Emmaus North East needs to hold and process personal data about individuals. These can be companions, current and former employees, volunteers, donors, and supporters.
The General Data Protection Regulation (GDPR) of 2018 states that an individual has the right to expect that personal information is protected by an organisation, that it is fairly and lawfully obtained and processed in accordance with legitimate business and legal requirements, securely held and not shared with third parties without the individual’s consent. Emmaus North East will comply with these regulations, which apply whether the data is stored electronically, on paper or in any other way.
Scope
This policy provides a framework by which personal data will be managed at Emmaus North East in order to be compliant with GDPR.
The ‘Data Controller’ is Emmaus North East. Data will be processed by appointed representatives within Emmaus North East, including managers and any individuals with specific responsibility for data processing. Agents acting on behalf of Emmaus North East may also be data controllers. The Data Protection Coordinator is the person who is responsible in Emmaus North East for ensuring that Emmaus North East complies with GDPR. Emmaus North East’s Data Protection Coordinator is the Emmaus North East Finance Manager.
This Policy covers the Data Protection principles and an individual’s rights and responsibilities as set down in GDPR. This policy does not form part of any individual employee’s contract of employment with Emmaus North East. However, it is the responsibility of every employee to familiarise themselves with, and to comply with, this policy. A breach could be considered a criminal offence and lead to prosecution of Emmaus North East and/or the employee by the Information Commissioner’s Office (ICO).
Data protection principles
There are six data protection principles that are central to the GDPR. In brief, they say that personal data must be:
Data Definitions
Personal Data
Personal data is that which relates to a living individual who can be identified from the data or from a combination of that data with other information in the possession, or likely to come into the possession, of the holder. Data does not have to be private or sensitive to constitute personal data and includes information such as names, addresses and telephone numbers. The GDPR has increased the scope of the definition to include identifiers, such as location data and online identifiers, and now also includes genetic data.
Examples:
Personal data covers both facts and opinions that are held about an individual. It also includes information regarding Emmaus North East’s intentions towards the individual. Data relates to any information held on a computer, including e-mails, photographs, image or voice recordings, and to manually held paper records that have been stored in a structured way so that information can be found easily, or manual records which are due to be stored in this way.
Sensitive Personal Data and Special Categories of Personal Data
Sensitive personal data is defined under GDPR as information about an individual’s:
Special categories of personal data as defined in the GDPR include, in addition to the above:
Emmaus runs DBS checks on all new staff on the basis that Emmaus staff will be required to work with vulnerable adults.
Emmaus North East asks Companions to provide details of unspent convictions in order to risk assess and tailor support for Companions.
Procedure
Data security
Emmaus North East will ensure that appropriate technical and organisational measures are taken to safeguard personal data. All personal data will be password protected and only accessed by those staff who have an operational need to do so.
All members of the Emmaus North East team have a personal responsibility to ensure that any information of a personal or sensitive personal nature to which they have access in the course of their work with Emmaus North East is protected from unauthorised access and disclosure. This applies equally to data relating to companions, employees, volunteers, agency workers, trustees, donors, customers, consultants, and contractors.
Staff must observe the following rules:
All Emmaus North East employees will be required to complete data protection training as part of their induction.
General guidelines for processing data
Staff who process personal data must comply with the following:
Retention of personal data
Personal data must not be retained for longer than is necessary. Information must only be retained where there is a genuine organisational need to do so.
When data is retained, it must be stored securely. Electronic data must always be stored somewhere with restricted access or password protected. Hard copy data must be locked away. If a former companion requests that their data is removed from the Emmaus North East systems, then it must be removed or anonymised so that it cannot be traced to that individual. If a current companion asks for information to be deleted because they believe it to be incorrect, it must be reviewed by the Data Protection Coordinator, who will determine whether this is the case. If it is incorrect, it must be revised; if not, it must be made clear to the companion that the information must be retained until they leave Emmaus North East.
Legal basis for processing
Personal data and special categories of personal data must only be processed where there is a legal basis for processing that data.
Companions
The legal basis for processing personal data of Companions is to protect the vital interests of the data subject.
When processing special categories of personal data, such processing is conducted in the course of its legitimate activities with appropriate safeguards in place.
Staff
The legal basis for processing personal data of employees is because the processing is necessary for the performance of their employment contract.
When processing special categories of personal data, such processing is necessary for the purposes of exercising specific rights of Emmaus in the field of employment.
