East Northants Community Service needs to collect and use certain information about individuals in order to carry out its day-to-day activities as a charity and a responsible employer.
The individuals about whom ENCS collects data include staff (plus their next of kin and where appropriate partners and dependants), volunteers, trustees, members, clients, professional advisors and consultants, suppliers and others with whom ENCS has a legitimate business relationship.
This policy sets out how ENCS discharges its responsibility to comply with the Data Protection Act 2018 (DPA2018) and the General Data Protection Regulation (GDPR).
The policy is supported by more detailed policies on security and data retention, and privacy notices for different types of data subject [see below].
3. Data Protection Act and General Data Protection Regulation
DPA2018 and GDPR are concerned only with the protection of ‘personal data’ – i.e. data relating to identifiable living individuals (data subjects), not data relating to organisations.
ENCS recognises its obligation to have at least one of the six prescribed legal bases for any processing of personal data, and to meet at least one of the additional conditions for processing special category data [see below].
ENCS fully endorses and adheres to the six Principles of Data Protection, which must be observed at all times when processing personal data.
The term ‘processing’ is defined by GDPR to cover a wide range of activities including collecting, recording, organising, using, disclosing, storing and deleting data.
4. Data subjects and purposes of data processing at ENCS
ENCS provides appropriate privacy statements for different types of data subject and makes these prominently available.
ENCS processes personal data from previous and current beneficiaries for the purposes of administering and maintaining safety and contact details, capturing data on the groups and individuals the charity supports (this data is anonymised when used for statistics unless we have explicit permission), fulfilling our duty of care and helping our projects support beneficiaries.
Staff, applicants and ex-staff
ENCS processes personal data from current, past and prospective employees for the purposes of administering and maintaining HR records. Full details can be found in ENCS employee privacy statement.
ENCS processes personal data from current, past and prospective volunteers for the purposes of administering and maintaining safety and contact details records. Full details can be found in ENCS volunteer privacy statement.
ENCS also processes the personal data of trustees, professional advisors and consultants, suppliers and others with whom it has legitimate business relationships. Details and personal data of trustees are processed to remain in line with the law and Charity Commission rules, to conform to our safeguarding practices and to maintain HR records.
Professional advisers and consultants, suppliers and business contacts
We process data of professional advisors, consultants, suppliers and business contacts in order to ensure the progress and work of ENCS. Where there is a supplier, contractor or consultant, we will process personal data to maintain accurate HR records and conform to all safeguarding practices.
5. Special category data
The processing of ‘special category’ personal data must comply with one of an additional set of conditions listed in GDPR and amplified in DPA2018. Special category data includes an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health, sex life or sexual orientation. Data concerning an individual’s criminal record, court appearances, etc, is not special category data but, under DPA2018, is treated similarly.
As an employer, ENCS may process type(s) of special category personal data [and criminal records] about applicants, current members of staff and trustees for the sole purpose of administering and maintaining appropriate HR records.
6. Data Protection by design and by default
ENCS incorporates Data Protection practice into all relevant processes and activities, and considers the Data Protection implications of all new projects, activities and processes. All major and/or novel developments are reviewed by the Data Protection Lead. Managers are responsible for ensuring that Data Protection is taken into account when setting up or modifying routine processes.
7. Roles and responsibilities at ENCS
The Board of Trustees is ultimately responsible for ensuring that ENCS meets its legal obligations.
The Data Protection Lead at ENCS, with responsibility for day-to-day compliance, is the Operations Manager. Their responsibilities include:
- Keeping the Board updated about data protection responsibilities, risks and issues
- Maintaining records that demonstrate how we comply with Data Protection
- Advising colleagues on Data Protection practice
- Ensuring that all relevant staff (including volunteers) receive Data Protection induction and regular training
- Reviewing contracts or contract amendments with Data Processors before they are signed
- Reviewing joint processing and data sharing agreements with other organisations before they take effect
- Handling all requests from Data Subjects to exercise their Data Protection rights
- Being the point of contact for the Information Commissioner
- Reviewing all data protection procedures and related policies, in line with an agreed schedule
- Handling data protection questions from staff and anyone else covered by this policy
- Being the first point of contact in the event of a personal data breach or suspected breach
The Operations Manager and all line managers are responsible for:
- Ensuring that all members of the staff team (and volunteers) are reminded, at least annually, of their roles and responsibilities when processing personal data and that training is undertaken by individual staff members and volunteers as appropriate
All members of staff and volunteers employed by ENCS are responsible for complying with policies and procedures which are designed to ensure that:
- Data is obtained fairly and transparently
- Data is only obtained or held if there is a good reason for doing so
- Data is used only for the purposes for which it is collected. Data is not used for purposes other than those made known at the time the data was collected
- Data is accurate and where necessary up to date, with data inaccuracies being rectified as soon as they are discovered
- Data is not held for longer than necessary and is destroyed in line with ENCS’s retention policy
- Data is held in as few places as necessary and not unnecessarily duplicated
- Access to personal data is restricted to those who need it for clearly defined purposes
- Appropriate security measures are in place and followed
- Any request from a data subject to exercise their Data Protection rights is passed to the Data Protection Lead without delay
- Any breach, possible breach or near miss is reported to a manager or to the Data Protection Lead as soon as anyone becomes aware of it
- Personal information is not transferred abroad without suitable safeguards, and only on the authority of ENCS’s senior management or board
- Disclosure of personal data outside ENCS, unless in exceptional circumstances and with the authorisation of the Data Protection Lead, takes place only with the prior knowledge of the data subject
8. Data processors
A number of data processors are currently used by ENCS. These are:
- Entapris for the provision of IT systems and technical support and advice
- CVS Northamptonshire and NEST for the provision of pensions
- CVS Northamptonshire for processing payroll
- HMRC for relevant tax and processing
- Charity Commission for details of trustees
Contracts with all the above, and all future contracts with data processors, are kept under review with the aim of explicitly setting out the responsibilities of each in line with the provisions of GDPR.
