Data Protection & GDPR Policy

This policy was agreed by KLS Trustees on 11^th September 2013. It has been significantly reviewed and updated (May18) in the light of the new GDPR coming into force on 25^th May 2018.

All KLS policies are reviewed every three years (or earlier if the law changes).

This policy will be reviewed again in September 2024.

• About Katherine Low Settlement

Katherine Low Settlement is a charity that has been serving Battersea and the wider Wandsworth community since 1924. We are dedicated to building stronger communities and enable people to challenge and find ways out of poverty and isolation.

We run a range of our own community projects to support older people, refugee communities and children, young people and families. In addition to these direct services, we also use our premises to act as a local hub for other charities and community groups so that as partners, we can meet the diverse needs of the communities of Wandsworth. Each week we work with 45+ charities and community groups supporting more than 1,100 people. Visit www.klsettlement.org.uk

1. Katherine Low Settlement’s Data Protection Policy

Katherine Low Settlement’s (KLS) Board of Trustees recognise its overall responsibility for ensuring that KLS complies with its legal obligations.

The purpose of this Data Protection policy is to enable KLS to:

• Comply with the law in respect of the data it holds about individuals.
• Follow good practice.
• Protect KLS’s supporters, staff and other individuals.
• Protect KLS from the consequences of a breach of its responsibilities.

KLS is committed to the lawful and correct treatment of personal, sensitive and commercially sensitive information. This is important to successful working and to maintaining the confidence of those with whom we deal. KLS is registered with the Information Commissioner’s office (ICO).

The policy is endorsed by the Katherine Low Settlement’s Trustees and will be reviewed every three years to make sure it remains relevant and appropriate to the needs of KLS: its staff, volunteers, users/members and visitors.

This Data Protection policy is freely accessible to all. This means that KLS will share copies of this policy with staff and volunteers as part of their induction and training. All KLS’ policies will appear on its website. Hard copies of this policy will be available upon request.

2. Glossary of Terms – Definitions

Data Controller: is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act 1998. This is the Katherine Low Settlement. It is also responsible for notifying the Information Commissioner’s Office (ICO) of the data it holds, or is likely to hold and the general purposes that the data will be used for. This is reviewed annually as part of the registration process with the ICO.

Senior Information Risk Officer: is the person accountable for ensuring that KLS follows its data protection policy and complies with the Act. KLS has delegated responsibility to its CEO (Aaron Barbour) and a trustee (Lucy Elphinstone). Overall accountability sits with the Board of Trustees.

The Senior Information Risk Officer will be responsible for:

• Briefing the board on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other staff on Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Ensuring contracts with Data Processors have appropriate data protection clauses
• Electronic security
• Approving data protection-related statements on publicity materials and letters

Data Subject: is the individual whose personal data is being processed. Examples include: employees – current and past; volunteers; job applicants; donors; users; and suppliers.

Personal Data/Information: Information that relates to a living person (e.g. name and address). The Data Protection Act principles do not relate to deceased people, however KLS would carry out an assessment of any other obligations, legal or otherwise, towards any deceased person before using their information in any way.

Sensitive Data/Information: This includes:

• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade union membership
• Physical or mental health
• Sexual life
• Criminal record
• Criminal proceedings relating to an Individual’s (data subject)

Processing: means the use made of personal data including:

• Obtaining and retrieving.
• Holding and storing.
• Making available within or outside the organisation.
• Printing, sorting, matching, comparing, destroying.

Each member of staff and volunteer at KLS who handles personal data will comply with the organisation’s operational procedures for handling personal data to ensure that good Data Protection practice is established and followed. All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Significant breaches of this policy will be handled under KLS disciplinary procedures.

Subject access: Individuals have a right to know what information is being held about them. The basic provision is that, in response to a valid request, the Data Controller must provide a permanent, intelligible copy of all the personal data about that Data Subject held at the time the application was made. The Data Controller may negotiate with the Data Subject to provide a more limited range of data (or may choose to provide more), and certain data may be withheld. This includes some third party material, especially if any duty of confidentiality is owed to the third party, and limited amounts of other material.  (“Third Party” means either that the data is about someone else, or someone else is the source.)

