DATA PROTECTION

This policy applies to the work of White Gold Cornwall, to all websites operated by White Gold Cornwall, use of messaging (such as email) and any other methods we may use for information processing of personal data.

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (UK GDPR)

White Gold Cornwall is a charity committed to mentoring children, young people and adults across the whole of Cornwall and the Isles of Scilly and in order to do this, there is a need to process some information.  White Gold Cornwall will only ever collect the information that is necessary in order to provide the best service, meet objectives or comply with contractual obligations.  This enables the provision of a personalised service that best meets an individual’s needs and it helps monitor the impact of our intervention in a young person’s life whilst also respecting their privacy.

Since the end of the Brexit transition period (31 December 2020), EU law ceased to apply directly in the processing of UK residents’ personal data.    The UK GDPR is the UK’s post-Brexit version of the EU GDPR and together with the Data Protection Act 2018, now governs our legal responsibilities in relation to information or data.

The UK GDPR is substantially similar to the EU GDPR in many ways.  For instance processors are still obliged to ensure the security of the personal data they process and data subjects still have the same rights:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making and profiling.

To be subject to GDPR data must be recorded and, therefore, does not relate to information only known to an individual (retained in someone’s head) or if such information is shared verbally without being recorded.

ROLES  AND RESPONSIBILITIES

  • A Data Controller has been appointed who is responsible for deciding what data is held and how it is used. Currently the Data Controller for WGC is CEO, Alan Milliner
  • The Data Processor has responsibility for requesting, storing and disclosing information. The Office Manager performs these duties.

All members of WGC (Managers, Engagement Workers and Trustees) will be made aware of the importance ensuring that data is kept safe and not disclosed inappropriately.

USE OF DATA

Processing relates to any use of data. For instance, reading an email that contains information about a person receiving support and discussing details with a colleague is considered to be “processing”.

Processing is also involved when recording information in a different form e.g. including it in a report.

There are six reasons organisations can process personal information:

Reasons for lawful processing What this means
Consent where permission is given to process personal data for a specific purpose
Contractual where processing is necessary to enable work to be allocated, recorded and monitored.  White Gold Cornwall may have a contract arrangement with, for example, a college or social care
Legal Obligation There may be statutory reasons for data processing which ensure WGC complies with the law
Legitimate Interest WGC might processes information if we believe there is a lawful reason to do so and that it is appropriate to use the information in that way. It is essential that WGC has access to and shares particular information about individuals in order to provide relevant support.
Public Task or Government and judicial functions Personal information might be processed to carry out a legal public duty.  It is unlikely that WGC would need to do this as it is more for the police or local authorities

PROVIDING INFORMATION REGARDING DATA

All individuals having any involvement with WGC will be provided with information with regard to data that is held and processed about them.

A Privacy Notice (Appendix 1) will be supplied to individuals who have accepted support and, where appropriate, parents / carers. A Consent Form (Appendix 2), that also refers to data that is used and retained, will be signed prior to support commencing.

All members of WGC will be provided with a Privacy Notice (Appendix 3) and are required to sign a Declaration Form (Appendix 4).

RIGHT TO ACCESS

Under UK GDPR all individuals have the right to access data held about them and this must be arranged within one calendar month of a request. This applies to all persons including members of WGC, children and young people being supported, parents / carers of those receiving support and

any other persons involved about whom we have data e.g. Social Workers and other professionals.

Individuals also have the right to:

  • Have inaccurate personal data rectified, blocked, erased or destroyed.
  • Object to processing of personal data that is causing, or is likely to cause, damage or distress.
  • Claim compensation for damages caused by a breach of UK GDPR regulations.

To access personal information, or to raise any questions or concerns contact should be made with the office Manager who is also the Data Proccessor.

