General Data Protection Regulation Policy
Dear All,
As of 25th May 2018 we are now all working in a new data protection environment following the General Data Protection Regulation (GDPR).
Our organisation already places data privacy and security at the core of how we work so that the often very sensitive information relating to the people we support is kept secure.
This policy takes data security to an enhanced level recognising that the data we process on behalf of our stakeholders (including trustees, employees, people we support, volunteers, donors and third-party vendors) belongs to the individual rather than to the organisation. To support this, we have developed some new procedures such as a Privacy Notice and Consent, a Subject Access Request where individuals can request a copy of their data, a Data Impact Assessment that is required for all new projects and services going forward, and the appointment of a Data Protection Officer (DPO) responsible for coordinating these aspects.
If there is one message we would like you to take away from this Policy it is that the data we hold on an individual is the property of the individual. Each of us is a custodian of that data for the individual and the data must be treated with the utmost respect for privacy. We all must promote a positive culture of data protection compliance across our organisation.
Thank you for your support in this important area of our work.
Heather Benjamin, Chair of Trustees
Paul Snell, Chief Executive
25th May 2018
--------------------------------------------------------
This Policy represents the policy of the Walsingham Support Group1 on data privacy and security policy following the General Data Protection Regulation (GDPR).
Walsingham Support is registered with the Information Commissioner's Office (ICO). The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Our Data Protection Officer (DPO) is Chris Ratcliffe. The Subject Access Request Coordinator is Ravanti Halai. They can be contacted at [javascript protected email address]
This Policy contains 4 appendices -
• Appendix 1 is “Privacy Notice and Consent”;
• Appendix 2 is “Form 1 Data Trigger Events and Guidelines”;
• Appendix 3 is “Data Retention Policy”;
• Appendix 4 provides a specimen “Data Asset Register”
This Policy is reviewed in April each year as well as updated on an ongoing basis to ensure that it remains up to date and in line with operational experience.
Each member of staff has ownership of this Policy and so that the member of staff most closely connected to the data has responsibility for taking the appropriate action in relation to it except a data breach must always be reported to the DPO.
The terms “data” and “information” are used interchangeably.
“Data” means any information by which an individual can be identified e.g. email, name, address.
“Processing” means handling any data.
The identity of any individual contacting us in relation to their data must be verified by a valid and current photo ID such as passport or driving licence.
1 Recording and managing ongoing consent
• Individuals may consent to the processing of their data by acknowledging that they have read and understand the Privacy Notice and Consent. There is a specially drafted version for job applicants and current and former Walsingham Support employees available on the website.
• If consent cannot be given at the time of the data acquisition (such as with people we support not being able to give informed consent), we will rely on our legitimate interests lawful basis for processing their data PROVIDED in each case we -
o Identify the legitimate interest
o Show that processing is necessary to achieve it, and
o Balance it against the individual’s interests, rights and freedoms.
• The record of when and how we got consent from an individual will be the effective administration of sending and receiving back a signed Privacy Notice or the electronic record of giving consent.
• The Privacy Notice and Consent will be refreshed for appropriateness as part of the annual review. The Privacy Notice and Consent is attached as Appendix 1.
• Individuals may withdraw their consent at any time by contacting us at [javascript protected email address] or through their usual Walsingham Support contact and by completing Form 1 (see Appendix 2).
• Withdrawals of consent will be acted upon within one month from the date Form 1 is received with sufficient information and document support for ID verification.
• Withdrawal of consent may mean that the appropriate service cannot then be delivered.
2 Ensuring the personal data we hold remains accurate and up to date
• Individuals may challenge the accuracy or completeness of the information we hold about them by completing Form 1. If it is the case that the information was inaccurate or incomplete, we will correct the record within one month. If the request is complex or there are a series of requests this may be extended to two months.
• The identity of the individual must first be verified by photo ID.
• We will then inform any data processors (third parties) we disclosed the information to about the corrections where possible.
• In case we do not take action in response to a request for correction, we will explain why to the individual, informing them of their right to complain to the Information Commissioner’s Office (ICO). The ICO’s helpline is 0303 123 1113.