3. Key Legislation and Guidance

A number of key pieces of legislation and guidance inform the development of the policies, procedures, guidance and agreements within this document. They include:

• Data Protection Act 1998 (the Act)
• General Data Protection Regulation (effective 25^th May 2018)
• Minimum Data Handling Measures (Cabinet Office Standard)
• The Caldicott Report
• Data Sharing Code of Practice (Information Commissioner’s Office guidance)
• Common Law Duty of Confidence. This states that data given in confidence should not be disclosed unless:
  • The consent of the individual has been obtained
  • A statute of law dictates that disclosure is made
  • It is in the overriding public interest to do so.

4. The Eight Principles of Data Protection

The Data Protection Act and Article 5 of the GDPR require that personal data:

P1. Shall be processed fairly, transparently and lawfully. This means KLS must:

• have legitimate grounds for collecting and using the personal data
• not use the data in ways that have unjustified adverse effects on the Individuals (data subjects) concerned
• be transparent about how KLS intends to use the data and give Individuals appropriate fair processing notices when collecting their personal data
• handle people’s personal data only in ways they would reasonably expect
• make sure KLS does not do anything unlawful with the data.

P2. Shall be obtained only for one or more of the purposes specified in the Act and shall not be processed in any manner incompatible with those purposes. This means KLS must:

• be clear from the outset about why KLS is collecting personal data and what it intends to do with it
• comply with the Act’s fair processing requirements – including the duty to give clear fair processing notices to Individuals when collecting their personal data
• comply with what the Act says about notifying the Information Commissioner
• ensure that if KLS wishes to use or disclose the personal data for any purpose that is additional to, or different from, the originally specified purpose, the new use of disclosure is fair.

P3. Shall be adequate, relevant and not excessive in relation to those purpose(s). This means that:

• KLS holds personal data about an Individual that is sufficient for the purpose it is holding it for in relation to that Individual
• KLS does not hold more information than needed for that purpose and has a minimum data set to describe this.

P4. Shall be accurate and, where necessary, kept up to date. This means that KLS must:

• take reasonable steps to ensure the accuracy of any personal data it obtains
• ensure that the source of any personal data is clear
• carefully consider any challenges to the accuracy of information
• consider whether it is necessary to update the information.

P5. Should not be kept for longer than is necessary. This means that KLS should:

• review the length of time it keeps personal data
• consider the purpose or purposes it holds the information for in deciding whether (and for how long) to retain it
• securely delete information that is no longer needed for this purpose or these purposes
• update, archive or securely delete information if it goes out of date.

P6. Shall be processed in accordance with the rights of Individuals under the Act. This means that the Individual has:

• a right of access to a copy of the information comprised in their personal data
• a right to object to processing that is likely to cause or is causing damage or distress
• a right to prevent processing for direct marketing
• a right to object to decisions being taken by automated means
• a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
• a right to claim compensation for damages caused by breach of the Act.

P7. Shall be kept secure by the Data Controller and any Data Processor, who take appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information. This means that KLS, and those organisations who process an Individuals data through contracted agreement with KLS, must:

• design and organise security to fit the nature of the personal data it holds and the harm that may result from an information security breach
• be clear about who in the organisation is responsible for ensuring information security
• make sure it has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff and volunteers
• be ready to respond to any breach of security swiftly and effectively.

P8. Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals in relation to the processing of personal information.

5. Processing data with a lawful basis

The GDPR sets out 6 lawful bases for processing personal data. If there is no other lawful purpose identified then consent must be sought. These are:

• Contract: Processing is necessary for the performance of a contract with the Individual, or to take steps to enter a contract. This could be to fulfil an employment contract, or a contract to provide goods or services.
• Legal Obligation: Processing is necessary to comply with a legal obligation
• Vital Interests: Processing is necessary to protect the vital interests of an Individual or another person
• Public Task: Processing is necessary to fulfil a task that is in the public interest or in the exercise of official authority vested in the Data Controller
• Legitimate Interests: Processing is necessary for the purposes of legitimate interests of the Association and those legitimate interests are not outweighed by possible harm to the Individuals rights and interests
• Consent: Processing of data has consent from the

What is valid consent?

