GDPR Policy

GENERAL DATA PROTECTION

While at work you may encounter or use confidential information about employees, clients and contractors, for example their names and home addresses. The General Data Protection Regulations contains principles affecting employees’ and clients’ personal records. This replaces the Data Protection Act 1998. Information protected by the Regulations includes not only personal data held on computer but also certain manual records containing personal and client data, with their personnel files that form part of a structured filling system. The purpose of these rules is to ensure that you do not breach the Regulations. If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from the Organisation Data Protection Advisor.

You should be aware that, under the Regulations, you are personally accountable for your actions and can be held criminally liable if you knowingly, or recklessly, breach it. Any serious breach of data protection legislation will also be regarded as misconduct and may be dealt with under the Organisation’s disciplinary procedures. If you access another employee’s or client’s personal records without authority, this constitutes a gross misconduct offence and could lead to your summary dismissal.

Training
All employees are to be trained in the principles staff responsibilities regarding the Regulations. This is to include, but not exclusive to:

What is data?

How to handle it

The circumstances where a data breach may occur

All staff must know the legal grounds for processing data

How to prevent data breaches occurring

Identifying a breach

Reporting a breach

The data protection principles
There are eight data protection principles that are central to the Regulations. The Organisation and all its employees must comply with these principles always in its information-handling practices. In brief, the principles say that personal data must be:

1. Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the employee or client has given consent to the processing, or the processing is necessary for the various purpose set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee or client and the consists of information relating to:

  • Race or ethnic origin
  • Political opinions and trade union membership
  • Religious or other briefs
  • Physical or mental health or condition
  • Sexual life
  • Criminal offences both committed and alleged.

2. Obtained only for one or more specified and lawful purpose, and not processed in manner incompatible with those purpose.

3. Adequate, Relevant and not excessive. The Organisation will review personnel/client files on an annual basis to ensure they do not contain a backlog of out-date information and to check there is a sound business reason requiring information to continue to be held.

4. Accurate and kept up-to-date. If your personal information changes, for example you change address, you must inform your line manager as soon as practicable so that the Organisation’s records can be updated. The organisation cannot be held responsible for any errors unless you have notified the Organisation of the relevant change.

5. Data is not kept for longer than is necessary. The organisation will keep personnel files for no longer than six years after termination of the employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data which the Organisation decides it does not need to hold for a period of time will be destroyed after one year. Data relating to unsuccessful job applicants will only be retained for a period of one year. The staff time limit is a requirement for the organisation to be able to defend itself from allegations that may result in a Tribunal.

6. The organisation will keep client data for a period normally not exceeding five years, apart from clients that have been through the care system and clients that have or had Safeguarding issues, where there is a legal requirement to keep the data indefinitely. This data is processed in accordance with the rights of employees and clients under the Regulations.

7. Personal data is defined as:

Any information relating to a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that person.

8. Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personnel files are confidential and are stored in locked filling cabinets. Only authorised employees have access to these files. Files will not be removed from their normal place of storage without good reason. Personal and client data stored on discs, memory sticks, portable hard drives or other removable storage media will be kept in locked filling cabinets or locked drawers when not in use by authorised employees. Data held on computer will be stored confidentially by means of password protection, encryption or coding, and again only authorised employees have access to the data. The Organisation has network backup procedures to ensure that data on computer cannot be accidently lost or destroyed.

9. Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data.

Systems required
Systems will be required for:
Storing/processing the data
Recording the reason(s) for processing the data (including any existing data received)
Informing employees of required information on collection (i.e. on receipt of application forms, employee forms, leave forms etc)
Informing clients of required information on collection (i.e. on receipt of client information and support forms, lease forms etc)
Recording who accesses it
Recording how long the data is intended to be held

Accountability and Data Governance
There is to be a Data Protection Audit completed at least once a year.
The Data Protection Policy is to be reviewed at least every 2 years

Data Protection training
All new staff are to be trained on initial recruitment and existing staff receive refresher training every 2 years.
The Data Controller has been appointed by Leeds City Council.

Communication
Privacy notices are:
Concise, transparent, intelligible and easily accessible
Identify and contact details
Purpose of processing
Legal basis of processing
Who the data is shared with
Transfers outside of EU (there are none from TLA) and how the data is protected.
Retention period or criteria used
Inform clients and staff of all their legal rights
Right to complain

Legal grounds for processing Data
Listed below are some of the more common reasons the organisation can demonstrate legal grounds for processing data. Most lawful bases require that processing is `necessary`. If the purpose can reasonably be achieved without processing, the basis will not be lawful. The lawful basis should be determined and documented.
Consent of data subject (client or staff)
Necessary for purposes of legitimate interests
Necessary for performance of contract with data subject
Necessary for the compliance with legal obligation
Necessary to protect the vital interest of data subject who cannot consent
Necessary for the performance of task carried out in the public interest or in exercise of official authority
These grounds should be explained in a Privacy Notice or replying to a Subject Access Request

Consent
The purpose is to put clients and staff in control of their data.

Consent means;
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to personal data relating to them is processed. It should be: freely given, specific, fully informed and unambiguous with a positive indication. Consent must not be bundled with Terms and Conditions and it needs to be able to be withdrawn at any time and in an easy way. “Take it or leave it” consent is not deemed to be freely given. A clear indication must be given about what individuals are consenting to and their right to amend/seek erasure or withdraw. Silence must not be inferred as consent.