• Our Data Retention Policy includes rules for creating and keeping records including emails (see Appendix 3). Each manager of each service and department is required to continually review its systems and manual records to ensure the information we hold continues to be adequate for the purposes it was collected including updating records and removing legacy records in accordance with the Data Retention Policy.
• To assist in this, each service and department is required to maintain their own Data Asset Register (see Appendix 4 for specimen form).
3 Ensuring we securely dispose of personal data that is no longer required or where an individual has asked for it to be deleted
• Individuals may request the deletion of their data we hold about them by completing Form 1.
• The identity of the individual must first be verified by photo ID.
• We will then inform any data processors (third parties) we shared the information with about their request for deletion.
• The information from any backup systems must also be deleted.
• Our Data Retention Policy advises on the disposal of various categories of data, and advises on its secure deletion so that personal data is not disclosed during deletion.
• The Data Retention Policy is continually reviewed to make sure it continues to meet business and statutory requirements including variances in local authority contracts.
• Responsibility for retention and deletion is assigned to the department or service most closely connected to the individual.
• If we use third parties to delete personal data, we will ensure the contract includes the requirement for them to take appropriate security measures and to allow us to undertake an audit of their work.
4 Responding to an individual’s request to restrict the processing of their personal data
• We will consider and if required block or restrict the processing of personal data if an individual -
o Contests the accuracy of their personal data until its accuracy is verified
o An individual has objected to the processing of their personal data
o There is no lawful basis for processing that individuals personal data
o If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
• The individual must first complete Form 1 and have their identity verified by photo ID.
• We will then act on an individual’s request to block or restrict the processing of their personal data.
• We will then inform any data processors (third parties) we shared the information with.
• We will inform individuals when we lift a block or restriction on processing.
5 Allowing individuals to move, copy or transfer their personal data from one IT environment to another in a safe, secure and usable way
• We recognise that the right to data portability allows individuals to obtain and reuse their personal data for their own purpose across different services.
• Individuals may submit a request for data portability to us by completing Form 1.
• The identity of the individual must first be verified by photo ID.
• We recognise and respond to any individual request in line with our legal obligations and statutory timescales usually within one month (or two months if the request is complicated or we receive a number of requests).
• We provide the personal data in a commonly used and machine-readable format if possible. If it is not possible, the paper data must be securely collected or delivered by or to the individual or by a named person in the new service provider responsible for that individual.
• The medium in which the data is provided must have appropriate technical measures in place to protect the data it contains. In the case of people we support moving to another care provider, we will seek to transfer their data by secure FTP (file transfer protocol) through our IT Department.
• The purpose of this is to ensure that the medium in which the data is provided allows individuals to move, copy or transfer their data easily from one organisation to another without hindrance.
• In case we are not taking action in response to a request, we will explain to the individual within one month the reasons, informing them of their right to complain to the ICO. The ICO’s helpline is 0303 123 1113.
6 Handling an individual’s objection to the processing of their personal data
• Individuals have the right to object to the processing of their data.
• This will be communicated to them at the point of first communication through the Privacy Notice and Consent.
• Individuals have the right to submit an objection request by completing Form 1.
• The identity of the individual must first be verified by photo ID.
• We will act on an individual’s objection to the processing of their personal data according to the legitimate grounds outlined in the GDPR.
• Our staff are receiving training to ensure each member of staff can recognise and respond to an objection raised by an individual.
• Requests of objection from an individual are to be raised by staff to their immediate manager who in-turn may raise it with the DPO.
7 Managing information risk effectively so that management and staff understand the impact on stakeholders of personal data related risks
• This Policy demonstrates our commitment to clearly communicate a set of security policies and procedures, which put data security at the core of our operations.
• Each and every staff member is responsible for good data security to support good information risk management.
• To support staff in this in relation to electronic data, our information technology (IT) processes will identify vulnerabilities and potential threats connected with our services.
• No personal information can be left in plain view when a member of staff leaves their desk.
• All personal information must be locked away at the end of the working day.
• In relation to paper data, it is the responsibility of all staff in the services to ensure to the best extent that is reasonably practical, that data is secure. The following is recommended:
o All personal staff information is kept under lock and key
o All data relating to online banking records of the people we support is kept under lock and key
o The office door in a service is always closed if the office is empty and locked if the premises are vacated for longer than one hour
• We are moving towards being a paperless organisation to help us secure data as well as corporate responsibility towards the environment. Personal data on the people we support is uploaded to the RDS (remote desktop server).
