The lawful and appropriate management of personal data is extremely important to Home-Start Hampshire.

This policy sets out our commitment to protecting personal data and how we will implement this with regard to the collection and handling of personal data. The relevant legislation that this policy conforms to can be found in Appendix 2.

Failure to comply with data protection legislation could lead to financial penalties, regulatory action, as well as reputational damage.

This policy applies to:

  • All Staff, including temporary staff
  • Trustees/Advisers
  • Volunteers

The Data Protection Principles

Data protection laws describe how organisations must collect, handle and store all personal data. Ensuring and demonstrating compliance is underpinned by the following principles.

Personal data must be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Responsibilities for Compliance

  • Trustees are ultimately responsible for ensuring that Home-Start Hampshire meets its legal obligations.
  • All staff have a responsibility for ensuring personal data is collected, stored and handled appropriately and must ensure that it is handled and processed in line with this policy and the data protection principles.
  • The DP Lead is responsible for monitoring compliance with this policy and the data protection legislation; managing personal data breaches and data subject rights; recording and maintaining appropriate records of processing activities and the documented evidence required for compliance.

Scope

The Policy applies to all personal data that Home-Start Hampshire holds relating to living identifiable individuals, regardless of the category of data or the format of the data. Personal data is any data which could be used to identify a living individual, e.g. name, address, email, postcode, CCTV image and photograph. Special categories of personal data are any information about racial or ethnic origin, political opinions, religious beliefs, health (mental and physical), sexual health, trade union membership and criminal convictions.

The policy applies to personal data held or accessed on Home-Start Hampshire premises or accessed remotely via home or mobile working. Personal data stored on personal and removable devices are also covered by this policy.

Compliance

Home-Start Hampshire will comply with our legal obligations and the data protection principles by:

 Processing Lawfully and Fairly

Home-Start Hampshire will ensure processing of personal data, and special categories, meets the legal basis as outlined in legislation.  Individuals will be advised on reasons for processing via a freely available Privacy Notice.

Where data subjects’ consent is required to process personal data, consent (e.g. use of photos for Website/Annual Report) will be requested in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.  Data Subjects will be advised of their right to withdraw consent and the process for Data Subjects to withdraw consent will be simple.

Purposes

Personal data will only be used for the original purpose it was collected for.  These purposes will be clear to the data subject.

If Home-Start Hampshire wish to use personal data for a different purpose, we will notify the data subject prior to processing.

Adequate and Relevant data

Home-Start Hampshire will only collect the minimum personal data required for the purpose. Any personal data found to be excessive or no longer required for the purposes for which it was collected will be securely deleted.

Any personal information that is optional for individuals to provide will be clearly marked as optional on any forms.

Accurate

Home-Start Hampshire will take reasonable steps to keep personal data up to date, where relevant, to ensure accuracy.

Any personal data found to be inaccurate will be updated promptly.  Any inaccurate personal data that has been shared with third parties will also be updated.

Retention

Home-Start Hampshire will hold data for the minimum time necessary to fulfil its purpose.  Timescales for retention of personal data are outlined in the Records Retention Schedule (Appendix 1).

Data will be disposed of in a responsible way to ensure confidentiality and security.

Security

Home-Start Hampshire will implement appropriate security measures to protect personal data.

Personal data will only be accessible to those authorised to access personal data on a ‘need to know’ basis.

Employees, trustees and volunteers will keep all data secure, by taking sensible precautions and following the relevant Home-Start Hampshire policies and procedures relating to data protection.

Data Sharing

In certain circumstances Home-Start Hampshire may share personal data with third parties.  This may be part of a regular exchange of data, one-off disclosures, or in unexpected or emergency situations.

Appropriate security measures will be used when sharing any personal data.

Where data is shared regularly, a contract or data sharing agreement will be in place to establish what data will be shared and the agreed purpose.

Home-Start Hampshire will consider all the legal implications of sharing personal data prior to doing so.

Data Subjects will be advised of any data sharing in the Privacy Notice.

Data Processors

Where Home-Start Hampshire engage Data Processors (e.g. outside contractors such as suppliers of IT systems, payroll or pensions providers) to process personal data on our behalf, we will ensure:

  • Data processors have appropriate technical security measures in place
  • No sub-processors are used without prior written consent from Home-Start Hampshire
  • An appropriate contract or agreement is in place explaining the full requirements of the data processor.

