Data Protection Policy
Adviza delivers services for young people and adults across the Thames Valley, including Connexions for Buckinghamshire County Council and the National Careers Service.
The purpose of this policy is to explain our approach to ensuring we comply with the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, largely replacing the Data Protection Act 1998, for when we collect, process and store personal data.
Adviza is committed to a policy of protecting the rights and privacy of individuals (including staff, clients and others) in accordance with all Data Protection laws, the Human Rights Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Common law of Confidentiality.
This policy ensures that Adviza, our employees, associates, volunteers and (where applicable) subcontractors:
- Comply with Data Protection Law and follow good practice.
- Protect the rights of all data subjects.
- Are open and transparent about how we process personal data.
- Protect ourselves from the risks of a data breach.
The policy applies to all Adviza personal data processing activities and to all staff, volunteers, associates and (where appropriate) subcontractors who process any personal data. Any breach of Data Protection Laws, other relevant law or the company’s policies is considered to be a disciplinary offence and in that event Adviza disciplinary procedures will apply.
As a matter of good practice, it is expected that other agencies and individuals working with Adviza (and have access to personal data) will have read and comply with this policy.
Adviza needs to process certain information about its staff, clients and other individuals it has dealings with for a range of purposes (e.g. to recruit and pay staff, to record progress and training) and to comply with contractual and legal obligations. Clients and staff have the right to confidentiality and therefore information that identifies individuals should be shared only when there are clear and valid reasons for doing so. Whether personal information is collected and used on paper or electronically, it must be processed in accordance with the law.
3. KEY TERMS AND DEFINITIONS
The following terms are used in this document:
Caldicott Guardian – means designated health or social care professional (usually a senior manager) responsible for ensuring that the (Caldicott) principles governing the sharing of patient-identifiable information are adhered to within their organisation.
Consent (of the data subject) – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Criminal Offence Data – means personal data relating to criminal convictions and offences, or related security measures and includes data about criminal allegations, proceedings or convictions.
Data controller – means a ‘person’ who (either jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be processed.
Data processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data subject – any living individual who is the subject of personal data.
Gillick Competence – whether or not a child is capable of giving the necessary consent will depend on the child’s maturity and understanding and the nature of the consent required. The child must be capable of making a reasonable assessment of the advantages and disadvantages of the treatment proposed, so the consent, if given, can be properly and fairly described as true consent." (Gillick v West Norfolk, 1984)
Personal data – means any information relating to an identified or identifiable natural person (data subject) directly or indirectly. This could include an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processing – means any operation or set of operations which is performed on personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, dissemination or otherwise making available, restriction, erasure or destruction.
Special Category Data – is broadly similar to the concept of sensitive personal data under the previous law. It includes an individual’s:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
4. LEGAL FRAMEWORK FOR DATA PROTECTION
Below is a brief summary of the laws relevant to the processing and sharing of personal information.
The General Data Protection Regulation
The General Data Protection regulation (GDPR), which comes into force on 25th May 2018, largely replaces the Data Protection Act 1998, governs the protection and use of personal information identifying living individuals. GDPR establishes data subjects’ rights in relation to the handling of their personal data, by data controllers and data processors. Data controllers and data processors must handle this information in accordance with standards in the GDPR known as the Data Protection Principles. These 6 principles require data to be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
For more information see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/.
The GDPR applies in the UK and is expected to continue to do so following the UK’s exit. The GDPR is expected to be supplemented by a new UK Data Protection Act later in 2018.
These Data Protection Laws are regulated by the Information Commissioner who has a role in promoting good practice and enforcing them by investigating breaches (for more information about the Act, see www.ico.org.uk
The GDPR provides the following rights for individuals (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ for more details):
The right to be informed about the collection and use of their personal data, including the purposes for processing their personal data, retention periods for that personal data, and who it will be shared with. This is called “privacy information” and must be provided to individuals at the time we collect their personal data from them or within one month of obtaining personal data.
