Data Protection Policy

Data Protection Policy and Procedures from May 2018

  1. The General Data Protection Regulation (GDPR) is a new law that replaces the Data Protection Act. Any organisation that processes personal data will have to be compliant. It is a fundamental legal responsibility of every charity to ensure it has the right policies and procedures in place so that it is run properly and takes individuals’ rights seriously. GDPR became effective from 25th May 2018.
  2. GDPR Principles are that personal data shall be:
    1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
    2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    4. Accurate and up to date with inaccurate data erased or rectified without delay;
    5. Kept in a form which permits identification of data subjects no longer than is necessary for the purposes for which the data is processed;
    6. Processed in a manner that ensures appropriate security of the data, using appropriate technical or organisational methods.
  3. Personal Data Formats:
    1. Personal data can be held electronically but may also be held in other forms such as paper, photographs etc. All are covered by the regulation.
  4. BHCCA will be a ‘data controller’ in the following ways:
    1. As an employer processing the personal data of employees, trustees and volunteers.
    2. As a provider of personal services to clients of the Day Centre and members of the clubs.
    3. As an organisation holding information with regard to supporters.
    4. As an organisation holding personal data with regard to other organisations and suppliers.
  5. The likely bases for processing personal data are:
    1. Contract – the processing is necessary for a contract made with an individual, e.g. members attending the Day Centre or members of staff with regard to their employment.
    2. Individuals attending the various clubs who have given consent, with a clear affirmative action, to allow the processing to take place.
    3. Individuals who have consented to the processing of their personal data (e.g. for newsletters).
    4. Companies and organisations which have a relationship with BHCCA.
  6. Individuals whose personal data is being processed have the following rights in relation to the data being held on them.
    1. The right to be informed about what data is being held
    2. The right of access to view that information
    3. The right of rectification if they feel the data is incorrect
    4. The right to erase information held on them
    5. The right to restrict how the data is processed and used
    6. The right to data portability
    7. The right to object (e.g. to direct marketing)
    8. Rights not to be subject to automated decision making and profiling.
  7. Inventory of information – what information is held by BHCCA:
    1. Day Centre members: name; address; email address; phone numbers; DOB; health notes; medication; care notes; next of kin/contact details.
    2. Lunch Club members: name; address; email address; phone numbers; health notes; next of kin/contact details.
    3. Other club members: name; address; phone numbers; email address.
    4. Members of staff: name; address; email address; phone numbers; DOB; employment-related details; DBS details.
    5. Volunteers: name; address; phone numbers; email address; DBS details.
    6. Postal newsletter mailing list: name; address.
    7. Email mailing list: name; email address.
  8. Location of Personal Data: Personal data is currently held as follows:
    1. BHCCA office computer and filing cabinets.
    2. BHCCA Secretary’s personal computer.
  9. Personal Data Records:
    1. Stored personal data needs to be accurate, adequate, relevant and limited to what is necessary.
    2. Stored data should be deleted when no longer required, but care needs to be taken to retain data that it may be necessary to hold for a period of time, e.g. for HMRC purposes.
  10. Financial Data: the financial data held by BHCCA will include:
    1. Employee Records including salary, pension records, expenses;
    2. Volunteer records involving expenses;
    3. Supporter and fundraising data including donations;
    4. Supplier information including email addresses or contact information of those providing goods and services;
    5. Beneficiary financial data including grants, funding.
  11. Third parties:
    1. BHCCA needs to ensure that any third parties who hold data on its behalf, such as a payroll or pensions provider or DBS (Disclosure and Barring Service) services, are clear about their responsibilities.
  12. Security of Personal Data:
    1. Physical security for personal data should include locking paper records in cabinets when not in use and locking the office door when the office is unoccupied.
    2. Computer security should include password-protected access and computer security software, which should be regularly updated.
    3. Passwords must be strong and should not be written down. They should be changed regularly.
    4. Regular back-ups of data should be made using the encrypted system provided by the Mozy back-up software.
  13. Sharing Personal Data:
    1. Personal data must not be given to any person not authorised to receive it, unless the individual whose data it is has given express and specific permission to do so. Requests for personal data that are not clearly authorised should be referred to the Day Centre Manager for matters relating to the Centre or to the BHCCA secretary otherwise. Any doubts should be referred first.
  14. Data Breaches:
    1. A personal data breach means a breach of security leading to the accidental destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
    2. A breach may occur through theft, a system attack, unauthorised use of data by a member of staff or from accidental loss or system failure.
    3. If a personal data breach occurs, the ICO (Information Commissioner’s Office) has to be notified within 72 hours unless the breach is unlikely to result in a risk to the rights or freedoms of any individuals.
    4. Any data breach has to be documented, giving full details of the event, even if it does not need to be referred to the ICO.