Data Protection Policy
Scope of policy
This policy applies to:
- Staff members;
- Volunteers;
- Directors;
- All contractors, suppliers, advisors and other people working on behalf of LFLR.
Key policy details
Prepared by: Managing Director
Approved by: Board of Directors
Operational date: 22nd September 2020
Review date: 22nd September 2021
Purpose of policy
The purpose of this policy is to ensure that Leeds Free Legal Representation (LFLR):
- complies with the law in respect of the data it holds about individuals;
- follows good practice;
- protects LFLR’s clients, volunteers, supporters, staff members and other individuals;
- protects the organisation from the consequences of a breach of its responsibilities.
Data protection law and principles
The Data Protection Act 2018 describes how organisations must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
Policy statement
LFLR will:
- comply with both the law and good practice;
- respect individuals’ rights;
- be open and honest with individuals whose data is held;
- provide training and support for staff members and volunteers who handle personal data.
LFLR recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. In the main this means:
- keeping information securely in the right hands, and
- holding good quality information for no longer than necessary.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, LFLR will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
LFLR will never sell or give away data to anyone outside the organisation, unless compelled to do so by statute or an order of the court, or with the express consent of the individual.
Responsibilities
Everyone who works for or with LFLR has some responsibility for ensuring data is collected, stored and handled appropriately. However, these people have key areas of responsibility:
- The Board of Directors are ultimately responsible for ensuring that LFLR meets its legal obligations.
- The Managing Director, as data protection officer, is responsible for:
  - Keeping the Board of Directors updated about data protection responsibilities, risks and issues;
  - Reviewing all data protection procedures and related policies;
  - Arranging data protection training and advice for the people covered by this policy;
  - Handling data protection questions from staff members and anyone else covered by this policy;
  - Checking and approving any contracts or agreements with third parties that may handle LFLR’s sensitive data;
  - Approving any data protection statements attached to communications such as emails and letters;
  - Ensuring that all new projects or initiatives comply with data protection principles;
  - Dealing with requests from individuals to see the data LFLR holds about them (‘subject access requests’).
- The Administrator is responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards;
  - Ensuring security hardware and software is functioning properly;
  - Evaluating any third-party services LFLR is considering using to store or process data.
All staff members and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Breaches of this policy will be handled under LFLR’s disciplinary procedures.
Communication with data subjects
LFLR produces a Privacy Policy for data subjects, setting out how their information will be used. This will be available on request, and a version of this policy will also be published on the website.
Communication with staff members and volunteers
Staff members will be required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.
All volunteers will receive a copy of this policy and will be asked to agree to it at the point that LFLR permits them to assist with any of LFLR’s cases.
Data accuracy
It is the responsibility of all staff members who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary; staff members should not create any unnecessary additional data sets
- Staff members should take every opportunity to ensure data is updated
- LFLR will make it easy for data subjects to update the information LFLR holds about them
- Data should be updated as inaccuracies are discovered, e.g. if a client or volunteer cannot be reached on their stored telephone number, it should be removed from the database.
Data storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Managing Director. When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet at LFLR or an address known to and approved by LFLR
- Staff members should make sure paper and printouts are not left where unauthorised people could see them, like on a printer
- Data printouts should be shredded and disposed of securely when no longer required
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
Personal and sensitive data which is held electronically must be processed according to these guidelines:
- Data should be protected by strong, unique passwords that are changed regularly
- If data is stored on removable media (like a CD or USB flash drive), these should be kept locked away securely when not being used
- Data should only be stored on designated drives and servers
- Servers containing personal data should be sited in a secure location, away from general office space
- Data should be backed up frequently and the backups should be tested regularly
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones unless the device has been encrypted
- All servers and computers containing data should be protected by approved security software and a firewall.
Data use
All those accessing data on behalf of LFLR should take the following steps when using client data:
- When working with personal data, staff members and volunteers should ensure the screens of their computers are always locked when left unattended
- Personal data should not be shared informally; in particular, it should never be sent by an email address not known to LFLR
- If data is transferred electronically by a personally held electronic device, that device must be encrypted. Personal data should never be transferred outside of the European Economic Area except in accordance with the GDPR regulations.
- Any data downloaded by staff members or volunteers to their electronic devices must not be permanently stored on those devices, but must be moved onto an encrypted device or to a central storage system and the local copy deleted as soon as possible.
Retention periods
Data will be deleted or destroyed as follows:
- Staff members – within seven years of leaving the organisation
- Clients – seven years after last contact
- Volunteers – seven years after final client contact
- Directors – within seven years of leaving the organisation
- Supporters and donors – within three years of final contact
Data LFLR holds will be reviewed every 12 months.
Archiving
Archived client files are securely stored electronically for the relevant retention period.
Subject access requests
All individuals who are the subject of personal data held by LFLR are entitled to:
- Ask what information is held about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date.
- Be informed how LFLR is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request. Any subject access requests will be handled by the Managing Director and reported to the Board of Directors.
Subject access requests may be made verbally or in writing. All staff members and volunteers are required to pass on anything which might be a subject access request to the Managing Director without delay.
All those making a subject access request will be asked to identify any volunteers or staff members who may also hold information about them, so that this data can be retrieved. The Managing Director will have regard to the Information Commissioner’s Office ‘Subject access code of practice’ (http://ico.org.uk/for_organisations/data_protection/subject_access_requests) at all times when dealing with subject access requests.
Where the individual making a subject access request is not known to the Managing Director, their identity will be verified before any information is handed over.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person. LFLR aims to respond to subject access requests within 28 days.
Transparency
LFLR is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
- for what purpose it is being processed;
- what types of disclosure are likely;
- how to exercise their rights in relation to the data.
Data Subjects will generally be informed in the following ways:
- Staff members, volunteers and Directors: by being provided with a copy of our policy;
- Clients: in the client care letter;
- Donors and supporters: by being provided with a copy of our policy.
Further information
There are more detailed guides and data protection resources on the website of the Information Commissioner’s Office (http://ico.org.uk/) and the Charity Finance Group produces a guide for charities – Protecting Data, Protecting People.