- The right of access to their personal data (see below)
- The right to have inaccurate personal data rectified, within one month of a valid request to do so.
- The right to have personal data erased in certain circumstances (known as “the right to be forgotten”) within one month of a valid request to do so.
- The right to restrict processing in certain circumstances within one month of a valid request to do so (after which the data can be stored but not otherwise be processed).
- The right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling (which does not apply to any of Adviza’s activities).
- The right to complain to the Information Commissioner’s Office
Under the GDPR, data controllers have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into processing activities and that data is processed securely. This is known as “privacy by design”
Common Law of Confidentiality
The common law of confidentiality provides a measure of protection for individuals against unauthorised disclosure of personal information.
Of importance is that, where information has been given to another on the understanding that it will remain confidential, this must be respected unless there is a substantial public interest which overrides this right to confidence.
Human Rights Act 1998
The Human Rights Act incorporated the European Convention on Human Rights into English law. It is unlawful for a public authority to act in a way that is incompatible with these rights. Of relevance is the right contained in Article 8 which states that:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
However, this right is not absolute. The second part of Article 8 recognises that the right to privacy must be balanced with other public interests.
It is important, however, that any decision to override the right to privacy in the public interest must be proportionate to the aim.
Privacy and Electronic Communications (EC Directive) Regulations 2003
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Laws. They give people specific privacy rights in relation to electronic communications and include specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The Data Protection Laws still apply and the PECR just set out some extra rules for electronic communications but there are some differences and Adviza must make sure it complies with both. In particular, it’s important to realise that PECR apply even if we are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.
PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication and the rules are generally stricter for marketing to individuals than for marketing to companies. Usually specific consent is needed to send unsolicited direct marketing. The best way to obtain a valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from Adviza. The PECR are not covered further in this policy and more detail can be found at https://ico.org.uk/for-organisations/guide-to-pecr/.
5. TYPES OF DATA RETAINED AND WHEN IT MAY BE SHARED
There are three levels of information retained by Adviza:
1. Statistical information i.e. information from which the individual cannot be identified;
2. Basic personal information e.g. name, address, date of birth, telephone number and/or email address; and
3. Additional personal information
Statistical information may be shared within Adviza and externally for the following purposes:
To provide management information in order to
- Monitor service delivery
- Monitor outcomes and effectiveness of the service
- Plan service delivery effectively
- Provide partner agencies with the information to inform their planning and delivery of provision
The sharing of this aggregate information may be undertaken without seeking consent as individuals cannot be identified from the information. Care must be taken not to identify individuals inadvertently i.e. where information is so specific that it becomes possible for someone to identify an individual through their circumstances or where an individual could be identified when combining the statistical information with other readily available information (e.g. using a pin map to identify teenage parents in a village or ward where there is only one teenage parent).
Basic Personal Details
The following basic personal details are retained by Adviza in order to identify and keep in touch with clients, staff and others who come into contact with Adviza:
- First name(s) and surname
- Date of birth
- Address including postcode
- Telephone number – at home and mobile (if available)
- E-mail address (if available)
- Social media contact details
This personal information may need to be shared with other agencies where Adviza needs to work with these agencies on the client’s behalf to provide the full range of services to address that person’s needs. Basic information will be shared immediately with the other agency to ensure that all agencies involved are talking about the same person. The data subject must be informed of the sharing of basic information and, in most cases, a formal agreement must be in place with the other agency.
Additional Personal Information
Other personal information may be recorded which the data subject has shared with his/her Adviser. This may include (but is not limited to) the following, depending on the requirements of the service/purpose for data processing in question:
- A record of assessments
- Action plans or development plans
- Relevant health information
- Special educational needs statement or Education Health & Care Plan (EHCP) where appropriate
- Information regarding Special Educational Needs and Disabilities (SEND)
- Current status (e.g. in learning, self-employed, retired, unemployed, on apprenticeship, not known)
- Name of adviser
- Date and type of contact e.g. guidance interview, telephone, email, group session
- Names of persons in contact with the person, organisation and contact details.(Subject to written consent where required, in cases where sensitive information may be disclosed relating to a type of organisation, such as if a person is referred to a Drug Action Team or youth offending Team, or is in the care of Social Services.)