Consent must be:

• Freely given: the Individual has choice and control on how their personal data may be used
• Specific and informed: the Individual understands all the purposes for which their data may be used. If there are multiple purposes, consent must be sought for each
• Unambiguous: the Individual knows what they have consented to and why, and that they have given their consent
• A deliberate action by the Individual g. signing / verbal / electronic binary choice options

6. Data Collection

KLS will ensure that data is collected within the boundaries defined within this policy. This applies to data that is collected in person (face to face or over the telephone), electronically or by completing a form. It applies to any location that is being used by staff, volunteers or contractors to deliver KLS related business.

When collecting data, KLS will ensure, wherever possible, that there is a fair processing notice in place and that the Individual:

• clearly understands why the information is needed
• understands what it will be used for and what the consequences are should the Individual decide not to give consent to processing (more relevant to sensitive information)
• understands who the data may be shared with and why
• has the option to agree to sharing the data
• grants explicit written or verbal consent to collect and share sensitive data wherever possible
• gives explicit consent to contact via email
• is competent enough to give consent and has given so freely without any duress.

The above points indicate that the Individual will have enough information for them to give Informed Consent. Any concerns regarding competence should be referred to a health care professional.

There are instances within KLS where implicit/implied consent is assumed for collecting data, for example information given when responding to an appeal. The Privacy Policy clearly explains this.

7. Data Storage & Security

Information and records relating to Individuals will be stored securely and will only be accessible to authorised staff and volunteers.

Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately in line with the Retention, Archiving and Destruction of Information procedure.

Any recorded information on users/members, volunteers and staff will be:

• Kept in locked cabinets, in locked offices.
• Protected by the use of passwords if kept on computer; with software being kept up to date.
• Appropriate back-up and disaster recovery solutions shall be in place
• Destroyed confidentially if it is no longer needed.
• Archived and stored securely in a locked office, if appropriate.

Access to information on Sharepoint or KLS databases are controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, KLS shall promptly assess the risk to the Individual’s rights and freedoms and if appropriate report this breach to the Information Commission Office (ICO).

8. Data Access and Accuracy

All Individuals have the right to access the information KLS holds about them and why. KLS will also take reasonable steps to ensure that this information is kept up to date by asking Individuals whether there have been any changes.

If an Individual contacts KJLS requesting information then this is called a ‘subject access request’. These will be handled by the Senior Information Risk Officer within the required time limit. Subject access requests must be in writing. Where the individual making a subject access request is not personally known to the Senior Information Risk Officer their identity will be verified before handing over any information. The required information will be provided in ‘permanent form’ unless the applicant makes a specific request to be given supervised access in person. KLS will charge £10 per subject access request.

All employees have the responsibility of ensuring information stored about an Individual is factual and not subjective.

In addition, KLS will ensure that:

• it has a Senior Information Risk Officer with specific responsibility for ensuring compliance with the Act
• everyone processing personal information understands that they are contractually responsible for following good data protection practice
• everyone processing personal information is appropriately trained to do so; is appropriately supervised; will report a suspected or actual breach of data management using the Data Protection Breach Reporting procedure
• anybody wanting to make enquiries about handling personal information knows what to do
• it deals promptly and courteously with any enquiries about handling personal information
• it describes clearly how it handles personal information
• it will regularly review and audit the ways it holds, manages and uses personal information
• it regularly assesses and evaluates its methods and performance in relation to handling personal information
• all staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments in the law.

9. Confidentiality

As confidentiality applies to a much wider range of information than Data Protection, KLS has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with KLS’s Confidentiality Policy.

KLS has a privacy statement for clients, setting out how their information will be used. This is available on request.

Staff, volunteers and sessional workers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.  (See separate Confidentiality Policy and Statement.)

In order to provide some services, KLS will need to share client’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared.

Where anyone within KLS feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with the Senior Information Risk Officer.  All such disclosures will be documented.

10. Transparency

KLS is committed to ensuring that in principle Data Subjects are aware that their data:

• Is being processed and for what purpose it is being processed.
• What types of disclosure are likely.
• How to exercise their rights in relation to the data.

Data Subjects will generally be informed in the following ways:

• Staff and sessional workers: in the staff handbook
• Volunteers: in the volunteer welcome/support pack
• Clients: when they request or sign up to services (on paper, on line or by phone)
• Members: in the welcome pack

Standard statements will be provided to staff for use on forms where data is collected. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

11.   Complaints

If a data subject thinks that their data has been misused or that KLS has not kept it secure, they should contact KLS’ Senior Information Risk Officer and tell them (follow KLS’ complaints & compliments policy and procedures).

If the data subject is unhappy with their response or if they need any advice they should contact the Information Commissioner’s Office.

12.   Staff training and acceptance of responsibilities

All staff who have access to any kind of personal data will be given a copy of the staff handbook and copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures.

KLS will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.

Volunteers will receive information about Data Protection as part of their induction.

Appendix 1: Katherine Low Settlement’s Privacy Statement

When you request information from Katherine Low Settlement (KLS), sign up to any of our services or buy things from us, KLS obtains information about you.  This statement explains how we look after that information and what we do with it.

We have a legal duty under the Data Protection Act 1998 to prevent your information falling into the wrong hands.  We must also ensure that the data we hold is accurate, adequate, relevant and not excessive.

Normally the only information we hold comes directly from you.  Whenever we collect information from you, we will make it clear which information is required in order to provide you with the information, service or goods you need.  You do not have to provide us with any additional information unless you choose to.  We store your information securely on our computer system, we restrict access to those who have a need to know, and we train our staff in handling the information securely.

If you have signed up to a class or other service we will also pass your details to the professional worker providing that service.  That worker may hold additional information about your participation in these activities.

We would also like to contact you in future to tell you about other services we provide, to keep you informed of what we are doing and ways in which you might like to support KLS.  You have the right to ask us not to contact you in this way.  We will always aim to provide a clear method for you to opt out.  You can also contact us directly at any time to tell us not to send you any future marketing material.

You have the right to a copy of all the information we hold about you (apart from a very few things which we may be obliged to withhold because they concern other people as well as you).  To obtain a copy, either ask for an application form to be sent to you, or write to the Data Protection Officer at Katherine Low Settlement.  We aim to reply as promptly as we can and, in any case, within the legal maximum of 40 days.

Appendix 2:  Katherine Low Settlement’s confidentiality statement for staff and volunteers

When working for Katherine Low Settlement (KLS), you will often need to have access to confidential information which may include, for example:

• Personal information about individuals who are supporters or otherwise involved in the activities organised by KLS.
• Information about the internal business of KLS.
• Personal information about colleagues working for KLS.

KLS is committed to keeping this information confidential, in order to protect people and the organisation itself.  ‘Confidential’ means that all access to information must be on a need to know and properly authorised basis.  You must use only the information you have been authorised to use, and for purposes that have been authorised.  You should also be aware that under the Data Protection Act 1998, unauthorised access to data about individuals is a criminal offence.

You must assume that information is confidential unless you know that it is intended by KLS to be made public.

You must also be particularly careful not to disclose confidential information to unauthorised people or cause a breach of security.  In particular you must:

• Not compromise or seek to evade security measures (including computer passwords).
• Not gossip about confidential information, either with colleagues or people outside KLS.
• Not disclose information unless you are sure that you know who you are disclosing it to, and that they are authorised to have it.

If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person (your Line Manager and/or the Data Protection Officer, Aaron Barbour) whether the disclosure is appropriate.

Your confidentiality obligations continue to apply indefinitely after you have stopped working for Katherine Low Settlement.

I have read and understand the above statement.  I accept my responsibilities regarding confidentiality.

Signed:              

Name:

Date:

Appendix 3: Katherine Low Settlement’s photography and video film consent form

At Katherine Low Settlement we produce a wide range of materials to tell people about our services and to raise money for our work. From time to time we take photographic images (moving and still) of subjects, and use case studies which can include these images and personal data (such as name and project, where appropriate and consented to) to enhance and illustrate our media applications to make them more accessible, and inspiring for our audiences.

