Data Protection Policy - RapeCentre UK

We need to collect and use certain types of information about service-users, employees, volunteers, suppliers, and other individuals who come into contact with us. This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, on a computer, or recorded on other material

We regard the lawful and correct treatment of personal information as very important and therefore aim to ensure and adhere to the Principles of Data Protection, as detailed in the Data Protection Act 2018 and the General Data Protection Regulation (GDRP) 2016

GDPR legislation lays out six principles for processing of personal data. These are:

Lawfulness, fairness and transparency

This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The public have the right to know what is being gathered and have this corrected or removed.

Purpose limitation

Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.

Data minimisation

The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data in mass without purpose.

Accuracy

The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.

Storage limitation

Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data.

Integrity and confidentiality

Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.

GDPR also provides the following rights for individuals:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

We will address these rights as follows:

We will inform all individuals of the data stored by our organisation; this includes how information is stored; the type of information stored; and length of retention
We will inform all individuals that they have a right to access the information stored; and the process for requesting access
We will check information with each individual to ensure accuracy
We will inform individuals that they have the right to erasure of their data; and the process for requesting erasure
We will inform individuals that they can request a halt on processing data if the object to accuracy or purpose
We will inform individuals that they are able to request their data in a suitable digital format
We will inform individuals that they can object to the processing of their data (e.g. for marketing purposes)
We will inform individuals that decisions relating to their data are based on human intervention

Furthermore we will:

Observe fully conditions regarding the fair collection and use of information
Meet our legal obligations to specify the purposes for which information is used
Collect and process appropriate information, and only to the extent that it is needed to fulfill operational needs or to comply with any legal requirements
Ensure the quality of information used
Apply strict checks to determine the length of time information is held. See data retention policy
Ensure that the rights of people about whom information is held, can be fully exercised under the legislation.
Take appropriate technical and organisational security measures to safeguard personal information
Ensure that personal information is not transferred abroad without suitable safeguards
Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
Set out clear procedures for responding to requests for information

In addition, we will ensure that:

There is someone with specific responsibility for Data Protection
Everyone managing and handling personal information understands that they are contractually responsible for following good Data Protection practice
Everyone managing and handling personal information is appropriately trained to do so
Everyone managing and handling personal information is appropriately supervised
Anybody wanting to make enquiries about handling personal information knows what to do
Queries about handling personal information are promptly and courteously dealt with
Methods of handling personal information are clearly described
A regular review and yearly audit is made of the way personal information is held, managed and used
Methods of handling personal information are regularly assessed and evaluated
Performance with handling personal information is regularly assessed and evaluated
A breach of the rules and procedures identified in this policy by a member of staff may lead to disciplinary action being taken
A breach of the rules and procedures identified in this policy by a member of staff is a potential breach of the Code of Conduct

_________________________________________________

How RASASC Meet GDPR Principles

Lawfulness, fairness and transparency

The lawful reason for processing and storing data is based upon informed consent. Privacy statements inform individuals the types of specific data that we store. Individuals are informed of their right to not share information. Consent may be written, or given verbally & recorded.

Purpose limitation

Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.

Data is gathered for legitimate purposes to enable provision of services. Data is not shared without informed consent (unless for safeguarding purposes) in line with policies and procedures (7.20 Information Security Policy)

Data minimisation

The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data in mass without purpose.

Data collected is limited to the requirements of service delivery in accordance with commissioned contracts.

Accuracy

The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.

Data is accurate, up to date and concise in accordance with RASASC policies and procedures (3.8 Record Keeping Policy)

Storage limitation

Individuals are informed of the length of time their data will be stored in accordance with RASASC policies and procedures (7.23 Data Retention & Destruction Policy)

RASASC follow comprehensive policies and procedures in relation to data retention (7.23 Data Retention & Destruction Policy)

Integrity and confidentiality

Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.

RASASC follow comprehensive policies and procedures in relation to information security (7.20 Information Security Policy).

______________________________________________________

Guidelines

What records do we keep? Information on:

Service Users
Staff Members
Volunteers
Suppliers

Further information on this is found in the Information Audit and Processing Categories’ Log.

Data Protection Controller and Advisor is Julie Evans Operations Director

Staff

Staff will receive regular training in data protection and will adhere to our current policies on data protection, retention and information security.

Access to personal information

If an outside agency requires access to personal information, the Data Protection Advisor and Manager (and ideally, the person concerned) should be consulted prior to release of this information, any third party requests for notes will be looked at and challenged if needed to ensure they are in line with the most recent guidelines and the attorney generals guidelines https://www.gov.uk/government/publications/attorney-generals-guidelines-on-disclosure all requests should be necessary and proportionate, the service user has the right to decline or set parameters on what is shared. See appendix 2

If a service-user requests access to information held by RASASC about them, then they should be informed that they are allowed full access to this information after discussion with the Data Protection Advisor and Manager. This will be completed within 28 days of receipt of the request, and we will require identification from the service user.

Notes can be collected in person, and the client must sign the Release of Clients Records Disclaimer Form (which is located on the Public Drive; Information Line Folder; Case Notes Requests Folder – an example is detailed below)

If the client is unable to collect the notes in person, then they may be sent by recorded delivery following receipt of a signed Release of Client Records Disclaimer Form, and receipt of identification (e.g., copy of driving license or passport) see appendix 1

Data Breaches

Please refer to 7.20 Information Security Policy

Release of Client Records Statement

RASASC (Cheshire and Merseyside) are responsible for the protection and confidentiality of information regarding clients held in paper form and in electronic form whilst in RASASC’s care.

Once this information is out of RASASC’s care, through the means of giving a requested copy of case notes or other relevant material to the client in question, it is the responsibility of the client holder to protect the information as they see appropriate.

RASASC will continue to uphold the protection and confidentiality of any information in their care, but RASASC does not take responsibility for the protection of information out of their care.