The purpose of this policy is to enable the St Albans Old People’s Trust Charity to: Comply with the law (General Data Protection Regulations (GDPR) 2018 and the Data Protection Act 1998) in respect of the data it holds about individuals
The St Albans Old People’s Trust Charity will ensure that the information the charity holds about its, beneficiaries, trustees, staff, volunteers and other individuals etc. is used in accordance with the law. The charity will only collect and use personal data in compliance with this Policy and the Rules set out below.
The Charity will:
- Follow good practice
- Protect beneficiaries, trustees, staff, volunteers and other individuals by respecting their rights
- Demonstrate an open and honest approach to personal data and
- Protect the charity from the consequences of a breach of its responsibilities.
This policy applies to all the information that we control and process relating to identifiable, living individuals including contact details, health and finance details, assets and bank details, photographs, audio and digital recording.
The St Albans Old People’s Trust Charity will comply with General Data Protection Regulations 2018 as follows:
- Transparency: The charity will be open and transparent in the way personal data is used and shared. There may be limited circumstances where the charity does not have to comply with the transparency requirement but in such instances the charity will obtain further advice from the ICO. Individuals will be provided with information about how their personal data is collected and stored.
- Collecting and Using Personal Data for Lawful purpose only. The charity will only collect and use the minimum amount of personal data relevant for the purpose of the charity and where the charity can rely on a lawful basis (or bases) and where the purposes have been identified in a privacy notice provided to individuals, for example in the charity’s grant application form. When collecting personal data from individuals the charity will ensure that the individuals are aware of the purposes for which the personal data will be used.Any use of personal data will be for the identified purposes and any different or new purposes will have a lawful basis. Personal data that is not necessary for any legitimate business purpose will not be collected or accessed.St Albans Old People’s Trust Charity has identified that the charity has a legitimate interest in keeping personal data about beneficiaries as trustees must be satisfied that each qualifies as a beneficiary of the charity in accordance with the Governing Document dated 30th May 2000The charity considers the processing and storing of such personal data is necessary to comply with the Governing Document. All personal data, including details of health and assets, will be stored securely, data on computer will be password protected and paper copies of data will be kept in a locked cabinet. Only authorised members of staff and trustees will have access to personal data.
- Privacy Impact Assessments and Privacy by Design. The trustees consider that the use of personal data is unlikely to result in significant risks for the rights and freedoms of individuals and therefore a Privacy Impact assessment is not necessary. The charity will ensure that systems, databases and tools that collect and use personal data are designed to promote privacy protection.
- Ensuring data quality. Processing inaccurate information can be harmful to individuals and the Charity. The main way of ensuring that personal data is kept accurate and up to date is by ensuring that the sources the charity uses to obtain personal data are reliable. Individuals will be actively encouraged to inform the charity should their personal data change.To ensure that personal data is accurate, it will generally be collected directly from individuals. All will be actively encouraged to update their details by notifying the charity of any changes in their personal data.
- Retaining and disposing of data. Any personal data must only be kept where there is a business or legal need to do so. When the charity disposes of personal data, this will be undertaken in a secure manner.Documents (including paper and electronic versions and email) containing personal data will not be kept indefinitely and will always be securely deleted and destroyed once they have become obsolete or when that personal data is no longer required. Paper based documents will be shredded at the registered office of the Trust. Electronic data will be permanently deleted from all drives and electronic media. Computer equipment that is surplus to requirements will be disposed of securely by specialist contractors. The charity will maintain a record of the details of the media and computer equipment that has been disposed of.Personal data will not be retained simply on the basis that it might come in useful one day without any clear view of when or why.Personal data are stored by this charity as Data Controller and by the Grant Manager employed by Hertfordshire Independent Living Service, Jubilee Centre, Catherine Street, St Albans, AL3 who act for us as a Data Processor.The Charity will not keep personal data for longer than is necessary. This means that:
- a beneficiary’s full file will be completely destroyed by the Data Controller and Data processor after three years from a grant being issued.
- a beneficiary’s summary file of accounting data will be held by the data controller and be completely destroyed after eight years from a grant being issued.
- records of complaints/investigations will be destroyed after three years.
