INTRODUCTION

Lewisham Parent and Carer’s Forum
Leemore Central Community Hub,
Bonfield Road,
Lewisham,
London SE13 5EU

Tel: 075345 68020
Email: info@lewishamparentcarer.org.uk
Website: www.lewishamparentcarer.org.uk
Registered Charity no. 1159533 in England

Who we are

Lewisham Parent and Carer’s Forum (LPCF) is a registered charity (Charitable Independent Organisation). We are a group of parent carers who have a child or young person with a disability or additional need, living in the Borough of Lewisham. The aim of the Parent Forum is to secure the best services for our children by working with the local authority, health and social care to consult on, and feed back, the views of parents and carers. We run workshops and training, provide regular newsletters, attend meetings on behalf of parents and carers, review current policies and provide information and signposting. This policy applies to all our employees, Trustees and volunteers.

1. The Basics of General Data Protection Regulations 2018

The Data Protection Act 1998 gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. The new General Data Protection Regulation comes into effect in the UK on 25 May 2018 and will replace the Data Protection Act 1998:

  1. LPCF will ensure that your information is processed lawfully, fairly and in a transparent manner.
  2. We will only collect information which is relevant to the purposes of the LPCF. If you unsubscribe from our membership, your personal information and all references to it will be destroyed in a suitable manner, i.e. shredded.
  3. The LPCF will only ask you for information which is relevant. In order for us to contact you with information, activities, events, consultations and newsletters we will require your name, address, landline, mobile phone number and email address. We would further ask for the year of your child’s birth (for those with additional needs and disabilities), your child’s additional need or disability, and for your ethnicity. This information is optional, but it would help the LPCF to monitor that we have a diverse membership and that we are reaching a wide range of ages and needs/disabilities within Lewisham. We ask you to complete feedback forms and sign-in sheets for events/workshops/activities. The information required will be a name, signature and contact number. This information will be kept in a file in our locked office, to help with our funding monitoring procedures with the Department of Education, to ensure that we are reaching a wide range of parent carers, and so that we may contact you if you have requested us to do so.
  4. We will ensure that all of our information is up to date by contacting members annually to check that there are no changes to their details. If members’ details change, we would welcome them advising the LPCF as soon as possible, and the changes will be made with immediate effect.
  5. Once you inform the LPCF that you wish to unsubscribe and require your information to be deleted from our database, we will do so immediately. There will be no need for us to retain any of your information on file, and it will be destroyed.
  6. We will ensure the security of your data by holding the database on an external drive, which will be kept at the offices of LPCF in a locked container. All email addresses will be kept on the office laptop and will not be shared with anyone else. All emails are sent out using blind copy (Bcc) so that no recipient can see the other addresses. We have Norton security on our systems to help protect against malware.

1.1. The controller shall be responsible for ensuring that all data is:

  1. processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
  2. obtained only for one or more of the purposes specified in the GDPR, and shall not be processed in any manner incompatible with that purpose or those purposes;
  3. adequate, relevant and not excessive in relation to those purpose(s);
  4. accurate and, where necessary, kept up to date;
  5. not kept for longer than is necessary;
  6. processed in accordance with the rights of data subjects under the GDPR;
  7. kept secure by the Data Controller, who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information; and
  8. not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

The second area covered by the GDPR provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. Individuals have the right to request to see their information, and to ask for their information to be amended or erased.

2. Definitions

Confidentiality: Confidential information is defined as verbal or written information which is not meant for public or general knowledge, or information that is regarded as personal by users, members, trustees, employees or volunteers.

Consent (of the data subject): means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Data: The GDPR definition of personal data also includes information such as name, an identification number, location data including addresses, emails, phone numbers, online identifiers including IP addresses, information gathered by cookies or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (which could include CCTV). The GDPR reaches further than the current Data Protection Act. It is designed to take into account modern technology and the right of data subjects to the protection of the personal data being held about them by an organisation.

The LPCF’s data is stored:

  1. Electronically, i.e. on computer and/or a backup portable hard drive, including word processing documents, emails, computer records, backed-up files or databases and information recorded on telephone logging systems.
  2. Manually, as records of minutes with attendees’ names and feedback forms from events. These will be kept in a locked office.

Data Controller: The Data Controller will be the Board of Trustees of LPCF. They alone will decide what personal information we will hold and how it will be held or used.

