Data Protection and Confidentiality Policy

  

1. Introduction

Adopt NI offers professional and confidential services to those from the adoption and looked after communities. These services are based on trust, diplomacy and discretion and recognise the very sensitive nature of the information being processed.

 Adopt NI recognises that employees, volunteers, trustees and others who work within our Charity gain information about individuals and organisations during the course of their work or activities. In most cases such information will not be stated as confidential, and we may have to exercise common sense and discretion in identifying whether information is expected to be confidential.

 Adopt NI is committed to ensuring that any personal information which is provided to us in the course of our work will be processed and stored in accordance with the Data Protection Act. We strive to be concise, clear, and transparent about how we obtain and use Personal Information and how (and when) we delete that information once it is no longer required (refer to the Document Retention and Disposal Policy).

 Confidentiality is a broader concept than data protection but there is overlap between the two areas.

·       Confidentiality refers to all forms of information including personal information about people using services or employees or volunteers, information about the organisation, for example, its plans or finances and information about other organisations, whether the information is recorded or not.

·       Data protection concerns only personal information, which is recorded, whether this be in electronic or manual format.

 

 2. Data Protection Act

The UK data protection regime is set out in the Data Protection Act 2018 along with the GDPR (General Data Protection Regulations) (which also forms part of UK law) and The Privacy and Electronic Communications Regulations (PECR). The Information Commissioner’s Office (ICO) regulates data protection in the UK. The purpose of the Act is to protect the rights of individuals about whom data (information) is obtained, stored, processed, and disclosed.

 

What is data protection?

Data protection is essentially the area of the law that governs what may, and what may not, be done with personal information. Such personal information may be in electronic (e.g., stored on computer hard drive) or manual form (in a manual filing system).

 

Data protection is about ensuring people can trust organisations to use their data fairly and responsibly.  The following is not a definitive statement on the Act, but seeks to interpret relevant points where they affect Adopt NI.  The Act covers both written and computerised information and the individual’s right to see such records.

 

The law

The Data Protection Act is mandatory, and Adopt NI is required under law to comply with the Act. This means that we must:

·       Notify and register with the Information Commissioner’s (IC) Office

·       Adhere to the eight data protection principles below

·       Educate and train staff in the correct use of data

 

Consequences of breaching the Data Protection Act

Staff can be criminally liable if they knowingly or recklessly disclose personal data in breach of the Act. A serious breach of data protection is also a disciplinary offence and will be dealt with under Adopt NI’s disciplinary procedures. If a member of staff accesses another employee’s personnel records without authority, this constitutes a gross misconduct offence and could lead to summary dismissal.

 

Notification

The Information Commissioner maintains a public register of data controllers who process data (information) and who are required to notify their details to the Commissioner.

 

2. Aim

This Policy sets out the data protection principles with which Adopt NI must comply and the procedures that are to be followed when dealing with Personal Data.  This applies to all Personal Data processed by, or on behalf of Adopt NI.

 

 3. Scope

It is important to note that the Act covers all records relating to clients, Trustees, staff, and volunteers.

 

Board members, staff and volunteers will be made aware of this policy when first joining the organisation and will be asked to sign that they have read and understood the policy and will abide by it.  In the case of staff, their contracts will state the necessity of adhering to this policy and will make it clear that a breach could be a serious disciplinary matter.

 

The Board of Directors have overall responsibility for data protection within Adopt NI, with operational decisions delegated to the Regional Manager. However, each individual processing data is acting on the Charity’s behalf as a Data Processor, and therefore has a legal obligation to adhere to the Regulations.

 

 4. Definitions

  • Processing of Information – how information is held and managed.

  • Data Subject – used to denote an individual about whom data is held.

  • Data Controller – used to denote the entity with overall responsibility for data collection and management.  Adopt NI is the Data Controller in relation to the Act.

  • Data Processor – an individual handling or processing data.

  • Personal Data – any information about a particular living individual which can identify who they are. This includes a customer, client, trustee, employee, partner, member, supporter, business contact, public official, or member of the public.

  • Special Category Data - Sometimes known as “sensitive personal data”, means Personal Information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data and the processing of data concerning health or sex life.

 

 5. Data Protection Principles

There are eight principles of data (information) processing with which the data controller must ensure compliance.  Personal data shall be:

1.     Principle 1: processed fairly and lawfully

2.     Principle 2: obtained only for the purpose stated

3.     Principle 3: adequate, relevant, and not excessive

4.     Principle 4: accurate and, where necessary, kept up-to-date

5.     Principle 5: not kept for longer than is necessary for that purpose

6.     Principle 6: processed in accordance with the rights of data subjects

7.     Principle 7: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data

8.     Principle 8: not transferred to countries without adequate protection

 * (further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes).

