Data Protection Policy

Introduction:

Trustees have a legal obligation to comply with the Data Protection Act 1998 and new legislation that came into effect on 25th May 2018. The law updated data protection laws making them fit for the digital age and covering cyber security as well as giving more control over use of personal data.

The purpose of this policy is to enable Sampson’s Almshouses to comply with the law (The DPA 1998) in respect of the data it holds about individuals.

The Charity Will:

• follow good practice

• protect residents, trustees, and other individuals by respecting their rights

• demonstrate an open and honest approach to personal data and

• protect the charity from the consequences of a breach of its responsibilities.

This policy applies to all the information that we control and process relating to identifiable, living individuals including contact details, , bank details and details of next of kin

Data Storage and processing:

The Charity recognises that data is held about:

• residents

• trustees

• staff

This information is always stored securely and access is restricted to those who have a legitimate need to know. We are committed to ensuring that those about whom we store data understand how and why we keep that data and who may have access to it. We do not transfer data to third parties without the express consent of the individual concerned.

Rights of individuals

All individuals who come into contact with (name of charity) have the following rights under the DPA:

• a right of access to a copy of their personal data

• a right to object to processing that is likely to cause or is causing damage or distress

• a right to prevent processing for direct marketing

• a right to object to decisions being taken by automated means

• a right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed and

• a right to claim compensation for damages caused by a breach of the DPA.

Archived records are stored securely and the charity has clear guidelines for the retention of information.

The trustees recognise their overall responsibility for ensuring that the charity complies with its legal obligations and are responsible as follows:

Roles and Responsibilities:

• briefing trustees on Data Protection responsibilities

• reviewing Data Protection and related policies

• advising other staff on Data Protection issues

• ensuring that Data Protection induction and training takes place

• notification

• handling subject access requests.

All trustees, staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their roles.

Significant breaches of these policies will be handled under disciplinary procedures.

Key risks to the safety of data control and process:

The trustees have identified the following potential key risks:

• breach of confidentiality (information being given out inappropriately)

• individuals being insufficiently informed about the use of their data

• misuse of personal information by staff or volunteers

• failure to up-date records promptly

• poor IT security and

• direct or indirect, inadvertent or deliberate unauthorised access.

The trustees will review the charity’s procedures regularly, ensuring that the charity’s records remain accurate and consistent and in particular:

• IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data

• data on any individual will be held in as few places as necessary and trustees and staff will be discouraged from establishing unnecessary additional data sets

• effective procedures will be in place so that relevant systems are updated when information about an individual changes.

If a breach of data security is suspected or occurs the trustees should be notified immediately.

Subject Access Requests

Any individual who wants to exercise their right to receive a copy of their personal data can do so by making a Subject Access Request, (‘SAR’) to the clerk. The request must be made in writing and the individual must satisfy the clerk of their identity before receiving access to any information.

A SAR must be answered within 40 calendar days of receipt by the charity.

Collecting and using personal data

Sampson’s Almshouses typically collects and uses personal data in connection with the provision of accommodation for the recipients of the Charity. The charity collects personal data mainly in the following ways:

• by asking applicants for accommodation to complete paper forms

• by asking residents to give information verbally.

• by communicating with residents both in writing and electronically

Sampson’s Almshouses will:

• not use any of the personal data it collects in ways that have unjustified adverse effects on the individuals concerned

• be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data

• handle people’s personal data only in ways they would reasonably expect

• not do anything unlawful with the data.

Keeping Data Secure

The Charity will take all appropriate measures to prevent unauthorised or unlawful processing of personal data and to protect personal data against loss, damage or destruction. This means that:

• personal files for residents, trustees, and employees and applications for accommodation will be kept by the Clerk in a locked filing cabinet at all times with access only by the Clerk and trustees

• electronic files containing personal data will be password protected and backed up on a regular basis

backed up electronic data will be held securely by the Clerk on, password protected and with access only by the Clerk and trustees

Retention of personal data

The Charity will not keep personal data for longer than is necessary. This means that: a resident’s file will be completely destroyed after six years of the resident leaving or passing away

• records of complaint/investigations concerning residents will be destroyed six years after the resident leaves or passes away

• application forms for unsuccessful applicants will be destroyed three years after the date of application.

• trustees will destroy and delete all charity documents held within their own records three yearss after receipt, including all computer data and paper copies

• trustees personal files will be destroyed one year after ceasing to be a trustee

This policy has been approved for issue by the board of trustees of Sampson’s Almshouses.
Review date: May 2022

More information:

Full information about the Data Protection Act, its principles and definitions can be found at www.ico.gov.uk