This information is kept so that Adviza can make sure that it provides appropriate support to the client. This information may also include “special category data” as defined above.
This additional personal information may be shared with other organisations to help the person progress. This information will be only be shared where there is a lawful basis for doing so and usually with the person’s consent (see below).
6. LAWFUL BASIS FOR PROCESSING
Under the GDPR a data controller must have at least one valid lawful basis in order to process personal data. There are six lawful bases (an Article 6 basis) for processing and no single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on the purpose of processing the personal data and relationship with the individual. The lawful basis for processing personal data also has an effect on the data subject’s rights (see below).
The six lawful bases are:
1. Consent: the individual has given clear consent for us to process their personal data for a specific purpose
2. Contract: the processing is necessary for a contract we have with the individual, or because they have asked you to take specific steps before entering into a contract
3. Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
4. Vital interests: the processing is necessary to protect someone’s life
5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Most lawful bases require that processing is ‘necessary’ (i.e. if the data controller can reasonably achieve the same purpose without the processing, then there is no lawful basis for processing and the data must not be collected and processed).
Adviza has prepared an audit of the personal data it processes that records the lawful basis for processing in each instance. When personal data not already included in the audit is proposed to be collected and processed, Adviza will determine the lawful basis before beginning processing, and document it in the data audit.
The lawful basis for processing can also affect which rights are available to individuals. For example, some rights will not apply:
However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.
Adviza’s privacy notices (see below) will include the lawful basis for processing as well as the purposes of the processing.
Adviza will only process special category data after identifying both a lawful basis for general processing and an additional condition for processing this type of data (an Article 9 condition). The available conditions for processing special category data are (in broad terms - see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/ for more details):
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law … providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest, on the basis of the law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of the law or pursuant to contract with a health professional;
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of the law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on the law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Adviza will only process criminal conviction data or data about offences after having satisfied itself that there is both a lawful basis for general processing and that the following additional condition for processing this type of data will be met (the Article 10 condition - see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/criminal-offence-data/
7. DATA PROCESSORS
Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract, including:
- The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.
- Contracts must also include as a minimum the following terms, requiring the processor to:
- only act on the written instructions of the controller;
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage sub-processors with the prior consent of the controller and under a written contract;
- assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract; and
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.
This applies to all Adviza’s data processors including subcontractors, associates, service providers (e.g. payroll, databases, IT services etc.). An appropriate data processing agreement must be in place before Adviza shares any personal data with anyone who will be acting as a data processor. Where Adviza is the data processor and another organisation (such as a commissioner) is the data controller, the consent of the controller must be obtained before a sub-processor can be engaged and a similar contract must be in place between Adviza and the sub-processor.
8. POLICIES FOR INFORMATION PROCESSING AND SHARING
Consent is a very important element of developing trust in working relationships with clients. Equally, we recognise that we often won’t need consent to process personal data because we have a different lawful basis.
Where consent is required, we recognise that GDPR sets a high standard for consent and that consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance our reputation. Under GDPR, consent requires a positive opt-in and the data subject has the right to withdraw that consent. Therefore, Adviza will not use pre-ticked boxes or any other method of default consent and consent requests will be separate from other terms and conditions.
When seeking consent, we will:
- Use clear, plain language that is easy to understand.
- Be specific and detailed so that we get separate consent for separate things.
- Name our organisation and any third-party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what we told the data subject.
- Keep consents under review, and refresh them if anything changes.
- Avoid making consent to processing a precondition of a service.
Where our consent practices prior to 25th May 2018 did not meet GDPR standards, we will refresh them.
We will not seek consent from staff and volunteers for processing their personal data, instead relying on contractual obligations, legal obligations and the legitimate interests of Adviza, the data subject and third parties (e.g. government agencies) as lawful bases for processing this information.
