DATA PROTECTION POLICY
Introduction
Salusbury World needs to gather and use information about the individuals it advises, supports and works with, as well as the organisations it has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the organisation’s data protection standards – and to comply with the law.
Why this policy exists
The policy ensures Salusbury World:
- Complies with data protection law and follows good practice
- Protects the rights of staff and clients
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 2018 (which replaced the Data Protection Act 1998 and sits alongside the GDPR) describes how organisations – including Salusbury World – must collect, handle and store personal information.
These rules apply regardless of whether the data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
1. Be processed fairly and lawfully
2. Be obtained only for specific, lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Not be held for any longer than necessary
6. Be processed in accordance with the rights of data subjects
7. Be protected in appropriate ways
8. Not be transferred outside the European Economic Area, unless that country or territory also ensures an adequate level of protection.
Charity no. 1071065 Patrons: Juliet Stevenson and Ben Bailey Smith
Policy scope
This policy applies to all staff and volunteers at Salusbury World. It applies to all data that the organisation holds relating to identifiable individuals, even if that information technically falls outside the scope of the Data Protection Act.
Everyone who works for or with Salusbury World has some responsibility for ensuring data is collected, stored and handled appropriately and in line with the data protection principles.
Data protection risks
This policy helps to protect Salusbury World from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the organisation uses data relating to them.
- Reputational damage. For instance, the organisation could suffer if hackers successfully gained access to sensitive data.
General staff guidelines
- Only those who need the data for their work should be able to access it.
- Data should not be shared informally.
- Staff and volunteers will be made aware of their responsibilities regarding data when they are being trained.
- All data will be kept securely, if possible in one place.
- Strong passwords should be used.
- Personal data should not be disclosed to unauthorised people.
- Data should be reviewed regularly and updated if it is found to be out of date.
- Staff or volunteers should request help if they are unsure about the correct use of data.
Data Storage
All Salusbury World data is stored in compliance with the GDPR. Salusbury World has in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. All clients must sign a consent form before we store the data that we collect.
Where data is stored on paper, it is kept in a secure place where unauthorised people cannot see it. Hard copies are kept in a locked drawer or filing cabinet and shredded when they are no longer required.
The client consent form outlines the organisation’s commitment to data protection. It ensures clients are made aware that their data will be handled appropriately.
Data will be processed fairly, lawfully and transparently in accordance with the GDPR. It will be:
1. Processed for specified, lawful purposes and in a way which is not incompatible with those purposes;
2. Adequate, relevant and not excessive for the purpose;
3. Accurate and up to date;
4. Not kept for any longer than is necessary for the purpose; these purposes may vary between Salusbury World’s various projects.
Where data is stored electronically, it is protected from unauthorised access, accidental deletion and malicious hacking attempts. Strong passwords are used, data is stored on designated drives and servers, and is only uploaded to an approved cloud computing service. Data is backed up frequently and never saved directly to laptops. Downloads and scans are deleted daily. Computers are protected by security software or a firewall.
Data accuracy
Data will be held in as few places as necessary, and staff should take every opportunity to ensure data is updated, especially if inaccuracies are discovered.
Salusbury World will make it easy for clients to update the information held about them.
Subject access requests
All clients are entitled to ask what information the organisation holds about them, and why. They can ask how to gain access to it, and will be informed about how to keep it up to date.
The process for requesting this data is detailed on the client consent form signed upon registration.
Subject access requests must be made in writing, and the data controller will aim to provide data within 14 days. The data controller will always verify the identity of anyone making a request before handing over information.
Requests for data removal can be made in writing. The data controller will always verify the identity of anyone making a request before removing information.
Data Sharing
Salusbury World may share data with organisations it works closely with, such as schools and external projects, only if those organisations have data protection policies and procedures that are compatible with those of Salusbury World.
Salusbury World may share personal data that it holds about data subjects (without the subject’s consent) with other organisations, including Ofsted, AQS, health authorities and health professionals, where there is a lawful basis for doing so.
Salusbury World will inform data subjects of any sharing of their personal data unless it is not legally required to do so, for example where personal data is shared with the police in the investigation of a criminal offence.
Please see social media policy for storing and sharing of images.
Breach of Data
‘Serious breaches’ are not defined in law. However, the following examples should assist staff in considering whether a breach should be reported. Note that under the GDPR a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it.
Reportable | Non Reportable
A manual paper-based filing system (or unencrypted digital media) holding the personal data relating to 50 named individuals and their financial records | A similar system holding the trade union subscription records of the same number of individuals, where there are no special circumstances surrounding the loss
Method of reporting:
Serious breaches should be reported to the ICO using its DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and give advice about what to do next. To report in writing, use the ICO’s DPA security breach notification form, which should be sent by email to casework@ico.org.uk or by post to the ICO’s office address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. A copy of the form is kept in the Salusbury World Data Protection folder.
Training
All staff will receive training on the GDPR (first delivered in preparation for its application in May 2018). This training will be updated annually to make sure that each employee complies with the law.
Policy ratified by Trustees: Feb 2019
Review date: Feb 2021
Person responsible for the policy: Sarah Reynolds