- application forms for unsuccessful applicants will be destroyed three years after the date of
- Trustees will destroy and delete all charity documents held within their own records twelve
months after receipt, including all computer data and paper copies
- Trustees’ personal files will be destroyed three years after ceasing to be a trustee
- Staff personal files will be destroyed three years after employment ceases.
- Tenancy agreements, communications will be destroyed three years after tenancy ceases
- Tenancy payment details will be destroyed eight years after tenancy ceases
In order to satisfy the needs of the accounts retention when the verbose details are stored for only three years it was agreed the following process would be adopted:
- Every grant approval to be identified with client code number
- Confirmation by Trustees that the grant recipient meets the Trust’s requirements of:
- Genuine need
- Financial need
- Honouring Individuals’ rights. The charity will reply to queries and complaints from individuals about how the charity uses their personal data within 30 days.Individuals are entitled by law (by making a request) to be supplied with a copy of any personal data held about them (including both electronic and paper records). Individuals are also entitled to know the logic involved in decisions made about them.An individual also has the right to seek erasure of their data and to request portability of their data i.e. that the charity provides their data to them in a structured, commonly used and machine-readable format.Where the charity receives a request from an individual exercising their legal right to control their personal data, the charity will respond promptly. If a valid request concerns a change in that individual’s personal data, such information will be rectified or updated, if appropriate to do so.The Charity will not charge a fee for this unless the request is manifestly unfounded or excessive, in which case we reserve the right to charge a reasonable fee for the administrative costs of complying with the request.We will also charge a reasonable fee if an individual requests further copies of their data following a request and will base this fee on the administrative costs of providing further copies.
- Taking appropriate security measures. Personal data will be kept secure. Technical, organisational, physical and administrative security measures (both computer system and non- computer system related steps) are necessary to prevent the unauthorised or unlawful processing or disclosure of personal data, and the accidental loss, destruction of, or damage to personal data.The charity will monitor the level of security applied to personal data and take into account current standards and practices. As a minimum the charity will ensure that:- Personal files for beneficiaries, trustees, and employees are kept in a locked cabinet or secure computer systems all times with access only by authorised staff.
- Data files for tenants are kept in a locked cabinet or secure computer systems all times with access only by authorised staff.
- Applications for grants are kept in a locked cabinet or secure computer systems at all times with access only by authorised staff.
- Electronic files containing personal data are password protected and passwords will be changed on a regular basis.
- Backed up electronic data is held securely in a separate room disconnected from any computer (If taken off-site it will be encrypted, password protected and will only be accessed by named staff).
- If any personal data is taken from the registered office (e.g. to a Trustee’s home) the personal data will be held securely at all times whilst in transit and at the location where held.
Any suspicion of any data security breach should be reported immediately to The Chair of Trustees. When the charity becomes aware of a breach, protective measures will be taken to effectively mitigate the consequences of the breach.
- Disclosure to Third parties. At times, the charity may disclose personal data to vendors, contractors, service providers and other selected third parties.Prior to disclosing personal data to these parties, the charity will take reasonable steps to ensure that: (i) the disclosure of personal data is appropriate; (ii) the recipient of such information is identified; and (iii) where appropriate or required by law, the third party is contractually committed to complying with this Policy and/ or the charity’s instructions concerning the use of personal data as well as implementing appropriate security measures to protect personal data, limiting further use of personal data, and complying with applicable laws.In certain circumstances, the charity may be required to disclose personal data to third parties when required by law, when necessary to protect the charity’s legal rights, or in an emergency situation where the health or security of an individual is endangered. Prior to such disclosures, the charity will take steps to confirm that the personal data is disclosed only to authorised parties and that the disclosure is in accordance with this Policy and applicable law.
- Safeguarding the use of special categories of data. Special categories of data are information revealing an individual’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, processing of genetic data or biometric data (for the purpose of uniquely identifying an individual), health and sex life or sexual orientation. Since this information is more intrusive, the charity will only use it where absolutely necessary and only with the explicit consent of the individual affected. The charity will only hold and make available special categories of data on an individual without their explicit consent if the charity has another lawful basis under applicable law. This may be the case, for example, where the charity holds information about an individual’s health where this is necessary to exercise any obligation conferred by law on us in connection with the charity. For beneficiaries the charity may also collect and use their special category data where:
- Our use of their personal data is to provide support for a particular disability or medical condition
- Our use of their personal data is necessary for providing confidential counselling, advice or support
- Our use of their personal data is necessary for protecting an individual from negligence or physical, mental or emotional harm
- Our use of their personal data is necessary for the purpose of protecting the economic well-being of an individual at economic risk and is of health data
The charity will always assess whether special categories of data are essential for the proposed use and will only collect special categories of data when it is absolutely necessary in the context of the organisation. Application (or other) forms used to collect special categories of data will include suitable and explicit wording expressing the individual’s consent when the charity is collecting explicit consent.
