business Development – Clients, Volunteers, employees
- Organisational – Employees, Job Applicants, Board Members, Clients, Volunteers, approved suppliers,
8.3 Data processing procedures will incorporate management controls to:
- clearly identify the data co-ordinator who has specific responsibility for data protection;
- maintain an accurate and up to date notification of processing purposes;
- comply with the fair processing code regarding the collection and use of the data collected;
- maintain the quality and accuracy of data held and processed;
- clearly define and review retention periods for which data is retained;
- fully meet the rights of the subject regarding data held and processed;
- take appropriate technical and organisational measures to protect personal data from unauthorised access, processing, accidental loss, destruction or damage;
- ensure that all staff involved in the processing of personal data receives adequate, appropriate and periodic training about the data protection awareness, responsibilities and procedures;
- ensure adequate management supervision is in place for the processing of personal data; and
- the methods for handling and managing personal data collected and processed are periodically reviewed.
- Cloud processing (including storage) has to be arranged and authorized with the ICT department to ensure compliance with the DPA.
8.4 Working out of the office
8.4.1 Managers should be aware of any data that staff use to work out of the office, this includes site visits, working from home and away days.
8.4.2 If an employee uses their own equipment to process QUETZAL data this data must be removed as soon as the processing is finished.
8.4.2 Data used out side of the office must be kept securely. Measures should be taken to prevent people gaining unauthorised access to data, this can include preventing people from being able to read data from screens, files or paper notes where the data does not pertain to them.
8.5 Security
Measures need to be taken to prevent accidental or unauthorised removal, access, loss, destruction, damage or processing of data.
Bear in mind the points below:
- Take steps to control physical security (keeping sensitive data in locked filing cabinets, complying with the clean desk policy etc.)
- Putting information access controls in place and using them (e.g. not sharing your username and password)
- Notifying mangers if you suspect a breach has taken place
8.6 Destruction
Paper records containing sensitive data (such as client contact details) need to be securely destroyed, it is recommended that any paperwork containing this data is shredded. Paperwork containing medical details, diary notes and other very sensitive information should be destroyed using the secure shredding service.
8.7 Lost/Stolen Data
Lost or Stolen data should immediately be reported to your line manager who should then inform the ICT external provider. If possible please include the following information.
- What data has gone missing
- When did the data go missing?
- What format was the data in (paper/electronic)
- What device was the electronic data held on (e.g. Laptop, smart phone)
- Have the police/insurers been informed
9.0 Data Access
9.1 All personal information held by QUETZAL is confidential and can only be accessed for a specific purpose and with the relevant authority.
Any data sharing agreement entered into with a 3rd party should be agreed with The Service Manager.
9.2 Access is defined as either having physical access to the information or having a copy of the information.
9.3 Personal data will not be used for direct marketing.
9.4 Subject Access Requests
The subject on whom the organisation holds a record is entitled to have access to the personal data within forty days of the request being made, provided that:
- They can provide appropriate evidence as to their identity;
- Information emanating from, or concerning other people has been removed from his/her record; and
- A £10 fee is paid to cover administrative costs.
9.5 External requests for access to personal data should be made in the first instance to: The Service Manager
9.6 Internal requests from QUETZAL employees for access to personal data should be made in the first instance to: The Service Manager
9.8 FoI (draft, currently QUETZAL is not covered by FoI, this may change). The freedom of information act, allows people to request information from public bodies (currently governmental, including local & central government). The information is generally organisational rather than personal.
• Since the information is organisational, it is subject to both tests & exemptions. There is a scale of fees covering requests.
• When we receive FoI requests they should be treated as any other data request & forwarded to the service manager where they will be handled.