Staff and client consent to personal information being held
The Organisation holds personal data about Staff. By signing a written and unambiguous dated consent form, (attached at Appendix A), staff consent to the data being processed by the Organisation for any purpose related to continuing employment or its termination including, but not limited to, payroll, human resources and business continuity planning purpose. Agreement to the Organisation processing personal data is a condition of employment. This includes giving consent to the organisation using staff name, photograph and a brief work experience history in its marketing or promotional material, whether in hard copy print format or online on the Organisation’s website. It also includes supplying the Organisation with any personal data that it may request from time to time as necessary for the performance of the employment contract of employment or the conduct of the Organisation’s business, for example, supplying up-to-date contact telephone number to be held by line managers as part of its business continuity plan.

The Organisation also holds limited sensitive personal data about its clients and, by signing the written dated consent form, (attached at Annex B), clients give explicit consent to the Organisation holding and processing that data with details of the information obtained and sent to the contract monitoring department of the Leeds City Council.

Right to Erasure (Right to be forgotten), to rectify to restrict
Individuals have the right to have personal data erased and to prevent processing in specific circumstances:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
When the individual withdraws consent
When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
The personal data must be erased to comply with a legal obligation
The right to rectify when the data is inaccurate or incomplete
The right to restrict (freeze processing)
The processing is unlawful
The accuracy is contested
When proposed legitimate interest grounds, on objection, are not found to be demonstrable

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
The organisation can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
To exercise the right of freedom of expression and information
To comply with a legal obligation for the performance of a public interest task or exercise of official authority
For public health purposes in the public interest
Archiving purposes in the public interest, scientific research historical research or statistical purposed
The exercise or defence of legal claims

Private and client right to access personal information
Staff and clients have the right, on request, to receive a copy of the personal information that the organisation holds about them, including their personal file, and to demand that any inaccurate data be corrected or removed.

Individuals also have the right on request to:

Be told by the organisation whether and for what purpose personal data about them is being processed.
Be given a description of the data and the recipients to whom it may be disclosed
Their rights
Where it has not been collected from the individual, where it came from
Have communicated in a concise, intelligible and easily accessible form the personal data concerned, and any information available as to the source of the data.
Without undue delay and within one month without a fee (can be extended by two months, if complex)
If the request is found to be `manifestly unfounded or excessive`, a reasonable administration fee can be charged, or the request can be refused
How long the data is to be stored (if possible)
Identity and contact details of the Data Protection Advisor
Details on the recipients of the personal data

Upon request, the organisation will provide individuals with a statement regarding the personal data held about them, it will state all the categories of personal data the organisation holds and processes about them and the reasons for which they are processed. If individuals wish to access a copy of any personal data being held and the reasons for which they are processed, they must make a written request for this and the deadline to meet is one month. To make a request, please complete a Personal Data Subject Access Request Form (attached at Appendix C), that can be obtained from the Data Protection Advisor, Scheme Manager or Supervisor.

Personnel wishing to make a complaint that these rules are not being followed in respect of any personal data the Organisation holds about them, should raise the matter with, initially the Scheme Manager or Supervisor. If this has not resolved the issue the complaint should be referred to the Data Protection Advisor.

If the matter is still not resolved to their satisfaction, it should be raised as a formal grievance under the Organisation grievance procedure or client complaint form, after initial informal discussion with their line manager or Scheme manager/Supervisor.

Staff obligations in relation to personal information
It forms part of staff job duties and responsibilities to collect personal information about employees or other people such as clients or customers. All staff must comply with this policy. This includes ensuring the information is processed in accordance with the Regulations, is only processed for the purpose for which it is held, is kept secure and is not kept for longer than necessary. Staff must also comply with the following guidelines always:

Do not disclose confidential personal information to anyone except the data subject. It should not be:
Giving to someone from the same family
Passed to any other unauthorised third party
Placed on the Organisation’s website
Posted on the internet in any form

Unless the data subject has given their explicit prior written consent to this Be aware that those seeking information sometimes use deception to gain access to it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone
Where the Organisation provides staff with code words or passwords to be used before releasing personal information, for example by telephone, all staff must strictly follow the Organisation’s requirement in this regard
Only transmit personal information between locations by fax or e-mail if a secure network is in place, for example, a confidential fax machine or encryption is used for e-mail.
If anyone receives a request for personal information about another employee, this should forward this to who is responsible of dealing with such requests
Ensure any personal data you hold is kept secretly, either in a locked filing cabinet or, if computerised, it is password protected or encrypted so that it is protected from unintended destruction or change and is not seen by unauthorised persons
Do not access another employee’s record without authority, as this may be treated as gross misconduct and it is a criminal offence
Do not write down (in electronic or hard copy form) opinions on facts concerning a data subject which it would be inappropriate to share with that data subject
Do not remove personal information from the workplace with the intention of processing it elsewhere unless this is necessary to enable you to carry out your job duties and has been authorised by your line manager.
Ensure that, when working on personal information as part of your job duties when away from your workplace and with the authorisation with your line manager, you continue to observe the terms of this policy and the Act, in particular in matters of data security
Ensure that hard copy personal information is disposed of securely, for example cross-shredded. Remember that compliance with the act is a personal responsibility. If there are any questions or concerns about the interpretation of these rules, please contact the Data Protection Advisor immediately.

Personal Data Breach
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
The organisation must notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
This must be assessed on a case by case basis. For example, the organisation will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
The notification breach information to the ICO must contain the following information:
The nature of the personal data breach including, where possible:
The categories and approximate number of individuals concerned; and
The categories and approximate number of personal data records concerned.
The name and contact details of the data protection Advisor (if your organisation has one) or other contact point where more information can be obtained.
A description of the likely consequences of the personal data breach.
A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Failing to notify a breach when required to do so can result in a significant fine up to 20 million Euros or 4 per cent of global turnover.

A personal data breach without a risk to an individual’s rights and freedoms must:
Still be recorded
Result in action being taken in response

A recording system should be set up, but these regulations require all employees to know their reporting obligations (and act upon them).