Consent must be demonstrable. Therefore, if it is collected verbally it will be recorded in such a form as to prove that the requisite information was provided to the individual and their response was able to be verified.Where consent is not relied upon, the charity will take steps to ensure that there is another lawful basis under applicable law for the collection and use of such information. In certain circumstances, the charity may be required to consult with the Information Commissioner’s Office about the proposed use of such special categories of data.
- Collecting Children’s Data. It is unlikely that the charity would collect any data pertaining to children but if it became strictly necessary, for example where the charity needs to record ages of children or grandchildren, the Charity will only collect a minimum amount of data about children as is necessary for the purpose. Trustees are aware that children’s data is considered more sensitive and will be protected accordingly.
Data Storage and processing
The St Albans old People’s Trust Charity recognises that data is held about:
This information is always stored securely and access is restricted to those who have a legitimate need to know. We are committed to ensuring that all those about whom we store data understand how and why we keep that data and who may have access to it. We do not transfer data to third parties without the express consent of the individual concerned.
Archived records are stored securely and the charity has clear guidelines for the retention of information as set out in Point 5 above.
Rights of individuals
All individuals who come into contact with St Albans old People’s Trust Charity have the following rights under the DPA:
- a right of access to a copy of their personal data
- a right to object to processing that is likely to cause or is causing damage or distress
- a right to prevent processing for direct marketing
- a right to object to decisions being taken by automated means
- a right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed and
- a right to claim compensation for damages caused by a breach of the DPA.
The trustees recognise their overall responsibility for ensuring that the charity complies with its legal obligations. The Chair of Trustees is responsible as follows:
Roles and Responsibilities:
- Briefing trustees on Data Protection responsibilities
- Reviewing Data Protection and related policies
- Advising other staff on Data Protection issues
- Ensuring that Data Protection induction and training takes place
- Notification (where appropriate)
- Handling subject access requests.
All trustees, are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their roles.
Significant breaches of these policies will be referred to the Trustees for further action.
Key risks to the safety of data control and process:
The trustees have identified the following potential key risks:
- Breach of confidentiality (information being given out inappropriately)
- Individuals being insufficiently informed about the use of their data
- Misuse of personal information
- Failure to up-date records promptly
- Poor IT security and
- Direct or indirect, inadvertent or deliberate unauthorised access.
The trustees will regularly review the charity’s procedures, ensuring that its records remain accurate and
consistent and in particular:
- IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
- Data on any individual will be held in as few places as necessary and trustees and staff will be discouraged from establishing unnecessary additional data sets
- Effective procedures will be in place so that relevant systems are updated when information about an individual changes.
If a breach of data security is suspected or occurs the trustees/Data Protection Officer should be notified immediately.
Subject Access Requests
Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request, (‘SAR’) to the secretary. The request must be made in writing and the individual must satisfy the secretary of their identity before receiving access to any information.
A SAR must be answered within 30 calendar days of receipt by the charity.
Collecting and using personal data
St Albans old People’s Trust Charity typically collects and uses personal data in connection with the provision of (objects of the charity). The charity collects personal data mainly in the following ways:
- by asking applicants for complete paper forms
- by asking applicants to give information verbally.
- By collecting information from other agencies (i.e. Department of Social Services)
St Albans old People’s Trust Charity will:
- not use any of the personal data it collects in ways that have unjustified adverse effects on the individuals concerned
- be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
- handle people’s personal data only in ways they would reasonably expect
- not do anything unlawful with the data.
Full information about the Data Protection Act, its principles and definitions can be found at www.ico.org.uk
This Policy has been approved for issue by the board of trustees of St Albans old People’s Trust Charity