• By applying these controls we can all contribute towards reducing personal data risks.
• The effectiveness of these controls will form part of the annual review.
• The Data Breach Log is maintained by the DPO to respond to and to record data breaches.
• We will ensure an adequate level of protection for any personal data processed by others on our behalf that is transferred outside (if at all) and within the European Economic Area.
8 Information data map and Risk Register
• We have carried out an organisation wide data mapping exercise that has identified the data that we process and how it flows through our organisation. This was carried out by each constituent part of the organisation by persons with in-depth knowledge of our working practices.
• Our information data map identified and recorded our processing of personal data including how we hold it, where it came from, who we share it with, and what we do with it.
• The master information data map is maintained by the DPO.
• Identified data risks are documented in the Risk Register maintained in Head Office.
• The results of the data mapping have formed the basis of each department and service maintaining its own Data Asset Register.
• There will arise from time to time scenarios not covered by this Policy. Please refer these to the DPO.
9 The lawful basis for data processing
• The two most appropriate lawful grounds for our data processing are:
o Consent: We will only obtain personal data from an individual with their consent (which includes their right to withdraw consent); or
o Legitimate interests: In case informed consent cannot be given, processing is necessary for our legitimate interests except where such interests are overridden by the interests or fundamental rights and freedoms of the individual. This assessment must be carried out on a case by case basis. If any individual objects to our processing of their data, we must be able to demonstrate compelling legitimate grounds for the processing of the data that overrides the interests, rights and freedoms of the individual.
• The GDPR contains other lawful grounds for processing including -
o Processing is necessary for the performance of a contract with the individual or to take steps to enter into a contract
o Processing is necessary for compliance with a legal obligation other than contractual obligations
o Processing is necessary to protect the vital interests of the individual or another person
• We must assess which lawful ground we are relying on in each case and document the lawful ground, for example, in our Privacy Notice. In the case of grounds other than “Consent” or “Legitimate Interests”, please contact the DPO for advice.
10 Privacy Notice and Consent: how we ask for and record consent
• Consent will usually be the most appropriate lawful ground for processing data.
• We provide a Privacy Notice and Consent to every individual we process data on in the case that consent is the most appropriate lawful ground for processing data.
• In requesting consent by the Privacy Notice and Consent, this is prominent and separate from our terms and conditions.
• Our Privacy Notice and Consent requests individuals to positively opt in by using unticked opt-in boxes and / or signing the Privacy Notice and Consent.
• Our Privacy Notice and Consent uses clear, plain language that is easy to understand.
• It specifies why we want the data and what we are going to do with it.
• We will consider requests to allow individuals to consent separately to different types of processing of data wherever appropriate.
• It names Walsingham Support and its subsidiaries and any other third-party organisations who will rely on this consent.
• We tell individuals they can withdraw their consent at any time and how to do this.
• We will try to accommodate an individual who refuse to give consent. However, this may mean that we cannot provide certain services to that individual.
• Our Privacy Notice and Consent will be refreshed as part of the annual review.
• Our Privacy Notice and Consent contains a statement that we apply best practice standards to processing data on an individual whether we obtained it directly from the individual or lawfully from a third party.
• Our Privacy Notice and Consent is provided free of charge.
11 Responding to individuals' requests to access their personal data
• Individuals have the right to submit a data access request (known as “subject access request”) by completing Form 1. Please refer to the accompanying Guidelines to Form 1.
• Before we can respond to a subject access request, the identity of the individual must first be verified by photo ID.
• We will respond to individuals’ subject access requests free of charge except as to postage within one month (or two months if the request is complex or part of a series of requests) of a completed Form 1.
• The subject access request is made initially either directly to the Subject Access Request Coordinator, Ravanti Halai tel. 020 8343 5606 [javascript protected email address] or by submitting a request through the individual’s Walsingham Support contact.
• Any member of staff may have to deal initially with a data access request.
• Further training and advice is available in this area to any member of staff by contacting the Subject Access Request Coordinator.
12 Compliance monitoring with this GDPR Policy
• Quality will monitor compliance with this Policy within its quality audit structure.
• Changes to the Policy will be made on an ongoing basis in the light of experience. The current version of the Policy will be maintained by the DPO on our intranet.
• All staff are responsible for implementing this Policy as it relates to data security in their day to day work.
• The DPO and Subject Access Request Coordinator have additional responsibilities for carrying out this policy.
• The Board will be given a copy of the annual data audit report.
13 Data protection awareness training for all staff
Learning & Development will -
• Provide induction training on this Policy for all new staff.
• Provide specialist training for staff with specific duties such as information security, payroll and finance.
• Promote ongoing awareness generally in data protection by intranet articles, circulars, team briefings and posters and internal training relating to best practice.
14 Written contracts with third party data processors
• When we use a third-party data processor to process personal data on our behalf, we ensure there is a written contract in place for the processing of data according to the requirements of the GDPR.
• We have reviewed existing contracts to ensure they contain appropriate contractual clauses.
• We only use processors who have signed up to approved industry codes of conduct and have been industry certified in data security.
15 Data protection is integrated into our processing activities
• We continually look to minimise the amount and type of data we collect, process and store across all areas of our organisation.
• To reduce risk of a data breach, we will pseudonymise/ anonymise personal data when appropriate by encryption or otherwise to make the data unidentifiable to an individual. This will include encryption of the hard drive in computer equipment such as desktops and laptops and encrypted memory sticks (pseudonymising) and turning data into a form which does not identify individuals (anonymisation).
• We will carry out an annual review of our public-facing documents, policies and Privacy Notices to ensure they meet the transparency requirements under the GDPR.
• We will ensure that any new processes or systems that we introduce in our services enable us to comply with individuals’ rights under the GDPR.
• We will create, review and improve our data security features and controls on a continual basis.
16 A Data Protection Impact Assessment (DPIA) will be undertaken for any new project linking in with our existing risk and project management processes
• The DPIA will help us identify and risk manage the data protection risks of any new project.
• A DPIA is required for any new project and incorporated into the overall project plan.
• DPIA documentation and training is available for staff on how to conduct the assessment.
• The project manager is responsible for completing the DPIA.
• The DPIA must be completed as part of the project brief.
• The DPIA will include consultation with the DPO, data processors, third party contractors and with any applicable public authorities and their representatives.
• If the DPIA indicates elevated data security risks that we are unable to manage by reasonable means then the ICO will be consulted for guidance.
• The effectiveness of the DPIA framework will be part of the annual review.
17 Identifying, reporting, managing and resolving any personal data breaches
• How to recognise and report breaches of data security is part of data training. It is largely a matter of common sense however as to what constitutes a data breach. A common example is sensitive data being emailed to the wrong person. Staff are reminded to always check the intended recipient when sending personal data by email and not rely on its auto suggest function.
• It is very important that when a data breach becomes known to a staff member, it is reported as soon as is possible to their immediate manager who in-turn will notify the DPO or in a serious case directly to the DPO. We are required to report to the ICO within 72 hours breaches risking an individual’s rights and freedoms.
• The individuals affected will be notified by the DPO.
• The DPO keeps a Data Breach Log of the type, volume and cost of incidents to identify trends and help prevent recurrences.
Appendix 1
Privacy Notice and Consent
As of 25th May 2018, the General Data Protection Regulation (GDPR) introduces enhanced data protection and privacy for all individuals within the European Union. This Privacy Notice is being sent to you because we require your consent to process your personal data. If you would like to know more about Walsingham Support’s GDPR Policy then please follow the link here [website]. We celebrate the fact that everyone is unique and is at the centre of everything we do.
Walsingham Support is registered with the Charity Commission number 294832. Our registered address is Suite 500, 1ST Floor, Building 4, North London Business Park, Oakleigh Road South, New Southgate, London N11 1GN. This Privacy Notice and Consent also applies to our subsidiaries, Walsingham Support Community Solutions and Salters Hill Charity Limited.
You are being sent this Privacy Notice because we process your personal data as a person we support, supporter or family member of such person, trustee, member, staff, volunteer, adviser, complainant, enquirer, representative of an organisation we have a relationship with, donor, or other connected person and so that you can give us your consent to our processing your personal data.
1. The purpose we need to process your data is for some or all the following reasons:
• compliance with legal, regulatory and corporate governance obligations and good practice
• gathering information as part of inspections by regulatory bodies or legal proceedings or requests
• ensuring business policies are adhered to (such as policies covering security and Internet use)
• operational reasons, such as recording services, training and quality control
• ensuring the confidentiality of commercially sensitive data
• security vetting, examining complaints and allegations of criminal offences
• preventing unauthorised access and modifications to systems
• checking references
• ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences
• staff administration and assessments, monitoring staff conduct, disciplinary matters
• enabling us to meet our charitable objects generally.
2. In processing your data, in each case, we have balanced our own legitimate interests against your interests and fundamental rights and freedoms. We believe that it is in both of our interests for our processing your personal data to help us deliver on the important work that we do in the community.
3. The type of personal information we process may include your personal details, family details, lifestyle and social circumstances, membership details, goods and services, financial details, education and employment details, health and medical records, visual images, personal appearance and behaviour, or living accommodation details. We may also process special category data including your physical or mental health details, racial or ethnic origin, religious or other beliefs of a similar nature, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership.
4. We shall ensure that the processing of your personal data by any recipient or categories of recipients such as public authorities will be in compliance with the applicable data protection rules according to the purposes of the processing.
5. We will not transfer your personal data outside of the United Kingdom or European Economic Area.
6. Your data is subject to a retention period depending on the nature of the data.
7. We are under a legal obligation to give effect to your rights.
8. You have the right to object to the processing of your personal data.
9. You have the right to withdraw your consent at any time.
10. To exercise your rights or for more information on your rights or in case you have any questions, please first contact your usual contact at Walsingham Support. Our Data Protection Officer (DPO) is Chris Ratcliffe and our Subject Access Request Coordinator is Ravanti Halai. They can be contacted at [javascript protected email address]. In responding to your request, we may need to verify your identity by photo ID. This is to ensure information security of your personal data.
11. You have the right to lodge a complaint with the Charity Commission (our supervisory authority) at any time and the Information Commissioner’s Office (ICO). Walsingham Support is registered with the ICO with registration reference Z9158817
12. We will not source your personal data other than with your consent or from a third party if the data and its processing is necessary for our legitimate interests provided that in each case -
a. We have identified the legitimate interest
b. Show that processing is necessary to achieve it
c. Balance it against your interests, rights and freedoms
13. We apply the same best practice standards to processing your personal data whether obtained directly from you or a third party.
14. We do not have in place any automated decision-making processes.
15. This Privacy Notice is provided to you at the time your personal data is obtained from you or within one month.
16. In case you do not give us your consent or you withdraw your consent this may result in our not being able to provide services to you.
I consent to the processing of all categories of personal data including where relevant special category data on these terms.
Name: ________________________________
Signed: ……………………………………………
Date:
Appendix 2
Form 1 Data Trigger Events and Guidelines
Please use this Form 1 for the following purposes under the GDPR Policy -
• Withdrawing consent to personal data (R/1)
• Challenging the accuracy or completeness of personal data (R/2)
• Request for deletion of personal data (R/3)
• Block or restrict the processing of personal data (R/4)
• Move, copy or transfer personal data to another IT environment (R/5)
• Objection to processing personal data (R/6)
• Subject Access Request for personal data(R/12)
Notes for Applicants
1. Under the GDPR (General Data Protection Regulation), individuals have the right to access their data under a subject access request or for other above stated purposes.
2. If you are applying on your own behalf you need only complete Sections 1, 4 & 5.
3. If you are applying on behalf of someone else you must complete all the Sections. We will only allow you to access another person’s data in the case where that persons is not able to give informed consent and you are acting under appropriate legal authority.
4. Everyone making an application must complete Section 1.
5. Please complete all sections in BLOCK CAPITALS.
6. Before we can action this Form, we must first verify your identity. To enable us to do this, please send a signed copy of your official photo ID (passport or drivers licence). We may also require proof of your residence (usually a utility bill dated within 3 months).
SECTION 1: Your Details
Why are you contacting us about your personal data? Please give a full description opposite according to one of the following reasons -
• Withdrawing consent?
• Challenging its accuracy or completeness?
• Request for deletion?
• Block or restrict the processing of personal data?
• Move, copy or transfer personal data to another IT environment?
• Objection to processing?
• Subject Access Request?
Surname
Forename(s)
Maiden Name (if applicable)
Age (if under 18)
Address
Postcode
Daytime phone number
Email address
SECTION 2: Details of the data subject (if you are applying on behalf of another person)
Title
Surname
Forename(s)
Her Maiden Name (if applicable)
Age (if under 18)
Address
Postcode
Daytime phone number
Email address
SECTION 3: Permission from the Data Subject
Please complete one of the following:
EITHER
I have a letter from the person who is named in Section 2 authorising me to apply on his/her behalf and enclose the letter, dated ______________, which I enclose with this subject access request form. Please also include a signed copy of photo ID of the person you are representing (as well as signed copy of photo ID for yourself)
OR
My relationship to the person I have named in Section 2 is e.g. Parent or Guardian -
I am entitled to act on behalf of that person because (please provide evidence of such legal authority) -
SECTION 4: Information to enable us to do the search for data
Give any information you think may help us to complete the search for data. It will help us to know details such as the service area, manager’s name etc.
What contact does the data subject have with Walsingham Support? Please give dates if possible.
(e.g. service user, parent, employee etc)
SECTION 5: Declaration
Please read this section carefully, then sign and date it at the bottom
• I understand that the period in which Walsingham Support must respond will not start until I have signed and returned this form together with any supporting documents and provided sufficient information for the search to be undertaken.
• I understand that I must provide signed copy proof of identity (e.g. passport, driving licence) before the request is processed.
• I understand that Walsingham Support may contact me for further information in relation to this request.
• I understand that the search may show that Walsingham Support does not hold any personal data about me, or the person on whose behalf I am applying.
• If information held about the data subject also contains information about other people, and Walsingham Support cannot provide the data requested without disclosing information that would identify that other person, the information does not need to be disclosed, unless permission has been sought and given by that other person.
I certify that I am the person in SECTION 1 and I consent to your processing my personal data to enable you to respond to this request
Signed / Date
…………………………………………………. dd / mm/ year
Please complete all relevant sections of the form and return it with your letter of authorisation (if applicable – see Section 3) and signed copy photo ID to:
Walsingham Support
Subject Access Request Coordinator
Suite 500, Building 4,
North London Business Park
Oakleigh Road South
LONDON N11 1GN
GUIDELINES for dealing with data trigger events including subject access requests
Introduction
Under the General Data Protection Regulation (GDPR), no fee can be charged for subject access requests (unless the request is ‘manifestly unfounded or excessive’) and the response must be provided within a month. If the request is complex or there are a series of requests this may be extended to two months. The request can also be made electronically (e.g., by e-mail) provided Form 1 is completed and their identity verified by photo ID. Our response should be provided in a commonly used electronic form rather than paper copy.
How to identify Form 1 data trigger events
There is no standard format for a data trigger event – a simple letter or e-mail asking to be supplied with ‘all personal information that you hold about me’ is clear. An oral request is not sufficient, but callers can be told to put the request in writing by completing Form 1. If in any doubt as to whether the request is a data trigger event, staff should consult the DPO or Subject Access Request Coordinator to ensure that the time limit referred to above is complied with.
Procedure
1 Data trigger events should be processed only by the designated member of Walsingham Support staff.
2 On receipt of Form 1, it will be logged (log to be created ) and checked for validity (including photo ID of the individual making the request, which must be verified).
3 If valid, diary notes will be made to ensure that the time limit for responding is not exceeded.
4 A standard letter of acknowledgement will be sent to the individual who made the request within 2 working days, outlining the timeframe for the response.
5 The designated member of Walsingham Support will then review all sources of data held about the individual (e.g., applicable drives, individual e-mail records, HR files, appraisals, training records) and collate it, taking into account any possibility of adversely affecting the rights and freedoms of others (right to withhold).
6 A response is then drafted and agreed with the concerned department or service prior to being despatched.
7 Despatch date (less than 28 days from receipt of valid request) will be logged.
[Quote log reference]
Dear Sir/Madam
General Data Protection Regulation Subject Access Request
I acknowledge receipt of your application regarding your personal data under the General Data Protection Regulation.
I am unable to process your request as I do not have sufficient information to enable me to respond to your request or your request must be in writing.
Please complete Form 1.
If you have any queries regarding this matter, please contact [name of staff member] who is the designated person dealing with this enquiry on XXXX or [email]
Please quote the reference number above in all your correspondence.
Yours faithfully,
[Quote log reference]
Dear Sir/Madam
General Data Protection Regulation Subject Access request
I acknowledge receipt of your application regarding your personal data in respect of the following: -
[Specify data trigger event and details of request].
This matter is being dealt with by [name of staff member] (Telephone number [ ]) (email [ ]) who is the designated person dealing with this enquiry. Please quote the reference number above in all your correspondence.
Walsingham Support has a statutory duty to provide the information requested by [date].
Yours faithfully,
[Quote log reference]
Dear Sir/Madam
General Data Protection Regulation Subject Access request
In reply to your application regarding your personal data in respect of the following: -
[Specify data trigger event and details of request].
I [specify action taken e.g., attach a copy of all your personal data].
If you have any queries regarding this matter please contact [staff member name] who is the designated person dealing with this enquiry. Please quote the reference number above in all your correspondence.
Yours faithfully,
Appendix 3
Data Retention Policy
Guidelines for creating and keeping records: minimum required retention period
In carrying out our various functions and activities, Walsingham Support collects personal information from individuals and external organisations and generates a wide range of data that is recorded and retained in paper or electronic format.
Retention of specific documents may be necessary to:
• Fulfil statutory or other regulatory requirements.
• Evidence events/agreements in the case of disputes.
• Meet operational needs.
• Ensure the preservation of documents of historic or other value.
The General Data Protection Regulation (GDPR) means that is important for us to have good practice in records management for the timely and secure disposal of document and records that are no longer required for business purposes.
1. Scope & purpose
The purpose of this policy is to provide a organisation-wide policy framework to inform decisions on whether a particular document (or set of documents, including electronic versions) should either be:
• Retained – and if so in what format, and for what period; or
• Disposed of - and if so when and by what method.
2. Retention & disposal
Any decision whether to retain or dispose of a document should take account of the following high-level considerations:
Has the document or record set been appraised?
As a first step, the nature and contents of any documents or records being considered for disposal should be ascertained. No document should be earmarked or designated for disposal unless this has been done. Insofar as existing documents or records are concerned it follows that the above can only be achieved by inspection.
This should only be undertaken by staff who possess sufficient operational knowledge to enable them to identify the document concerned and its function within Walsingham Support. Any decision to the effect that future documents of a specified description be disposed of on expiry of a specified retention period should be an informed one i.e., taken with a full appreciation and understanding of the nature and function of the document and records.
Is retention required to evidence events a dispute?
Where a dispute arises, or litigation has been commenced, it is important that Walsingham Support has access to all correspondence and other documentation that is relevant to the matter.
The Limitations Act 1980 specifies time limits for commencing litigation. The starting point therefore, is that the retention period is the length of time that has to elapse before a claim is barred. The majority of potential legal claims are statute barred on the expiry of 6 years from the cause of action.
Many documents will relate to completed matters where, realistically, the risk of subsequent litigation or other dispute is minimal.
Where a retention period has expired in relation to a particular document a review should always be carried out before a final decision is made to dispose of that document.
In the event that a decision is taken to dispose of a particular document or set of documents, then consideration should be given to the method of disposal (see section 3 below).
3. Disposal of document & records
Staff should take into account the following considerations when selecting a method of disposal:
• Under no circumstances should paper documents or removable media (CDs, DVDs, discs, etc) containing personal data or confidential information be simply binned or deposited in refuse tips. To do so could result in the unauthorised disclosure of such information to third parties, and render Walsingham Support liable to action under the GDPR. Such documents should be destroyed on site (e.g. by shredding) or placed in “Confidential Waste” refuse bins.
