1. Scope of policy
This policy applies to:
- The Lighthouse Project (Crawley)
- all staff and volunteers operating on behalf of The Lighthouse Project (Crawley)
2. Purpose of policy
The purpose of this policy is to enable THE LIGHTHOUSE PROJECT (CRAWLEY) to:
- comply with the Data Protection Act 1998 in respect of the data it holds about individuals
- ensure that the eight “Principles of Good Practice” are observed throughout the Trust
- establish clear guidelines on the privacy and use of “personal data”
- follow good practice
- protect THE LIGHTHOUSE PROJECT (CRAWLEY)’s supporters, staff and other individuals
- protect the Trust from the consequences of a breach of its responsibilities
THE LIGHTHOUSE PROJECT (CRAWLEY) will seek to:
- comply with both the law and good practice
- respect individuals’ rights
- be open and honest with individuals whose data is held
- provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently
THE LIGHTHOUSE PROJECT (CRAWLEY) recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. In the main this means:
- keeping information securely in the right hands, and
- holding good quality information.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, THE LIGHTHOUSE PROJECT (CRAWLEY) will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
4. Status of Policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by THE LIGHTHOUSE PROJECT (CRAWLEY). Significant breaches of this policy by current staff and volunteers will be handled under THE LIGHTHOUSE PROJECT (CRAWLEY)’s disciplinary procedures.
Confidentiality applies to a much wider range of information than Data Protection and extends to storage, access and use of data and information that is business sensitive.
6. Key risks
THE LIGHTHOUSE PROJECT (CRAWLEY) has identified the following potential key risks, which this policy is designed to address:
- Loss of credit card, bank or gift aid data
- Loss of personal data of individuals under the age of 18
- Loss of laptops or mobile devices containing personal information
- Unauthorised access to the website
- Misuse of THE LIGHTHOUSE PROJECT (CRAWLEY) data by third parties (i.e. mailing houses, agencies, service providers)
- Existence of multiple databases containing personal details of supporters and volunteers with loss of data integrity
- Breach of confidentiality (information being given out or made accessible inappropriately)
- Failure to offer choice about data use when appropriate
- Breach of security by allowing unauthorised access
- Risk of loss or breach of security whilst data is in transit
- Harm to individuals if personal data is not up to date
- Rogue staff and volunteers
7. Brief introduction to Data Protection Act 1998
All organisations that keep information on living and identifiable people must comply with the Data Protection Act 1998. The Act applies to any computerised or manual records containing personal information about people. All organisations using personal data must comply with the data protection principles – enforceable rules for handling personal information.
8. Data Protection Principles
The eight principles set out in the Act are that personal information:
- shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
- shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- shall be accurate, and where necessary, kept up to date
- shall not be kept for longer than is necessary for the specified purpose(s)
- shall be processed in accordance with the rights of data subjects under the Act
- shall be subject to appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction of, or damage to, personal data
- shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
9. Data Subject
Any living individual who is the subject of personal data held by THE LIGHTHOUSE PROJECT (CRAWLEY).
10. Personal Data
Data relating to a living individual who can be identified from that information, or from that data together with other information in the possession of the data controller. This includes name, address, telephone number and ID number. It also includes any expression of opinion about the individual, and any indication of the intentions of the data controller in respect of that individual.
Although this policy only applies to information relating to living and identifiable individuals, THE LIGHTHOUSE PROJECT (CRAWLEY) will adhere to good practice when processing any personal information.
11. Sensitive Data
Sensitive data encompasses a wide range of information and can include ethnic or racial origin; political opinion; religious or other similar beliefs; memberships; physical or mental health details; personal life; or criminal or civil offences.
12. Data Controller
This is THE LIGHTHOUSE PROJECT (CRAWLEY) in its capacity as a collector of information, and includes any person who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which they are processed. Any person who handles personal data on behalf of THE LIGHTHOUSE PROJECT (CRAWLEY) is bound by the legal requirements of the Data Protection Act. Any such person does not act as an individual, but as a representative of the data controller.
