The Family Support Centre (FSC) recognises that, as a processor of personal information, it has a duty to follow The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 with respect to information it holds on all those who come into contact with and volunteer at the centre.
The aims of the policy is to ensure that trained advisors and anyone involved with the centre adopt the 7 key principles with regards to privacy and data protection and that clients and staff are confident that these principles are being adhered to.
This policy will be reviewed every 3 years, the next review being January 2025.
This policy is considered with, and relates to, the Confidentiality Policy. Although we are a small charity, we process personal information and are thus upheld by UK GDPR.
The principles and procedures named in the policy are to be followed by anyone at the centre who processes information. This includes receptionists, administrators, advisors, team leaders, treasurer, trustees and secretary to the trustees. The people whose data we are protecting include clients, all volunteers in whatever capacity, donors, supporters, grant-makers and lenders.
The UK GDPR applies to Personal Information. This is information relating to an individual person that makes it possible to identify that person, either directly or indirectly, such as name, identification number, location data and an online identifier. It also applies to ‘sensitive personal data’ such as race religion etc Even if the information is inaccurate; it is still Personal Information as it relates to that individual.
Lawfulness, fairness and transparency
We will have a lawful basis to processing data by obtaining consent from the person whose information we are collecting. The data we process must be necessary to achieve the purpose of the centre. We hold data because a person has volunteered to be an advisor or provide administrative support for us; they are a trustee; they have donated to us; they have attended a training event or they have requested information from us. It is also necessary because a client has asked us to enter a contract with them by seeking advice, counselling or support or they have requested information.
A person has a right to know what information we hold about them and a right to see their record.
Information will not be shared with any other organisation or individual (third party) without obtaining consent from the individual to whom the information pertains.
A Privacy Notice will be displayed in the centre and on the website and given to anyone whose data we are processing to read and agree to.
Data must be collected for specified, explicit and legitimate purposes. Data will be prevented from being used for new purposes if they are incompatible with the original purpose for collecting the data. Consent must be obtained for the new purpose.
The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The information we collect must be accurate and kept up to date. Any inaccurate data is erased or rectified without delay.
Data will not be kept for longer than is necessary for the purposes for which the data was originally processed. The data we hold will be reviewed annually in March and erased/deleted when no longer required or relevant. Individuals have a right to erasure if information is no longer needed (the right to be forgotten) We have set a standard retention period of 6 years or, in the case of a minor, 6 years from their 18th birthday. This follows the practice of many counsellors as clients may return to the centre.
Integrity and confidentiality (security)
The centre will put measures in place to protect the information we hold from unauthorised or unlawful processing, against accidental loss, destruction or damage. We will put appropriate organisational measures in place so that data is stored securely. If/when data is stored electronically, we will put technical measures in place so that it can be restored in the event of an incident (back up).
Paper records and the diary will be securely locked away where only authorised persons can access them. Anything that contains personal information will not be on display. Any electronic records/information (if used) will be held on a dedicated laptop which is password protected.
We will take responsibility for what we do with data and how we comply with data protection principles. We will have appropriate measures and records in place to demonstrate compliance.
We believe that all staff has an element of responsibility in upholding these principles but a Data Protection Trustee (Liz Warner) will be nominated and will ensure application of the data protection policy and procedures across The Family Support Centre, and will be responsible for the review and update of measures as necessary.
Consent is the most appropriate lawful basis for processing information and it offers individuals real choice and control which in turn, builds trust and engagement.
In obtaining consent we will:
The UK GDPR provides certain rights for individuals and as such we will uphold the following:
We will respond to any requests for access, erasure, processing restriction and objections within one calendar month as outlined in the UK GDPR.
All staff will be trained in the policy and procedures surrounding data protection. On appointment staff will be required to sign a statement that they will adhere to the centre’s codes of practice and procedures. New staff will have a programme of induction where they are made clearly aware of their role and responsibilities in line with this and other policies. When there are updates or new procedures, the team leaders are responsible for ensuring staff are made aware.
The Team Leaders and Trustees of the Family Support Centre Shirley approved this policy on 26th January 2022.