In a nutshell:
In the course of our day-to-day work, Community Council for Somerset (CCS) regularly needs to collect and use information about the people with whom we work – members, employees (current, past and prospective), trustees, clients, consultants and suppliers. This personal information must be handled properly, regardless of how it is collected, recorded and used, and whether it is held on paper, in computer records, on a memory stick, mobile phone, laptop or iPad, or recorded by any other means.
We will ensure that we treat personal information lawfully and correctly. Breaching data protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Trustees, employees and volunteers should be aware that they may be personally liable if they use applicants’ personal data inappropriately. This policy is designed to minimise those risks and to ensure that the reputation of the charity is not damaged through inappropriate or unauthorised access and sharing.
DATA IS IMPORTANT!
CCS regards the lawful and correct treatment of personal information as imperative to our successful operation and to maintain confidence between us and those with whom we carry out business.
To this end we fully adhere to the Principles of Data Protection as set out in the General Data Protection Regulation (GDPR).
1. Introduction to Data Protection and GDPR
Under the GDPR CCS will be:
- Data Controller for its own business needs and employee and client details.
- Data Processor for and on behalf of the clients with whom we have agreements and contracts.
Information Commissioner’s Office registration
CCS registered with the Information Commissioner’s Office on 17 September 2018, registration No: Z3356691. The General Data Protection Regulation requires every data controller who is processing personal data to notify and to renew their notification on an annual basis. Failure to do so is a criminal offence.
Data privacy principles
CCS fully endorses and adheres to the data privacy principles. Personal data shall be:
- processed lawfully (relying on consent and/or legitimate interest to deliver our services), fairly and in a transparent manner in relation to the data subject
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date – inaccurate data to be erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss or destruction.
- subject to the appropriate technical and organisational measures which will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- subject to assurances that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
The data controller shall also be responsible for, and be able to demonstrate, compliance with the principles.
GDPR sets out the rights of data subjects: the right to be informed, the right of access, the right to rectification, the right of erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making.
Any living individual has the right to make a Data Subject Access Request. The individual must confirm their identity, complete a Data Subject Access Request form and submit it to CCS. A copy of this form is available by contacting CCS at the main address or by emailing firstname.lastname@example.org
Handling of personal/sensitive information
We will, through appropriate management and the use of strict criteria and controls, comply with the principles of data privacy by:
- fully observing obligations regarding the fair collection, transparency and use of personal information;
- meeting our legal obligations to specify the purpose(s) for which information is used;
- collecting and processing appropriate information only in accordance with those purposes;
- ensuring the quality and accuracy of information used;
- applying strict checks to determine the length of time information is held;
- ensuring that personal data is accurate and, where necessary, kept up to date;
- ensuring that personal data is not kept for longer than is necessary for that purpose or those purposes, and is then securely destroyed;
- maintaining physical and cybersecurity safeguards so as to ensure adequate security of data;
- observing the rights of data subjects and responding to requests within reasonable timescales;
- ensuring that all employees, volunteers and Directors/Trustees are aware of and understand their legal responsibilities regarding data protection, including this policy;
- regularly reviewing our practices for obtaining and processing personal information.
We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. We will ensure that personal information is treated lawfully and correctly.
CCS has identified third parties who either process personal data on our behalf or with whom we share data. Assurance is sought from these third parties that they are compliant with the requirements of the GDPR and the Data Protection Act 2018 (DPA).
All contractors, consultants, partners, volunteers, Trustees or Directors must:
- ensure that they and all of their employees who have access to personal/sensitive data held or processed for or on behalf of us, are aware of this policy and are fully aware of their duties and responsibilities under the DPA and GDPR. Any breach of any provision will be deemed as being a breach of any contract between the Company and that individual, company, partner or firm;
- allow data protection audits by us of data held on our behalf (if requested);
- indemnify us against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
CCS does not record personal data on children under the age of 13. If information is recorded on a child over the age of 13, consent must be obtained.
Code of Conduct
Compliance with the regulations is the responsibility of all CCS employees and any unlawful breach of the regulations by an employee is a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution. Employees must familiarise themselves with the data breach policy and cooperate with management to ensure that CCS can respond effectively within the 72-hour timescales.
Data security: Retention of records
The regulation requires that personal data is “kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” CCS has a retention of records policy which states how long records, including personal data, need to be kept.
Clear desk policy
It is important to keep desks clear of personal data when the office is closed or desks are left unattended to prevent unauthorised disclosure. This includes manual data but also mobile phones, memory sticks, etc.
- All personal data must be kept in a locked drawer or cabinet, and access to the keys should be restricted.
- Personal data should not be left visible on screens. PCs and laptops should be logged out and shut down when employees have finished working. Screens must be locked when left, and will automatically be locked after 5 minutes of inactivity.
- When manual records are no longer needed they should be shredded or moved to confidential waste, and in no circumstances left in regular waste.
- Personal data should not be left on the printer/photocopier but should be retrieved immediately or the locked print facility should be used.
- Employees should make sure no sensitive data is visible on desks or screens when non-CCS employees are visiting the office.
All photos of individuals are classed as personal data and we aim to treat them securely in line with the GDPR 2018 regulation. All photos published via any marketing platform must be the property of CCS, not third-party images. Photos must have the permission of those photographed via the CCS Photo Consent form. Any photos supplied to CCS must be checked as consented before sharing. If a photo includes anyone under the age of 13, a person holding ‘parental responsibility’ must give their consent.
Data transfer and storage
Server – Personal information is securely stored across a combination of on-premises servers and Microsoft 365. Backups are carried out every weekday to both a Network Attached Storage device and a cloud-based solution provided and supported by our IT support provider, CETSAT. All personal information is stored on CCS’s cloud-based data server, where data is both secure and backed up; this service is provided by a third party, currently CETSAT. Backup tapes in the office are kept in a locked, fireproof box.
Telephone – The CCS and Carers Service lines have the facility to record conversations. This will not be used without the permission of the caller.
Email – CCS uses Office 365 to exchange email, with Mimecast encryption. For employees who take referrals from Somerset County Council or the NHS, emails are sent via CCS and NHS mail accounts, not via personal unsecured mailboxes.
Emails that contain personal information must be encrypted and any attachment must be password protected. Each user will accept responsibility to ensure the correct recipient has been selected to receive the email.
PCs / laptops / other devices
Most employees are issued with CCS or NHS PCs or laptops. These require log-ins and passwords to access any systems or data. Data is not to be stored on desktop PC hard drives, where it is not protected by the firewall. If this is temporarily necessary, the data must be promptly moved to the secure network and any locally stored copy deleted after use. Where personal devices are used and shared with other users, employees must remove any personal data to prevent unauthorised access.
Public Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities and other public places are convenient, but often they are not secure. If you connect to such a Wi-Fi network and send information through Office 365, websites or mobile apps, someone else might be able to see it. Therefore, employees are not permitted to use or join public Wi-Fi on any CCS device (including laptops and mobile phones), to protect personal data from being breached. Agents with an NHS laptop have an extra level of security: a Virtual Private Network (VPN) establishes a protected network connection when using public networks. VPNs encrypt your internet traffic and disguise your online identity, which makes it more difficult for third parties to track your activities online and steal data. The encryption takes place in real time. Not all agents have an NHS laptop, so please check with your manager.
Do not use passwords that are easy to guess. All your passwords should contain both upper- and lower-case letters and preferably some numbers. Passwords should be strong and at least 8 characters in length.
Protect Your Password:
- Common-sense rules for passwords: do not give out your password;
- do not write your password anywhere on your laptop;
- do not keep it written on anything stored in the laptop case.
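As an added illustration (not part of the CCS policy itself), the following Python function checks a candidate password against the three rules the policy states: both upper- and lower-case letters, a preference for digits, and a minimum length of 8 characters. The "easy to guess" rule has no precise definition on the page, so it is approximated here with a small constructed denylist of well-known weak passwords; that list, the length constant and the function names are assumptions made for the example.

```python
"""Password policy check written as an added example; it is not CCS's own code."""
import re

# Minimum length stated in the policy.
MIN_LENGTH = 8

# Constructed denylist standing in for the policy's "easy to guess" rule.
# A real deployment would compare against a much larger list of common or
# breached passwords; these entries are placeholders for the example.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}


def check_password(password: str) -> list[str]:
    """Return a list of policy failures; an empty list means the password passes.

    A password that satisfies every character rule can still fail if it appears
    on the denylist, which is the case the length/character rules alone miss.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    # Compare case-insensitively so "Password1" is caught as well as "password1".
    if password.lower() in COMMON_PASSWORDS:
        failures.append("easy to guess (on common-password list)")
    return failures


def has_digit(password: str) -> bool:
    """The policy only prefers digits, so report this separately instead of failing."""
    return bool(re.search(r"[0-9]", password))


if __name__ == "__main__":
    for candidate in ("Password1", "correcthorse", "Ab1", "Tr0ub4dor&3"):
        problems = check_password(candidate) or ["passes"]
        digits = "has digits" if has_digit(candidate) else "no digits (advisory)"
        print(f"{candidate!r}: {', '.join(problems)}; {digits}")
```

Keeping the digit rule advisory rather than mandatory matches the policy wording ("preferably"), and checking the denylist after the character rules shows why a password can meet every character requirement and still be rejected.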
Mobile telephones – CCS employees have mobile phones to contact other professionals and clients, to access emails, and to take photographs of forms. These require a PIN, or fingerprint security on a smartphone, to access the information. Photographs are deleted once forwarded. In the event of loss of the device, e-mail data on Office 365 can be wiped remotely, and contact names and numbers will be blocked via the phone provider once the loss is reported.
USB memory sticks will not be used unless there is an operational requirement. If it is necessary, only encrypted memory sticks may be used and the files must be deleted after use.
Manual records – where it is necessary to remove manual records containing personal data from the CCS office, equipment will be provided to ensure secure storage.
Relevant Contact Information
- DPO: IG Smart, email: email@example.com, tel: 0207 167 4268
Overall responsibility for this policy lies with the CCS Board of Directors / Trustees and its implementation with the Senior Management Team.
Review – This policy is reviewed annually and updated as required.
This policy is intended as guidance for management and employees.
It does not confer any contractual rights on individuals.