GDPR IN RELATION TO CHILDREN

An important difference between the EU and UK GDPR is the Child consent age.  In accordance with DPA 2018/UK GDPR, a child can consent to data processing at age 13 (rather than 16 as EU GDPR)

However the concept of competence (the child’s capacity to understand the implications of their decisions) is an important factor when consideration of consent.  If a child is not competent to exercise their own data protection rights or provide consent it will usually be in their best interests to allow an individual with parental responsibility to act on their behalf. This does not mean that a child loses their rights as a data subject.  In most situations, WGC will try to work with families for the benefit of the child or young person whenever this is possible.

Other factors, such as safeguarding issues, may also need to be considered and a child’s welfare and safety must always be the primary consideration.

When the issue of consent is unclear, discussions between the Engagement Worker, a manager and, if appropriate, professionals such as Social Workers, should take place.

In any event the best interests of the child shall be the primary consideration.

DATA STORAGE AND SECURITY

WGC recognises the importance of security and the lawful and correct treatment of personal data. Ensuring that information is secure and used appropriately ensures the successful working of WGC, the confidence and trust of those being supported and that the reputation of WGC is maintained.

Data in respect of individuals being supported will be stored electronically on office computers and in paper files. Much of this data is highly sensitive and is only shared with those having a legitimate interest to view the data.

WGC will ensure that all personal data is non-recoverable from any IT system that is to be disposed of or given or sold to a third party.

All members of WGC, particularly those working directly with those being supported, will be made aware of the importance of need to ensure data is kept safe and that it is not disclosed inappropriately.

The following must be adhered to;

  • Personal and sensitive information is retained in “hard copy” form in the office. All such documents will be kept secure in a locked cabinet. Security is provided through the use of two separate keys to access the cabinet.
  • When unattended the office will be locked.
  • There must be a legitimate reason for accessing the information retained in the office.  For instance it is not acceptable, or indeed legal, to read information relating to a young person by someone not providing support or not having a legitimate reason for doing so.
  • All computers will be password protected and only accessed by managers or others having been given permission to have access by a manager.
  • Due to the nature and operation of WGC personal and sensitive data is forwarded via email. Such information must be password protected and care should be taken to ensure that it is not viewed by any person not permitted to have access.
  • There may be occasions when, for practical reasons, documents are taken from the office e.g. Referral Forms or Risk Assessments when an EW and Manager attend an initial meeting. Great care must be taken to ensure security in such situations and the documents should be transported in a locked holder such as a briefcase or locked container and must be returned to the office or, in the case of copies, securely disposed of (e.g. by shredding) at the earliest opportunity.
  • Data relating to individuals who have been referred to WGC must not be retained in a manner that could lead to loss or illegal disclosure. For instance, documents should not be retained on formats such as USB sticks, CDs etc or on home computers where it may be accessed by others.
  • Some data is necessarily stored on mobile phones e.g. contact numbers of parents. Mobile phones should be securely locked with personal ID means (such as face recognition) or by a passcode.  It is essential that such information is not disclosed inappropriately.
  • Any incident involving a breach MUST be reported immediately to a manager. This would include any loss, hacking of computers, viewing by persons not permitted to have access etc.
  • Any a breach of data security must be reported to ICO within 72 hrs.
  • Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately i.e. shredding paper documents and deleting computer files when no longer required.

DISCLOSURE

An exemption exists in relation to the processing of personal data if it is in the public interest (UK GDPR).

WGC may share data with other agencies such as the local authority, funding bodies and other voluntary agencies when appropriate.

In most circumstances the individual will be made aware of how and with whom their information will be shared.  There are, however, circumstances where the law allows the disclosure of data, (including sensitive data), without the data subject’s consent.