Data Protection Act 1998: The UK legislation that provides a framework for responsible behaviour by those using personal information, which will be superseded by the General Data Protection Regulations on 25 May 2018.

Data Protection Manager: The Data Protection Officer will be Sue Stocks, who will be responsible for ensuring that we follow our data protection policy and comply with the General Data Protection Regulations.

Data concerning health: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Data Subject: any living individual whose personal data is being processed. Examples include:

  • employees – current and past
  • volunteers
  • apprentices
  • job applicants
  • donors
  • service users/clients
  • suppliers

‘Explicit’ consent: is a freely given, specific and informed agreement by an individual to the processing of personal information about them. Explicit consent is needed for processing sensitive data.

Notification: Notifying the Information Commissioner about the data processing activities of Lewisham Parent and Carer’s Forum, as certain activities may be exempt from notification.

Information Commissioner: The UK Information Commissioner responsible for implementing and overseeing the General Data Protection Regulations.

Processing: means the use made of personal data including any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

3. Policy statement

As an organisation we need to collect and use certain types of information about the different people we come into contact with in order to carry out our work. This personal information must be collected and dealt with appropriately, whether on paper, in a computer, or recorded on other material. This policy applies to all personal and sensitive personal data. We will:

  • comply with the General Data Protection Regulations in respect of the data we hold about individuals;
  • respect individuals’ rights;
  • be open and honest with individuals whose data is held;
  • ensure that everyone processing personal information understands that they are contractually responsible for following good data protection practice;
  • protect the organisation’s clients/service users, employees, volunteers and other individuals;
  • provide training, support and supervision for employees and volunteers who handle personal data, so that they can act legally, confidently and consistently;
  • regularly assess and evaluate our methods and performance in relation to handling personal information; and
  • protect the organisation from the consequences of a breach of its responsibilities.

We recognise that our first priority under the General Data Protection Regulations (GDPR) is to avoid causing harm to individuals. Information about employees, volunteers and clients/service users will be used fairly, securely and will not be disclosed to any person unlawfully.

Secondly, the Regulations aim to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, we will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

3.1. Disclosure

We will not share personal data with any other organisation unless we have the consent of the person to whom it relates. However, this stipulation will be waived, where necessary, in relation to the Trustees, who are the Data Controllers.

The Data Subject will be made aware of how and with whom their information will be shared. There are circumstances where the law allows us as an organisation to disclose data (including sensitive data) without the data subject’s consent.

These are:

  1. Processing carried out by individuals purely for personal or household activities including correspondence and the holding of addresses or social networking and online activity undertaken within the context of these activities;
  2. Processing covered by the Law Enforcement Directive;
  3. Processing for national security;
  4. Taking into account our Safeguarding and Child Protection Policy for children, young people and vulnerable adults. Where there is concern there will be discussion with the Data Controllers and a referral will be made to the local statutory agency, with immediate effect.

We regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

3.2. Data Controller

Lewisham Parent and Carer’s Forum is the Data Controller under the GDPR, which means that it determines the purposes for which the personal information it holds will be used. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes for which this data will be used.

4. Responsibilities

The Trustees recognise their overall responsibility for ensuring that Lewisham Parent and Carer’s Forum complies with its legal obligations.

The Data Protection Manager is currently Sue Stocks who has the following responsibilities:

  • Briefing the Trustees/Management Committee/Board on Data Protection responsibilities;
  • Reviewing Data Protection and related policies;
  • Advising other staff on Data Protection issues;
  • Ensuring that Data Protection induction and training takes place;
  • Handling subject access requests;
  • Approving unusual or controversial disclosures of personal data;
  • Ensuring contracts with Data Processors have appropriate data protection clauses;
  • Electronic security;
  • Ensuring that all personal and company data is non-recoverable from any computer system previously used within the organisation that has been disposed of or passed on/sold to a third party;
  • Approving data protection-related statements on publicity materials and letters.

Each employee, trustee and volunteer who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed. All employees, trustees and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Significant breaches of this policy or personal data breaches will be handled under our disciplinary procedures.

5. Confidentiality

Because confidentiality applies to a much wider range of information than Data Protection, we have a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with the Confidentiality Policy.

In order to support members, we will need to share clients’ personal data with other agencies (Third Parties). Verbal or written consent will always be sought from the member/client before data is shared.

Where anyone within our organisation feels that it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a manager or the Data Protection Officer. All such disclosures will be documented.