• Deletion – Our IT Department will advise on the best method to delete electronic information.
• Recycling – wherever practicable Walsingham Support encourages recycling of paper records keeping with our commitment to the environment.
4. The General Data and Protection Regulation
Under the GDPR personal data processed for any purpose must not be kept for longer than is necessary for that purpose. In other words, retaining documents or records that contain personal data beyond the length of time necessary for the purpose for which that data was obtained is unlawful. The GDPR does not prescribe how long personal data should be retained.
5. How long should I store emails?
Emails referring to individuals are likely to be governed by the GDPR. This means that the subject of the message may have the right to request access to emails. Increasingly law courts are also asking organisations to compile data held in the form of emails as evidence in tribunals and other court cases.
As a rule of thumb, emails should be deleted after 6 months unless it is necessary to retain them for longer such as relating to a dispute.
Further guidance on the retention of documents is available from the Data Protection Officer (DPO), Chris Ratcliffe or the Subject Access Request Coordinator, Ravanti Halai. Both may be contacted at [javascript protected email address]. The IT Department can also advise you on good housekeeping practices regarding the storing and deleting of emails.
A record is required to be created upon the creation of any of the following data events
Record of people we support
Record Minimum required retention period
Controlled Drugs Register 2 years from last entry
Personal financial records and bank statements 3 years
Complaints 3 years
Diary, communication book and handover sheets 3 years
Medication administration record (MAR) sheets 3 years
Support plan 3 years
Meeting minutes 3 years
Daily logs/diaries 3 years from last entry
Whole Life Reviews, CPAs, PCP meetings 3 years if no longer relevant
Risk assessments Current + 3 years after last entry
Person we support and provider service agreement Minimum 3 years after review if replaced by a revised agreement
Referral and application form Keep until individual has ceased to receive a service plus 3 years after
Finance records, petty cash vouchers, receipts 5 years
Hospital history and family history Keep until individual has ceased to receive a service plus 6 years after they have moved on, unless exceptions apply
Medical conditions and medical records Keep until individual has ceased to receive a service plus 6 years after they have moved on, unless exceptions apply
Records of people we support who have moved on or passed away 6 years after they have moved on or passed away, unless exceptions apply
Employee Records
Record Minimum required retention period
Disciplinary, Grievance 3 previous financial years
Time sheets 3 previous financial years
Rotas 3 previous financial years
Staff meeting minutes 3 years
Records/supervisions of current employees 3 years
Training 3 years after they have left
Records/supervisions of employees who have left 6 years after they have left, unless exceptions apply
Records/supervisions of employees who have transferred to another service These records should be transferred with them and given to their new line manager
Record Minimum required retention period
Portable Appliance Testing Summary 2 years
Servicing history of all equipment 3 years
Servicing history of fire alarms and fire equipment (fire extinguisher) 2 years
Gas safety records Current + last two inspections
Fixed Electrical Tests 5 years
Maintenance of the premises 3 years
Servicing history of vehicles Keep for as long as we have the vehicle
Maintenance Records
Health and Safety Records
Record Required retention period
COSHH assessments Only active assessments to be retained
Evacuation records 1 year after last entry
Alarm testing records 1 year after last entry
First aid box checks 1 year after last entry
Emergency lighting tests 1 year after last entry
Incident forms and workbooks 3 years
RIDDOR reports 3 years
Workplace risk assessments As long as Walsingham occupies the building
Other Organisational Records
Record Required retention period
Statement of Purpose Keep (current)
Person we support guide Keep (current)
Company financial records 6 years
Lease agreements and deeds of covenant 12 years after the lease has terminated
Final annual accounts 30 years
Appendix 4
Data Asset Register (sample)
See above link for a specimen excel spreadsheet of a data asset register (for Walsingham Support staff only).
Asset number or ID Name of data asset
Why are we processing? Location Owner Volume Personal data Access Shared Format - paper or electronic Retention Risk impact Risk level
e.g. Drive X or Service X Name of owner Volume Nature of sensitive personal data Access is restricted to Information is shared with Emails, excel spreadsheets, PDF copies of correspondence Retention period Risk assessment in place? Risk Level -high / medium / low
1
2