These are:

  1. Carrying out a legal duty.
  2. Protecting vital interests of an individual or other person.
  3. The information is in the public domain.
  4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights.
  5. Monitoring for equal opportunities purposes – i.e. race, disability or religion
  6. Providing a confidential service where the individual’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing a stressed or ill individual to provide consent.
  7. Processing criminal data (DPA 2018/UK GDPR)

Data subject rights can also be waived if they significantly inhibit an organisation’s legitimate need to process data for scientific, historical, statistical and archiving purposes (DPA 2018/UK GDPR)

Specifically, the Principles require that personal information:

  • Observe fully the conditions regarding fair collection and use of information.
  • Meet its legal obligations to specify the purposes for which information is used.
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.

In order to ensure the safety of any person, or safeguard them from harm, information may be disclosed.

RECRUITMENT

Information sought from applicants must be justified as being necessary to enable the recruitment decision to be made or for a related purpose such as equal opportunities monitoring.

The collection of personal information at interview, its recording, storage and use will generally be in “hard copy” form. Applicants, whether successful or not, will be entitled to have access to interview notes or other material used as part of the recruitment process.

All WGC staff will be subject of an enhanced Disclosure Barring Service (DBS) check.

Criminal offences that are spent do not normally have to be declared when applying for a job. However, exceptions to this rule include those intending to work with children and all applicants will be required to declare all convictions including those that are spent in order to work with WGC.

RELATED POLICIES

  • Retention of files.
  • Recruitment, selection & supervision.
  • Freedom of Information.
  • Equality and diversity
Initial Document created: August 2012 M. Pascoe
Reviewed / Amended
October 2013 M. Pascoe
March  2014
June 2017 M. Pascoe
July 2018 (Amended in accordance with GDPR) M. Pascoe
September 2018 M. Pascoe
June 2019 M. Pascoe
February 2020 Jo Duncan                         M. Pascoe
May 2021 (compliance to DPA 2018/UK GDPR) T. Fleming

APPENDIX 1

INFORMATION USED BY WHITE GOLD CORNWALL

Privacy Notice (Young People, Parents and Carers)

White Gold Cornwall Privacy Statement

In order to provide appropriate support it is necessary to collect certain information (data) about those that we support and, where applicable, parents/carers. Use of data is governed by legislation; Data Protection Act (2018) and UK General Data Protection Regulation (UK GDPR).

Everyone involved with White Gold Cornwall (WGC) takes their responsibilities with regard to personal information very seriously and we have policies and procedures in place to ensure that data is used appropriately and kept secure.

Information about you or a person in your care

Initially information is recorded on a “Referral form”. This is usually completed by an organisation or agency asking us to provide support e.g. by a Social Worker or head of a school. Information is also obtained and updated during the course of our involvement with you or your child / young person. Some of the data that we collect is classified as “sensitive data” which is explained below.

Information held by White Gold Cornwall

Information provided on our referral form will usually include;

  • The name, date of birth, address and contact details of the person seeking support.
  • The name, address and contact details of the parent or carer.
  • Family details including other persons in the home.
  • Hobbies, interests and clubs attended.

Sensitive personal data will vary according to individual circumstances but may include;

  • Reasons for the referral being made.
  • Social circumstances.
  • Physical or mental health details.
  • Religious or cultural beliefs or practices.
  • Substance misuse i.e. drugs and alcohol.
  • Involvement with the criminal justice system.
  • Any risks possessed by the person being supported to themselves or others.

Other information that we collect

In order to provide appropriate support WGC workers may record details of sessions and relevant information provided by the person being supported or other persons involved with them.

Workers write monthly updates of the sessions that are seen by managers and provided to referring agencies.

Confidentiality

During sessions the person being supported may discuss personal information regarding incidents, opinions and feelings. Such conversations will remain confidential between the individual and the WGC worker and will not be shared with others unless exceptional circumstances mean that such information must be shared. For example if the information concerns a severe risk to the safety of the individual or another person.

The worker will discuss confidentiality with the person receiving support.

Retention of information

When sessions with WGC conclude, information is retained for as “long as is necessary” in line with legislation. Any information that is not necessary to retain, e.g. for legal reasons, will be deleted from our computer or shredded.

