Emmaus Hampshire
Data Protection Policy
Emmaus Hampshire needs to hold and process personal data about individuals. These can be companions, current and former employees, volunteers, donors and supporters.
The Data Protection Act 1998 states that an individual has the right to expect that personal information is protected by an organisation, that it is fairly and lawfully obtained and processed in accordance with legitimate business and legal requirements, securely held and not shared with third parties without the individual’s consent. Emmaus Hampshire will comply with the Data Protection Act (1998). The Act applies whether the data is stored electronically, on paper or in any other way.
This policy provides a framework by which personal data will be managed at Emmaus Hampshire in order to be compliant with the DPA and the GDPR.
The ‘Data Controller’ is Emmaus Hampshire. Data will be processed by appointed representatives within Emmaus Hampshire, including managers and any individuals with specific responsibility for data processing. Agents acting on behalf of Emmaus Hampshire may also be data controllers. The Data Protection Officer is the person who is responsible in Emmaus Hampshire for ensuring that Emmaus Hampshire complies with the DPA and the GDPR. Emmaus Hampshire’s Data Protection Officer is the CEO.
This Policy covers the Data Protection principles and an individual’s rights and responsibilities as set down in the DPA and the GDPR.
There are six data protection principles
Personal data is that which relates to a living individual who can be identified from the data or from a combination of that data with other information in the possession, or likely to come into the possession, of the holder. Data does not have to be private or sensitive in order to constitute personal data and includes information such as names, addresses, telephone numbers. The GDPR has increased the scope of the definition to include identifiers, such as location data and online identifiers, and now also includes genetic data.
Personal data covers both facts and opinions that are held about an individual. It also includes information regarding Emmaus Hampshire’s intentions towards the individual. Data relates to any information held on a computer including e-mails and photographs, image or voice recordings, or manually held paper records that have been stored in a structured way so that information can be found easily or manual records which are due to be stored.
Sensitive personal data is defined under the DPA as information about an individual’s:
Whereas special categories of personal data, as defined in the GDPR, include in addition to the above:
4.3 Criminal or alleged criminal offences or any proceedings for an offence or alleged offence
Emmaus can run DBS checks on all new staff on the basis that Emmaus Hampshire staff will be required to work with vulnerable adults.
Emmaus Hampshire asks Companions to provide details of unspent convictions in order to risk assess and tailor support for Companions.
5 Procedure
Emmaus Hampshire will ensure that appropriate technical and organisational measures are taken to safeguard personal data. All personal data will be password protected and only accessed by those staff who have a particular operational need to do so.
All members of the Emmaus Hampshire team have a personal responsibility to ensure that any information of a personal or sensitive personal nature to which they have access in the course of their work with Emmaus Hampshire is protected from unauthorised access and disclosure. This applies equally to data relating to companions, employees, volunteers, agency workers, trustees, donors, customers, consultants and contractors.
In particular, staff must observe the following rules:
All Emmaus Hampshire employees will be required to complete data protection training as part of their induction.
5.2 Data Processing
5.2.1 General guidelines for processing data
Staff who process personal data must comply with the following:
5.2.2 Retention of personal data
Personal data must not be retained for longer than is necessary. Information must only be retained where there is a genuine organisational need to do so.
When data is retained, it must be stored securely. Electronic data must always be stored somewhere with restricted access or password protected. Hard copy data must be locked away. If a former companion requests that their data is removed from the Emmaus Hampshire systems, then it must be removed or anonymised so it cannot be traced to that individual. If a current companion asks for information to be deleted because they believe it to be incorrect, it must be looked at by the Data Protection Officer and determined if this is the case. If it is incorrect it must be revised, if not, it must be made clear to the companion that the information must be retained until they leave Emmaus Hampshire.
5.2.3 Legal basis for processing
Personal data and special categories of personal data must only be processed where there is a legal basis for processing that data.
Companions
The legal basis for processing personal data of Companions is to protect the vital interests of the data subject.
When processing special categories of personal data, such processing is carried out in the course of its legitimate activities with appropriate safeguards in place.
Staff
The legal basis for processing personal data of employees is because the processing is necessary for the performance of their employment contract.
When processing special categories of personal data, such processing is necessary for the purposes of carrying out specific rights of Emmaus in the field of employment.
Others
The legal basis for processing personal data of other individuals, such as volunteers, donors and supporters is because the processing is necessary for the purposes of the legitimate interests pursued by Emmaus.
In the unlikely event that Emmaus processes special categories of personal data in respect of such individuals, this will be carried out in the course of Emmaus’ legitimate activities with appropriate safeguards in place.
