Data Protection Agreement - Volunteers

Data Protection Policy

Effective Date: June 2016

Policy Statement

Christians Together Calderdale (CTC) needs to collect and use certain types of data in order to carry out our work. We are committed to protecting the rights and privacy of all individuals connected with our work, whether service users, volunteers, staff, supporters or donors. The lawful and correct treatment of personal information is regarded as essential in order to maintain the confidence of those who are connected to us.

Legislation

CTC are committed to complying with the 8 principles of the Data Protection Act, which ensure that all personal data is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the European Economic Area without adequate protection

It is recognised that failure to observe these principles puts the professional reputation of the organisation at risk and in some cases may put individuals at risk. It may also result in the Information Commissioner issuing an enforcement notice or criminal prosecution in respect of unlawful disclosure, unlawful obtaining or procuring of personal data, unlawful selling or offering to sell personal data.

We acknowledge our responsibilities under the Act to allow individuals access to their personal information held by us; this is known as an ‘access request’.

Responsibilities

The Data Protection Officer for Christians Together Calderdale registered with the Information Commissioner’s Office is Linda Maslen.

It is expected that all employees and volunteers who have access to any data held by Christians Together Calderdale, trustees and management teams will read and abide by this policy.

Overseen by the trustees, project management teams have responsibility for the type of personal data they collect and how they use it. They are also responsible for training staff and volunteers in data protection issues (this would normally form part of the induction training).

All employees and volunteers have a responsibility under the Data Protection Act to ensure that their activities comply with the Data Protection Principles and can be personally liable for the misuse of personal information. Personal data should not be disclosed outside of the organisation’s procedures, or be used for any purpose other than that for which it was originally intended.

Procedures for managing personal information

Each project team should have procedures in place for managing the personal information they have on their files (computer and paper-based) in line with the Data Protection Act principles. This will include client files, volunteer information and donor/supporter details.

What information can we hold?

We can collect any personal information that is relevant and required for the work that we are doing. There should be clear reasons for requesting and storing the information that we hold, and these should be regularly reviewed.

Consent

A statement detailing our commitment to dealing with personal data in line with the Data Protection Act and details of how it will be used should be included on all forms containing personal information and where possible signed for consent. The data subject (the person that the information is about) should:

  • clearly understand why the information is needed and what it is used for
  • understand the consequences if it is not provided
  • give consent (verbal or written) to this data being used and processed
  • be made aware of what might be shared with third parties and for what reason
  • be made aware that anything they disclose that highlights a safeguarding risk will be disclosed to relevant bodies in line with our safeguarding policies.

Information/Data Storage

Paper-based information should be stored securely in a locked filing cabinet, with only those who have a reason to access it having a key. Files or other confidential information should never be left lying around an office.

Computer files should be password protected (passwords should not be something obvious) and closed when not in use. When away from the computer, the screen should be locked. Whilst confidential data is being viewed on a screen, the screen should be positioned so it cannot be viewed by others. Great care should be taken when sharing information by email or using a memory stick or other device and these should be encrypted. Personal data should not be recoverable from a computer that is no longer being used by the organisation.

Who can have access to the information?

Only those volunteers and employed staff who need to use the information as a part of their role can have access to the information they require. This access should be reviewed regularly.

How long can information be kept for?

Information can only be kept for as long as it is needed, so there is no defined period (unless there is a statutory requirement). Each Project Management team should decide how long the data is required and be clear on the reason why it is kept for that length of time. For example, client data can justifiably be kept whilst the client is still accessing the project and even for a while after they have left in case they return, or if the information is required for reporting purposes. It is not advisable to keep information for too long as it goes out of date, still has to be stored securely and may be subject to an access request by the data subject. Files should regularly be reviewed and, after the set period, should be disposed of using a shredder and any computer records deleted.

Who can we disclose information to?

Information and data can be disclosed within CTC teams ONLY to other staff and volunteers who have a requirement to know the information as a part of their role. If someone requests confidential information from you and you are unsure whether they are entitled to have it, speak to your team manager before disclosing it.

Information about clients must NEVER be shared with other clients. Even confirming to someone that a person is attending a particular project is a breach of their confidentiality and in some cases may put them in danger.

In some instances it may be necessary to disclose data to third parties, such as other organisations in the case of making a client referral. The individual should have been informed that their data will be used in this way at the point when the data is collected and understand that for appropriate interventions, good and appropriate information sharing is key.

Data is often used for reporting to funders and other bodies such as the council. This is a legitimate use of the data, and in these instances no individual will be identifiable and case studies should be made anonymous.

If someone is at risk

If abuse is disclosed or it is believed that an adult or child is at risk, information will not be kept confidential and will be shared with the relevant bodies in line with our Safeguarding Adults at Risk and Child Protection policies.

Can we share stories?

There are often times when it is helpful and encouraging to share good news stories of the people that have been helped. This should only happen with the express permission of the individual concerned. If in doubt, the story should be kept anonymous and care should be given to ensure it is not attributable to that individual.

Breaches in confidentiality

If there is any breach in confidentiality, the project management team should investigate how it happened, what has been disclosed and if appropriate discuss with the person whose confidentiality has been compromised. Details of the breach should be reported to the Data Protection Officer and steps should be put in place to ensure it doesn’t happen again.

Any breach in confidentiality by a volunteer or employee should be discussed with them and may result in disciplinary steps being taken as outlined in the volunteer behaviour policy or CTC staff disciplinary policy.

See Appendix 1 for a form that project management teams can use to ensure that the data they collect is managed in line with this policy.

Data Protection form – to be completed for all types of data that we hold

Date:______

What data do we collect?
What is it used for?
Have we been given consent to use it? Y/N
Where is it stored in paper form? / Where is it stored electronically?
Who has access to the data? (names or roles) / Reason for access
How long should it be kept for? / Reason for keeping for this period
Who within CTC can this information be shared with? (names or roles) / Reason for sharing
Who outside of CTC can this information be shared with? (names or roles) / Reason for sharing
How often should files be reviewed?