Security

All information is kept confidential and records are kept secure.  Alan Milliner, CEO is registered with the Information Commissioner’s Office (ICO) as a Data Protection Officer and all members of WGC are aware of their responsibilities under DPA 2018/ UK GDPR.

Rights regarding personal information

You have a right to access any of the information that is held about you at any time. You also have the right to have inaccurate information corrected, information updated and the right to request that certain information is deleted.

If you wish to access information, or if you have any questions or concerns, please contact the Office Manager by telephone; 01209 219185 or email admin@whitegoldcornwall.co.uk

If you feel that we are not able to assist or your concerns have not been resolved to your satisfaction you have the right to complain to the Information Commissioners Officer (ICO). Information is available via the website https://ico.org.uk/concerns/

PRIVACY NOTICE (Member of White Gold Cornwall)

This notice complies with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR from January 2021) that replaces the EU GDPR.

DPA 2018/UK GDPR deals with information about you (personal data) that is processed (obtained, retained and used) by White Gold Cornwall Foundation (WGC). We retain data in “hard copy” and electronic form. Under DPA 2018/UK GDPR there must be a lawful basis for processing data; this includes “a legitimate interest”, in accordance with a contract, a legal requirement and individuals giving consent.

Personal Data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (UK GDPR)

We process personal data in respect of all persons involved with WGC; Trustees, Managers, Engagement Workers, volunteers and others performing a specific role e.g. finance.

Information that we collect

The majority of information that we process about you is governed by our having a “legitimate interest” to do so e.g. we retain your address, telephone number, email address etc to allow us conduct WGC business.

Some information is provided with your consent e.g. medical details that you have disclosed and information that you have provided for use on the website including a photo of you.  We may also ask to use your photo for the promotion or celebration of the services of White Gold Cornwall.

Data is obtained when individuals join WGC and through an ongoing process when a role is performed.  Dependent upon your role the data that we process may include your;

  • Name and date of birth.
  • Home address, email address and phone number.
  • Driving licence and insurance details.
  • Financial details e.g. bank account and N.I. details.
  • Contract information (such as start dates, references and hours worked).
  • Qualifications, experience and training attended.
  •  Medical information where appropriate.
  • Details of work that you have completed.
  • Records of meetings with managers.

Sometimes we receive information about you from third parties. For example, we may receive information from referrers and directly from the parents / carers of those receiving support.

Holders of most positions in WGC will be subject of an enhanced Disclosure and Disbarring Service

(DBS) check. This information may be shared with referring agencies.

Use of Personal Data

Data used to assist in the organisation and operation of WGC may be shared with Managers, Trustees and colleagues when necessary to ensure the effective management of WGC.

We will not share information about you with third parties without your consent unless the law requires that we do so. For instance, some financial details are processed.

Some data is shared with referrers e.g. Social Workers for those receiving support. This will normally only relate to your name, results of a DBS check and, provided you consent, your contact details.

We make every effort to ensure that data is secure and that it is only seen by those that are entitled to have access in the performance of their role. We have policies and procedures in place to ensure this.

Retention of data

WGC will retain data while you are performing a role within WGC. Retention periods after leaving WGC varies but data must not be retained “longer than necessary” and will be in line with appropriate statutory requirements or guidance. Some data must be retained for 6 years e.g. financial records.

Rights to access data

Under GDPR you have the right to request access to data that we hold about you.

You also have the right to:

  • Have inaccurate personal data rectified, blocked, erased or destroyed.
  • Object to processing of personal data that is causing, or is likely to cause, damage or distress.
  • Claim compensation for damages caused by a breach of the GDPR regulations.

To access your personal information, or if you have any questions or concerns, please contact Sally Ackerley (Office Manager)

If you have concerns that cannot be dealt with by WGC, or if you have a complaint, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Further information regarding data is included in the WGC Data Protection policy (available on request).