Information sharing can take place without the consent of the data subject, i.e. where there is another lawful basis for doing so. In all cases, we will ensure that information sharing is reasonable and expected by the data subject, making it clear in the privacy notice (or request for consent) why the information is being shared and who is involved. In general, we will only share additional personal data (see above), particularly special category or confidential information (i.e. where we explicitly offer a confidential service to clients), with the data subject’s consent, unless there is a legal or contractual obligation for us to do so.
Relevant age for providing consent to information sharing
Under the Data Protection Laws only children aged over 16 (this is expected to be reduced to 13 by the proposed new Data Protection Act) can make their own decisions about their information, unless there is a reason to suggest otherwise (this is expected to be reduced to age 13 by the proposed new Data Protection Act) can. For children under that age consent must be obtained by their parent/legal guardian and, if consent is obtained from children online, age verification measures must be in place.
Staff will need to use their professional judgement to decide if a client above the legal minimum age is competent to make their own decisions. When it comes to young people, staff should work in line with what is known as the ‘Gillick Ruling’ (see key terms for further information).
Refusal of consent
If a client refuses to share sensitive information with another agency then this should be noted on the client record and that information must not be shared unless any of the conditions in the next section apply.
We will ensure that it is as easy for a data subject to withdraw their consent as it was for them to give it, for example having a prominent statement on the same web-page as that used to gain consent in the first place.
Disclosing information Without Consent
Personal information should only be disclosed for the purposes identified in this section and in accordance with what the individual has been told. There are expectations if the information is required for the following purposes:
- Where there are child protection/safeguarding issues involved;
- Where there is a significant threat to life;
- Where the client needs urgent medical treatment;
- Where terrorism is a concern;
- Where the disclosure is necessary for the prevention of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature;
- The disclosure consists of information which is required by law to be made publicly available;
- The disclosure is required by law or by order of the court; or
- The disclosure is made in connection with legal proceedings.
These limits to confidentiality should be made clear to the client at the earliest opportunity and where confidentiality has to be broken, staff should seek to ensure that the client is informed first or as soon as possible afterwards (unless they have been instructed to otherwise by an appropriate authority (e.g. the Police).
Further sharing of personal data
The second principle of the GDPR states that “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes”.
The purpose for sharing data under this policy should be compatible with the provision of Adviza Services. That is, Adviza and its partner agencies can only share information relevant to the services provided for clients, e.g. around their training or support in career progression. Where it is proposed to share data a non-compatible purpose, it is the obligation of Adviza and its partner agencies to seek the consent from the client for the secondary use of the personal data.
When data is being shared with partner agencies for purposes compatible with the provision of Advizas’ services on a regular and systematic basis, Adviza will complete appropriate data sharing/processing agreements with those agencies. This will also be pursued as best practice, where such data sharing is only on an ad hoc basis, recognising that there may be circumstances (e.g. urgency) where this is not possible).
Minimal identifiable information
In line with the third principle of Data Protection, “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” It is essential that the data collected by Adviza and its partner agencies that is shared with other parties is the minimum identifiable information necessary for the purpose of providing appropriate Adviza services to the client.
Accuracy of the data
It is the responsibility of Adviza and its partner agencies to ensure and maintain the accuracy of personal information they share with other organisations under this policy. Where an organisation becomes aware that information they have provided may be inaccurate, they must take steps to inform all partner agencies of the updated data. Information discovered to be inaccurate must be notified to the originating organisation.
Where a data subject has requested inaccurate personal data to rectified, or completed if it is incomplete, we will ensure we do so, free of charge, within one month of a valid request to do so. We will only refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature and giving our justification (ensuring that we notify the individual within one month of receiving their request). In some such cases we may, instead of refusing the request, charge a "reasonable fee" to deal with the request based on the administrative costs of complying with the request (ensuring that we notify the individual within one month of receiving their request).
