CONFIDENTIALITY AND DATA PROTECTION POLICY
Introduction
In collecting and using information about trustees, employees, volunteers and service users, Belong upholds the data protection principles which are set out in the UK General Data Protection Regulations 2018 (UK GDPR) and listed in this policy. Belong and all its trustees, staff or representatives who process or use personal information should follow these principles at all times. In order to ensure that this happens, Belong has developed this Confidentiality and Data Protection Policy. This sets out our commitment to protecting personal data and details how Belong implements that commitment with regard to the collection and use of personal or special category data.
In line with our legal responsibilities, Belong is committed to:
- Ensuring that we comply with the UK GDPR’s data protection principles;
- Meeting our legal obligations as laid down by the UK GDPR;
- Ensuring that data is collected and used fairly and lawfully;
- Ensuring that all data held is up to date and accurate;
- Establishing appropriate retention periods for data;
- Ensuring that data subjects’ rights can be appropriately exercised;
- Providing adequate security measures to protect data;
- Ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues;
- Ensuring that all staff are made aware of good practice in data protection;
- Ensuring that everyone handling data knows where to find further guidance;
- Ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly; and
- Regularly reviewing data protection procedures and guidelines within the organisation.
Data protection principles
Belong complies fully with the data protection principles set out in the UK GDPR. These require that data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Our legal basis for keeping and processing information about trustees, staff and volunteers
We keep and process personal information about trustees, staff members and volunteers, in line with Article 6 of the UK GDPR, in order to fulfil legal obligations, including those pertaining to employment and health and safety. We keep and process special category information about trustees, staff members and volunteers, in line with Article 9 of the UK GDPR, in the course of our legitimate activities in connection with our charitable purposes.
We do not keep any comprehensive registers of criminal convictions. We keep and process data regarding criminal convictions and offences in accordance with Article 10 of the UK GDPR, only under the control of official authority such as that held by Her Majesty’s Prison and Probation Service, or when this processing is authorised by UK legislation, for example:
- The Crime and Disorder Act 1998 (as amended by the Police and Justice Act 2006 and the Policing and Crime Act 2009)
- The Rehabilitation of Offenders Act 2014
- The Domestic Violence, Crime and Victims Act 2004
We put appropriate safeguards in place to ensure that personal, special category and criminal convictions data are not disclosed to third parties without the consent of staff or volunteers, unless we have a duty to disclose this information as outlined later in this policy.
Summary of information we keep and process about trustees, staff and volunteers
The personal, special category and criminal convictions information we keep and process about trustees, staff and volunteers includes:
- Full name, date of birth, address, NI number, tax codes, contact details.
- Security clearance and enhanced DBS check records.
- Right to work information where applicable.
- Contractual details including attendance at work, absences, and reasons for absences.
- Emergency contact details.
- Details about health needs at work including allergies, ongoing medical conditions, required reasonable adjustments, medication and vaccination information.
- Details of any previous criminal convictions and the surrounding circumstances.
- Records of accidents or incidents involving trustees, staff or volunteers which occur whilst at work.
- Records of performance and, where applicable, disciplinary information, for example line management meeting minutes, restorative justice competency review minutes, appraisal meeting minutes, induction process records and performance improvement plans.
Our legal basis for keeping and processing information about service users
We keep and process personal information about service users, in line with Article 6 of the UK GDPR, in order to perform our charitable objectives that are carried out in the public interest with a clear basis in law. This is called the “public task” lawful basis for processing data. We keep and process special category information about service users, in line with Article 9 of the UK GDPR, in the course of our legitimate activities in connection with our charitable purposes. This is called the “not for profit bodies” reason for processing data.
We do not keep any comprehensive registers of criminal convictions. We process and keep data regarding criminal convictions and offences in accordance with Article 10 of the UK GDPR, only under the control of official authority such as that held by Her Majesty’s Prison and Probation Service, or when this processing is authorised by UK law, for example:
- The Crime and Disorder Act 1998 (as amended by the Police and Justice Act 2006 and the Policing and Crime Act 2009)
- The Rehabilitation of Offenders Act 2014
- The Domestic Violence, Crime and Victims Act 2004
We put appropriate safeguards in place to ensure that personal, special category and criminal convictions data are not disclosed to third parties without the consent of trustees, staff or volunteers, unless we have a duty to disclose this information as outlined later in this policy.
Our charitable objectives, which are carried out in the public interest and have a clear basis in law, are:
- To promote for the benefit of the public in the UK and its communities, with a view to the preservation of public order, the provision of services for mediation and conciliation between people, organisations and groups who are involved in disputes or conflicts where that dispute or conflict results from or may lead to acts of anti-social behaviour, crime, vandalism, racial abuse or breach of the peace.
- To promote for the benefit of the public in the UK, the provision of services for mediation and conciliation between victims of crime and offenders, with a view to the preservation of public order, and for the preservation and protection of the well-being of such victims and the rehabilitation of such offenders.
- The promotion of social inclusion among prisoners, ex-offenders, and their families who are socially excluded from society, or parts of society, as a result of their past or current involvement in the criminal justice system or the involvement of a family member(s) by:
  - providing information to support to enable prisoners, ex-offenders, and their families to identify and access education, employment, training and/or recreational opportunities;
  - providing mentoring support to enable prisoners, ex-offenders, and their families to develop self-confidence, self-awareness, empathy and life skills such as budgeting, communication, conflict resolution, goal setting and reflective thinking;
  - providing psychotherapeutic support to enable prisoners, ex-offenders, and their families to process experiences of trauma, better manage emotional and mental health problems and improve their emotional and mental wellbeing.
Summary of information we keep and process about service users
The personal, special category and criminal convictions information we collect about service users includes:
- Full name, date of birth, ethnicity, address, prison location, contact details
- NOMIS and PNC numbers
- Full details of offending background where applicable, including and not limited to information regarding offence types, conviction dates, sentence dates and lengths, circumstances surrounding offences, victim and witness statements, risk assessments, pre-sentence reports, ASSET reports, psychiatric reports.
- Full details, where applicable, of incidents in which the service user has been a victim of crime or anti-social behaviour, including and not limited to dates of incidents, court hearings, victim and witness statements, psychiatric reports.
- Names and contact details of other agencies working with service user including and not limited to offender managers, offender supervisors, substance misuse workers, mental health practitioners, victim liaison officers, police officers, mentors.
- Details about health needs of service users including and not limited to information about diagnosed or suspected learning disabilities, mental health problems, emotional wellbeing, physical disabilities or health problems, incidents of self-harm, treatment plans, use of medication.
- Details about support needs of service users including and not limited to information about previous/current gang involvement, educational history and circumstances, work history and circumstances, family history and circumstances.
- Full details, where applicable, about service user’s custodial behaviour such as information regarding actual or suspected involvement in violent/anti-social behaviour/disorder incidents, actual or suspected involvement in extremism, adjudication records, IEP records, support plans.
- Monitoring and evaluation data including records of interventions, service user feedback forms, completed CRIME PICS 2 questionnaires, completed CRIAQ questionnaires, completed self-esteem and wellbeing questionnaires, evidence and information regarding reoffending and resettlement post release from custody.
Status of this policy
Belong as an organisation is a data controller under the UK GDPR, and the trustees are therefore ultimately responsible for implementation. However, the data protection officer will deal with day-to-day matters. Belong has one data protection officer, who is the director of the organisation.
Any member of the trustee board, staff member, volunteer, service user or other individual who considers that the policy has not been followed should raise the matter with the data protection officer. He/she may also raise the issue with the Information Commissioner’s Office, which is the regulatory body for data protection in the UK.
Belong’s expectations of staff and volunteers
Trustees, staff and volunteers are expected to:
- Check that any information that they provide to Belong in connection with their employment, trusteeship or volunteering is accurate and up to date.
- Inform Belong’s data protection officer of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. Belong cannot be held responsible for any errors unless the trustee, staff member or volunteer has informed Belong of such changes.
- Avoid exchanging personal information or comments (gossip) about individuals with whom they have a professional relationship.
- Avoid discussing a person’s sexuality (i.e. ‘outing’ a gay person) without their prior consent.
- Avoid talking about organisations or individuals in social settings.
If and when, as part of their trusteeship, employment or volunteering, trustees, staff or volunteers collect information about other people (e.g. about a service user’s progress, references and referrals to other organisations, or details of personal circumstances), they must comply with the principles and guidelines set out in this policy.
Data security
All trustees, staff and volunteers are expected to ensure that:
- Any personal, special category or criminal convictions data that they collect is kept securely
- Personal, special category or criminal convictions data is not disclosed either orally or in writing or via web pages or by any other means, accidentally or otherwise, to any unauthorised third party
- Personal, special category or criminal convictions information regarding service users is not shared with Belong or authorised third parties via email, except via a secure server e.g. CJSM.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct.
Personal, special category and criminal convictions information should only be kept by trustees, staff or volunteers in computerised format. If it is kept in hard copy format, there must be a clear reason for this and this must be authorised by the data protection officer. Any personal or special category information kept in hard copy format must also be stored securely in a locked drawer or cupboard.
Trustees, staff or volunteers may, where necessary, keep personal, special category and criminal convictions information in computerised format. If it is computerised, it must be coded, encrypted or password protected on a local hard drive and where possible, on a network drive that is regularly backed up. If a copy is kept on a diskette or other removable storage media, that media must itself be coded, encrypted or password protected and kept safely in a filing cabinet, drawer, or safe.
Rights to be informed
Trustees, staff, volunteers and service users have a right to know what types of information we collect about them and why. Belong provides all service users, trustees, staff and volunteers with a statement regarding the personal, special category and criminal convictions data held about them. This outlines all the types of data Belong holds and processes about them, the reasons for which they are processed and the lawful basis according to which the information is held.
In addition this outlines how long we will keep this information, who the information will be shared with and the rights of trustees, staff, volunteers and service users in relation to the information being held.
This is provided at the time we collect information from individuals or, where we obtain data from other sources, as soon as possible and within one month of collecting the data.
Rights to access
All trustees, staff, volunteers and service users have a right under the UK GDPR to access certain personal data being kept about them either on computer or in certain files. Any person who wishes to exercise this right should make a request in writing and submit it to the Data Protection Officer (see above). Belong aims to comply with requests for access to personal information or rectification of data as quickly as possible, but will ensure that it is provided within one month, as required by the UK GDPR.
A copy of the information will be provided free of charge. However, we may charge a reasonable fee, based on the administrative costs of providing the information, when a request is manifestly unfounded or excessive or if it is a request for further copies of the same information.
Where requests are manifestly unfounded or excessive, we may refuse to respond to the request. Where we refuse to respond to a request, without undue delay and within one month, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
Belong has a legal responsibility under the Official Secrets Act 1989 not to disclose official information about security and intelligence and official information that might lead to the commission of crime. Any information of this nature relating to trustees, staff, volunteers or service users that is kept or processed by Belong will therefore not be accessible to data subjects who request access to it.
Rights to rectification
Trustees, staff, volunteers and service users have a right to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification of information can be made verbally or in writing. Belong will in most cases respond to such a request within one calendar month. We may extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual. If we do this we will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary. We will only refuse a request for rectification in certain situations, outlined below.
When we receive a request for rectification we will take reasonable steps to satisfy ourselves that the data is accurate and to rectify the data if necessary. We will take into account the arguments and evidence provided by the data subject. In deciding what steps are reasonable we will consider the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort we will put into checking its accuracy and, if necessary, taking steps to rectify it. For example, we will make a greater effort to rectify inaccurate personal data if it is used to make significant decisions that will affect an individual or others, rather than trivial ones. In deciding what steps are reasonable we may also take into account any steps we have already taken to verify the accuracy of the data prior to the challenge by the staff member, volunteer or service user. We will restrict the processing of the personal data in question whilst we are verifying its accuracy. Personal data will be deemed to be inaccurate if it is incorrect or misleading as to any matter of fact.
If we are satisfied that the personal data is accurate, we will contact the trustee, staff member, volunteer or service user and tell them that we will not be amending the data. We will explain our decision, and inform them of their right to make a complaint to the Information Commissioner’s Office or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy. We will also place a note on our system indicating that the individual challenges the accuracy of the data and their reasons for doing so.
We may refuse to comply with a request for rectification or request a reasonable fee to deal with the request, if the request is manifestly unfounded or excessive. If we do this we will justify our decision and base reasonable fees on the administrative costs of complying with the request. We will inform the individual without undue delay and within one month of receipt of the request about the reasons we are not taking action; their right to make a complaint to the Information Commissioner’s Office or another supervisory authority; and their ability to seek to enforce this right through a judicial remedy.
Rights to object
Trustees, staff, volunteers and service users may object to their data being kept and processed by Belong. If an individual objects, we will stop processing the data unless:
- We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- We need to process the data for the establishment, exercise or defence of legal claims.
Duty to disclose information
Belong has a legal duty to disclose some information including:
- Any information suggesting that a service user is at risk of harming themselves or others; information about this must be shared with the relevant agency, for example the prison service, the police service and/or the local safeguarding authority. Please see our Safeguarding Policy and Procedure for more information.
- All issues relating to concerns about a child or young person having been abused, being abused or being at risk of being abused; information about this must be shared with the local authority’s Children’s Services, the police service and/or another relevant agency. Please see our Safeguarding Policy and Procedure for more information.
- Allegations that a trustee, volunteer or staff member of Belong is not suitable to work with children or young people or vulnerable adults, or that a trustee, volunteer or staff member has behaved harmfully towards a service user; information about this must be shared with the local authority’s Children’s Services, the police service and sometimes with other agencies. Please see our Safeguarding Policy and Procedure for more information.
- Information pertaining to suspected, alleged or actual drug trafficking, money laundering, serious criminal offences, acts of terrorism or treason will be disclosed to the police.
- Trustees, volunteers, staff members or service users of Belong who believe that an illegal act has taken place within the organisation must report this to the Director or Trustees of Belong who will report it to the appropriate authorities.
Publication of information
The names of senior staff members and trustees of Belong or any other personal data relating to senior employees or trustees will be published in the annual report and on Belong’s website when any statute or law requires such data to be made public.
Retention of data
Belong has a duty to retain some trustee, staff and volunteer personal data for a period of time following their departure from Belong, mainly for legal reasons, but also for other purposes such as being able to provide references, or for financial reasons, for example relating to pensions and taxation. Different categories of data will be retained for different periods of time as appropriate. In accordance with the UK GDPR, Belong does not store personal data indefinitely; data is only stored for as long as is necessary to complete the task for which it was originally collected.
Conclusion
Compliance with the UK GDPR is the responsibility of all members of Belong. Any deliberate breach of the Confidentiality and Data Protection Policy may lead to disciplinary action being taken, or to access to Belong’s services being withdrawn, or in severe cases to a criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy should be taken up in writing with the Data Protection Officer, our CEO Esther Wanjie-Nyeko.