DATA PROTECTION POLICY

Aims

Outskirts is committed to the protection of personal data including special categories of personal data and criminal allegations, proceedings and conviction in accordance with EU General Data Protection Regulation 2018 (GDPR). GDPR applies both to automated personal data and to manual filing systems and hard copy data and is accessible according to specific criteria. The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. In this instance, Outskirts is a controller responsible for the processing of personal data. In some instances a third party organisation may act as controller, e.g. an external payroll provider.

In order to carry out its day to day operations, to meet its charitable objectives and to comply with its legal obligations, Outskirts needs to retain certain information on its:

a) Beneficiaries (active and archived)

b) Employees, contractors and freelance workers

c) Trustees

d) Volunteers 

e) Donors, supporters, sponsors

This policy applies to:

 

a) Trustees

b) Employees, contractors and freelance workers

c) Volunteers

d) Third party data processors engaged by Outskirts

e) All others associated with Outskirts

Conditions of the Lawful Processing of Personal Data

In line with GDPR, Outskirts will ensure that personal data shall be processed lawfully, fairly and in a transparent way. Outskirts will ensure that it has a valid basis for processing personal data and will identify the basis on which personal data is processed, dependent on the relationship with the individual.

The lawful bases for processing personal data are as follows:

 

a) The data subject has given consent to the processing of their personal data for one or more specific purposes

b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

c) Processing is necessary for compliance with a legal obligation to which the controller is subject 

d) Processing is necessary to protect the vital interests of the data subject or of another person

e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

f) Processing is necessary for the purposes of the legitimate interest pursued by the controller. This will require the controller to:

      - Identify the legitimate interest

      - Show that the processing is necessary to achieve it

      - Balance it against the individual's interests, rights and freedoms

 

In processing special category data, Outskirts will identify both a lawful basis for general processing and an additional condition for processing this type of data.

 

Processing of Personal Data

‘Processing’ includes obtaining, holding, amending, disclosing, destroying, deleting or otherwise using personal data, whether that information is stored electronically or in hard copy.

Outskirts processes the following personal data of beneficiaries

 

a) Identifying details such as name, dates of birth, family details

b) Personal contact data such as address and telephone number

c) Special categories of personal data such as information about race, ethnic origin, religion, physical and mental health conditions (including case notes, referral forms, information about diagnosis, concerns, care plans, and reviews of treatment)

d) Data about communications such as emails or phone calls received.

Outskirts processes the following data about employees or freelance workers

a) Identifying details such as name, dates of birth, family details

b) Personal contact data such as address and telephone number

c) Employment terms and conditions 

d) Other personal data such as bank account number, payroll information, supervision and appraisal notes, training records, qualification details.

f) Special categories of personal data such as race, ethnic origin, politics, religion, trade union membership.

Outskirts processes the following personal data about placement students

a) Identifying details such as name, dates of birth, family details

b) Personal contact data such as address and telephone number 

d) Other personal data such as bank account number, payroll information, supervision and appraisal notes, training records, qualification details.

e) Data about communications such as emails or phone calls received.

f) Criminal offence data

Outskirts processes the following personal data about trustees:

 

a) Identifying details such as name, dates of birth, family details

b) Personal contact data such as address and telephone number 

c) Other personal data such as professional experience.

Outskirts processes the following personal data about donors, supporters and sponsors

a) Identifying details such as name, dates of birth, family details

b) Personal contact data such as address and telephone number

c) Other personal data such as bank account number 

 

Access to the personal data for which Outskirts is responsible will be restricted to authorised groups of people within Outskirts who will hold and process the data. Specifically:

a) Employees, students, freelance workers and volunteers working with a particular beneficiary, managing a programme a beneficiary is in, safeguarding that programme, or involved in evaluating and monitoring that programme will have access to that particular beneficiary's personal data.

b) Only employees or trustees, freelance workers or volunteers involved with HR, finance functions, safeguarding or line management will have access to employee, freelance worker, trainee or volunteer information.

c) Only employees, freelance workers, trainees or volunteers involved in fundraising will have access to donor data.

d) Only employees or freelance workers involved in trustee management or safeguarding will have access to trustee data.

The name of the Outskirts data protection officer and contact for data protection matters is Corrina Eastwood.

 

Responsibilities for data protection compliance.

Overall responsibility for the charity's data protection compliance falls to the board of trustees.

