The purpose of this policy is to enable the Charity of Thomas Oken & Nicholas Eyffler to comply with the law (The DPA 1998) in respect of the data it holds about individuals.
The Charity Will:
- follow good practice
- protect residents, trustees, staff, volunteers and other individuals by respecting their rights
- demonstrate an open and honest approach to personal data and
- protect the charity from the consequences of a breach of its responsibilities.
This policy applies to all the information that we control and process relating to identifiable, living individuals including contact details, test and exam results, bank details, photographs, audio and digital recording.
Data Storage and processing:
The Charity of Thomas Oken & Nicholas Eyffler recognises that data is held about:
- The Clerk and his staff
This information is always stored securely and access is restricted to those who have a legitimate need to know. We are committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it. We do not transfer data to third parties without the express consent of the individual concerned.
Rights of individuals
All individuals who come into contact with the Charity of Thomas Oken & Nicholas Eyffler have the following rights under the DPA:
- a right of access to a copy of their personal data
- a right to object to processing that is likely to cause or is causing damage or distress
- a right to prevent processing for direct marketing
- a right to object to decisions being taken by automated means
- a right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed and
- a right to claim compensation for damages caused by a breach of the DPA.
Archived records are stored securely and the charity has clear guidelines for the retention of information.
The trustees recognise their overall responsibility for ensuring that the charity complies with its legal obligations. Mr Clive Mason, Chairman and a trustee is responsible as follows:
Roles and Responsibilities:
- briefing trustees on Data Protection responsibilities
- reviewing Data Protection and related policies
- advising other staff on Data Protection issues
- ensuring that Data Protection induction and training takes place
- handling subject access requests.
All trustees, staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their roles.
Significant breaches of these policies will be handled under disciplinary procedures.
Key risks to the safety of data control and process:
The trustees have identified the following potential key risks:
- breach of confidentiality (information being given out inappropriately)
- individuals being insufficiently informed about the use of their data
- misuse of personal information by staff or volunteers
- failure to up-date records promptly
- poor IT security and
- direct or indirect, inadvertent or deliberate unauthorised access.
The trustees will review the charity’s procedures regularly, ensuring that the charity’s records remain accurate and consistent and in particular:
- IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
- data on any individual will be held in as few places as necessary and trustees and staff will be discouraged from establishing unnecessary additional data sets
- effective procedures will be in place so that relevant systems are updated when information about an individual changes.
If a breach of data security is suspected or occurs the trustees and the Data Protection Officer should be notified immediately.
Subject Access Requests
Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request, (‘SAR’) to the clerk. The request must be made in writing and the individual must satisfy the clerk of their identity before receiving access to any information.
A SAR must be answered within 40 calendar days of receipt by the charity.
Collecting and using personal data
The Charity of Thomas Oken & Nicholas Eyffler typically collects and uses personal data in connection with the provision of (objects of the charity). The charity collects personal data mainly in the following ways: (below are examples)
- by asking applicants for accommodation to complete paper forms
- by asking residents to give Trustees the Clerk and his staff information verbally.
The Charity of Thomas Oken & Nicholas Eyffler will:
- not use any of the personal data it collects in ways that have unjustified adverse effects on the individuals concerned
- be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
- handle people’s personal data only in ways they would reasonably expect
- not do anything unlawful with the data.
Keeping Data Secure
The Charity will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. This means that:
- personal files for residents, trustees, and employees and applications for accommodation will be kept in a locked filing cabinet at all times with access only by authorised staff
- trustees’ details will be kept in a locked filing cabinet with access only by the Clerk
- electronic files containing personal data will be password protected and passwords will be changed on a regular basis
- backed up electronic data will be held securely on an alternative site or when off‐site it will be encrypted, password protected and only accessed by named staff
- if any data is taken from the office (e.g. to work at home) the data must be held securely at all times whilst in transit and at the location the data is held.
Retention of personal data
The Charity will not keep personal data for longer than is necessary. This means that:
- a resident’s file will be completely destroyed after six years of the resident leaving or passing away
- records of complaint/investigations concerning residents will be destroyed six years after the resident leaves or passes away
- application forms for unsuccessful applicants will be destroyed six years after the date of application.
- trustees will destroy and delete all charity documents held within their own records, including all computer data and paper copies, on the earlier of their retirement of the time limits mentioned above.
- trustees personal files will be destroyed one year after ceasing to be a trustee
Full information about the Data Protection Act, its principles and definitions can be found at www.ico.gov.uk
Reviewed July 2018