Data Protection

Apr 5, 2019

Data Protection & GDPR Policy

Policy information

Organisation: The Recovery Foundation is the Responsible Data Controller. The Board of Trustees determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Scope of policy

This policy applies to The Recovery Foundation as an operating Charitable Incorporated Organisation.

There are no other Data Processors operating on the behalf of The Recovery Foundation.

Policy operational date: June 2018. This policy will be reviewed every 3 years.
Policy prepared by: the appointed Data Protection Officer, Mrs Emma Sithole
Date approved by Board/Management Committee: sign-off required
Policy review date: May 2021


Introduction

Purpose of policy

The Recovery Foundation has day-to-day responsibility for data protection, both to comply with UK law and to follow good practice.

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018).

The purpose of this policy is to support the organisation in:

  • following good practice
  • protecting clients, staff and other individuals
  • protecting the organisation

Types of Data

Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).

The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing (see Article 10).

Determining Data:

The GDPR applies to the processing of personal data that is:

  • wholly or partly by automated means; or
  • the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.

Personal data only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.

Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.

Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.

Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.

Information about companies or public authorities is not personal data.

However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.

  • If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
  • You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
  • If an individual is directly identifiable from the information, this may constitute personal data.

NOTE:

The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Policy statement

The Recovery Foundation has a commitment to:

  • comply with both the law and good practice
  • respect individuals’ rights
  • be open and honest with individuals whose data is held
  • provide training and support for staff who handle personal data, so that they can act confidently and consistently
  • notify the Information Commissioner voluntarily, even if this is not required

Key risks

The Recovery Foundation has identified the main risks within two key areas:

  • information getting into the wrong hands, through poor security or inappropriate disclosure of information
  • individuals being harmed through data being inaccurate or insufficient

It is appropriate to highlight the sensitive nature of the information that The Recovery Foundation handles.

Responsibilities

The Board / Company Directors

They have overall responsibility for ensuring that the organisation complies with its legal obligations.

Data Protection Officer

The designated Data Protection Officer is:

Mrs. Emma Sithole

Their responsibilities include:

  • Briefing the Board on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on tricky Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Notification to the ICO
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with Data Processors

Specific Department Heads

Depending on the size of your organisation, you may want to mention IT or Marketing for monitoring their own compliance with GDPR and reporting back to the DPO

Employees & Volunteers

All staff and volunteers within The Recovery Foundation are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

(From now on, where ‘employees’ is used, this includes both paid employees and volunteers.)

All data processed by employees of The Recovery Foundation will adhere to Article 5 of the GDPR, which sets out seven key principles that lie at the heart of the general data protection regime.

Article 5(1) requires that personal data shall be:  

  • “(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  • (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  • (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Enforcement

Penalties for infringement of Data Protection include:

  • Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
  • Court action and prosecution for serious breaches and infringement of data protection.

The Recovery Foundation will provide all employees with mandatory training on Data Protection and GDPR. This will be updated every 3 years from then onwards.

Training will include modules on the following:

  • What is Data Protection and GDPR?
  • Important Definitions
  • What is personal data?
  • Accountability and Transparency
  • Collecting and Storing Data
  • Vishing and Phishing – what do I do?
  • Reporting a Data Protection breach 

Security

Scope

Data Security and business continuity are included within the scope of this policy.

Setting security levels

As a principle, because The Recovery Foundation holds ‘Special Category Data’ about individuals, it sets high security levels for all data processed.

Data may include sensitive information, including mental health conditions and other health-related information. This means a breach of confidentiality would have serious consequences.

Security measures

The Recovery Foundation processes personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.

Risk analysis, organisational policies, and physical and technical measures are all taken into account.

The Recovery Foundation uses measures such as pseudonymisation and encryption to ensure the ‘confidentiality, integrity and availability’ of its systems and services and of the personal data processed within them.

The measures taken also enable the restoration, access and availability of personal data in a timely manner in the event of a physical or technical incident.

These measures will be tested for effectiveness and any required improvements made as a matter of priority.

The Recovery Foundation uses a ‘cloud drive’ to store documentation such as policies and other administrative documents. Although some of this data is still considered confidential, it is given confidentiality level 1 and requires password protection only.

Any personal data or data regarding other organisations is stored separately on an encrypted hard drive. There is a backup encrypted hard drive in case of technical malfunction. Data is pseudonymised and encrypted, and both hard drives are password protected. As this data contains sensitive information, the confidentiality level is set at 3.

Documentation including application forms, supervision records and appraisals is also stored on an encrypted hard drive. As this data is also sensitive, it is categorised as confidentiality level 3 and the same measures are in place as for personal and organisation data. Individuals will retain their own personal hard copy for their records.

Regarding passwords:

Passwords will have a lifespan of 3 months before each employee will be mandated to change them. This is to increase security and decrease the risk of data breaches.

Business continuity

The Recovery Foundation has put in place backup procedures (both for data and for key employee availability) and emergency planning.

Specific risks

In the absence of an office space, employees of The Recovery Foundation currently work from home and meet clients in a variety of public spaces.

Special precautions are in place in order to comply with GDPR laws. It is the policy of The Recovery Foundation that any administrative data for the charity is stored on the cloud drive and that it is password protected.

Any personal data must be treated with a high level of vigilance and handled in accordance with the following:

The point of contact for individuals wishing to contact The Recovery Foundation will be via email using the following address in the first instance:

info@therecoveryfoundation.org.uk

This may include data from individuals booking onto a course with The Recovery Foundation; any such data will be kept on an encrypted hard drive.

As The Recovery Foundation relies on email as its preferred method of communication in the first instance, it is important to address ‘vishing and phishing’.

The Recovery Foundation’s mandatory training package includes a module on recognising vishing and phishing scams and how to respond to them.

The Recovery Foundation will never give out the contact details or personal data of any employee or student over email or telephone without the express permission (in writing) of the individual whose details have been requested.

Data Recording & Storage

Accuracy

The Recovery Foundation recognises the importance of keeping accurate data and sets high standards for employees in checking for accuracy.

When information is taken from a new client (whether an individual or an organisation), the data collected is typed into the contact form and then sent electronically to that individual for them to check for accuracy. This way the client has control over the information they provide and is also able to ensure that their information has been recorded correctly.

Updating

Employees:

Data for employees will be filed on the encrypted hard drive. It is the responsibility of the employee to alert The Recovery Foundation to any changes in personal information including contact details, status and work-related requirements. This should be done in writing and the relevant documentation will be stored accordingly.

In the case of recruitment, CVs will be held for no longer than 6 months, in accordance with the law.

Clients:

Data for clients (individuals or organisations) will be filed on the encrypted hard drive. It is the responsibility of the client to alert The Recovery Foundation to any changes in personal information including contact details and work-related requirements. This should be done in writing and the relevant documentation will be stored accordingly.

Storage

Personal data will never be stored for any longer than it is needed.

Article 5(1)(e) says:

“1. Personal data shall be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”

Retention periods

The Recovery Foundation sets out the following retention periods for data:

Employee Data:

Employee data will be held for a further 5 years after that individual has left the charity. This is to allow for any follow-up in the form of references and also to comply with the law, including legal action or investigation.

Client Data:

The Recovery Foundation will hold data for as long as the client continues to work with the charity. After this the retention period will be 3 years to allow for any complaints procedures or requests in compliance with the law. The data will be held securely on an encrypted hard drive.

Any organisational contractual data will be retained for 6 years after the end of the contract as is good practice within government organisations.

The Recovery Foundation Financial Records:

For a detailed guide to retention timelines for financial records please refer to Appendix A (The National Archives: Accounting Records).

Archiving

Once records have passed their retention period, it is the practice of The Recovery Foundation to dispose of them in a manner that complies with UK standards and good practice.

Data that is to be permanently retained will be archived appropriately.

Data for disposal will be destroyed once it has exceeded its retention period. This will be done via an external organisation that disposes of confidential information.

Right of Access

Responsibility

The Recovery Foundation will always work within the legal time limit for right of access requests (one month) and has a designated officer to deal with this: E. Sithole.

Procedure for making request

Right of access requests must be in writing.

All requests can be made via The Recovery Foundation’s standard request form.

There is a clear responsibility on all employees to pass on anything which might be a subject access request to the appropriate person without delay.

Provision for verifying identity

Where the person managing the access procedure does not know the individual personally there is provision for checking their identity before handing over any information.

Charging

Information is provided free of charge.

However, The Recovery Foundation reserves the right to charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

The Recovery Foundation may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that The Recovery Foundation can charge for all subsequent access requests.

The fee is based on the administrative cost of providing the information.

Procedure for granting access

If the request is made electronically, The Recovery Foundation will provide the information in a commonly used electronic format – Microsoft Word as standard.

Lawful Basis

Underlying principles

The data that The Recovery Foundation deals with on a day to day basis fall under the ‘Special Category Data’ definition and is therefore subject to more stringent regulations.

The lawful basis category data will be processed under is ’Contract’:

Article 6(1)(b) gives you a lawful basis for processing where:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

The Special Category Data conditions The Recovery Foundation applies are listed below:

Article 9(2) of the GDPR

  • (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Opting out

As The Recovery Foundation is built on integrity as one of its core values, clients are always afforded the opportunity to opt out of their data being used in particular ways.

Withdrawing consent

The Recovery Foundation wishes to acknowledge that, once given, consent can be withdrawn, but not retrospectively. There may be occasions where The Recovery Foundation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

Employee training & Acceptance of responsibilities

Induction

All employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures at The Recovery Foundation.

Continuing training

There are opportunities to raise Data Protection issues during employee training, team meetings and personal supervision.

Procedure for staff signifying acceptance of policy

In order for employees to show acceptance of The Recovery Foundation Data Protection and GDPR Policy, they will be asked to sign and date the back page of their Employee Handbook. This will indicate that they have read and agree to adhere to the policies within The Recovery Foundation.

Policy review

Responsibility

The Designated Officer (E. Sithole) has responsibility for carrying out the next policy review as part of The Recovery Foundation’s ongoing commitment to good practice.

Procedure

The Trustee Board will be consulted in the review.

Timing

The review will commence 3 months prior to the release of the updated policy.
