The Family Support Centre (FSC) recognises that, as a processor of personal information, it has a duty to follow The General Data Protection Regulation (GDPR) with respect to information it holds on all those who come into contact with and volunteer at the centre.
The aims of the policy is to ensure that trained advisors and anyone involved with the centre adopt the 7 key principles with regards to privacy and data protection and that clients and staff are confident that these principles are being adhered to.
This policy will be reviewed every 3 years, the next review being July 2021.
This policy is considered with, and relates to, the Confidentiality Policy. Although we are a small charity, we process personal information and are thus upheld by GDPR.
The principles and procedures named in the policy are to be followed by anyone at the centre who processes information. This includes receptionists, administrators, advisors, team leaders, treasurer, trustees and secretary to the trustees. The people whose data we are protecting include clients, all volunteers in whatever capacity, donors, supporters, grant-makers and lenders.
The GDPR applies to Personal Information. This is information relating to an individual person that allows you to identify that person such as name, identification number, location data and an online identifier. It also applies to ‘sensitive personal data’ such as race religion etc.
Lawfulness, fairness and transparency
We will have a lawful basis to processing data by obtaining consent from the person whose information we are collecting. The data we process must be necessary to achieve the purpose of the centre. We hold data because a person has volunteered to be an advisor or provide administrative support for us; they are a trustee; they have donated to us; they have attended a training event or they have requested information from us. It is also necessary because a client has asked us to enter a contract with them by seeking advice, counselling or support or they have requested information.
A person has a right to know what information we hold about them and a right to see their record.
Information will not be shared with any other organisation or individual (third party) without obtaining consent from the individual to whom the information pertains.
A Privacy Notice will be displayed in the centre and on the website and given to anyone whose data we are processing to read and agree to.
Data must be collected for specified, explicit and legitimate purposes. Data will be prevented from being used for new purposes if they are incompatible with the original purpose for collecting the data. Consent must be obtained for the new purpose.
The data must be adequate, relevant and limited to what is necessary.
The information we collect must be accurate and up to date. Any inaccurate data is erased or rectified without delay.
Data will not be kept for longer than is necessary for the purposes for which the data was originally processed. The data we hold will be reviewed annually in March and erased/deleted when no longer required or relevant. Individuals have a right to erasure if information is no longer needed (the right to be forgotten) We have set a standard retention period of 6 years or, in the case of a minor, 6 years from their 18th birthday. This follows the practice of many counsellors as clients may return to the centre.
Integrity and confidentiality (security)
The centre will put measures in place to protect the information we hold from unauthorised or unlawful processing, against accidental loss, destruction or damage. We will put appropriate organisational measures in place so that data is stored securely. If/when data is stored electronically, we will put technical measures in place so that it can be restored in the event of an incident (back up).
Paper records and the diary will be securely locked away where only authorised persons can access them. Anything that contains personal information will not be on display. Any electronic records/information (if used) will be held on a dedicated laptop which is password protected.
We will take responsibility for what we do with data and how we comply with data protection principles. We will have appropriate measures and records in place to demonstrate compliance.
We believe that all staff has an element of responsibility in upholding these principles but a Data Protection Trustee (Liz Warner) will be nominated and will ensure application of the data protection policy and procedures across The Family Support Centre, and will be responsible for the review and update of measures as necessary.
All staff will be trained in the policy and procedures surrounding data protection. On appointment staff will be required to sign a statement that they will adhere to the centre’s codes of practice and procedures. New staff will have a programme of induction where they are made clearly aware of their role and responsibilities in line with this and other policies. When there are updates or new procedures, the team leaders are responsible for ensuring staff are made aware.
This policy was approved on 11th July 2018 by the Team Leaders and Trustees of the Family Support Centre Shirley.