GDPR – General Data Protection

 

Policy Statement

 

Emmaus North East needs to hold and process personal data about individuals. These can be companions, current and former employees, volunteers, donors, and supporters.

 

The General Data Protection Regulation (GDPR) of 2018 states that an individual has the right to expect that personal information is protected by an organisation, that it is fairly and lawfully obtained and processed in accordance with legitimate business and legal requirements, securely held and not shared with third parties without the individual’s consent. Emmaus North East will comply with these regulations, which apply whether the data is stored electronically, on paper or in any other way.

 

Scope

 

This policy provides a framework by which personal data will be managed at Emmaus North East in order to be compliant with GDPR.

 

The ‘Data Controller’ is Emmaus North East. Data will be processed by appointed representatives within Emmaus North East, including managers and any individuals with specific responsibility for data processing. Agents acting on behalf of Emmaus North East may also be data controllers. The Data Protection Coordinator is the person who is responsible in Emmaus North East for ensuring that Emmaus North East complies with GDPR. Emmaus North East’s Data Protection Coordinator is the Emmaus North East Finance Manager.

 

This Policy covers the Data Protection principles and an individual’s rights and responsibilities as set down in GDPR. This policy does not form part of any individual employee’s contract of employment with Emmaus North East. However, it is the responsibility of every employee to familiarise themselves with, and to comply with, this policy. A breach could be considered a criminal offence and lead to prosecution of Emmaus North East and/or the employee by the Information Commissioner’s Office (ICO).

 

Data protection principles

 

There are six data protection principles that are central to the GDPR. In brief, they say that personal data must be:

 

  • processed fairly and lawfully and in a transparent manner in relation to the data subject
  • collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures

 

Data Definitions

 

Personal Data

 

Personal data is that which relates to a living individual who can be identified from the data, or from a combination of that data with other information in the possession, or likely to come into the possession, of the holder. Data does not have to be private or sensitive to constitute personal data and includes information such as names, addresses and telephone numbers. The GDPR has increased the scope of the definition to include identifiers such as location data and online identifiers, and now also includes genetic data.

 

Examples:

 

  • in a recruitment process this can include information contained in a job application or CV, interview notes and references
  • for a companion this could be information in their referral form, risk assessment and support plans
  • for a furniture donor, this could be the information supplied on the Gift Aid declaration

 

Personal data covers both facts and opinions that are held about an individual. It also includes information regarding Emmaus North East’s intentions towards the individual. Data includes any information held on a computer (including e-mails, photographs, and image or voice recordings), manually held paper records that have been stored in a structured way so that information can be found easily, and manual records which are due to be stored in this way.

 

Sensitive Personal Data and Special Categories of Personal Data

 

Sensitive personal data is defined under GDPR as information about an individual’s:

 

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or other beliefs of a similar nature
  • Trade union membership or non-membership
  • Physical or mental health or condition
  • Sex life

 

Special categories of personal data as defined in the GDPR include, in addition to the above:

 

  • Biometric data
  • Genetic data
  • Criminal or alleged criminal offences or any proceedings for an offence or alleged offence

 

Emmaus runs DBS checks on all new staff on the basis that Emmaus staff will be required to work with vulnerable adults.

 

Emmaus North East asks Companions to provide details of unspent convictions in order to risk assess and tailor support for Companions.

 

Procedure

 

Data security

 

Emmaus North East will ensure that appropriate technical and organisational measures are taken to safeguard personal data. All personal data will be password protected and only accessed by those staff who have an operational need to do so.

 

All members of the Emmaus North East team have a personal responsibility to ensure that any information of a personal or sensitive personal nature to which they have access in the course of their work with Emmaus North East is protected from unauthorised access and disclosure. This applies equally to data relating to companions, employees, volunteers, agency workers, trustees, donors, customers, consultants, and contractors.

 

Staff must observe the following rules:

 

  • ensure that electronic storage of such material has limited access and that system passwords are changed every six months
  • take responsibility for the security of their workstation, keeping their password safe and locking it when they are not at their desk
  • label personal information sent by post as ‘Private & Confidential’ and send it via courier or recorded delivery
  • write ‘Private and Confidential’ in the subject when sending personal information via email
  • not disclose information about Emmaus North East or any personal information about individuals other than in the course of proper performance of duties and/or to authorised colleagues
  • take particular care when exchanging information with third parties to check that the person requesting information is who they claim to be and that there is proper authorisation or consent
  • not use information for purposes other than that for which it was intended
  • sign a confidentiality clause as part of their contract of employment with Emmaus North East
  • pass on a request for information under GDPR or a request by a data subject in respect of their rights under the GDPR

 

All Emmaus North East employees will be required to complete data protection training as part of their induction.