5.2.4 Unauthorised disclosure
Individuals must be aware that disclosure of information in contravention of this policy will be treated by Emmaus Hampshire as a serious disciplinary offence which may result in gross misconduct, and further that under the Data Protection Act individuals can be prosecuted for an improper use or unauthorised disclosure of such data.
5.2.5 Taking data off site
Personal information must never be taken home by an employee, emailed to a personal account or stored on a personal computer. Doing so may result in gross misconduct. If personal information needs to be transported to another location, it is the responsibility of the employee to ensure it is stored securely at all times.
5.3 Individual data rights
Individuals on whom Emmaus Hampshire have data have the following rights under the GDPR:
The Data Protection Officer should keep a log of all requests made and all responses to these requests.
5.3.1 Informal requests
Companion
A current companion can request to see all data that Emmaus Hampshire has on them by requesting this from the Senior Support Manager. The staff member must put this request forward to the Data Protection Officer who must make an arrangement with the companion to show this information to them.
Employee
An employee may make an informal request to view a particular file that the CEO or their line manager holds on them. The Data Protection Officer must arrange this at both parties’ earliest convenience.
If the employee requests to see their personnel file, it is important to ensure that the employee is only interested in viewing this file, rather than any other information held on them. If this is the case, a suitable time must be arranged for the employee to view their file with the CEO, and the employee may request copies of any documents contained within the paper-based file or a printout of pages from within the computerised file.
If an employee, volunteer or companion wishes to make a more comprehensive search thereby invoking the Act, the formal request process must be followed. Current employees, volunteers or companions will not be charged to make a formal request but will need to put the request in writing as outlined below.
5.3.2 Formal Requests
Requests by any individual who has had any dealings with Emmaus Hampshire but is not a current employee or companion must always be considered as a formal request. This includes requests from donors and supporters, former staff, volunteers and companions.
Under the Act any individual is entitled:
If an individual wants to make a formal request for access to any information held on them by Emmaus Hampshire:
In some circumstances it may be appropriate for the Data Protection Officer to agree an appropriate time for the individual to review the information held on file, and take copies of documents, as appropriate. Where appropriate, any inaccuracies identified by the requesting individual will subsequently be amended.
5.3.3 Exemptions from Disclosure
In line with the DPA and the GDPR, Emmaus Hampshire will not disclose information in the following circumstances:
Various exemptions for certain crime and taxation purposes, where compliance with the provision would be likely to prejudice the crime or taxation purpose.
5.3.4 Deleting data
Any individual has the right to ask that their data is no longer used by Emmaus Hampshire or that the reasons for which it is used are amended. The right to erasure, however, is limited, and any such requests should be considered by the data officer.
5.4 Companion data
When companions join the community they are asked to provide both personal data and sensitive/special categories of personal data, including:
Companions will also be asked to provide details of any criminal convictions and informed of the legal ground for obtaining this information.
On their arrival at Emmaus Hampshire it will be made clear to the companion through the induction process what personal data the community will store, the legal basis for the processing, their rights in respect of their personal data, for what purpose their information will be used and under what circumstances their information will be shared and why. This information will be documented in the companion registration document.
The exception to this is a situation when there is a significant concern for welfare or potential threat to life. In these circumstances companion information may be shared in order to safeguard the individual or other members of the community. Information may also be shared if requested by court order.
Companions must be informed that they have the right to request all data that is collected about them. This includes notes of individual meetings, support plans, referral forms and risk assessments. This list is not exhaustive.
5.4.2 Sharing companion information within the UK Federation
From time to time, a companion may move to another community within the United Kingdom, for example to take up a staff or companion role. In these cases it may be appropriate to provide information about the companion to ensure safeguarding needs are met and to ensure the receiving community is able to support the individual appropriately and as part of their risk assessment processes.
Any employee who does not comply with this will become subject to proceedings under the Disciplinary Procedure.
5.5 Donor and supporter data
5.5.1 Fundraising Regulator Code of Fundraising Practice
Emmaus Hampshire is registered with the Fundraising Regulator and adheres to its code of fundraising practice which requires all fundraising organisations to be legal, honest, open and respectful.
5.5.2 Collecting donor and supporter data
Emmaus Hampshire relies on donations from individuals to support its work. These can be either cash donations or furniture donations. Whenever donor information is collected, we provide an opportunity to opt-in to email marketing communications and provide relevant information about our mail marketing with the option to opt-out. Where we take a telephone number, this will only be used for the purposes of arranging the delivery or collection of furniture and never for marketing purposes. The donor will be offered the opportunity to set their contact preferences, opting out if they prefer not to be contacted further. All donor and supporter data will be stored securely.
5.5.4 Sharing donor data
Emmaus Hampshire will never sell or share donor or supporter data with third party organisations, unless they are carrying out work on behalf of Emmaus Hampshire. Companies working on behalf of Emmaus Hampshire, such as printers, will be given access to donor data in order to complete the task they have been appointed to do, but in these circumstances Emmaus Hampshire remains the data controller.