 

6. Lawful Processing

All processing of personal data must meet one of the six lawful bases defined in Article 6(2) of the GDPR:

1.       Consent – where we have the consent of the data subject

2.       Contractual - necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract

3.       Legal Obligation - necessary for compliance with a legal obligation to which the charity is subject

4.       Vital Interests - necessary for the protection of the vital interests of the individual or another natural person

5.       Public Interest - necessary for the performance of a task carried out in the public interest or exercise of official authority

6.       Legitimate Interests - necessary for the purposes of legitimate interests of Adopt NI or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the individual, in particular where the individual is a child

 

Where processing is based on consent, the data subject has the option to easily withdraw it. Without consent, we must then satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis. We must then document our decision as to which lawful basis applies to help demonstrate our compliance with the data protection principles. The most appropriate lawful basis will be noted in the Records of Processing Activities (RoPA). Where Special Category Data is processed, including criminal offence information, we must identify a lawful special condition for processing that information and document it.

7. Individual’s Rights

The GDPR states that individuals have the following rights in respect of the processing of their Personal Information:

 

a.     Right to be informed - To be told how their personal data is used in clear and transparent language. Adopt NI will keep individuals informed of its processing activities through its privacy notices, which can be found on our website at https://www.adoptni.org/privacy-policy.

 

b.    Right of access - To know and have access to the personal data we hold about them.

 

c.     Right to data portability - An individual has the right to receive a copy of their Personal Information and use it for other purposes.

 

d.    Right to rectification - To have their personal data corrected where it is inaccurate or incomplete.

 

e.     Right to object – To complain/to object to Adopt NI’s processing of their Personal Information.

 

f.      Right to restrict processing - To limit the extent of the processing of their personal data.

 

g.    Rights related to automated decision making and profiling - An individual has the right to challenge any decision that is made about them on an automated basis (subject to certain exceptions).

 

h.    Right to erasure - An individual is entitled to request that Adopt NI ceases to hold Personal Information about them.  The Charity is required to comply with a request for erasure unless it has reasonable grounds to refuse.

 

 8. Why Information is Held

Most information held by Adopt NI relates to service users, employees, trustees, and volunteers. Information is kept to enable Adopt NI staff to understand the needs of individuals or service users in order to deliver the most appropriate services. Information about users may be kept for the purposes of monitoring our equal opportunities policy and also for reporting back to funders. Information received by Adopt NI, as part of the services it provides, will be considered to be information for the Charity to share with colleagues and use to deliver its aims and objectives.

 

 9. Use of Information

General enquiries

Enquirers can make a general approach to Adopt NI rather than an individual staff member or volunteer. As such, any information “belongs” to Adopt NI, not the individual staff member. Confidentiality does not prevent discussion between Adopt NI representatives in order to offer the fullest response to a request.

 

Marketing

Direct marketing, including selling products or services and promotional activities, is subject to the General Data Protection Regulations and Electronic Communications (EC) Directive regulations. No representative of Adopt NI can make unsolicited phone calls to someone who has told Adopt NI that they do not want calls from the charity.

 

Adopt NI representatives cannot send unsolicited marketing materials by electronic mail or fax without getting permission first. All approved marketing by Adopt NI representatives must identify the sender and the name and address of the charity.

 When individuals say they do not want to receive marketing materials this request must be dealt with promptly.

 

Trustees

Members of the Board of Trustees have a right to information held by the Charity and are responsible for the policies and procedures of the organisation. However, any such information will not be disclosed unnecessarily to Trustees unless such disclosure is relevant and necessary. Individual Trustees will not elicit information of a personal nature except where it is relevant to resolving a defined task.

 

A record will be kept of all requests by trustees to view a file containing details of a personal nature. The record will summarise the nature and scope of the information disclosed and the reason for the disclosure.

 

 Staff

Line Managers may “need to know” confidential information about other staff members. Access, storage, and disposal of confidential information about employees is subject to the same principles as confidential information held by staff in respect of users. Confidential information will therefore:

  • Be restricted to those who need to know

  • Paper records will be kept securely locked in filing cabinets

  • Access to computer files will be restricted to those who need to know

 

Volunteers

A volunteers’ pack is given to all new volunteers. This requires that they respect the privacy of users, maintain strict confidentiality about the affairs of the organisation and its employees and do not disclose to others information they have gained during their voluntary work. They are also required to sign this policy which binds them to these conditions.  Volunteers have a right to expect that information given to AUKCAP will be treated as confidential.

 

Additional requirements

In relation to some services (such as information and advice) there may be additional confidentiality requirements that apply to meet regulatory or good practice guidance.

 

Any breach of these rules will be considered a disciplinary offence and may, in fact, be deemed to be in breach of the data protection legislation.  Anyone guilty of a breach of data protection laws may face prosecution.

 

 10. Principles of Confidentiality

 

·       All staff and volunteers should inform groups, organisations, or individuals why they are requesting information and explain the purpose of storing and using this information. They should ask permission to keep and use this information and note that permission was obtained.

