Data Protection Policy
We need to collect and use certain types of information about service-users, employees, volunteers, suppliers, and other individuals who come into contact with us. This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, on a computer, or recorded on other material.
We regard the lawful and correct treatment of personal information as very important and therefore aim to ensure and adhere to the Principles of Data Protection, as detailed in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2016.
GDPR legislation lays out six principles for processing of personal data. These are:
Lawfulness, fairness and transparency
This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The public have the right to know what is being gathered and have this corrected or removed.
Purpose limitation
Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.
Data minimisation
The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data in mass without purpose.
Accuracy
The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.
Storage limitation
Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data.
Integrity and confidentiality
Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.
GDPR also provides the following rights for individuals:
We will address these rights as follows:
Furthermore we will:
In addition, we will ensure that:
_________________________________________________
This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The public have the right to know what is being gathered and have this corrected or removed.
The lawful reason for processing and storing data is based upon informed consent. Privacy statements inform individuals of the specific types of data that we store. Individuals are informed of their right not to share information. Consent may be written, or given verbally and recorded.
Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.
Data is gathered for legitimate purposes to enable provision of services. Data is not shared without informed consent (unless for safeguarding purposes) in line with policies and procedures (7.20 Information Security Policy).
The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data in mass without purpose.
Data collected is limited to the requirements of service delivery in accordance with commissioned contracts.
The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.
Data is accurate, up to date and concise in accordance with RASASC policies and procedures (3.8 Record Keeping Policy).
Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data.
Individuals are informed of the length of time their data will be stored in accordance with RASASC policies and procedures (7.23 Data Retention & Destruction Policy).
RASASC follow comprehensive policies and procedures in relation to data retention (7.23 Data Retention & Destruction Policy).
Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.
RASASC follow comprehensive policies and procedures in relation to information security (7.20 Information Security Policy).
______________________________________________________
Guidelines
What records do we keep? Information on:
Further information on this is found in the Information Audit and Processing Categories’ Log.
The Data Protection Controller and Advisor is Julie Evans, Operations Director.
Staff
Access to personal information
Notes can be collected in person, and the client must sign the Release of Clients Records Disclaimer Form (which is located on the Public Drive; Information Line Folder; Case Notes Requests Folder – an example is detailed below).
If the client is unable to collect the notes in person, then they may be sent by recorded delivery following receipt of a signed Release of Client Records Disclaimer Form, and receipt of identification (e.g., copy of driving licence or passport); see Appendix 1.
Data Breaches
Please refer to 7.20 Information Security Policy.
Release of Client Records Statement
RASASC (Cheshire and Merseyside) are responsible for the protection and confidentiality of information regarding clients held in paper form and in electronic form whilst in RASASC’s care.
Once this information is out of RASASC’s care, through the means of giving a requested copy of case notes or other relevant material to the client in question, it is the responsibility of the client holder to protect the information as they see appropriate.
RASASC will continue to uphold the protection and confidentiality of any information in their care, but RASASC does not take responsibility for the protection of information out of their care.