Security Incident & Breach Management

Occasionally Home-Start Hampshire may experience a personal data breach; this could be if personal data is:

  • Lost, for example via misplacing documents or equipment that contain personal data, through human error, or via fire, flood or other damage to premises where data is stored.
  • Stolen; theft or a result of a targeted attack on our network (cyber-attack).
  • Accidentally disclosed to an unauthorised individual
  • Inappropriately accessed or used

All security incidents or personal data breaches will be reported and managed by the Data Protection Lead. The Information Commissioner’s Office and the individuals affected will be notified promptly, if required. All breaches will be managed using the Breach procedures within the Confidentiality policy.

Individual Rights

Home-Start Hampshire will uphold the rights of data subjects to access and retain control over their personal data held by us.

Home-Start Hampshire will comply with individuals’:

  • Right to be Informed – by ensuring individuals are informed of the reasons for processing their data in a clear, transparent and easily accessible form and informing them of all their rights.
  • Right to Access – by ensuring that individuals are aware of their right to obtain confirmation that their data is being processed; access to copies of their personal data and other information such as a privacy notice and how to execute this right.
  • Right to Rectification – by correcting personal data that is found to be inaccurate. We will advise data subjects on how to inform us that their data is inaccurate. Inaccuracies will be rectified without undue delay.
  • Right to Erasure (also known as ‘the right to be forgotten’) – we will advise data subjects of their right to request the deletion or removal of personal data where processing is no longer required or justified.
  • Right to Restrict Processing – we will restrict processing when a valid request is received from a data subject and inform individuals of how to exercise this right.
  • Right to Data Portability – by allowing, where possible, data to be transferred to a similar organisation in a machine-readable format.
  • Right to Object – by stopping processing personal data, unless we can demonstrate legitimate grounds for the processing, which override the interest, rights and freedoms of an individual, or the processing is for the establishment, exercise or defence of legal claims.

Privacy by Design

Home-Start Hampshire has an obligation to implement technical and organisational measures to demonstrate that we have considered and integrated data protection into our processing activities throughout the organisation.

Trustees will be responsible for ensuring a Data Audit is completed and retained; this becomes a Record of Processing required by Article 30 of GDPR.

When introducing any new type of processing, particularly using new technologies, we will take account of whether the processing is likely to result in a high risk to the rights and freedoms of individuals and carry out a Data Protection Impact Assessment.

All new policies including the processing of personal data will be reviewed by the Data Protection Lead to ensure compliance with the law.

Training

All staff will be aware of good practice in data protection and where to find guidance and support for data protection issues.

Adequate and role specific training will be available regularly to everyone who has access to personal data, to ensure they understand their responsibilities when handling data.

Breach of Policy

Any breaches of this policy may be considered under the Home-Start disciplinary procedures, and may result in disciplinary action being taken, including dismissal.

Monitoring and Reporting

Regular audits will be undertaken to check compliance with the law, this policy and any relevant procedures.

Related Policies and documents

Safeguarding Policy and Code of Conduct, Confidentiality Policy, Privacy Notice, LIA, Record of Processing (data Audit), DPIA, DP Checklist, Record Retention table (Appendix 1)

Policy Review

This policy will be reviewed annually, although changes will be made to the policy during the 12 month period if required to meet changes in legislation and to address any weakness identified in the policy.

This policy adopted:                 15th May 2019

Date policy to be reviewed:       May 2020

Name:  Lynn Ludford  

Position: Chair of Trustees/Safeguarding Trustee 

 

Appendices

Appendix 1: Record Retention Periods

Record Retention Periods in Home-Start

Employment

In general the personnel file should be retained for 6 years, but need only contain sufficient information in order to provide a reference. Copies of any reference given should be retained for 6 years after the reference request.

Exception: if an allegation has been made about the member of staff or trustee the personnel record should be retained until they reach the normal retirement age or for 10 years, if that is longer.