Right to be forgotten
The GDPR introduces a right for individuals to have personal data erased. The right is not absolute and only applies in certain circumstances. The right to erasure does not apply in a range of other circumstances (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ for more detail)
Adviza will comply, free of charge, with any valid request to erase a data subjects’ personal data within 1 month of receipt of the request and inform all third-parties to whom the data has been disclosed, asking them to do likewise.
We will only refuse to comply with a request for erasure if the request is manifestly unfounded or excessive and giving our justification (ensuring that we notify the individual within one month of receiving their request). In some such cases we may, instead of refusing the request, charge a "reasonable fee" to deal with the request based on the administrative costs of complying with the request (ensuring that we notify the individual within one month of receiving their request).
Right to restrict processing
The GDPR introduces a right for individuals to request the restriction or suppression of their personal data. The right is not absolute and only applies in certain circumstances. The right to restriction does not apply in a range of other circumstances (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/ for more detail).
Adviza will comply (i.e. store but not process data), free of charge, with any valid request to restrict processing a data subjects’ personal data within 1 month of receipt of the request and inform all third-parties to whom the data has been disclosed, asking them to do likewise.
We will only refuse to comply with a request for restriction if the request is manifestly unfounded or excessive and giving our justification (ensuring that we notify the individual within one month of receiving their request). In some such cases we may, instead of refusing the request, charge a "reasonable fee" to deal with the request based on the administrative costs of complying with the request (ensuring that we notify the individual within one month of receiving their request).
Right to portability
The GDPR introduces a right for individuals to obtain and reuse their personal data for their own purposes across different services. The right is not absolute and only applies in certain circumstances. The right to portability does not apply in a range of other circumstances (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/ for more detail).
Adviza will comply, free of charge, with any valid request to provide personal data under this right within 1 month of receipt of the request or explain why we are not doing so informing the data subject of their right to complain to the Information Commissioners’ Officer and to judicial remedy.
Right to object
The GDPR introduces a right for individuals to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Adviza will offer a way for individuals to object online and stop processing the personal data if such an objection is received unless:
- we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims; or
- we are conducting research where the processing of personal data is necessary for the performance of a public interest task.
We will always stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.
For more detail see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/.
Security of Personal Information
The sixth principle of Data Protection requires that appropriate measures should be in place to protect the personal information from unauthorised access, unlawful processing, or accidental loss, damage or destruction. Our IT Policy (IT3) provides specific details on our approach to data security, together with the specifications of our suppliers (e.g. database suppliers) and our security accreditations (i.e. Cyber Essentials).
Adviza and its partner agencies are responsible for the security of information we hold. We and each partner agency must take all reasonable care and employ appropriate physical, technical and organisational safeguards to protect the personal data under this data protection policy. Partner agencies must agree on the standards required for protecting the data, for example, the storage safeguards for information in hardcopy and electronic format, security of data in transmission and security standards for access to the data. As a minimum, partner agencies should only allow direct access to their database to staff that have password access to the system. Paper records should be located in a secure, non-portable filing system that is not accessible to the public and can be locked when not in use. Higher safeguards will be required where the personal data is of a sensitive nature.
Adviza employees all deal on a daily basis with other peoples’ personal data and have an absolute responsibility to keep this information as safe and secure as possible. This care must be exercised whether staff are working in the office, travelling, attending external meetings or working in schools, job centres etc. when particular extra vigilance is required. Appropriate training on Data protection will be provided to all Adviza staff and associates.
From time to time Adviza may commission consultants to undertake research aimed at informing the development of the Adviza service. In addition, Adviza often uses sub-contractors to deliver services. When contracting with consultants or sub-contractors, contracts should specify that all client information used will remain the property of Adviza and that during the course of the research/delivery of service, consultants and sub-contractors will abide by the Adviza data protection policy.
Storing paper documents.
Paper records must only be kept for as long as necessary and shredded for disposal thereafter (with appropriate records kept of all such disposals). In public areas paper documents should not be left out unattended and should be kept in locked storage when not in use or overnight. Documentation including personal data should be kept in locked cabinets certified to SEAP class 2.
What kinds of data are especially sensitive?
All information about identifiable individuals is subject to the Data Protection Laws. However, extra care should be taken with the following types of personal data:
- Data which is classed as ‘special category data’ or ‘criminal conviction data’ under the GDPR and other Data Protection Laws.
- Large amounts of personal data - for example a database containing 1,000 or more entries. This could have a more serious impact if accidentally lost.
- Information which is more likely to cause distress to an individual if it is accidentally lost - for example, information about someone’s personal circumstances.
Almost all information provided by Adviza or relating to Adviza clients would fall into this category.
Recognising this, Adviza has conducted, and will maintain, a Data Protection Impact Assessment in respect of all ‘special category data’ or ‘criminal conviction data’ it holds. Data Protection Impact Assessments will be carried out in all other circumstances required by the Data Protection Laws (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/).
What are the implications if personal data is accidentally lost?
Data losses of any scale must initially be reported through the line management structure. Any incidents involving the loss of data must also be notified to the Head of Compliance and Deputy Chief Executive.
If personal data is transported between centres, from work to home or to other locations, there is inevitably an extra degree of risk that the information will accidentally be lost. This applies whether the information is in paper form, on a memory stick, or a laptop, and even if passwords are used to protect documents. Therefore, such physical transportation of data should not take place unless absolutely unavailable.
If personal data is lost, there could be the following implications:
- The data could be found and read by someone outside Adviza. This would be an ‘unauthorised disclosure’ of personal data and a breach of the Data Protection Laws.Such a loss may also cause distress to the subjects of the data and in some cases may even put them at risk.
- Unless, the breach is “unlikely to result in a risk for the rights and freedoms of data subjects” Adviza must report the loss to the Information Commissioner within 72 hours if feasible (and if not a justification must be provided).
- Any breach of personal data for which Adviza is a data processor must be notified to the controller without undue delay after becoming aware of the breach.
- We could face enforcement action (including hefty fines) by the Information Commissioner, the details of which will be made public. This has already happened to a number of organisations including Government departments, NHS Trusts and a number of charities. This will inevitably lead to bad publicity and damage to Adviza’s reputation.
- Individual staff can also be liable for breaches of the Data Protection Laws, as well as Adviza itself.
- Mitigating actions are likely to be required to recover the data and/or minimise its impact on the data subject.
- Where there is a high risk to the rights and freedoms of the data subject, the controller (usually Adviza) must communicate the breach to the data subject without undue delay.
Our Security Incident Policy (SIP1) provides specific details on our approach to data breaches.
Guidance for handling personal data when based in an Adviza office
Accessing and personal data within the Adviza environment carries less risk than transporting data externally but care must still be taken to protect information.
- It is safer to view information electronically rather than print it out and data must always be saved to the network rather than to a local disk.
- Printed material must only be kept for as long as necessary and shredded for disposal.In public areas it should not be left out unattended and should be kept in locked storage overnight or when not in use, in locked cabinets certified to SEAP class 2.
- In public areas, extra care must be taken to ensure that personal information, either on a screen or in paper form, is not visible to visitors.
- Notes made in diaries or notebooks about clients and their personal details, or notes documenting meetings with or about clients, should be transferred to the database or a secure filing system as soon as possible.The original notes should be destroyed.
Scanning and storing hard copy documents.
When receiving documents from another agency or creating a written document from a template, scan the document and copy it into the database within the record. Delete the scanned version that sits on your PC/laptop and/or within Citrix. This method should be appropriate for the majority of hard copy documents received or generated.
A few documents may contain very sensitive data which is not appropriate to put onto the database. These documents must be kept safe within a locked cabinet in an appropriate Adviza Centre. These documents should be reference material to enable you to provide appropriate actions and support to the client concerned. There should be no need to transport these documents.
Guidance for transporting personal data
Adviza accepts that it is impossible to eliminate the transport of all personal data, but by following the guidance in this checklist it should be possible to reduce it to a minimum:
- Ask yourself if it is really necessary to carry personal data.If it is unavoidable it is safer to carry information on an Adviza laptop (which is encrypted and secure) than in paper form or on a memory stick.
- If you need to carry paper data to another work centre or for a meeting, only take the documents you need.
- All documents should be in a folder so that individual pieces can not get dropped inadvertently, and carry the folders in a briefcase or bag.
- When travelling by car store the document folder(s) and/or laptop in the boot of the car so that they are out of sight. It is obvious laptops are targets for burglary, but so are briefcases/bags/ folders as they could contain credit cards etc.
- When travelling, try to keep the information with you at all times rather than leaving it in a car or otherwise unattended
Client’s Access to their Information
Under the GDPR, data subjects have rights to have access to personal information about them held by any organisation. These requests – “subject access requests” (SAR)– must be fulfilled within 1 calendar month and no charge can be made for providing the data (unless the request is manifestly unfounded or excessive, particularly if it is repetitive, in which case a reasonable fee can be charged based on the administrative cost of providing the information and justification must be provided).
Each partner agency has responsibility for ensuring that data subjects are informed that they have the right to see a copy of the information it holds and are provided with access to personal information held about them in accordance with the requirements of the Data Protection Laws.
If a client requests to see their records, they can either be provided with a printed version or be shown them on screen. This does not have to be immediate but must be provided within 1 calendar month.
Retention of personal data
The fifth principle of Data Protection requires that personal data should be kept only “a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.”
Paper records will be disposed of in such a way that they cannot be identified (e.g., by use of a shredding machine). Electronic records and any back up files will be electronically deleted from the hard drive of the computer system. Adviza annually archives and deletes client records from the databases we use, in accordance with the company’s data retention schedule (included in the data audit. Partner agencies will take responsibility for secure destruction of personal data.
Further details on our approach to document retention and archiving are provided in our Archive and Document Retention Policy (DR01).
Recording of information for a named individual
When information is received from a source other than directly from the client the source must be recorded and the data subject informed that Adviza is processing their personal data (if they have not already been so informed).
All requests for information and disclosures must be recorded. The log of shared data is held by the system administrator.
Recording of information in bulk from another organisation
All requests for information in bulk and disclosures in bulk must be recorded in the log held by the data controller.
This is to ensure there is an audit trial for data emanating from another organisation.
9. FURTHER OBLIGATIONS
Data Protection Officer
The GDPR requires Adviza to appoint a Data Protection Officer. This is part of the remit of the post of Head of Compliance.
Registration with the Information Commissioner’s Office
Adviza completes a Notification to the Office of the Information Commissioner as required under the Data Protection Laws, on an annual basis.
It is the responsibility of all staff, who have authorised access to the data covered by this policy, to be are aware of their obligations to safeguard that information under the Data Protection Laws and related legislation. Staff should be aware that any breach of this policy could be a matter for disciplinary action, and that it may provide ground for a complaint under the Data Protection Laws against them, which may result in criminal or civil action against them.
Adviza has a clear and transparent complaints procedure. If any data subject is unhappy about how information held about them has been shared they should make a formal complaint to the Adviza Data protection officer in the first instance, and then the Information Commissioner.
10. REVIEW OF THE POLICY
This policy will be reviewed annually. However, such reviews will not prevent ongoing continuous improvement.
11. CONTACT FOR THE POLICY
For all enquiries regarding this policy, please contact:
Data Protection Officer, Adviza, 11th Floor, Ocean House, the Ring, Bracknell, Berkshire RG12 1AX.
 In this policy Data protection Laws means
the Data Protection Act 1998, until the effective date of its repeal
the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK, and
any successor legislation to the Data Protection Act 1998 and the GDPR, in particular the Data Protection Bill 2017-2019, once it becomes law;
Sign up to our newsletter today to receive latest news updates and information.
We feel very lucky to have [adviser] as part of our extended careers team and we know that we can always call upon her if we need...Read More