Privacy
GDPR / DATA PROTECTION and CONFIDENTIALITY POLICY
This policy covers:
General principles and GDPR/Data Protection Act 2018 and the lawful bases for processing data
Personal information relating to any staff, Trustees, and Volunteers, Members and Partners
Subject access requests
Staff obligations
Guidelines on disclosing information to internal and external sources
Organisational information
Personal information relating to service users
Recording and accessing data
Passing on information
Collecting and safeguarding information
Subject access requests and express consent
Exceptions
Confidentiality statement
GENERAL PRINCIPLES
1. Whitfield Tabernacle Trust (hereinafter referred to as "the Trust") recognises the right to privacy of the individual as a basic human right. We accept that personal details about an individual belong to that individual. Accordingly, we undertake to respect the confidentiality of certain information.
2. Personal data is defined as “information about a living individual who is identifiable by that information, or who could be identified by the information combined with other data”. It includes names, addresses, identifying descriptions and information relating to individuals such as bank details or personal attributes.
3. Confidential information is defined as verbal or written information which is not meant for public or general knowledge, or information which is regarded as personal by clients, members, trustees, staff or volunteers. It includes expressed opinion about a person or intentions regarding a person.
4. This policy relates to the protection of the privacy of staff, volunteers, job applicants, Trustees, members, service users and any other person about whom the Trust holds personal information of a formal or an informal nature.
5. Confidentiality is based upon a reasoned concern for the interests of the person whose personal information the Trust has access to. Respecting confidentiality means that information may be disclosed only with consent and when necessary, and that consultation and discussion remain within those boundaries. This protects the integrity of both the Trust and of individuals.
6. Where there is uncertainty about issues around confidentiality, advice should be sought from the Secretary and, where appropriate, trade unions.
7. Failure to observe this policy or misuse of personal data is a disciplinary offence and may even constitute a criminal offence. Please refer especially to the section titled “Staff obligations”.
Data Protection Act 1998, General Data Protection Regulations and new Data Protection Act 2018
8. The Trust takes seriously its obligations under the General Data Protection Regulations and new Data Protection Act 2018. We are registered with the Information Commissioner. Our registration, which is renewed annually, allows us to collect, store and use certain personal information following strict guidelines.
9. These guidelines define the purposes for which we hold information: in our case, this is information for the purposes of staff administration, membership administration, wider supporter list and fundraising and realising our charitable objectives.
10. Within these groups, the guidelines define the data subjects (i.e. the individuals about whom that information is held), the classes of data (i.e. what kind of information is held) and the data recipients (i.e. who has access to it).
11. In particular, the General Data Protection Regulations and new Data Protection Act 2018 require that personal information should be adequate, relevant and not excessive; that it should be stored securely and used only for its intended purposes; and that it should be processed only with the express consent of the person concerned. Our guidelines for asking for, recording and managing consent are set out in Appendix One.
The lawful bases for processing data
12 The GDPR also sets out the lawful bases for processing data and at least one of these must apply whenever the Trust processes personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
13 The Trust will comply with these requirements and will extend the principles of data protection to apply to all forms of personal information it holds.
A. PERSONAL INFORMATION RELATING TO STAFF
14 The Trust holds information about employees to do with their working life in order to fulfil its responsibilities as an employer. Much of this information is highly personal and the Trust recognises its duty to safeguard the data by all means possible and to notify staff about what is kept and why, along with information about how the data can be accessed and by whom.
What
15 Information held by the Trust will include:
Information relating to recruitment and selection such as application forms; shortlisting and interview assessments; references; proof of eligibility to work in the UK; where relevant, unspent criminal records and/or the outcome of Criminal Records Bureau investigations;
Personal details of home address, phone number, next of kin;
Information necessary for payment of salaries, such as bank details, national insurance number, details of deductions to e.g. the courts or trade unions, expenses claims;
Information about academic and vocational qualifications and experience;
Notes of probationary and annual reviews and supervisions;
Sick notes, and medical assessments, including information relating to disabilities;
Absence records, including sickness absence, compassionate leave, unauthorised absences;
Time sheets and holiday sheets;
Details of grievance and disciplinary proceedings including current warnings (within the timescales allowed by the appropriate policies);
Reference requests and responses.
16 “Sensitive” data in particular, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, or criminal convictions will only be processed if necessary or advantageous to the employment relationship and with the explicit consent of the individual employee.
16.1 Sick notes, absence records and other health-related information are classed as “sensitive information” and particular care must be taken to ensure that these are stored securely and that access is limited to staff who need to see them.
Why
17 The data kept on staff is primarily in relation to their employment with the Trust. This data will be used for the purpose of administering and managing their employment.
17.1 Information may also be kept for the purposes of applying for funding, obtaining insurance or responding to requests for information from Government offices, the Charity Commissioners or other reputable bodies. Where possible, sensitive information will not be tied to individuals but will be given in anonymised statistical formats only.
17.2 No unrelated data will be kept and any sensitive data (excluding health and criminal records) held by the organisation will be deleted at the request of the individual concerned.
Where
18 All personnel data is kept either in a locked filing cabinet held by the Secretary and/or in password protected computer files. Most personal data is kept in individual personnel files, including supervision sessions plus any job-related information necessary for management, in a locked cabinet. Other data (e.g. bank details, NI number) is kept by the Treasurer on password protected computer files and in a locked filing cabinet.
18.1 Some personal information, including names and photographs, may be published in eg newsletters, annual reports, publicity leaflets or the organisation’s website. This information will not include home or personal contact details. Staff may request that all or any personal information and/or photographs are restricted to internal access and this request should be complied with.
Whom
19 By accepting an offer of employment and agreeing to their Written Statement of Employment Particulars, employees give implied consent to the Trust to hold data as described above and to access and use it as outlined.
19.1 Access to staff data is restricted to those Trustees appointing and providing supervision and support at the appropriate level or on a ‘need to know’ basis. Information may also be disclosed as required by law, contract or on a ‘need to know’ basis to other trustees, auditors, pension providers, funders, insurers, government departments or other relevant parties/individuals.
19.2 Job applicants are also covered by the Data Protection Act and by this policy. The Trust will design and process application forms and other information relating to applicants in line with the Act. The Trust will only request information which is relevant and not excessive and for the particular purposes of the selection process only.
19.3 This information will be securely stored and will only be accessed by the Trustees that need to have it for purposes of administration or selection. It will not be kept for longer than necessary for the needs of the organisation, normally six months for unsuccessful candidates. Sensitive information relating to health, disability, criminal records and immigration status will only be requested where necessary for the protection of the organisation and/or its service users and will not be disclosed to anyone who does not need to know. Sensitive information relating to gender, age, ethnicity and disability may be requested but will be used for equality and diversity monitoring purposes only. This information will not form part of the selection process and will not be retained in any form which identifies the individual to whom it pertains.
19.4 The identity of job applicants should be kept confidential as far as possible and for as long as possible. Where a job offer is made, the names of the successful candidates should not be made public until the appointment has been accepted and confirmed.
19.5 Feedback on interview performance should be made without specific reference to other candidates.
How long
20 Most information will be retained for as long as a person is employed by the Trust and for a reasonable period of time thereafter, not exceeding six years.
20.1 Sickness records will be kept for a period not exceeding two years.
20.2 Disciplinary proceedings and warnings will be kept for the time stipulated in the policy concerned.
20.3 Recruitment papers from unsuccessful applicants to a job will be kept for a reasonable period of time not exceeding six months.
20.4 DBS documentation, where necessary, will not be retained, although a record will be kept of the fact that a satisfactory/unsatisfactory DBS check has been seen.
I.T.
21 Personal data held on computers (including files, emails, databases etc) and personal data downloaded from the web are subject to the same control and restrictions as paper-based data. Trustees and Staff must take particular care when using any personal data in these contexts. In particular, no personal information should be posted on the internet in any circumstances without compelling reasons and the explicit consent of the individual to whom the information relates.
Monitoring of staff activity
22 Staff should be aware that the Trust may, if it has reason to do so, monitor use of the internet and/or emails. Private emails will never be opened intentionally, but staff should be aware of the possibility of accidental access and of the right of the Chair to question and investigate private use. Deliberate monitoring will only take place where there is good reason to suspect a disciplinary offence or another justified concern. Please refer to the policy on Acceptable Use of ICT.