  • Application form – Duration of employment, shred when employment ends (Exception: with the same exception as detailed for a volunteer below).
  • References received – May destroy 1 year after received, otherwise shred at end of employment.
  • Passports/Driving Licence/Eligibility to work in the UK – Duration of employment and for a further two years after employment ends.
  • Sickness records – 3 years (i.e. at the end of employment, the previous 3 years’ records will be in the file, assuming they have been employed for at least that period of time).
  • Annual leave records – 2 years
  • Unpaid leave/special leave records – 3 years
  • Records relating to an injury or accident at work – 12 years
  • References given/information to enable a reference to be provided (including sickness records) – 6 years from end of employment
  • Recruitment and selection material – 6 months after decision
  • Disciplinary records – 6 years after employment ends
  • Trustee files – 6 years after standing down as trustee (Exception: with the same exception as detailed for a volunteer below).

DBS/PVG/ACCESS NI checks/PVG check by Disclosure Scotland and Access NI Checks

Documented record of each as received and satisfactory (or otherwise) then destroy securely in compliance with DBS/PVG/ACCESS NI/PVG Scotland* or Access NI guidance.

Potential Employees and Volunteers:

Disclosure Information

Disclosure Information will not be kept for any longer than is absolutely necessary once a decision has been made about a potential applicant (staff, volunteer or trustee). 

Normally this will be for up to a period of 6 months, to allow for the consideration and resolution of any disputes or complaints.  If, in very exceptional circumstances, it is considered necessary to keep Disclosure Information for longer than six months, the scheme will consult the DBS/PVG/ACCESS NI about this and will give full consideration to the Data Protection Act. Throughout this time, the usual conditions regarding safe storage and strictly controlled access will prevail.

 

A record will be maintained of all those to whom disclosures or Disclosure Information has been revealed.

*Disclosure information requested under the PVG scheme:  Under the PVG scheme (Scotland) and in accordance with the Data Protection Act, the original paper or electronic image of the disclosure information will not be retained and should be destroyed in line with the Safe Storage and Handling of Disclosure Information Policy (Scotland).  However, prior to disposal of the original document, schemes should record the date of issue, the individual’s name, the disclosure type, purpose for which it was requested, the unique reference number and details of the disclosure information.  The information recorded by the scheme should be held for the period of time that the employee/volunteer remains in paid or unpaid work for Home-Start. 

Family and volunteer records

Family records, where no safeguarding concern

The family file is retained for 12 months from the date of ending Home-Start support. 

The file is stored securely and is marked with the date (month/year) it should be destroyed.

The file will be securely destroyed at the appropriate date.

Family records, where a safeguarding concern was referred by Home-Start, or the family were subject to a child protection plan or a Child in Need Plan and any files containing a Record of Concern and Action

The family file is retained for 6 years from the date of ending Home-Start support.

The file is stored securely and is marked with the date (month/year) it should be destroyed.

The file will be securely destroyed at the appropriate date.

Volunteer files

The volunteer file is retained for 12 months after the volunteer has ceased to be a Home-Start volunteer. Sufficient info in order to provide a reference may be retained.

Exception:  if an allegation has been made about the volunteer, the volunteer file should be retained until the volunteer reaches normal retirement age or for 10 years if that is longer.

Financial Records

  • Financial records – 6 years
  • Payroll and tax information – 6 years

Corporate

  • Employers Liability Certificate – 40 years
  • Insurance policies – Permanently
  • Certificate of Incorporation – Permanently
  • Minutes of Board of Trustees – Permanently
  • Memorandum of Association – Original to be kept permanently
  • Articles of Association – Original to be kept permanently
  • Variations to the Governing Documents – Original to be kept permanently
  • Statutory Registers – Permanently
  • Membership records – 20 years from commencement of membership register
  • Rental or Hire Purchase Agreements – 6 years after expiry

Other

  • Deeds of Title – Permanently
  • Leases – 12 years after lease has expired
  • Accident books – 12 years from the date of the last recorded accident, see also records of injuries/accidents at work, above
  • Health & Safety Records – 12 years

 

Appendix 2: Legislation Conformance

The legislation that the policy conforms to:

  • General Data Protection Regulations (EU) 2016/679 (GDPR)
  • UK Data Protection Act 2018 (DPA2018)
  • Privacy and Electronic Communications Regulations (PECR)
  • Any legislation that will replace the GDPR in UK law after leaving the European Union.

 