6. Security

This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

Any recorded information on clients, volunteers and employees will be:

  • Kept in locked containers, scanned onto a portable hard drive and secured;
  • Protected by passwords if kept on a computer, and encrypted where appropriate;
  • Destroyed confidentially if it is no longer needed, or if the individual requests it.

Access to information on the main database is controlled by a password and only those needing access are given the password. Employees, trustees and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

Notes regarding personal data of clients should be shredded or destroyed.

7. Data Recording and storage

We have a single database holding basic information about all clients and volunteers. The back-up copies of data are kept in a safe place.

We will regularly review our procedures for ensuring that our records remain accurate and consistent and, in particular:

  • We will keep records of how and when information was collected.
  • The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.
  • Data on any individual will be held in a single place as set out in our action plan, and all employees, trustees and volunteers will be discouraged from establishing unnecessary additional data sets.
  • Effective procedures are in place so that all relevant systems are updated when information about any individual changes.
  • Effective procedures are also in place to address requests from data subjects for access to, amendment of, or erasure of their information.
  • Employees, trustees and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping in compliance with the GDPR.
  • Data will be corrected if shown to be inaccurate.

We store archived paper records of clients and volunteers securely in the office.
Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.

8. Access to data

Information and records will be stored securely and will only be accessible to authorised employees and volunteers, and the individual to whom the information relates.

All clients and customers have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Manager within the required time limit.

Subject access requests must be in writing or by email. All employees, trustees and volunteers are required to pass on anything which might be a subject access request to the Data Protection Manager without delay. In accordance with the GDPR, we will provide personal data in a ‘commonly used and machine readable format.’ We also recognise the right of the individual to transfer this information to another Controller.

Where the individual making a subject access request is not personally known to the Data Protection Manager their identity will be verified before handing over any information.

The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.

We will provide details of information to service users who request it unless the information may cause harm to another person.

Employees have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Manager so that this can be recorded on file.

9. Transparency

We are committed to ensuring that in principle Data Subjects are aware that their data is being processed and:

  • for what purpose it is being processed;
  • what types of disclosure are likely; and
  • how to exercise their rights in relation to the data.

Data Subjects will generally be informed in the following ways:

  • Employees: in the staff terms and conditions
  • Volunteers: in the volunteer welcome/support pack
  • Trustees: in the roles and responsibilities/support pack
  • Clients: when they provide their information and consent to retain it is requested, or when they request services (on paper, online or by phone)

Standard statements will be provided to all staff for use on forms where data is collected. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

10. Consent

Staff details will only be disclosed for purposes unrelated to their work for the organisation (e.g. financial references) with their consent.

Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role.

Information about clients will only be made public with their explicit consent. (This includes photographs.)

Consent will be obtained from parents if children’s data is being stored or processed, depending on the age of the child/young person, in accordance with legislation.

‘Sensitive’ data about clients (including health information) will be held only with the knowledge and consent of the individual.

Consent should be given in writing, although for some services this is not always practicable. In these cases verbal consent will always be sought for the storing and processing of data, and records kept of the dates and circumstances. Online consent will be requested when clients sign up to services, donate or sign up to mailing lists. In all cases it will be documented on the database that consent has been given.

All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).

We acknowledge that, once given, consent can be withdrawn by the Data Subject at any time. There may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

11. Direct marketing

We will treat the following unsolicited direct communication with individuals as marketing:

  • seeking donations and other financial support;
  • promoting any of our services;
  • promoting our events;
  • promoting membership to supporters;
  • promoting sponsored events and other fundraising exercises;
  • marketing on behalf of any other external company or voluntary organisation.

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be asked to provide their consent. We do not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.

We will only carry out telephone marketing where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

12. Staff training and acceptance of responsibilities

All employees that have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures.

Data Protection will be included in trustee training and the induction training for all volunteers.

We will provide opportunities for all staff to explore Data Protection issues through training, team meetings, and supervisions.

13. Policy review

This policy will be reviewed and updated as necessary in response to changes in relevant legislation, contractual arrangements, and good practice or in response to an identified failing in its effectiveness.

In case of any queries in relation to this policy please contact our Data Protection Officer: Sue Stocks on 07534568020 or info@lewishamparentcarer.org.uk. Postal queries: Lewisham Parent and Carer’s Forum, Leemore Central Community Hub, Bonfield Road, Lewisham, London SE13 5EU.

Date Policy Adopted: 21st May 2018
Policy Review Date: 21st May 2020
A signed copy is in the office