Others
The legal basis for processing personal data of other individuals, such as volunteers, donors and supporters is because the processing is necessary for the purposes of the legitimate interests pursued by Emmaus.
In the unlikely event that Emmaus processes special categories of personal data in respect of such individuals, this will be conducted during Emmaus’ legitimate activities with appropriate safeguards in place.
Unauthorised disclosure
Individuals must be aware that disclosure of information in contravention of this policy will be treated by Emmaus North East as a serious disciplinary offence which may be treated as gross misconduct, and further that under GDPR individuals can be prosecuted for an improper use or unauthorised disclosure of such data.
Taking data off site
Personal information must never be taken home by an employee, emailed to a personal account, or stored on a personal computer. Doing so may be treated as gross misconduct. If personal information needs to be transported to another location, it is the responsibility of the employee to ensure it is stored securely at all times.
Individual data rights
Individuals on whom Emmaus North East holds data have the following rights under the GDPR:
The Data Protection Officer should keep a log of all requests made and all responses to these requests.
Informal requests
Companion
A current companion can request to see all data that Emmaus North East has on them by requesting this from the Deputy Community Leader. The staff member must put this request forward to the Data Protection Coordinator who must make an arrangement with the companion to show this information to them.
Employee
An employee may make an informal request to view a particular file that the senior manager or their line manager holds on them. The Data Protection coordinator must arrange this at both parties’ earliest convenience.
If the employee requests to see their personnel file, it is important to ensure that the employee is only interested in viewing this file, rather than any other information held on them. If this is the case, a suitable time must be arranged for the employee to view their file with the senior manager, and/or they may request copies of any documents contained within the paper-based file or print-outs of pages from within the computerised file.
If an employee, volunteer, or companion wishes to make a more comprehensive search thereby invoking the Act, the formal request process must be followed. Current employees, volunteers or companions will not be charged to make a formal request but will need to put the request in writing as outlined below.
Formal Requests
Requests by any individual who has had any dealings with Emmaus North East but is not a current employee or companion must always be considered as a formal request. This includes requests from donors and supporters, former staff, volunteers, and companions.
Under the Act any individual is entitled:
If so, to be given a description of:
If an individual wants to make a formal request for access to any information held on them by Emmaus North East:
On receipt of the letter the Data Protection Officer will check to ensure that the individual is who they claim to be, validate their right to gain access to the data and consider the appropriateness of the request in line with GDPR.
The Data Protection Coordinator will contact the appropriate individuals within Emmaus North East and, where appropriate, any external organisations and request access to or copies of the relevant information held on that individual within any system or manual file.
The information, once collated, must be made available within 30 days from receipt of the request, unless the burden of providing the information is excessive.
If a request is “manifestly unfounded or excessive” the Data Protection Officer can charge a fee or refuse to respond but will need to be able to provide evidence of how the conclusion was reached.
In some circumstances it may be appropriate for the Data Protection Coordinator to agree an appropriate time for the individual to review the information held on file, and take copies of documents, as appropriate. Where appropriate, any inaccuracies identified by the requesting individual will subsequently be amended.
Exemptions from Disclosure
In line with GDPR Emmaus North East will not disclose information in the following circumstances:
Deleting data
Any individual has the right to ask that their data is no longer used by Emmaus North East or that the reasons for which it is used are amended. The right to erasure however is limited and any such requests should be considered by the Data Officer.
Companion data
When companions join the community, they are asked to provide both personal data and sensitive/special categories of personal data, including:
Companions will also be asked to provide details of any criminal convictions and informed of the legal ground for obtaining this information.
On their arrival at Emmaus North East, it will be made clear to the companion through the induction process what personal data the community will store, the legal basis for the processing, their rights in respect of their personal data, for what purpose their information will be used, and under what circumstances their information will be shared and why. This information will be documented in the companion registration document.
The exception to this is a situation when there is a significant concern for welfare or potential threat to life. In these circumstances companion information may be shared in order to safeguard the individual or other members of the community. Information may also be shared if requested by court order.
Access
Companions must be informed that they have the right to request all data that is collected about them, this includes: notes of individual meetings; support plans; referral forms and risk assessments. This list is not exhaustive.
Sharing companion information within the UK Federation
From time to time, a companion may move to another community within the United Kingdom, for example to accept a staff or companion role. In these cases, it may be appropriate to provide information about the companion to ensure safeguarding needs are met and to ensure the receiving community is able to support the individual appropriately and as part of their risk assessment processes.