 

General guidelines for processing data

 

Staff who process personal data must comply with the following:

 

  • where specific personal information is sought from an individual, the individual must be informed as to the purposes for which that data will be used
  • personal data obtained for a specified purpose must not be used for another purpose without the individual’s consent
  • any personal data processed must be adequate, relevant, and not excessive in relation to the purpose for which it is held
  • personal data must be accurate and kept up to date. The senior management may remind employees from time to time to check those of their personal details which are subject to change, e.g., home address
  • any data no longer needed must be disposed of securely
  • financial information from donors and supporters must always be destroyed or suitably redacted as soon as possible
  • high-risk processing must not be conducted unless a Data Protection Impact Assessment has been conducted
  • consider to what extent pseudonymisation (replacing identifying fields with pseudonyms) and minimisation can be applied

 

Retention of personal data

 

Personal data must not be retained for longer than is necessary. Information must only be retained where there is a genuine organisational need to do so.

 

When data is retained, it must be stored securely. Electronic data must always be stored somewhere with restricted access or password protected. Hard copy data must be locked away. If a former companion requests that their data is removed from the Emmaus North East systems, then it must be removed or anonymised so that it cannot be traced to that individual. If a current companion asks for information to be deleted because they believe it to be incorrect, the Data Protection Coordinator must review it and determine whether this is the case. If it is incorrect, it must be revised; if not, it must be made clear to the companion that the information must be retained until they leave Emmaus North East.

 

Legal basis for processing

 

Personal data and special categories of personal data must only be processed where there is a legal basis for processing that data.

 

Companions

 

The legal basis for processing personal data of Companions is to protect the vital interests of the data subject.

 

When processing special categories of personal data, such processing is conducted in the course of its legitimate activities with appropriate safeguards in place.

 

Staff

 

The legal basis for processing personal data of employees is because the processing is necessary for the performance of their employment contract.

 

When processing special categories of personal data, such processing is necessary for the purposes of exercising specific rights of Emmaus in the field of employment.

 

Others

 

The legal basis for processing personal data of other individuals, such as volunteers, donors and supporters is because the processing is necessary for the purposes of the legitimate interests pursued by Emmaus.

 

In the unlikely event that Emmaus processes special categories of personal data in respect of such individuals, this will be conducted during Emmaus’ legitimate activities with appropriate safeguards in place.

 

Unauthorised disclosure

 

Individuals must be aware that disclosure of information in contravention of this policy will be treated by Emmaus North East as a serious disciplinary offence which may result in gross misconduct, and further that under GDPR individuals can be prosecuted for an improper use or unauthorised disclosure of such data.

 

Taking data off site

 

Personal information must never be taken home by an employee, emailed to a personal account, or stored on a personal computer. Doing so may result in gross misconduct. If personal information needs to be transported to another location, it is the responsibility of the employee to ensure it is always stored securely.

 

Individual data rights

 

Individuals on whom Emmaus North East have data have the following rights under the GDPR:

 

  • Where processing is conducted on the basis of consent, individuals can withdraw their consent at any time
  • Subject Access. Individuals can make a request to view or to have a copy of their personal data. This includes employees, volunteers, companions, donors, supporters, and any other party that Emmaus North East records information on
  • Data Portability. Under the GDPR individuals have a right to be provided with, or have another organisation provided with, a copy of any data in a structured, commonly used, and machine-readable form where the lawful ground for processing is consent or where processing is necessary for the performance of a contract and the processing is conducted by automated means
  • Individuals have the right to object to Emmaus North East processing for marketing purposes and can object generally to Emmaus North East processing personal data
  • Automated decision making. Individuals have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or similar significant effect on the individual unless it is necessary for entering into or performance of a contract, is authorised by law or is based on explicit consent

 

The Data Protection Officer should keep a log of all requests made and all responses to these requests.

 

Informal requests

 

Companion

 

A current companion can request to see all data that Emmaus North East has on them by requesting this from the Deputy Community Leader. The staff member must put this request forward to the Data Protection Coordinator who must make an arrangement with the companion to show this information to them.
Employee

 

An employee may make an informal request to view a particular file that the senior manager or their line manager holds on them. The Data Protection Coordinator must arrange this at both parties’ earliest convenience.

 

If the employee requests to see their personnel file, it is important to ensure that the employee is only interested in viewing this file, rather than any other information held on them. If this is the case, a suitable time must be arranged for the employee to view their file with the senior manager, and/or they may request copies of any documents contained within the paper-based file or print-outs of pages from within the computerised file.

 

If an employee, volunteer, or companion wishes to make a more comprehensive search thereby invoking the Act, the formal request process must be followed. Current employees, volunteers or companions will not be charged to make a formal request but will need to put the request in writing as outlined below.

 

Formal Requests

 

Requests by any individual who has had any dealings with Emmaus North East but is not a current employee or companion must always be considered as a formal request. This includes requests from donors and supporters, former staff, volunteers, and companions.

 

Under the Act any individual is entitled:

 

  • to be told whether anyone in Emmaus North East is holding any of their personal data

 

If so, to be given a description of:

 

  • the personal data held
  • the purposes for which the data is being processed
  • those to whom the information is, has or may be disclosed

 

If an individual wants to make a formal request for access to any information held on them by Emmaus North East:

 

  • the individual should be advised to put a request in writing to the Data Protection Coordinator, 257 Stanhope Road, South Shields, NE33 4RT

 

On receipt of the letter the Data Protection Officer will check to ensure that the individual is who they claim to be, validate their right to gain access to the data and consider the appropriateness of the request in line with GDPR.

 

The Data Protection Coordinator will contact the appropriate individuals within Emmaus North East and, where appropriate, any external organisations and request access to or copies of the relevant information held on that individual within any system or manual file.

 

The information, once collated, must be made available within 30 days from receipt of the request, unless the burden of providing the information is excessive.

 

If a request is “manifestly unfounded or excessive” the Data Protection Officer can charge a fee or refuse to respond but will need to be able to provide evidence of how the conclusion was reached.

 

In some circumstances it may be appropriate for the Data Protection Coordinator to agree an appropriate time for the individual to review the information held on file, and take copies of documents, as appropriate. Where appropriate, any inaccuracies identified by the requesting individual will subsequently be amended.

 

Exemptions from Disclosure

 

In line with GDPR Emmaus North East will not disclose information in the following circumstances:

 

  • personal data processed for the purposes of management forecasting or planning, if disclosure would prejudice the conduct of Emmaus North East
  • records of Emmaus North East’s intention in connection with negotiations with the individual, if disclosure might prejudice those negotiations
  • various exemptions for certain crime and taxation purposes, where compliance with the provision would be likely to prejudice the crime or taxation purpose

 

Deleting data

 

Any individual has the right to ask that their data is no longer used by Emmaus North East or that the reasons for which it is used are amended. The right to erasure however is limited and any such requests should be considered by the Data Officer.

 

Companion data

 

When companions join the community, they are asked to provide both personal data and sensitive/special categories of personal data, including:

 

  • Name
  • Date of birth
  • National Insurance number
  • Medical history
  • Housing history

 

Companions will also be asked to provide details of any criminal convictions and informed of the legal ground for obtaining this information.

 

On their arrival at Emmaus North East, it will be made clear to the companion through the induction process what personal data the community will store, the legal basis for the processing, their rights in respect of their personal data, for what purpose their information will be used, and under what circumstances their information will be shared and why. This information will be documented in the companion registration document.

 

The exception to this is a situation when there is a significant concern for welfare or potential threat to life. In these circumstances companion information may be shared in order to safeguard the individual or other members of the community. Information may also be shared if requested by court order.
Access

 

Companions must be informed that they have the right to request all data that is collected about them; this includes notes of individual meetings, support plans, referral forms and risk assessments. This list is not exhaustive.

 

Sharing companion information within the UK Federation

 

From time to time, a companion may move to another community within the United Kingdom, for example to accept a staff or companion role. In these cases, it may be appropriate to provide information about the companion to ensure safeguarding needs are met and to ensure the receiving community is able to support the individual appropriately and as part of their risk assessment processes.

 

Information about companions may only be provided to another community if the companion has been informed by the data controller that it may be shared in this way and the data controller complies with the Data Sharing Policy found here.

 

Any employee who does not comply with this will become subject to proceedings under the Disciplinary Procedure.
Donor and supporter data

 

Fundraising Regulator Code of Fundraising Practice

 

Emmaus North East is registered with the Fundraising Regulator and adheres to its code of practice which requires all fundraising organisations to be legal, honest, open, and respectful.

 

The full code can be found at: https://www.fundraisingregulator.org.uk/code-of-fundraising-practice/code-of-fundraising-practice/

 

Collecting donor and supporter data

 

Emmaus North East relies on donations from individuals to support its work. This can be both cash donations and furniture donations. Whenever donor information is collected, we provide an opportunity to opt-in to email marketing communications and provide relevant information about our mail marketing with the option to opt-out. Where we take a telephone number, this will only be used for the purposes of arranging the delivery or collection of furniture and never for marketing purposes. The donor will be offered the opportunity to set their contact preferences, opting out if they prefer not to be contacted further. All donor and supporter data will be stored securely.

 

Sharing donor data

 

Emmaus North East will never sell or share donor or supporter data with third party organisations unless they are conducting work on behalf of Emmaus North East. Companies working on behalf of Emmaus North East, such as printers, will be given access to donor data in order to complete the task they have been appointed to do, but in these circumstances Emmaus North East remains the data controller.

 

Where information is shared with suppliers working on behalf of Emmaus North East, it will be password protected and sent using secure methods.

All suppliers conducting work on behalf of Emmaus North East who handle personal data will be required to provide their own data protection policy and a contract clearly stating how they will use and dispose of any data provided.

 

Every time data is shared with a supplier working on behalf of Emmaus North East, it will be logged on the data sharing worksheet.

 

Donor welfare

 

No-one employed by Emmaus North East will accept a donation from anyone they feel may be vulnerable and lack the capacity to make an informed decision about their donation. Any concerns about individual donors must be flagged to the Community Manager so appropriate action can be taken.

 

Changing contact preferences

 

A donor has the right to change their contact preferences at any time. This can be done by contacting Emmaus North East. Any request to change contact preferences will be made with immediate effect.

 

Employee data

 

This specifically relates to any data held about potential, current or former employees, trustees, and volunteers at Emmaus North East.

Emmaus North East’s recruitment processes are maintained to ensure they meet GDPR and are designed to ensure that applicants:

 

  • are treated in a fair, timely and efficient manner
  • are only considered for the vacancy or vacancies they have applied for, or consent is sought before considering them for other vacancies inside or outside Emmaus North East
  • understand the rationale used in assessing applications

 

Personal data

 

Personal data which may be held by the Emmaus North East includes:

 

  • personal files and information held by senior managers
  • list of names and addresses whether on spreadsheet, paper, or card indexes
  • list of names, telephone numbers and or email addresses held by managers
  • paper based employee files containing employment records held by senior manager (contracts, appraisals, letters of communication etc.)
  • references provided to, or received from, external sources
  • training records, including personal development plans
  • support and supervision records held by line managers
  • payroll and pension records held by Finance Manager and Ellison Services
  • information contained on e-mail which mentions the individual’s name and of which they are the specific focus
  • computerised files holding information focusing on a specific individual
  • health records submitted to Emmaus North East with the permission of the individual which may include medical certificates, medical appointment letters and Occupational Health reports

 

This list is not exhaustive and will be subject to change.

 

Emmaus North East will hold, and process personal data provided by an employee for all purposes related to their employment including, but not limited to:

 

  • administering and maintaining personnel records
  • paying and reviewing salary and other remuneration and benefits
  • providing and administering benefits (including pension, life assurance and permanent health insurance)
  • undertaking performance appraisals and reviews, including talent review and succession planning
  • during performance, absence, disciplinary, harassment and bullying, grievance, and redundancy proceedings
  • providing references and information to future employers, and, if necessary, governmental, and quasi-governmental bodies for social security and other purposes, the Inland Revenue and the DWP
  • providing information to funders or potential funders
  • providing information to potential merger partners with Emmaus North East.

 

Processing Sensitive Personal Data and Special Categories of Personal Data

 

Sensitive personal data and special categories of personal data will be processed as follows:

 

  • senior manager will process racial or ethnic origin, sex, sexuality, age, and disability for statistical monitoring purposes, in accordance with the Commission on Racial Equality and Disability Discrimination Act guidelines. This data will be used to measure Emmaus North East’s diversity profile in line with our diversity strategy
  • senior manager will process data on an employee’s health for the purposes of maintaining sickness or other absence records and taking decisions as to an employee’s fitness for work and entitlement to related benefits (e.g., SSP). Details of work-related injuries or illnesses will also be provided to the Health and Safety TU rep where requested and will be reported in accordance with Emmaus North East’s legal requirements
  • payroll will process Trade Union membership details for the purposes of making deductions from salary for union subscriptions.
  • senior managers will process information on criminal offences (spent and unspent) in order to determine suitability for employment or continued employment, where appropriate. Please see above comments on the legal basis for such processing.

 

Sensitive personal data/special categories of personal data may also be processed, in accordance with GDPR and legislation, to exercise or perform a right or obligation conferred or imposed by law on Emmaus North East in connection with employment; in connection with legal proceedings or for obtaining legal advice; or for administration of justice.

 

Sharing employee information

 

Information and the sharing of information are critical to the running of Emmaus North East. Employees and third parties with whom Emmaus North East has a business relationship, including arrangements which directly benefit employees, rely on fast, reliable access to information. For this reason, personal data is shared with and may be obtained from:

 

  • Payroll Bureau
  • Pensions Advisor and Pension Organisations and Trustees
  • Occupational Health
  • Statutory Authorities
  • Government Agencies
  • Funders
  • Police
  • Legal Advisors
  • TU Officials
  • Insurance Advisors and companies

 

This list is not exhaustive and will be subject to change.

 

Every time employee data is shared, it will be logged on the data sharing worksheet (held by the admin team).

 

Processing of personal data on recruitment applications

 

All responses to advertisements, whether electronic or paper-based, will be submitted and processed on the basis stipulated above.

 

Emmaus North East uses manual systems to consider applications against advertised positions using the relevant person specification, and, where consent is given, against other similar vacancies within Emmaus North East.

 

The process for the receipt and distribution of applications is as follows:

 

  • applications are accepted via mail (e-mail and postal mail) for specific positions. For some positions, Emmaus North East may request responses via external agencies
  • speculative applications are also accepted via both types of mail, but the applicant is either contacted to complete a full application where a suitable vacancy is available, or the application is destroyed
  • copying of applications may be conducted by Emmaus North East or an agent acting on behalf of Emmaus North East
  • applicants are selected for positions based on the skills, qualifications, experience and competencies required by the job person specification
  • applications are reviewed by recruitment panel members (managers and staff) and in some cases external recruitment consultants
  • applications for a specific vacancy, including supplementary data produced by the process (e.g., marking sheet, interview notes, completed tests and results), will be retained by Emmaus North East on paper, with basic details being entered into the recruitment database and on a test spreadsheet where applicable
  • if an application matches the criteria for another position (the criteria being that specified in the person specification), the applicant may be contacted to ascertain whether they are interested in the position and data will only be processed if consent is given
  • applications may be electronically or manually shared between Emmaus North East sites
  • application data is reported on, in terms of volumes received from various sources of advert (e.g., newspaper, internet site, agency, recruitment fair, speculative etc.)

Processing of sensitive personal data/special categories of personal data for recruitment and subsequent employee monitoring

 

Sensitive personal data/special categories of personal data are not used in the decision-making process, except where the following circumstances are relevant to the position being considered:

 

  • details that the applicant has declared about any support, modifications, adjustments, or special equipment needed to assist them in performing the duties of the post taking into account Emmaus North East’s obligations under the Equality Act 2010
  • details of criminal offences spent and unspent convictions due to Emmaus North East’s Vulnerable Adult Client group

 

Emmaus North East will also process information on racial or ethnic origin, gender, sexuality, age, and disability for statistical monitoring purposes only, in accordance with the Equality Act 2010 and other relevant guidelines.

 

Employee Monitoring

 

Emmaus North East has the means, automated and otherwise, of monitoring individual usage of property and equipment including E-mail and the Internet. All traffic is automatically recorded to ensure that it is being used appropriately and Emmaus North East may retrieve and read all this information at any time. To protect Emmaus North East’s charitable resources, we reserve the right to use appropriate monitoring systems and information, and such information may form part of the evidence in any disciplinary or other management action that may be taken in connection with:

 

  • any breach of our rules relating to personal use of property, equipment, and time
  • any other matter upon which individual usage of property, equipment and time has a bearing