Any operation relating to the organisation, retrieval, disclosure or deletion of data, including:
- obtaining and recording data
- accessing, altering, adding to, merging, deleting data
- retrieval, consultation or use of data
- disclosure or otherwise making available of data
Roles and Responsibilities
The Board of Trustees recognises its overall responsibility for ensuring that THE LIGHTHOUSE PROJECT (CRAWLEY) complies with its legal obligations.
15. Data Protection Officer
The Data Protection Officer has the following responsibilities:
- Ensuring the Board is briefed on its Data Protection responsibilities
- Reviewing Data Protection and related policies and making recommendations for change
- Advising other staff on Data Protection issues
- Ensuring that Data Protection induction and training takes place
- Notification (registration with the Information Commissioner’s Office)
- Handling subject access requests
- Approving unusual or controversial disclosures of personal data
- Approving contracts with Data Processors
- Approving departmental procedures relating to Data Protection
16. Specific other staff
The appointed trustee is responsible for implementation of technical measures to prevent unauthorised access to personal data and unauthorised processing of personal data.
17. Team/Department managers
The manager of each team or department where personal data is handled is responsible for implementing operational procedures (including induction and training) to ensure that good Data Protection practice is established and followed.
18. Staff and volunteers
All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the Personal Data they may handle in the course of their work.
19. Confidentiality relating to Data Protection
Staff and volunteers shall only access personal data where it is necessary and relevant to their specific role. Staff and volunteers will treat all personal data as confidential.
THE LIGHTHOUSE PROJECT (CRAWLEY) data must not be used by staff or volunteers once they have left THE LIGHTHOUSE PROJECT (CRAWLEY) employment or service. In the event that data is misappropriated, THE LIGHTHOUSE PROJECT (CRAWLEY) will take a hard line approach in dealing with the matter.
Training and Awareness
All staff given authorisation to access personal data will have their responsibilities outlined during their induction procedures.
Data Protection will be included in foundation training for volunteers.
Information for staff is contained in the staff handbook and information for volunteers is contained in the holiday and mission leaders’ handbook.
THE LIGHTHOUSE PROJECT (CRAWLEY) will provide staff and volunteers with ongoing training opportunities.
22. Procedure for signifying acceptance of policy
Staff and relevant volunteers will be required to acknowledge that they have read and understood THE LIGHTHOUSE PROJECT (CRAWLEY) Data Protection Policy and the data protection procedures relevant to their team or event.
Fair Processing / Privacy Notices
23. Communication with Data Subjects
THE LIGHTHOUSE PROJECT (CRAWLEY) is committed to ensuring that Data Subjects are aware:
- that their data is being processed;
- for what purpose it is being processed;
- what types of disclosure are likely; and
- how to exercise their rights in relation to the data.
THE LIGHTHOUSE PROJECT (CRAWLEY) will ensure explicit consent from the data subjects is obtained before processing sensitive data.
25. Procedures to ensure transparency
Data Subjects will be informed in the following ways:
- Staff – in the staff handbook
- Volunteers – in the induction pack
- Supporters – when they sign up (on paper, online or by phone) for services or purchase products
- Standard statements will be provided to staff for use on forms where data is collected.
This section of the policy addresses security issues relating to personal data only. It does not cover security of the building, business continuity or any other aspect of security.
27. Security – Specific risks
THE LIGHTHOUSE PROJECT (CRAWLEY) has identified the following risks:
- Information passing between THE LIGHTHOUSE PROJECT (CRAWLEY) and mailing houses or other suppliers could go astray or be misdirected
- Laptops, mobile devices or documents containing personal information may be lost, stolen or misplaced
- Staff or volunteers with access to personal information could misuse it
- Volunteers could continue to be sent information after they have stopped working for THE LIGHTHOUSE PROJECT (CRAWLEY), if their records are not updated promptly
- Poor website security might give a means of access to information about individuals once individual details are made accessible online
- Staff may be tricked into giving away information, either about supporters or colleagues, especially over the phone, through “social engineering”
- Information passing between THE LIGHTHOUSE PROJECT (CRAWLEY) regional employees, volunteers and national office could go astray
28. Setting security levels
Access to information on the main computer system will be controlled by function.