The board of trustees delegates particular responsibilities and tasks regarding data protection to the data protection officer.

The data protection officer is responsible for:

a) Understanding, communicating and advising on obligations to comply with GDPR and other data protection laws.

b) Monitoring compliance with the GDPR and other data protection laws and with Outskirts' data protection policies, including managing internal data protection issues, training employees and freelance workers and conducting internal audits.

All employees, freelance workers, volunteers, students and trustees and third party processors must ensure that they not only understand but also act in line with this policy and the GDPR.

Breach of this policy may result in:

 

a) For employees, students, freelance workers or volunteers – disciplinary proceedings and potential termination of employment/agreement.

b) Trustees could be made personally liable for any penalty arising from a breach that they have made.

 

All employees, freelance workers, students, volunteers, trustees and third party processors who identify or suspect a data breach must report this breach to the Data Protection Officer or Outskirts director.

Where a data breach is reported or suspected, Outskirts will put in place a plan to evaluate the nature, scope and potential consequences of the breach. This will be led by the Outskirts director.

 

Where Outskirts has assessed that a breach is of an appropriate nature, i.e. likely to result in a high risk to people's rights and freedoms, scale or consequences, we will:

 

a) Seek advice from the appropriate regulating body within 72 hours of first becoming aware of the breach.

b) Notify those individuals affected by this breach without undue delay after first becoming aware of the data breach. This will include a description of the breach and how and when it occurred, our responses to the risks the breach posed, clear and specific advice around what they can do to minimise their risks and information on how to contact us further.

The charity will then investigate the causes of the breach and evaluate the effectiveness of our response with a view to minimising ongoing risks.

 

Policy Implementation

Outskirts will endeavour to ensure that:

a) Anyone who wishes to make enquiries about Outskirts' handling of personal information, whether a member of staff, volunteer or beneficiary, understands the policies and procedures.

b) Any disclosures of personal data will be in line with our procedures.

c) Queries about Outskirts' handling of personal information will be dealt with swiftly and effectively.

d) Everyone processing personal data receives appropriate training in managing and processing the personal data as well as understanding what might constitute a data breach and the reporting procedure. 

e) Requirements to comply with this policy and GDPR are included in handbooks and employment contracts or freelance worker agreements.

 

Collecting Data, Storing Data and Consent to Use Personal Data

Before personal data is collected, individuals will be provided with privacy information including:

  • Outskirts' policy for processing their personal data

  • Retention periods for that personal data

  • Who it will be shared with

 

Outskirts will consider the following:

 

a) The extent of the details that are necessary for our purposes

b) Our legal obligations under safeguarding legislation and guidance

c) How long we are likely to need and keep this information

d) Who should have access to this information and means to process it that will ensure such restricted access

e) Implementing appropriate technical and organisational measures in an effective way in order to meet the requirements of this regulation and protect the rights of data subjects

f) Ensuring that all consent for data is freely given, specific, informed and separate from other terms and conditions

g) Providing a positive opt-in consent that is not inferred through silence or inactivity.

 

Outskirts will inform people whose data is gathered about the following in concise, clear, easy to understand language:

 

a) Why we are gathering the data and our lawful basis for processing the data

b) What the data will be used for

c) Who will have access to the data

d) How long Outskirts will retain the data

e) Beneficiaries' right to complain to the director if they think there is a problem with the way Outskirts is handling their data

 

If asked, Outskirts will provide a copy of the personal data free of charge.

 

a) For beneficiaries over 16, at the point of initial contact and commencement of service use via an initial assessment form

b) For employees or freelance workers and potential employees, at the point of employment and commencement of services via contract or agreement letter.

c) For trustees at the start of their term via induction training

d) For volunteers and students, at the commencement of their placement via induction training.

e) For donors, supporters and sponsors, at the commencement of their support. 

 

Data about DBS checks and other criminal records list updates for employees, freelance workers, volunteers, students and trustees will be updated annually by Outskirts. Records about updates will be recorded securely.

Consent to use active beneficiaries' personal data on an ongoing basis, i.e. for as long as the beneficiary is accessing Outskirts services, is normally secured at the start of each beneficiary's contact with our services.

 

For archived beneficiaries, their data will be archived at the end of their relationship with Outskirts. Employees responsible for the decision to close beneficiaries' cases will be tasked with ensuring all data is accurate at the point of archiving. No attempt will be made to ensure data is kept up to date after the point of archiving, save for the event that a beneficiary actively returns to use an Outskirts service.

a) Archived data will be stored securely for 7 years. This is to ensure that potentially vital health or social care records remain available. 

b) Data relating to safeguarding concerns, or beneficiaries who had significant safeguarding concerns, will be archived indefinitely.

c) Artworks created during art therapy will be stored securely in a locked confidential storage place at the client's request for the duration of the therapeutic work. Artworks will not be archived and can be either taken by the client or will be securely disposed of by the therapists following termination of the therapy work.

 

Consent to use archived beneficiaries' personal data will be sought each specific time their data is to be used unless it contravenes safeguarding policy or where the safeguarding lead is assured that the beneficiary does not have the capacity to consent, but disclosing the data request poses some potential harm to their wellbeing, the request will be escalated as a safeguarding concern, in order to balance Outskirts' obligation to safeguard vulnerable adults.

 

Outskirts will ensure that current employees', freelance workers', trustees' or sponsors' personal data is kept accurate by ensuring that all personal data is stored and is accessible to the individual on request.

For former employees or freelance workers who have left, Outskirts will keep necessary data such as contact details and termination dates, salary levels and supervision and appraisal notes securely for 7 years from the termination of employment or agreement.

 

Bank details will be destroyed 3 months after termination of employment or agreement.

Other data will be retained for 7 years unless there is a legal basis for retaining data.

 

Data Security

Outskirts will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. Outskirts will endeavour to ensure that the following measures are taken:

a) Electronic data will be kept in encrypted servers.

b) Servers will be password protected with restricted access by employees, volunteers and students on placement

c) Any data taken off site via laptop will be password secured and USB will be encrypted to access.

d) ID numbers will be allocated to beneficiaries using the therapy services and full names or contact details of clients will not be stored with process notes or supervision notes.

e) Electronic data will be backed up regularly.

f) Paper based data will be stored securely in locked filing cabinets. Access to keys will be restricted to staff, volunteers and students on placement where it is within their scope of authority.

Subject access requests and their authorisation

Individuals have a right under the GDPR to access certain personal data being kept about them on the computer and in hard copy. They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, object or restrict the processing of their data, block or erase their information.

Beneficiaries also have the right to receive the personal data concerning them, which they have previously provided, in a commonly used and machine-readable format, and have the right to transmit that data to another controller under the following conditions:

  • Personal data that the controller has provided to a controller

  • Where the processing is based on the individual's consent or the performance of a contract

  • When processing is carried out by automated means

 

All persons, except active beneficiaries, wishing to exercise these rights should email contactoutskirts@gmail.com

The following information will be required before access is granted to individuals, except for individuals who are active beneficiaries. For subject access requests regarding non-sensitive personal data, the data subject will need to confirm:

 

a) Full name

b) Date of Birth

c) Postal address as known by Outskirts

d) Contact Number as known by Outskirts

e) Nature of their relationship with Outskirts

 

Where these requirements cannot be met, or where the request is regarding sensitive personal data, the following forms of ID may be required before data is disclosed:

 

a) Photographic driving licence

b) Passport

c) Birth certificate and current utility bill

 

Active beneficiaries wishing to exercise their subject access rights should contact the staff member with whom they are working in the first instance. In instances where they wish to make the request to someone else they can contact the Data Protection Officer via email.

 

The following information will be required before access is granted to individuals who are active beneficiaries.

 

a) Full name and contact details of the person making the request

b) Information relevant to the request, such as timescales involved or types of data required.

 

For active beneficiaries, the staff member who they are working with will confirm their identity directly.

In all instances where a data request is deemed appropriate, data will be returned to the individuals in an appropriate, secure format within 30 days. The preferences of the data subject themselves will be given due consideration, but generally:

 

a) Our preference is to give hard copies of data or, for large files, an encrypted USB, handed in person to the individual or sent via recorded mail.

b) Where a subject requests data to be sent via non-encrypted email, we seek written (via email) confirmation of this request and explicit acknowledgment that they understand the risks of such a request, before complying.

In instances where a request is denied, we will tell the individual why and that they have the right to complain to the relevant supervisory authority and to a judicial remedy without undue delay within a one month time frame.

 

Queries about handling personal information will be dealt with swiftly and politely.

 

We will aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within 30 days of receiving the request, as required by GDPR. 

 

Last Reviewed 15/2/19

Next Reviewed 15/2/20