Privacy policy
Data Protection Policy and Procedures
Jan 2024
Aims of This Policy
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures.
The CCAN recognises the importance of the correct and lawful treatment of personal data; it maintains confidence in the organisation and provides for successful operations. In order to ensure effective delivery of services, CCAN is required to maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations.
The type of personal data that CCAN may require includes information about:
- current, past and prospective employees;
- trustees / Directors;
- The CCAN consultants;
- suppliers;
- partner organisations;
- Users who participate in activities and / or events.
This personal data, whether it is held on paper, computer or other media, will be subject to the appropriate legal safeguards as specified in the Data Protection Act 2018.
Principles
The CCAN fully endorses and adheres to the eight principles of the Data Protection Act. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Employees and any others who obtain, handle, process, transport and store personal data for CCAN must adhere to these principles.
The principles require that all personal data shall:
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
- Be adequate, relevant and not excessive for those purposes;
- Be accurate, where necessary for that purpose;
- Not be kept for longer than is necessary for that purpose;
- Be processed in accordance with the data subject’s rights;
- Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;
- Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.
Satisfaction of principles
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.:
- Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
- Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
- Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
- Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
- Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Types of Information
CCAN might process the following personal information:
- Information on applicants for posts, including references;
- Employee information – contact details, bank account number, payroll information, sickness records, line management and appraisal notes;
- Volunteers – contact details and volunteer supervision and records;
- Users – contact details and case notes;
- DBS Applicants – applications and disclosures.
Personal information is kept in the following forms:
- Paper-based filing systems
- Electronic filing systems (internal)
- Web-based electronic filing systems
Groups of people within the organisation who will process personal information are:
- Directors – All types of information
- Partners – All types of information relevant to the partnership
- Volunteers – Users’ information relevant to the activity / event being undertaken
Notification
The purposes for which we process personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires.
If there are any interim changes, these will be notified to the Information Commissioner within 28 days.
The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Deana Bamford.
Responsibilities
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not-for-profit organisation rests with the governing body. This is the CCAN Directors.
The governing body delegates tasks to the Data Controller. The Data Controller is responsible for:
- understanding and communicating obligations under the Act;
- identifying potential problem areas or risks;
- producing clear and effective procedures;
- notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes;
- reporting back to the governing body.
All employed staff and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings.
The Directors are accountable for compliance with this policy. A Director could be personally liable for any penalty arising from a breach that they have made.
Any unauthorised disclosure made by a volunteer may result in the termination of the volunteering agreement.
Policy Implementation
To meet our responsibilities staff and volunteers will:
- Ensure any personal data is collected in a fair and lawful way;
- Explain why it is needed at the start;
- Ensure that only the minimum amount of information needed is collected and used for the purpose for which it was collected;
- Ensure the information used is up to date and accurate;
- Review the length of time information is held;
- Ensure it is kept safely;
- Ensure the rights people have in relation to their personal data can be exercised.
Training
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
On induction: All new staff and volunteers will have an assessment of their understanding of Data Protection during the induction process.
Staff and Volunteers will be asked to sign a declaration confirming they understand and will adhere to the policy.
Staff processing DBS applications will have additional training on the safe and secure handling of disclosure information.
General training / awareness raising: Information will be placed around the building to remind staff of the principles of data protection. This will be in the form of simple do’s and don’ts. Staff will be reminded of their responsibilities at team meetings and in line management.
We will ensure that:
- Everyone managing and handling personal information is trained to do so;
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
- Any disclosure of personal data will be in line with our procedures;
- Queries about handling personal information will be dealt with swiftly and politely.
Gathering and checking information
Before personal information is collected, we will consider:
- What details are necessary for the purpose;
- How long CCAN is likely to need this information.
We will inform people whose information is gathered about the following:
- why the information is being gathered;
- what the information will be used for;
- who will have access to their information (including third parties).
We will take the following measures to ensure that the personal information kept is accurate: an annual data cleanse, and requests for updated information.
Sensitive personal information will not be used for any purpose other than the exact purpose for which permission was given.
Data Security
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
- Personal data will be kept in locked cupboards with access restricted to those people who have authority to access the data;
- Password protection on personal information files;
- Restricted access to computer files;
- Personal data cannot be taken off site;
- Data, including personal data, is backed up daily and the backup kept off site;
- Password-protected attachments for sensitive personal information sent by email.
Subject Access Requests
Anyone whose personal information we process has the right to know:
- What information we hold and process on them;
- How to gain access to this information;
- How to keep it up to date;
- What we are doing to comply with the Act.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to The Data Controller, CCAN, CAN HQ, Memorial Square, Coalville, LE67 3TU.
We make a charge of £10 on each occasion access is requested.
The following information will be required before access is granted:
- Full name and contact details of the person making the request;
- Relationship with the organisation (former / current member of staff, trustee or other volunteer, member, service user);
- Any other relevant information that will help expedite the fulfilment of the request.
We will also require proof of identity before access is granted. The following forms of ID will be required:
- Photo ID;
- Proof of address.
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within the 40 days required by the Act from receiving the written request and relevant fee.
Review
This policy will be reviewed at intervals of 1 year, or earlier in the event of any significant changes to the laws relating to Data Protection or the organisation to ensure it remains up to date and compliant with the law.