Information about companions may only be provided to another community if the companion has been informed by the data controller that it may be shared in this way and the data controller complies with the Data Sharing Policy found here.
Any employee who does not comply with this will become subject to proceedings under the Disciplinary Procedure.
Donor and supporter data
Fundraising Regulator Code of Fundraising Practice
Emmaus North East is registered with the Fundraising Regulator and adheres to its code of practice which requires all fundraising organisations to be legal, honest, open, and respectful.
The full code can be found at: https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraising-practice/
Collecting donor and supporter data
Emmaus North East relies on donations from individuals to support its work. These can be cash donations or furniture donations. Whenever donor information is collected, we provide an opportunity to opt in to email marketing communications and provide relevant information about our mail marketing with the option to opt out. Where we take a telephone number, this will only be used for the purposes of arranging the delivery or collection of furniture and never for marketing purposes. The donor will be offered the opportunity to set their contact preferences, opting out if they prefer not to be contacted further. All donor and supporter data will be stored securely.
Sharing donor data
Emmaus North East will never sell or share donor or supporter data with third party organisations unless they are conducting work on behalf of Emmaus North East. Companies working on behalf of Emmaus North East, such as printers, will be given access to donor data in order to complete the task they have been appointed to do, but in these circumstances Emmaus North East remains the data controller.
Where information is shared with suppliers working on behalf of Emmaus North East, it will be password protected and sent using secure methods.
All suppliers conducting work on behalf of Emmaus North East who handle personal data will be required to provide their own data protection policy and a contract clearly stating how they will use and dispose of any data provided.
Every time data is shared with a supplier working on behalf of Emmaus North East, it will be logged on the data sharing worksheet.
Donor welfare
No-one employed by Emmaus North East will accept a donation from anyone they feel may be vulnerable and lack the capacity to make an informed decision about their donation. Any concerns about individual donors must be flagged to the Community Manager so appropriate action can be taken.
Changing contact preferences
A donor has the right to change their contact preferences at any time. This can be done by contacting Emmaus North East. Any request to change contact preferences will be made with immediate effect.
Employee data
This specifically relates to any data held about potential, current or former employees, trustees, and volunteers at Emmaus North East.
Emmaus North East’s recruitment processes are maintained to ensure they meet GDPR and are designed to ensure that applicants:
Personal data
Personal data which may be held by Emmaus North East includes:
This list is not exhaustive and will be subject to change.
Emmaus North East will hold and process personal data provided by an employee for all purposes related to their employment including, but not limited to:
Processing Sensitive Personal Data and Special Categories of Personal Data
Sensitive personal data and special categories of personal data will be processed as follows:
Sensitive personal data/special categories of personal data may also be processed, in accordance with GDPR and legislation, to exercise or perform a right or obligation conferred or imposed by law on Emmaus North East in connection with employment; in connection with legal proceedings or for obtaining legal advice; or for administration of justice.
Sharing employee information
Information and the sharing of information are critical to the running of Emmaus North East. Employees and third parties with whom Emmaus North East has a business relationship, including arrangements which directly benefit employees, rely on fast, reliable access to information. For this reason, personal data is shared with and may be obtained from:
This list is not exhaustive and will be subject to change.
Every time employee data is shared, it will be logged on the data sharing worksheet (held by the admin team).
Processing of personal data on recruitment applications
All responses to advertisements, whether electronic or paper-based, will be submitted and processed on the basis stipulated above.
Emmaus North East uses manual systems to consider applications against advertised positions using the relevant person specification and, where the applicant has given consent, against other similar vacancies within Emmaus North East.
The process for the receipt and distribution of applications is as follows:
Processing of sensitive personal data/special categories of personal data for recruitment and subsequent employee monitoring
Sensitive personal data/special categories of personal data are not used in the decision-making process, except where the following circumstances are relevant to the position being considered:
Emmaus North East will also process information on racial or ethnic origin, gender, sexuality, age, and disability for statistical monitoring purposes only, in accordance with the Equality Act 2010 and other relevant guidelines.
Employee Monitoring
Emmaus North East has the means, automated and otherwise, of monitoring individual usage of property and equipment including E-mail and the Internet. All traffic is automatically recorded to ensure that it is being used appropriately and Emmaus North East may retrieve and read all this information at any time. To protect Emmaus North East’s charitable resources, we reserve the right to use appropriate monitoring systems and information, and such information may form part of the evidence in any disciplinary or other management action that may be taken in connection with: