This policy is intended to ensure that Reducing the Risk upholds the rights and respects the privacy of all individuals about whom it holds data.
Reducing the Risk holds personal data in relation to:
- staff employment and volunteer support
- its services for people who are vulnerable to abuse and multi-agency front line staff and others who support them
- individuals who attend training events or conferences organised by the charity
- donors and supporters of the charity
It intends to fill all its ethical and legal obligations in relation to data protection and upholding the rights of these data subjects. This applies both to the way in which it holds and processes data and to confidentiality associated with it. See also Reducing the Risk’s confidentiality policy.
Reducing the Risk will conform to the principles and duties specified under the General Data Protection Regulation 2018 (GDPR), building on obligations under the Data Protection Act 1998.
The main points are detailed below.
Data protection is concerned with the processing of information about living individuals (personal data) and gives rights to the individuals who are the subject of that information. It places obligations on the organisation in respect of any personal information it processes — or causes to be processed on its behalf by third parties. The Data Protection Acts apply to computerised and manual filing systems.
The aims of the Acts are embodied in Data Protection principles. Any organisation holding personal data must:
- maintain a register of data held
- maintain a register of breaches
- hold an overview of how transparent the data processes are for the individuals whose data is being held, and how secure.
Anyone processing data must comply with the enforceable principles. Data held must be:
- fairly, lawfully and transparently processed: Art 5(1)(a)
- obtained for specific purposes and not processed in a manner incompatible with those purposes: Art 5(1) (b)
- adequate, relevant and not excessive for the purposes for which it is processed: Art 5(1)(c)
- accurate and kept up to date: Art 5(1)(d)
- not kept for longer than necessary for the purpose: Storage limitation Art 5(1)(e)
- secure: Integrity and confidentiality Art 5(1) (f)
- processed in accordance with the data subject’s rights: Accountability Art 5(1)(g)
It is important that trustees and staff are aware of the existence of the Act and the principles on which it is based. In particular, they must not access or disclose any personal data other than is necessary to carry out their role within Reducing the Risk. If a trustee or staff member discloses personal data in breach of the principles set out in the Act such disclosure may result in the commission of a criminal offence. It could also lead to disciplinary action being taken.
The Acts provide rights to individuals to access personal data stored about them. This includes employees who may access personal data held by Reducing the Risk. If an employee wishes to access their personal data the employee should consult his/her manager in the first instance.
Reducing the Risk is too small for all the requirements of GDRP to apply. The charity has adopted basic GDPR procedures and utilises Oxfordshire Community and Voluntary Action/databasix guidelines for good practice.
The charity has named trustees and staff to carry specific data protection responsibilities.
- employees, volunteers and donors; R. Briant
- training and event participants and Champions: S. McInroy
- direct support services: P. Walsh
Together the three data processors act as Reducing the Risk’s data control group, hold an overview of implementation of this policy, and report, at a minimum annually, to the trustees.
The data processors are responsible for complying with the principles of the Act and for keeping a record of compliance with GDPR requirements:
- data held
- its source
- the grounds for holding it
- whom it is shared with — if applicable – and associated permissions from data subjects
- the length of time it is held
- where it is held and that this is secure
- ensuring it is held no longer than necessary
- reporting and investigating any breaches
- ensuring that any data held is appropriate for the purpose.
The data processors will ensure data subjects are informed about data held and about their rights in relation to this data.
They will ensure that data subjects know whom to contact and respond to all requests by data subjects in respect of their rights.
Where the grounds for holding data is consent the processors will ensure this both complies with the principles of GPDR and includes provision of a privacy notice.
Where information is kept which is of a sensitive nature, they will ensure security which complies with GPDR and with OCVA/databasix guidelines.
Data protection record collation
Mr McInroy will act as the data protection record collator: facilitating collation of all the records of compliance with GDPR and receiving any reports of breaches.
Quality assurance and registration
The charity has appointed a lead trustee to quality assure the implementation of this policy. Sian Rodway, the lead trustee, has authority to review the processes and challenge the processors to ensure Reducing the Risk is meeting its obligations.
Registration has been undertaken by the trustees in accordance with the Act.
Signed: Romy Briant, Chair
Date: May 2018
Date of next review: May 2021 or earlier in case of any revision to the Act