Data Protection Policy

25 May 2018

Introduction

Clarity in Communication (CiC) is fully committed to compliance with the requirements of the Data Protection Act 2018.

We will follow procedures which aim to ensure that our Director and consultants, who have access to any personal data, are fully aware of and abide by their duties and responsibilities under the Act.

Statement of Policy

It is an absolute requirement of our service, enabling us to do our job, that when supporting a Person Accessing our Service (PAS), we are provided upfront with personal and sensitive data from external bodies (e.g. Police / Courts) who request an Appropriate Adult. This data enables us to assess whether the service request meets national deployment criteria. We cannot reasonably be expected to fully support a vulnerable person in the Justice system if we do not have this data.

It is not an absolute requirement that we retain this data. All data collected for service delivery purposes will be anonymised or destroyed by cross-shredding following service delivery, and what remains will be used only for the development of service delivery, both locally and nationally, as required by our contract in Ayrshire and by national body data collection requirements. It will never be used for marketing purposes or sold to any other organisation. When delivering the service, we will ensure the person accessing the service (PAS) is informed of this, in these terms, and is given a leaflet (currently under development) advising what anonymised data we are collating, its purpose and its anonymity.

Data, for the purposes of this policy, is information that is:

  • Gathered/recorded to enable us to do our job

  • Recorded as part of an anonymised filing system for official statistical purposes

To operate within contractual requirements and Scottish Government needs regarding the development of the Appropriate Adult Service, this information will be handled correctly: collected, recorded and used according to the principles within the Act, whether held on paper, in computer records or by other means.

The Principles of Data Protection

The Act stipulates that anyone processing the data must comply with eight principles of good practice. These are legally enforceable and are summarised below:

First Principle: Personal data must be processed fairly and lawfully.

There are two main conditions for meeting this principle – either that the data subject gives consent for the data to be processed or where the processing is necessary to fulfil legal or contractual obligations. For data to be processed fairly and lawfully, the data subject should be aware of who the data controller is and why the data is being processed.

Second Principle: Personal data must only be obtained for one or more specified purpose(s) and must only be processed in a way that is consistent with the specified purpose.

Data should only be collected by data controllers where there is a specific reason for doing so. The data subject must be advised of the purpose(s) for which the data is collected, and the data must not then be used for another, unrelated purpose. People have choice and control over consent to the retention and use of their data.

Third Principle: Personal data must be adequate, relevant and not excessive for the purpose for which it is processed.

Only data that is needed to fulfil the purpose for which it is collected should be requested from the data subject. Data must not be collected simply because it might be useful in the future.

Fourth Principle: Personal data must be accurate and, where necessary, kept up to date.

Data controllers should take reasonable steps to check the accuracy of the information they both receive and hold. They should also ensure that data is kept up to date or, where appropriate, destroyed after a reasonable amount of time has elapsed.

Fifth Principle: Personal data processed for any purpose must not be kept longer than is necessary to fulfil that purpose.

Data controllers should not keep data for any longer than is required to fulfil the purpose for which it was collected, unless there is a legal requirement to do so. Individuals can at any time apply to have their data removed from our records.

Sixth Principle: Personal data must be processed in line with the data subject’s rights.

Data subjects have the right:

  • To access data held about them

  • To prevent processing where it is likely to cause substantial damage or distress to them or anyone else

  • To be informed of the logic of automated decision-making processes to which their personal data has been subjected

  • To refuse to allow a data controller to use their personal data for direct marketing purposes – even if the same data controller fairly and lawfully processes their personal data for another purpose

  • To request that a data controller correct or destroy data which is inaccurate. (They can only ask for data to be destroyed where there is no legal obligation on the data controller to process the data e.g. the Inland Revenue can be asked to correct inaccurate data, but they must continue to process the data to fulfil a legal obligation.)

Seventh Principle: Appropriate security measures must be taken to protect against unauthorised or illegal data processing.

Data controllers are required to ensure that adequate security controls are in place within the workplace to protect personal data. The Office of the Information Commissioner recommends that data controllers should process data within the principles laid down in BS7799 – The British Standard on Information Security. This includes looking at password protection, physical and environmental factors surrounding both electronic and manual data storage, access and display, organisational security, staff training and security policies.

Eighth Principle: Transferring personal data outside the European Economic Area is restricted unless the rights and freedoms of data subjects are protected.

Countries outwith the European Economic Area may not have the same laws protecting the privacy of an individual's data as those within it. Data controllers must take steps to ensure that if data is transferred outwith the European Economic Area it is secure.

Personal and Sensitive Data

The Act provides conditions for the processing of any personal data. It also makes a distinction between personal and sensitive personal data.

Personal data is defined as data relating to a living individual who can be identified by that data, i.e. data which could be used for fraudulent purposes or for impersonation of that person's identity.

Sensitive personal data is defined as personal data consisting of information as to:

  • Racial or ethnic origin

  • Political opinion

  • Religious or other beliefs

  • Trade Union membership

  • Physical or Mental Health condition

  • Sexual orientation

  • Criminal proceedings or convictions

Although not stated in the Act, the Information Commissioner's Office will treat a 'financial information' breach under the same criteria as sensitive personal data.

Handling of Personal or Sensitive Data

We will, through appropriate governance and the use of appropriate procedures and controls:

  • Observe conditions regarding the fair collection and use of personal information

  • Meet our legal obligations to specify the purpose for which information is used

  • Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements

  • Ensure the quality of information used

  • Apply strict checks to determine the length of time information is held

  • Take appropriate technical and organisational security measures to safeguard personal information

  • Ensure that personal information is not transferred abroad without suitable safeguards

  • Ensure that the rights of people about whom the information is held can be fully exercised under the Act.

These include:

  • The right to be informed that processing is being undertaken;

  • The right of access to one’s personal information within the statutory 40 calendar days;

  • The right to prevent processing in certain circumstances;

  • The right to correct, rectify, block or erase information regarded as incorrect.

Consequently, Clarity will ensure:

  • The Director is the Data Controller for the organisation and is registered as such with the Information Commissioner's Office

  • For the purpose of the Ayrshire contract the Director is the Data Processor

  • Everyone managing and handling personal information understands that they are legally responsible for following good data protection practice

  • Everyone managing and handling personal information is appropriately trained to do so

  • PAS seeking to make enquiries about the handling of personal information will be provided with a leaflet (under development), which will also give a contact number and explain how we support them

  • Queries about handling personal information are promptly and courteously dealt with

  • Methods of handling personal information are assessed and evaluated

  • Performance in handling personal information is reviewed

  • Data sharing is carried out under an agreement, setting out the scope and limits of the sharing. This will be with East/South and North Ayrshire; Scottish Appropriate Adult Network and Scottish Government, as necessary.

All Appropriate Adults and the Manager will be fully aware of this policy and of their duties and responsibilities under the Act. This will ensure that measures are in place to keep personal data secure against unauthorised or unlawful loss or disclosure. In particular, we will ensure that:

  • Paper files and other records or documents containing anonymised personal/sensitive data are kept in a secure environment;

  • Personal data held on computers and computer systems is protected by the use of secure passwords, which are changed regularly;

  • Individual passwords are such that they are not easily compromised, nor shared.

Implementation and Risk Assessment

Clarity in Communication is responsible for data protection, and as such for ensuring that this Policy is implemented. Implementation will be led and monitored by the Director and Manager. They will ensure all Appropriate Adults are kept aware of and operate in compliance with the policy via:

  • The provision of data protection training

  • The development of best practice guidelines

  • Undertaking compliance checks to ensure adherence to the Data Protection Act

  • Monthly team meetings, with any data-related issues raised as part of the agenda

Practical Application

Following the development of several drafts of a risk assessment of our service delivery, circulated to, contributed to and read by our team, we will apply the following operational service delivery processes to comply with the Act:

  1. Referral agencies (i.e. Police/Court) will be advised to provide Police Officer contact details only and a verbal brief of the circumstances of the call, with PAS initials only being forwarded to the Appropriate Adult (AA). For Court requests, all that will be required for an AA to attend will be the PAS initials and the Sheriff Clerk's contact name, so that the AA can attend and be connected to the individual.

  2. Call allocators will initially record only limited personal data, which will be destroyed immediately once the call is allocated. Anonymised data will be kept only for statistical purposes and will not identify individuals. AAs will not need to write down any personal or sensitive data to attend a call.

  3. The system for collating initial information will cease to record any identifying detail other than what the AA needs to attend at the Police Station/Court, as above. Electronic information transfer will be kept to a minimum and will not include any personal data.

  4. The system change will ensure that the AA does not hold any personal data of the PAS. The AA will receive a verbal briefing from the call allocator only, plus Police contact or Sheriff Clerk details and PAS initials only. All AAs will be advised not to note, communicate (before or after the deployment) or retain any personal data. A new AA deployment/record of call form has been created. No data of a personal or sensitive nature, nor indeed anonymised data which, when combined, may lead to identification of the PAS, is to be communicated by any electronic means; it is to be discussed by telephone if required, or at the monthly meeting.

  5. As a Community Interest Company, we are required to provide statistical information to the 3 Ayrshire Local Authorities, SAAN and, on occasion, the Scottish Government. We will continue to provide such information, but anonymised, with no personal or identifying data kept.

  6. Clarity is developing a leaflet (work in progress) to advise PAS that anonymised statistical information may be held but will be de-personalised/anonymised and securely stored. Any such anonymised data is to be stored in a locked cabinet at our office, and securely stored by the Manager in the interim if he/she is not attending the office daily.

  7. Until the leaflet is developed, at every call from 25 May 2018, on meeting with the PAS our AAs will inform him/her that: “I have been provided with personal and sensitive data relating to you in order that I can provide you with the best possible support. I have not retained or written down this information passed to me and our company will immediately anonymise/destroy this data, which will only be used to help develop a National Service which provides other vulnerable people within the Justice system with the best possible support in future”. We note that these are formal terms and it may be that the AA, dependent on the person's understanding, may have to explain this further in easier-to-understand terms.

  8. At the request of the Ayr Sheriffs, AAs pass them a note in each case regarding the general communication ability of the PAS who is appearing. This note is de-personalised and marked as to be shredded after use, but either the Sheriff or the Clerk could fail to destroy the note as marked by us, and the information could subsequently reach the public domain. The form is already de-sensitised, but certain combined information on it could be used to identify the PAS. Clarity will further stress to the senior Sheriff Clerk that it is their responsibility in Court to ensure the form is shredded by them after use. Our position is simply and logically that once it has been handed over safely by our AA and appropriately marked, it is their responsibility, not ours, to ensure the form's destruction after use.

  9. Call allocation is carried out 24/7 by the Manager and Coordinators, or anyone performing this role. Clarity has a Manager and 2 Coordinators who receive and allocate calls to AAs 24/7. To perform this role, they are required to receive and assess personal, sensitive data as provided by call requestors. As per our policy of allocating calls detailed above, the Coordinator/Manager will only pass on anonymised data to the AA for them to fulfil their role. Coordinators and the Manager, following allocation of the call, will either immediately shred/destroy the original sensitive call information or, Out of Hours (1900/0700) or at weekends, securely store it until it can be shredded/destroyed or passed to the Manager for that purpose.

  10. Retention of Consultants' financial and personal data: All AAs are self-employed and are subject to a safe recruitment process and Enhanced Disclosure Check. Application forms/mileage expenses/payment details will be scanned and held electronically with password protection, to which only the Director and Manager will have access.

  11. The company's website has been adjusted to meet the new Data Protection Act requirements regarding cookies. Our external web contact is limited.

Notification to the Information Commissioner

The Information Commissioner maintains a public register of data controllers. Clarity in Communication is registered as such.

The Data Protection Act 1998 requires every data controller who is processing personal data to notify and renew their notification on an annual basis. Failure to do so is a criminal offence.

Clarity in Communication's Director will be responsible for notifying and updating the Information Officer of the processing of personal data, as necessary.

Any changes to the register must be notified to the Information Commissioner, within 28 days. The Director will ensure any changes made between reviews will be brought to the attention of the Information Officer immediately.

Stephen Heath

Director/Data Controller for Clarity in Communication

25 May 2018.