22.1 Performance and quality control monitoring will be overt and for a clear purpose. Covert monitoring will not be permitted.
References
23 References given by an employer about a person currently working for them are exempt from some aspects of normal data protection rules. This means that an employee has no automatic right of access to a reference written about them by the Trust. However, as a matter of good practice, we will only respond to reference requests that are clearly authorised by the employee concerned.
23.1 As a general rule, employment-related references should only be given by the Chair. Personal references should be clearly stated as such and should not be on the Trust's headed paper. References must be objective, truthful and justifiable. Telephone references should not be given unless you have been asked to provide one by the person whom the reference concerns, and then you should initiate (or return) the phone call to the person to whom the reference is to be given, to confirm identity.
23.2 Referees should bear in mind that although there is no automatic right for the subject of the reference to see it before it is sent, they will usually have a right to access any references written about them once they are received by a new/prospective employer.
SUBJECT ACCESS REQUESTS
24 Staff are entitled to see their own personnel files. To do so, they should arrange a mutually convenient time with their line manager. Access may be denied or limited where it involves disclosing information about or from an identified third party (e.g. a colleague) unless the third party concerned has given consent to the disclosure of that information.
24.1 As well as taking action to protect third party confidentiality, the Trust will not respond to subject access requests which:
disclose any information relating to management forecasts where this could jeopardise the business effectiveness of the organisation;
or reveal legal proceedings against an individual, except to those directly concerned.
STAFF OBLIGATIONS
25 The Chair is the Registered Data Controller and is responsible for notification to the Information Commissioner. Any questions relating to data protection or confidentiality should be referred to him/her. However, all staff are responsible for ensuring compliance with this policy.
They must:
Ensure that they have read and understood this policy as it relates to them;
Ensure that data which they supply or for which they are responsible is up-to-date, accurate, fair and relevant to its purpose, including information about themselves. Staff must notify the organisation of any changes in circumstance to enable the organisation to update personnel records accordingly;
Not keep any records on other individuals (whether other employees or clients/service users) which are unnecessary, incorrect or which contain unfounded opinion or speculation;
Not share personal information about other members of staff or clients/service users (eg sickness, personal circumstances), that they know as a result of handling confidential information (eg sick notes, application forms) or which is disclosed in confidential settings (eg supervision or counselling), without that person’s unambiguous agreement;
Keep data secure. Paper and external computer files must be locked up, computers must be password protected; laptops and computer disks containing personal information, open computer screens, or open paper files must not be left unattended;
Not disclose, share or transfer outside the organisation any personal information relating to other staff, volunteers, trustees, or clients/service users without the explicit consent of the individual concerned;
Dispose of personal data safely. Paper notes and records must be shredded or disposed of as ‘confidential waste’. Hard drives of redundant PCs must be wiped clean before disposal.
25.1 Particular care must be taken where personal data is processed ‘off-site’, at home or in other locations. This presents a greater risk of loss, damage or theft and staff must take appropriate security precautions.
Volunteers and Trustee Board Members
26 Sensitive and personal information may also be held by the Trust relating to its Volunteers and Trustees. We will hold any such information with the same degree of privacy and security as that of staff and will allow the equivalent degree of access to such information. Volunteers and Trustees are bound by the same requirement to preserve the confidentiality of sensitive and personal information as staff of the Trust.
GUIDELINES ON DISCLOSING INFORMATION TO INTERNAL AND EXTERNAL SOURCES
Internal information sharing
27 The Trust recognises that trustees, staff and volunteers may need to share personal information with others internally within the Trust. This might include, for instance, discussion of client issues during supervision, discussion of situations to gain experience and opinion from colleagues, “on the job” training. Care must be taken that this kind of information sharing is not done publicly or where it can be overheard. Such conversations should wherever possible be held without explicitly identifying the individual or organisation under discussion.
Supervision
28 Supervision sessions are in general confidential to the Chair and the Trustees of the organisation.
28.1 Ground rules for when and why confidentiality may be broken should be agreed at the start of a supervision relationship and might include, for instance:
information about the progress of work against funding targets;
discussion of the implications for colleagues of a request for flexible working;
some information to colleagues about personal circumstances which are temporarily affecting performance;
discussion of grievances or concerns about performance with another Trustee.
