This policy applies to all current and former employees, residents and Directors of the Charity. The General Data Protection Regulation (GDPR) (2018) regulates the way in which personal data about employees, residents and Directors is stored and for what purpose it is kept. Data comprises information held both electronically and as hard copy.
Purpose
The purpose of this policy is to enable the Charity to:
- comply with the law in respect of the data it holds about individuals
- follow good practice
- protect employees, residents and Directors
- protect the Charity from the consequences of a breach of its responsibilities
- demonstrate an open and honest approach to personal data.
Exeter Homes Trust (201530) is registered as a data controller under the GDPR with the Information Commissioner’s Office, registration ZA291856.
The purpose of the GDPR is to protect the rights and privacy of individuals and to ensure that data about them is not processed without their knowledge and is processed with their consent wherever possible. The previous Data Protection Act (1998) set out eight principles, which remain now that GDPR has been introduced. These are that data must:
- be processed fairly and lawfully
- be obtained only for specified and lawful purposes
- be adequate, relevant and not excessive
- be accurate and up to date
- not be kept for longer than is necessary
- be processed in line with individuals’ rights
- be securely kept
- not be transferred to other countries without adequate protection.
In addition, the GDPR contains the following changes:
- enhanced documentation to be kept by data controllers
- enhanced privacy notices
- more detailed rules regarding consent
- mandatory data breach notification requirements
- enhanced data subject rights
- new obligations on data processors
- expanded territorial scope
- significant increases in the size of fines and penalties for non-compliance.
Data subjects (residents, employees and Directors) have the following rights under GDPR:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object.
Policy
Under GDPR, personal data means ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Personal data should only be kept where there is a legitimate interest to do so. Once obtained it should be used for a specific and lawful purpose without being processed any further. Any personal data should be limited to only that which is relevant.
GDPR states that the data should be kept for no longer than is necessary for the purposes for which the personal data is processed.
The Charity will ensure that all personal data is fairly and lawfully obtained and processed and securely held, in accordance with these principles. It will:
- comply with both the law and good practice
- respect individuals’ rights
- be open and honest with individuals whose data is held
- provide training and support for staff who handle personal data, so that they can act confidently and consistently.
Key Risks
The Charity has identified the following potential key risks:
- breach of confidentiality (information being given out inappropriately)
- misuse of personal information
- individuals being insufficiently informed about the use of their data
- breach of security by allowing unauthorised access
- harm to individuals if personal data is not up to date.
Roles and Responsibilities
The Directors recognise their overall responsibility for ensuring that the Charity complies with its legal obligations.
The General Manager acts as the Data Protection Officer. The General Manager will:
- brief Directors on Data Protection responsibilities
- review Data Protection and related policies
- ensure Data Protection training takes place for staff
- identify and log the personal data kept and ensure its security
- draw up a protocol for staff about the security of residents’ data
- ensure that only data which is necessary for the charity to fulfil its role is processed
- keep under review the data which is processed to ensure it remains necessary
- undertake a Legitimate Interests Assessment and keep this under review
- inform residents, employees and Directors of personal data that the Charity holds, the reason that the data is held, for how long the data will be held, how to make a subject access request, their right to rectification and their right to erasure
- deal with access requests. Requests by an individual for access to their data should be made in writing to the General Manager. Depending on the specific requirements of any request, and on resource availability, the General Manager will endeavour to meet any request within 10 working days
- ensure staff know how to report a data breach
- destroy personal data when it no longer needs to be processed.
Retention
The Charity will only process information necessary to carry out its work and to provide or administer activities for residents, employees and Directors. Retention of data is determined by the General Manager and data is destroyed by shredding hard copy and deleting electronic files as soon as they are no longer relevant to the running of the Charity. The Charity will only keep the information while the individual is a resident, employee or Director or as long as necessary for administration purposes up to a maximum of two years after the individual ceases to be a resident, employee or Director.
Access and security
Access to data stored by the Charity is restricted to those with a need to know or those data subjects who formally request access to their personal file.
The following security measures will be used to protect data;
- All hard copies of data are protected in locked storage cabinets in locked offices with restricted access controlled by the General Manager
- All electronically stored data is held on a password protected network and on password protected mobile phones. Backups occur daily. Employees set strong passwords and change them regularly.
If a breach of data security is suspected or occurs the General Manager should be informed.
Applicants for almshouse accommodation
Applicants applying for accommodation will disclose personal data on their application form.
The revised 2018 application form will contain the following clause:
It is part of the Directors’ responsibilities to ensure that applicants for almshouses are suitably qualified under the terms of the charity’s governing document. Directors therefore need to investigate the personal circumstances of applicants. If your application for accommodation is successful, the personal data supplied on this form and other information relating to an almshouse appointment will be held on file for the duration of your appointment as a resident and for two further years. Some details may be checked with relevant organisations, but none will be disclosed for any inappropriate purpose. You may have access to your personal information on request. If your application is unsuccessful, your application form and all other personal data supplied will be destroyed. Please sign below to indicate your acceptance for the Charity to hold your personal data.
Data breach
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach must be reported to the Information Commissioner’s Office within 72 hours of its discovery. In the event of a data breach, the General Manager must be informed and the individual whose data is involved in the breach must also be notified. The ICO can apply a fine.
In the event of a fine for a data breach, the Charity has Charity Protection Insurance. The Director Liability section of the policy will indemnify any Insured Person for Loss, arising from claims made during the policy period or any applicable Discovery Period for which the Charity has not provided an indemnity to that Director. Insured Person is defined as any natural person who was, is, or becomes a Director or volunteer who has been officially appointed by the Charity, a manager or Employee. The definition of Director includes employees to whom duties are delegated to by a Director. Extensions to the Director Liability section include Civil Fines and Penalties. If a fine were made for breach of the GDPR rules, an indemnity would be provided in accordance with the policy wording, which says ‘This Policy will pay any civil fine or penalty imposed upon an Insured Person by any United Kingdom regulator, disciplinary body, criminal authority, government body, government agency, official trade body or any other body that is empowered by United Kingdom statute to investigate the affairs of an Insured Person, as a direct result of such person acting in their capacity as an Insured Person unless that civil fine or penalty is deemed uninsurable under United Kingdom law’.
Adopted by: The Board of Directors of Exeter Homes Trust Ltd
Date: 10 May 2018
Review Date: May 2019