By completing this form, you give us full permission to use these images and any personal information you supply to us in our media applications, which reasonably promote or advertise KLS’ aims, throughout the world wherever KLS’ chooses to do so. This may include our printed publications e.g. books, newspapers, magazine articles; adverts and publicity material; audio-visual and electronic materials; media work; display materials; direct mail; television programmes, internet publications and any other media we may use in the future. The images will not be used for any other purpose.

KLS’ will keep all the images and use them for such period as it considers appropriate, and will move them into its image archive for posterity once they are no longer appropriate for the modern image library. The copyright of any material which is generated as a result of this photographic session shall be assigned and shall be the property of the Katherine Low Settlement.

Your details:

Data protection statement

KLS’ values your support and promises to respect your privacy. The data we gather and hold is managed in accordance with the Data Protection Act (1998). Other than as specified above, the information that you give us here will only be used to contact you about these photo(s) and videos.  We will not pass the details recorded on this form on to any other organisation without your permission.

Appendix 4: Privacy Impact Assessment

Screening questions

These questions are intended to help you decide whether a Privacy Impact Assessment (PIA) is necessary. Answering ‘yes’ to any of these questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to.

You can adapt these questions to develop a screening method that fits more closely with the types of project you are likely to assess.

1. Will the project involve the collection of new information about individuals?
2. Will the project compel individuals to provide information about themselves?
3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
4. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
5. Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
6. Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?
7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private.
8. Will the project require you to contact individuals in ways that they may find intrusive?

Privacy Impact Assessment – Template

ICO has produced a useful template (See Annex 2, page 34, in the ICO’s Code of Practice https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf ) as an example of how KLS could record the PIA process and results. KLS can adapt the process and the template to enable KLS to conduct effective PIAs integrated into our project management processes.

Step one: Identify the need for a PIA

Explain what the project aims to achieve, what the benefits will be to the organisation, to individuals and to other parties.

You may find it helpful to link to other relevant documents related to the project, for example a project proposal.

Also summarise why the need for a PIA was identified (this can draw on your answers to the screening questions).

ADD KLS DETAIL HERE…..

Step two: Describe the information flows

The collection, use and deletion of personal data should be described here and it may also be useful to refer to a flow diagram or another way of explaining data flows. You should also say how many individuals are likely to be affected by the project.

ADD KLS DETAIL HERE…..

Consultation requirements

Explain what practical steps you will take to ensure that you identify and address privacy risks. Who should be consulted, internally and externally? How will you carry out the consultation? You should link this to the relevant stages of your project management process.

Consultation can be used at any stage of the PIA process.

ADD KLS DETAIL HERE…..

Step three: identify the privacy and related risks

Identify the key privacy risks and the associated compliance and corporate risks. Larger-scale PIAs might record this information on a more formal risk register.

Annex three can be used to help identify the DPA related compliance risks

Privacy issue:

Risk to individuals:

Compliance risk:

Associated organisation / corporate risk:

ADD KLS DETAIL HERE…..

Step four: Identify privacy solutions

Describe the actions you could take to reduce the risks, and any future steps which would be necessary (e.g. the production of new guidance or future security testing for systems).

Risk:

Solution(s):

Result: is the risk eliminated, reduced, or accepted?

Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?

ADD KLS DETAIL HERE…..

Step five: Sign off and record the PIA outcomes

Who has approved the privacy risks involved in the project? What solutions need to be implemented?

Risk:

Approved solution:

Approved by:

ADD KLS DETAIL HERE…..

Step six: Integrate the PIA outcomes back into the project plan

Who is responsible for integrating the PIA outcomes back into the project plan and updating any project management paperwork?

Who is responsible for implementing the solutions that have been approved?

Who is the contact for any privacy concerns which may arise in the future?

Action to be taken:

Date for completion of actions:

Responsibility for action:

Contact point for future privacy concerns:

ADD KLS DETAIL HERE…..