28.2 Wherever possible, agreement about any breach of confidentiality should be reached in advance of the disclosure taking place.
28.3 Although the supervisor is bound by confidentiality, it is helpful for the supervisee to inform the supervisor if there are any personal circumstances which are particularly sensitive.
Answering requests for personal staff information
29 Personal information about a colleague should not usually be discussed with other staff or people outside the Trust without that person’s permission. Personal details including address and phone number, health matters or personal circumstances may not be passed on without explicit consent.
29.1 It is usually safe to reveal a colleague’s work contact (telephone and email address) in response to an enquiry regarding a work function, although these details should not be given to someone wishing to contact a colleague on a non-work related matter.
29.2 However, staff must not reveal personal details of other staff members to unknown or unverified external sources, even where these claim to be family members, friends, Government bodies or the police.
Strategies to deal with such enquiries could include:
Asking the enquirer to put their query in writing or into an email, if appropriate backed up by documentary evidence to support the request;
Informing the enquirer that a message will be passed on, either asking the person to contact the enquirer directly or agreeing to pass on a sealed envelope/incoming email message to the person;
Telling the enquirer that you will phone back once you have collected/verified the information required.
ORGANISATIONAL INFORMATION
30 Trustees, Staff and Volunteers are bound by confidentiality in all matters relating to the internal affairs of the Trust. Confidential information concerning Board meetings, staff meetings, finances, recruitment, planning etc should not be disclosed outside the organisation unless authorisation is given to do so. This does not apply to disclosures made under the Public Interest Disclosure Act (“whistle blowing”). See also Subject Access Requests above.
31 No statements concerning internal matters or policy may be made to the media without the express permission of the Chair.
B. PERSONAL INFORMATION RELATING TO SERVICE USERS
32 The Trust is committed to respecting the confidentiality of those who use and/or support its services. This means respecting the right of members, benefactors, beneficiaries and service users to privacy and their right to expect that any personal information they give us will not be discussed or passed on to anyone outside the Trust without their permission.
32 This policy applies equally to Trustees, Staff, and Volunteers of the Trust, and the use of the term ‘staff’ below does not preclude the policy’s application to all of these.
32.1 Please refer to “staff obligations” above for general instructions on the collection, use, storage and disposal of all personal information associated with the Trust.
What
33 Personal or sensitive information could include the personal names and addresses of Trust members and service users.
33.1 The Trust staff will also keep potentially business sensitive information about the groups they work with including internal organisational issues/disputes. The information may be given in conversation or in written form.
Why
34 The Trust keeps information on its clients/service users for the purposes of providing a service and meeting client needs.
34.1 It keeps information for applying for funding, monitoring how funds are spent and responding to requests for information from the Charity Commission and other reputable organisations. Statistical and depersonalised information may be used for campaigning or publicity purposes.
34.2 No unrelated data will be kept and any sensitive data held by the organisation will be deleted at the request of the individual concerned.
Where
35 All personal data is kept in a locked filing cabinet and/or in password protected computer files.
RECORDING AND ACCESSING DATA
36 Written records of any dealings with clients/service users may be made with the client’s permission if the purpose of such records is clearly explained to the client.
36.1 Only essential information should be recorded and these records must be processed in line with Data Protection principles, stored securely and destroyed when no longer needed.
36.2 However, where practicable, data protection information will be given and explicit consent will be sought (or the opportunity to withdraw consent will be offered) on an appropriate letter or form.
PASSING ON INFORMATION
37 Where service users'/hirers' information is to be shared with a partner organisation, or where the Trust is contacting a third party on the client's behalf, the service users/hirers must, where possible and practicable, confirm their agreement by giving signed authorisation.
37.1 Where funders require personal information about the beneficiaries of services for audit purposes, this information will be collected on forms which clearly indicate who will receive the information and include provision for service users to sign a consent declaration.
37.2 Personal information should not be conveyed to other organisations or individuals via telephone calls or faxes without adequate safeguards regarding confidentiality.
37.3 External requests for information about an individual should not be agreed to. Where appropriate, staff may agree to pass on the request to that individual to respond to if they so choose. See advice above for strategies for dealing with requests for information from unknown or unverified enquirers.
37.4 Email communications may not be private – please see the Trust policy on email and internet use.
37.5 Names or contact details should never be released to the media in response to requests for "case studies". All media enquiries should be referred to the Chair; enquiries may, however, be passed on to service users so that they can choose whether or not to respond to them.
37.6 Statistical information may be used for research, monitoring and funding purposes but must not be attributable to an individual. Where, for publicity purposes, the Trust wishes to use an attributed quotation from a client or service user, the individual's express permission must be sought before this can be used.
COLLECTING AND SAFEGUARDING INFORMATION
37 The Trust also recognises its duty to safeguard the information it holds on external groups and individuals. We will regularly update information, dispose of outdated data and check that storage and archive systems are secure.
37.1 All written materials (membership applications and packs, registration forms, newsletter forms and database entry forms) will be designed to ensure that only necessary data is being collected and that this is kept with permission.
37.2 If the trust wishes to use personal information for purposes such as “direct marketing” (eg of courses or new services on offer), the organisation will inform the person concerned at the time of collecting the data that it may be used for this purpose. People/organisations will be provided with the opportunity to opt out of being contacted in this way (e.g. by ticking an opt-out box on a form).
37.3 Mailing lists are the property of the Trust and will only be passed on to other organisations/individuals in order to comply with legal requirements with the express consent of those listed.
37.4 Membership list: the Trust will provide an enquirer with access to a full list of members within 5 working days of that request.
SUBJECT ACCESS REQUESTS
38 Any member/user of the Trust is entitled to know what information is held about them, why and where it is held and who can access it. They have the right to see this information and to correct it if necessary.
38.1 In order to see information, they should contact the Secretary of the Trust who will arrange a mutually convenient time for this or who will facilitate the involvement of other relevant Trustees.
C. EXCEPTIONS
39 The Trust reserves the right to break confidentiality if it believes that:
A child or young person is at risk of being harmed
A person’s life or safety is at risk
If required by statute (e.g. there is a legal obligation to report drug trafficking, money laundering or terrorist activity to the police)
If required under a contractual obligation (e.g. where services are purchased by a local authority and that contract requires disclosure of certain information)
If required by a court order.
39.1 Information may also be disclosed if the individual concerned has given explicit, written, consent.
39.2 In particular, maintaining the confidentiality of identifiable third parties in the course of a “subject access request” will be considered on a case by case basis.
39.3 In all the above cases, the Chair must be informed immediately.
39.4 In other cases where breaking confidentiality may seem appropriate, this must only be done with the knowledge of an appropriate member of the Trustee Board, and the person whose confidentiality is to be breached must be informed. They should be informed of their right of complaint and appeal.
D. CONFIDENTIALITY STATEMENT
1. I agree to the Trust holding and sharing information about me in line with the Data Protection and Confidentiality Policy.
2. I understand that in the course of my work with the Trust I may learn facts about colleagues or about individuals or organisations with whom the Trust works. I recognise that these facts may be of a personal and confidential nature. I agree not to disclose any such information to any person not authorised by the Trust to hold such information without the express permission of the individual to whom the information pertains, or, in exceptional circumstances, the agreement of the Chair of Trustees.
3. I agree to uphold this commitment to confidentiality both whilst I am employed by, or otherwise involved with, the Trust and afterwards.
Signed: Date:
Name (please print):
Appendix One: GDPR Consent Checklists
Asking for consent
☐ We have checked that consent is the most appropriate lawful basis for processing.
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We don’t use pre-ticked boxes or any other type of default consent.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the data and what we’re going to do with it.
☐ We give individual (‘granular’) options to consent separately to different purposes and types of processing.
☐ We name our organisation and any third party controllers who will be relying on the consent.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that individuals can refuse to consent without detriment.
☐ We avoid making consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
Recording consent
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
Managing consent
☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.
Date adopted: October 2017

Review schedule:
Review | Date due | Date completed
Internal Review 1 | Feb 18 |
Internal Review 2 | |
Trustee Board Review 1 | |
Internal Review 3 | |
Internal Review 4 | |
Trustee Board Review 2 | |