
Data Protection Policy

 

We need to collect and use certain types of information about service-users, employees, volunteers, suppliers, and other individuals who come into contact with us. This personal information must be dealt with properly, however it is collected, recorded and used – whether on paper, on a computer, or recorded on other material.

 

We regard the lawful and correct treatment of personal information as very important and therefore aim to adhere to the Principles of Data Protection, as detailed in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2016.

 

GDPR legislation lays out six principles for the processing of personal data. These are:

 

Lawfulness, fairness and transparency

This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The public have the right to know what is being gathered and have this corrected or removed.

 

Purpose limitation

Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.

 

Data minimisation

The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data en masse without a purpose.

 

Accuracy

The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.

 

Storage limitation

Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data.

 

Integrity and confidentiality

Personal data should be held in a safe and secure way, taking reasonable steps to protect it from accidental loss, misuse or destruction.

 

GDPR also provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

We will address these rights as follows:

  1. We will inform all individuals of the data stored by our organisation; this includes how information is stored; the type of information stored; and length of retention
  2. We will inform all individuals that they have a right to access the information stored; and the process for requesting access
  3. We will check information with each individual to ensure accuracy
  4. We will inform individuals that they have the right to erasure of their data; and the process for requesting erasure
  5. We will inform individuals that they can request a halt on processing of their data if they object to its accuracy or purpose
  6. We will inform individuals that they are able to request their data in a suitable digital format
  7. We will inform individuals that they can object to the processing of their data (e.g. for marketing purposes)
  8. We will inform individuals that decisions relating to their data are based on human intervention

Furthermore we will:

  • Fully observe the conditions regarding the fair collection and use of information
  • Meet our legal obligations to specify the purposes for which information is used
  • Collect and process appropriate information, and only to the extent that it is needed to fulfill operational needs or to comply with any legal requirements
  • Ensure the quality of information used
  • Apply strict checks to determine the length of time information is held (see the data retention policy)
  • Ensure that the rights of people about whom information is held can be fully exercised under the legislation
  • Take appropriate technical and organisational security measures to safeguard personal information
  • Ensure that personal information is not transferred abroad without suitable safeguards
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
  • Set out clear procedures for responding to requests for information

 

In addition, we will ensure that:

  • There is someone with specific responsibility for Data Protection
  • Everyone managing and handling personal information understands that they are contractually responsible for following good Data Protection practice
  • Everyone managing and handling personal information is appropriately trained to do so
  • Everyone managing and handling personal information is appropriately supervised
  • Anybody wanting to make enquiries about handling personal information knows what to do
  • Queries about handling personal information are promptly and courteously dealt with
  • Methods of handling personal information are clearly described
  • A regular review and yearly audit is made of the way personal information is held, managed and used
  • Methods of handling personal information are regularly assessed and evaluated
  • Performance with handling personal information is regularly assessed and evaluated
  • A breach of the rules and procedures identified in this policy by a member of staff may lead to disciplinary action being taken
  • A breach of the rules and procedures identified in this policy by a member of staff is a potential breach of the Code of Conduct

 

_________________________________________________

 

How RASASC Meet GDPR Principles

 

Lawfulness, fairness and transparency

This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The public have the right to know what is being gathered and have this corrected or removed.

The lawful reason for processing and storing data is based upon informed consent. Privacy statements inform individuals of the specific types of data that we store. Individuals are informed of their right not to share information. Consent may be written, or given verbally and recorded.

 

Purpose limitation

Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.

 

Data is gathered for legitimate purposes to enable provision of services. Data is not shared without informed consent (unless for safeguarding purposes), in line with policies and procedures (7.20 Information Security Policy).

 

Data minimisation

The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data in mass without purpose.

 

Data collected is limited to the requirements of service delivery in accordance with commissioned contracts.

 

Accuracy

The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.

 

Data is accurate, up to date and concise in accordance with RASASC policies and procedures (3.8 Record Keeping Policy).

 

Storage limitation

Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data.

 

Individuals are informed of the length of time their data will be stored in accordance with RASASC policies and procedures (7.23 Data Retention & Destruction Policy).

 

RASASC follow comprehensive policies and procedures in relation to data retention (7.23 Data Retention & Destruction Policy).

 

Integrity and confidentiality

Personal data should be held in a safe and secure way, taking reasonable steps to protect it from accidental loss, misuse or destruction.

RASASC follow comprehensive policies and procedures in relation to information security (7.20 Information Security Policy).

______________________________________________________

Guidelines

 

What records do we keep? Information on:

  • Service Users
  • Staff Members
  • Volunteers
  • Suppliers

 

Further information on this is found in the Information Audit and Processing Categories’ Log.

The Data Protection Controller and Advisor is Julie Evans, Operations Director.

 

Staff

  • Staff will receive regular training in data protection and will adhere to our current policies on data protection, retention and information security.

 

 

Access to personal information

 

  • If an outside agency requires access to personal information, the Data Protection Advisor and Manager (and ideally, the person concerned) should be consulted prior to release of this information. Any third-party request for notes will be reviewed and challenged if needed, to ensure it is in line with the most recent guidelines and the Attorney General's guidelines (https://www.gov.uk/government/publications/attorney-generals-guidelines-on-disclosure). All requests should be necessary and proportionate, and the service user has the right to decline or to set parameters on what is shared. See appendix 2.

 

  • If a service-user requests access to information held by RASASC about them, then they should be informed that they are allowed full access to this information after discussion with the Data Protection Advisor and Manager. This will be completed within 28 days of receipt of the request, and we will require identification from the service user.

 

Notes can be collected in person, and the client must sign the Release of Client Records Disclaimer Form (which is located on the Public Drive; Information Line Folder; Case Notes Requests Folder – an example is detailed below).

 

If the client is unable to collect the notes in person, then they may be sent by recorded delivery following receipt of a signed Release of Client Records Disclaimer Form and receipt of identification (e.g., a copy of a driving licence or passport). See appendix 1.

 

Data Breaches

 

Please refer to 7.20 Information Security Policy

 

Release of Client Records Statement

 

RASASC (Cheshire and Merseyside) are responsible for the protection and confidentiality of information regarding clients held in paper form and in electronic form whilst in RASASC’s care.

Once this information is out of RASASC’s care, through the means of giving a requested copy of case notes or other relevant material to the client in question, it is the responsibility of the client holding it to protect the information as they see appropriate.

RASASC will continue to uphold the protection and confidentiality of any information in their care, but RASASC does not take responsibility for the protection of information out of their care.