9. Collaboration with other organisations
Whenever ENCS agrees to exchange data with one or more other organisations, or to collaborate in an activity that involves the use of personal data, the organisations involved will draw up an agreement, setting out their respective Data Protection responsibilities.
10. Legal bases for processing
ENCS carries out all its processing of personal data under an appropriate legal basis, which is typically assessed as follows:
- Where the processing is necessary for a contract, that is normally the legal basis
- Where the processing is necessary under a legal obligation, that is normally the legal basis
- Where the processing is necessary in the course of our routine activities, our legal basis is normally legitimate interests, provided we have carried out and documented an appropriate assessment
- Where it is appropriate to offer the data subject a genuine choice, or where no other basis applies, our legal basis is normally consent
ENCS does not carry out any public functions and recognises that the vital interests legal basis is only to be used in the case of serious emergencies.
It is normally the responsibility of the CEO/Operations Manager to assess the appropriate legal basis for the activities of their team and to carry out an assessment if required. Complex or potentially controversial cases may be referred to the Data Protection Lead or, exceptionally, to the Board.
11. Data protection processes and procedures at ENCS
ENCS takes seriously the protection of personal data and has taken the necessary steps to ensure that it is processed safely and securely.
- Staff and trustees (and volunteers where relevant) receive appropriate regular training on data protection issues including IT security
- ENCS’s IT, Acceptable Use and Data Security Policy sets out the procedures and best practice that all staff and trustees and volunteers must adhere to in order to ensure the security, integrity, and availability of data and resources
12. Data subject rights
ENCS recognises the rights of individuals, and in particular those that are applicable to ENCS’s processing: to be informed; to access their data; to rectification of inaccurate data; to erasure of data in certain circumstances and to restriction of processing in certain circumstances.
Subject Access Requests
ENCS aims to comply with written requests for access to personal information as quickly as possible, but will ensure that it is provided – in accordance with guidance from the Information Commissioner – within the one month timeframe specified by GDPR.
Third Party requests for data
In certain circumstances data protection legislation allows personal data to be disclosed for purposes such as law enforcement without the consent of the data subject. Under these circumstances, ENCS will disclose the requested data having first ensured that the request is legitimate. This may include taking legal advice.
13. Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach can be accidental or deliberate. Examples of breaches can include:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Any breach of data protection must be reported immediately to the Operations Manager for inclusion in the data breach log. The information recorded must include the date of the breach, the number of people affected, the nature of the breach, a description of the breach, how we became aware of the breach and a description of the data involved. The data breach log is owned and maintained by the Operations Manager and/or Data Protection Lead (N.B. these may be the same role).
Following a breach, immediate remedial action should be taken and the details recorded in the breach log. This should include the consequences of the breach, whether all individuals affected have been informed of the breach, what remedial action was taken and the date the ICO was informed of the breach (if required).
In the event of an investigation and disciplinary action, ENCS will take the promptness of staff actions into account when managing the situation. ENCS expects all staff to report data breaches promptly, and not to hide them.
Breaches must be reported to the ICO if there is a likely risk to people’s rights and freedoms. If, on assessment, the risk is unlikely, there is no need to report it; however, details of the breach and the justification for the decision not to report it must be documented in the breach log.
More information on data breaches can be found on the ICO website.
The data breach log should be used in the same way as the accident book: even the most minor breach should be recorded, as the log becomes a very useful resource for training and data security strategy.
Status of the Policy
This policy has been approved by the ENCS Board. Any breach will be taken seriously and may result in disciplinary action.