29. Security measures
- Personal Information sent electronically to mailing houses or other suppliers will be protected by a strong password using an approved application and, if the contents include sensitive data, encrypted
- Laptops, mobile devices and removable storage devices containing personal information will be password protected and, if the contents include sensitive data, encrypted
- Website security will be regularly reviewed and monitored
- Volunteers will be provided with a method for sending data securely by electronic means, and they will be strongly encouraged to use it
30. Business continuity
Business continuity plans include back-up procedures for personal information. Backups are suitably encrypted.
Accuracy of data
THE LIGHTHOUSE PROJECT (CRAWLEY) will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
- IT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
- Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets
- Effective procedures will be in place so that all relevant systems are updated when information about any individual changes
- Staff or volunteers who keep detailed information about individuals will be given additional guidance on accuracy in record keeping
- Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
Supporters will be asked periodically to advise THE LIGHTHOUSE PROJECT (CRAWLEY) of any changes to their details.
Retention, archiving and disposal of data
33. Retention periods
THE LIGHTHOUSE PROJECT (CRAWLEY) will establish retention periods for at least the following categories of data:
Archived paper records containing personal information are stored in a secure location within the national office.
Disposal of personal data, whether electronically held or paper records, will be carried out using secure data disposal methods.
Requests for access to personal information – Data Subject Access
36. Subject Access Requests
Any Data Subject access requests will be handled by the Data Protection Officer.
37. Procedure for making requests
Data Subject access requests must be submitted in writing. All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.
38. Provision for verifying identity
Where the individual making a Data Subject access request is not personally known to the Data Protection Officer, their identity will be verified before handing over any information.
As THE LIGHTHOUSE PROJECT (CRAWLEY) wishes to be open and transparent, it will endeavour to provide information requested by supporters, staff or volunteers without the need for a formal Data Subject access request.
If a Data Subject access request is made, THE LIGHTHOUSE PROJECT (CRAWLEY) will charge £10.
40. Procedure for granting access
If a Data Subject access request is made, THE LIGHTHOUSE PROJECT (CRAWLEY) will provide hard copies of the information.
Requests for access to personal information – Ad-hoc requests from external parties
41. Authorisation for disclosures not directly related to the reason the data is held
All requests for disclosures not directly related to the reason the data is held will be handled by the Data Protection Officer. All authorised disclosures will be documented.
42. Consent – Underlying principles
THE LIGHTHOUSE PROJECT (CRAWLEY) will not process personal information unless it has the consent of the data subject.
Information about supporters (including photographs) will be made public only with their consent.
Sensitive Data about staff, volunteers and supporters (including health information) will be held only with the knowledge and explicit consent of the individual or their legal guardian.
43. Forms of consent
THE LIGHTHOUSE PROJECT (CRAWLEY) will normally obtain consent in writing or electronically.
44. Marketing – Underlying principles
THE LIGHTHOUSE PROJECT (CRAWLEY) will treat the following unsolicited direct communications with individuals as marketing:
- seeking donations and other financial support
- promoting services
- promoting events
45. Opting out
Whenever data which might be used for any marketing purpose is first collected, this purpose will be made clear, and the Data Subject will be given a clear opt-out. If it is not possible to give a range of options, any opt-out which is exercised will apply to all THE LIGHTHOUSE PROJECT (CRAWLEY) marketing activity.
THE LIGHTHOUSE PROJECT (CRAWLEY) will always provide a simple mechanism for supporters, volunteers and staff to opt out of their data being used in particular ways.
46. Electronic contact
THE LIGHTHOUSE PROJECT (CRAWLEY) will carry out telephone marketing only where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.
Email addresses will be used for marketing purposes in accordance with The Privacy and Electronic Communications (EC Directive) Regulations 2003.
Policy adopted by Trustees:
Policy due for review: