DATA PROTECTION POLICY
In accordance with the requirements of the Data Protection Act 1998 and GDPR
Area 43 needs to keep certain information about employees, volunteers, clients and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and obligations to funding bodies, the Charities Commission and Welsh Government complied with. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this, Area 43 must comply with the 6 Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act) and the General Data Protection Regulations 2018.
Article 5 of the GDPR requires that personal data shall be:
- “a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Area 43 and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, Area 43 has developed this Data Protection Policy.
Status of the Policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees (and volunteers) will abide by the rules and policies made by Area 43 from time to time. Any failure to follow the policy can therefore result in disciplinary proceedings.
Any member of staff, volunteer, trustee or client who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the Data Protection Officer initially. If the matter is not resolved it should be raised as a formal grievance.
Notification of Data Held and Processed
All staff, volunteers, trustees, clients and other users are entitled to:
- Know what information Area 43 holds and processes about them and why.
- Know how to gain access to it.
- Know how to keep it up to date.
- Know what Area 43 is doing to comply with its obligations under GDPR.
Responsibilities of Staff
Staff are responsible for:
- Checking that any information that they provide to Area 43 in connection with their employment is accurate and up to date.
- Informing Area 43 of any changes to information which they have provided, e.g. changes of address.
- Checking the information that Area 43 will send out from time to time, giving details of information kept and processed about staff.
- Informing Area 43 of any errors or changes. Area 43 cannot be held responsible for any errors unless the staff member has informed Area 43 of them.
If and when, as part of their responsibilities, staff collect information about other people, (e.g. about the personal circumstances and details of clients), they must comply with the guidelines for staff.
All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely.
- Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
Personal information should be:
- kept in a locked filing cabinet; or
- if it is kept electronically, encrypted and password protected.
Information stored outside of the EU – Email
Area 43 uses GSuite (Google), which is GDPR compliant, as its email host. Google servers may be located outside of the EU. Google uses the EU-US Privacy Shield Framework; this means it has adequate security for the transfer of data between the EU and the US in order to comply with data protection requirements.
More information on the Privacy Shield Framework can be found at: https://www.privacyshield.gov/welcome
People following an Agored Cymru Unit, Accreditation or Qualification can access the
Rights to Access Information
Staff, volunteers, trustees, clients and other users of Area 43’s services have the right to access any personal data that are being kept about them either on computer or in certain files. Any person who wishes to exercise this right can make their request either verbally or in writing to the Data Protection Officer.
In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made verbally or in writing.
Area 43 will make no charge for an access request, however Area 43 may charge a reasonable fee if an individual requests further copies of their data following a request.
Area 43 aims to comply with requests for access to personal information as quickly as possible, and will ensure a response is provided within 1 month.
Publication of Area 43 Information
Information that is already in the public domain is exempt from the 1998 Act. It is Area 43’s policy to make as much information public as possible, and in particular the following information will be available to the public for inspection:
- Names of Area 43 Trustees and senior staff with significant financial responsibilities (for inspection during office hours only)
- List of key staff
- Photographs of key staff
Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the Data Protection Officer.
Area 43 can only process personal data with the explicit consent of the individual and this consent can be withdrawn at any time by notifying the Data Protection Officer. Agreement to Area 43 processing some specified classes of personal data is a condition of acceptance of volunteer placements, induction of trustees and a condition of employment for staff. This includes information about previous criminal convictions.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 10 and 18. Area 43 has a duty under the Children Act and other enactments to ensure that staff are suitable for the job, and clients for the courses offered. Area 43 also has a duty of care to all staff and clients and must therefore make sure that employees and those who use Area 43’s facilities do not pose a threat or danger to other users.
Area 43 will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. Area 43 will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example.
Processing Sensitive Information
Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. Recognising that this information is considered sensitive and the processing of it may cause particular concern or distress to individuals, staff and clients will be asked to give express consent for Area 43 to do this. Offers of employment, training or voluntary places may be withdrawn if an individual refuses to consent to this, without good reason. More information about this is available from the Data Protection Officer.
The Data Controller and the Data Protection Officer/s
Area 43 is the Data Controller under the Act and is registered with the Information Commissioner’s Office under the registration number Z5483358, and the board of trustees is therefore ultimately responsible for implementation. However, there is a designated Data Protection Officer dealing with day-to-day matters. The first point of contact for enquirers is Sally Jones, who may either deal with the enquiry herself or refer it to another designated data protection officer.
If you think your data has been misused or that Area 43 has not kept it secure, you should contact Sally Jones. If you’re unhappy with the response or if you need any advice you should contact the Information Commissioner’s Office (ICO).
Retention of Data
Area 43 will keep some forms of information for longer than others. No information will be kept longer than necessary. Details can be found in Area 43’s Document Retention Policy.
Disposal of Data
When personal data is no longer required, or has passed its retention date, paper records will be disposed of securely.
Electronic records must be permanently deleted, with particular care taken that ‘hidden’ data cannot be recovered.
Compliance with the 1998 Act and GDPR is the responsibility of all members of Area 43. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to Area 43 facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated Data Controller.