 

·       Staff and volunteers are able to share information with their Line Manager in order to discuss issues and seek advice but should not disclose to anyone, other than their Line Manager, any information considered sensitive, personal, financial, or private without the knowledge or consent of the individual, or organisation.

 

·       Staff and volunteers should avoid exchanging personal information or comments (gossip) about individuals with whom they have a professional relationship.

 

·       Staff and volunteers should avoid talking about organisations or individuals in social settings.

 

·       There may be circumstances where it would be appropriate for colleagues to discuss difficult situations with each other to gain a wider perspective on how to approach a problem.

 

·       If staff and volunteers receive information from individuals outside Adopt NI regarding the conduct of a colleague or group, then this should be dealt with sensitively. The appropriate colleague should tell the individual about the Complaint Procedure and advise them accordingly.

 

·       If employees are dissatisfied with the conduct of a colleague, and have sensitive information that could be evidenced through investigation, they should discuss it with the appropriate line manager. Any allegation which is found to be malicious or ill-founded will be dealt with by Adopt NI under the Disciplinary Procedure.

 

 11. Procedures for Staff

·       At no time will any personal information that has been provided, obtained, or discussed with an individual be passed on to another person outside the remit of Adopt NI without the express permission of the individual concerned; nor must it be discussed with or passed on to unauthorised individuals or groups within Adopt NI.  Only authorised personnel may have access to clients’ files, except where it is deemed necessary by the Regional Manager.

 

  • When working from home, or from an off-site location, all data protection and confidentiality principles still apply. Electronic data, e.g., documents and programmes related to work for Adopt NI, should not be stored on any external hard disk or on a personal computer. If documents need to be worked on at a non-networked device they should be saved onto SharePoint.

 

  • Workstations in areas accessible to the public, e.g., reception or trading office, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out on the desk where passers-by could see it. Consideration should be given to what may be seen on screens, and they should be locked when not in use.

 

  • When sending emails or other electronic communications to outside organisations, e.g., social workers, care should be taken to ensure that any identifying data is removed and that codes (e.g., initials or identifying code number, etc.) are used. Confidential and/or special categories of personal information should be written in a separate document which should be password protected before sending. Wherever possible, this document should be ‘watermarked’ confidential.

 

  • Any paperwork kept away from the office should be treated as confidential and kept securely as if it were held in the office. Documents should not be kept in open view but kept, for example, in a file in a drawer or filing cabinet; a locked cabinet is the optimum, but safely out of sight is a minimum requirement.

 

  • If you are carrying documents relating to a number of clients when on a series of home visits, you should keep the documents for other clients locked out of sight in the boot of the car, and not take them into the other clients’ homes.  When carrying paper files or documents they should be in a folder or bag which can be securely closed or zipped up.  The briefcase/folder/bag should contain Adopt NI’s contact details.  Never take more personal data with you than is necessary for the job in hand.  Care should be taken to ensure that you haven’t inadvertently left anything behind on leaving.

 

12. What to Do If There Is a Breach

If you discover, or suspect, a data protection breach you should report this to the Regional Manager, who will review our systems in conjunction with the IT Consultant to prevent a reoccurrence. The IT Consultant should be informed of the breach, action taken and outcomes to determine whether it needs to be reported to the Information Commissioner and also for reporting to the Board of Trustees.

 

There is a time limit of 72 hours for reporting breaches to the ICO, so the Regional Manager should be informed without delay.

 

Any deliberate or reckless breach of this Data Protection Policy by an employee or volunteer may result in disciplinary action which may result in dismissal.

 

Adopt NI will not undertake direct telephone marketing activities under any circumstances.

 

 13. Subject Access Requests (SARs)

Data Subjects can ask, in writing to the Regional Manager, to see all personal data held on them, including e-mails and computer or paper files.  The Data Processor (Adopt NI) must comply with such requests within 30 days of receipt of the written request.

 

If an individual would like to access a copy of the data we hold about them, they should do so by sending their request in writing to Adopt NI, Data Controller, Ciara Scully, 18 Heron Road, Belfast, BT3 9LE or via email to ciara@adoptni.org.

 

Your request will be processed within 30 days.  There is no fee payable to access personal information (or to exercise any of the other rights).  We will need to request specific information from the individual to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights).  This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.  If you require further information on accessing your data please contact the Data Controller on +44 (0)28 9045 4222.

 

 14. The Information Commissioner (ICO)

Powers

The following are criminal offences, which could give rise to a fine and/or prison sentence:

·     The unlawful obtaining of personal data.

·     The unlawful selling of personal data.

·     The unlawful disclosure of personal data to unauthorised persons.

 

Address

The Information Commissioner’s Office – Northern Ireland

3rd Floor

14 Cromac Place,

Belfast

BT7 2JB

 

Telephone: 0303 123 1114

Email: ni@ico.org.uk

 

Further information is available at Information Commissioner's Office (ICO)