Where information is shared with suppliers working on behalf of Emmaus Hampshire, it will be password protected and sent using secure methods.
All suppliers carrying out work on behalf of Emmaus Hampshire who handle personal data will be required to provide their own data protection policy and a contract clearly stating how they will use and dispose of any data provided.
Every time data is shared with a supplier working on behalf of Emmaus Hampshire, it will be logged on the data sharing worksheet.
5.5.5 Donor welfare
No-one employed by Emmaus Hampshire will accept a donation from anyone they feel may be vulnerable and lack the capacity to make an informed decision about their donation. More information can be found in the Emmaus Ethical Fundraising Policy.
5.5.6 Changing contact preferences
A donor has the right to change their contact preferences at any time. This can be done by contacting Emmaus Hampshire. Any request to change contact preferences will be made with immediate effect.
5.6 Employee data
This specifically relates to any data held about potential, current or former employees, trustees and volunteers at Emmaus Hampshire.
Emmaus Hampshire recruitment processes are maintained to ensure they meet the Data Protection Act and the GDPR and are designed to ensure that applicants:
5.6.1 Personal data
Personal data which may be held by Emmaus Hampshire includes:
This list is not exhaustive and will be subject to change.
Emmaus Hampshire will hold and process personal data provided by an employee for all purposes related to their employment including, but not limited to:
5.6.2 Processing Sensitive Personal Data and Special Categories of Personal Data
Sensitive personal data and special categories of personal data will be processed as follows:
Sensitive personal data/special categories of personal data may also be processed, in accordance with data protection legislation, to exercise or perform a right or obligation conferred or imposed by law on Emmaus Hampshire in connection with employment; in connection with legal proceedings or for the purpose of obtaining legal advice; or for administration of justice.
5.6.3 Sharing employee information
Information and the sharing of information are critical to the running of Emmaus Hampshire. Employees and third parties with whom Emmaus Hampshire has a business relationship, including arrangements which directly benefit employees, rely on fast, reliable access to information. For this reason personal data is shared with and may be obtained from:
This list is not exhaustive and will be subject to change.
5.6.4 Processing of personal data on recruitment applications
All responses to advertisements, whether electronic or paper-based, will be submitted and processed on the basis stipulated at Section 5.2.3 above.
Emmaus Hampshire uses manual systems to consider applications against advertised positions using the relevant person specification and other similar vacancies where consent is given within Emmaus Hampshire.
The process for the receipt and distribution of applications is as follows:
a) Applications are accepted via mail (e-mail and postal mail) for specific positions. For some positions, Emmaus Hampshire may request responses via external agencies.
b) Speculative applications are also accepted via both types of mail but the applicant is either contacted to complete a full application where a suitable vacancy is available or the application is destroyed.
c) Copying of applications may be carried out by Emmaus Hampshire or an agent acting on behalf of Emmaus Hampshire.
d) Applicants are selected for positions based on skills, qualifications, experience and competencies required by the job person specification.
e) Applications are reviewed by recruitment panel members (managers and staff) and in some cases external recruitment consultants.
f) Applications for a specific vacancy (including supplementary data produced by the process, e.g. marking sheet, interview notes, completed tests and results) will be retained by Emmaus Hampshire on paper, with basic details being entered into the recruitment database and on a test spreadsheet where applicable.
g) If an application matches the criteria for another position (the criteria being that specified in the person specification), the applicant may be contacted to ascertain whether they are interested in the position and data will only be processed if consent is given.
h) Applications may be electronically or manually shared between Emmaus Hampshire sites.
i) Application data is reported on, in terms of volumes received from various sources of advert (e.g. newspaper, internet site, agency, recruitment fair, speculative etc.).
5.6.5 Processing of sensitive personal data/special categories of personal data for recruitment and subsequent employee monitoring
Sensitive personal data/special categories of personal data is not used in the decision making process, except where the following circumstances are relevant to the position being considered:
Emmaus Hampshire will also process information on racial or ethnic origin, gender, sexuality, age and disability for statistical monitoring purposes only, in accordance with the Equality Act 2010 and other relevant guidelines.
5.6.6 Employee Monitoring
Emmaus Hampshire has the means, automated and otherwise, of monitoring individual usage of property and equipment including E-mail and the Internet. All traffic is automatically recorded to ensure that it is being used appropriately and Emmaus Hampshire may retrieve and read all this information at any time. In order to protect Emmaus Hampshire’s charitable resources we reserve the right to use appropriate monitoring systems and information, and such information may form part of the evidence in any disciplinary or other management action that may be taken in connection with: