Rusty Road 2 Recovery (RR2R) Data Protection and GDPR Policy
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016 and applies from 25 May 2018 after a two-year transition period.
The 1998 Data Protection Act, which came into force on 1st March 2000, will continue to apply until the new General Data Protection Regulations come into force in May 2018. The following guidance is not a definitive statement on the Regulations, but seeks to interpret relevant points where they affect Rusty Road 2 Recovery (RR2R). The Regulations cover both written and computerised information and the individual's right to see such records. It is important to note that the Regulations also cover records relating to staff and volunteers.
RR2R staff and volunteers are required to follow this Data Protection Policy at all times.
The Directors have overall responsibility for data protection within RR2R but each individual processing data is acting on the controller's behalf and therefore has a legal obligation to adhere to the Regulations.
Processing of information - how information is held and managed.
Information Commissioner - formerly known as the Data Protection Commissioner.
Notification - formerly known as Registration.
Data Subject - used to denote an individual about whom data is held.
Data Controller - used to denote the entity with overall responsibility for data collection and management. RR2R is the Data Controller for the purposes of the Act.
Data processor - an individual handling or processing data.
Personal data - any information which enables a person to be identified.
Special categories of personal data - information under the Regulations which requires the individual's explicit consent for it to be held by the charity.
Data Protection Principles
As data controller, RR2R is required to comply with the principles of good information handling. These principles require the Data Controller to:
Process personal data fairly, lawfully and in a transparent manner.
Obtain personal data only for one or more specified and lawful purposes and ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
Ensure that personal data is accurate and, where necessary, kept up-to-date.
Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
Ensure that personal data is kept secure.
Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
RR2R must obtain our service users', customers', clients', staff's, volunteers' and community members' explicit consent when storing certain information (known as 'personal data' or 'special categories of personal data') on file. For the purposes of the Regulations, personal and special categories of personal data cover information relating to:
The racial or ethnic origin of the Data Subject.
Their political opinions.
Their religious beliefs or other beliefs of a similar nature.
Whether they are a member of a trade union.
Their medical conditions.
The commission or alleged commission by them of any offence.
Online identifiers such as an IP address.
Genetic and/or biometric data which can be used to identify an individual.
Staff bank account details and National Insurance numbers.
Special categories of personal information collected by RR2R will, in the main, relate to the medical conditions of our staff and volunteers. Consent is not required to store information that is not classed as a special category of personal data (e.g. name, address, telephone number) as long as only accurate data that is necessary for a service to be provided is recorded. As a general rule RR2R will seek consent where personal or special categories of personal information are to be held. If special categories of personal data need to be recorded for the purpose of Health and Safety and the volunteer refuses consent, the case should be referred to the Directors for advice.
Consent may be obtained in a number of ways depending on the nature of the contact, and consent must be recorded and stored in the filing cabinets:
Face to face/written - a client information form should be used.
Telephone - verbal consent should be sought and noted on the client information form.
Email - the initial response should seek consent.
Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a volunteer in relation to information regarding their health, separate consent would be required if, for example, we needed to store information regarding a criminal record.
Preliminary verbal consent should be sought at the point of initial contact, as special categories of personal data will need to be recorded in the event of an emergency. The verbal consent is to be recorded in the appropriate fields on the volunteer form record or stated in an email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.
Specific consent for the use of any photographs and/or videos taken should be obtained in writing. Such media could be used for, but not limited to, publicity material, press releases, social media, and the website. Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less than 18 years of age then parental/guardian consent should be sought. Consent for photographs is obtained through the completion of the photo consent form.
Individuals have a right to withdraw consent at any time.
Ensuring the Security of Personal Information
Unlawful disclosure of personal information
It is an offence to disclose personal information 'knowingly and recklessly' to third parties.
It is a condition of receiving a service that all service users, customers, clients, staff, volunteers and community members for whom we hold personal details sign a consent form allowing us to hold such information.
Service users, clients, staff, volunteers and community members may also consent for us to share personal or special categories of personal information with other people on a need to know basis.
Service users', clients', staff's, volunteers' and community members' individual consent to share information should always be checked before disclosing personal information.
Personal information should only be communicated within the RR2R staff and volunteer team on a strict need to know basis. Care should be taken that conversations containing personal or special categories of personal information cannot be overheard by people who should not have access to such information.
Use of files, books and paper records
In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records will be kept in locked cabinets overnight and care will be taken that personal and special categories of personal information are not left unattended and in clear view during the working day.
Disposal of scrap paper, printing or photocopying overruns
Names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Any scrap paper that contains personal information will be shredded. If paper is being transferred from away from the office to the office for shredding, this will be done as soon as possible. When transporting documents they will be carried out of sight.
All laptops and phones that have access to personal data must have a password to gain entry. These devices must also automatically lock themselves after 5 minutes if they have not been used. Laptops and phones in public areas should be positioned in such a way that passers-by cannot see what is being displayed. If working in a public area, e.g. the art studio, you should lock your laptop or phone when leaving it unattended.
Cloud systems and third-party providers
When commissioning cloud-based systems and third-party providers, RR2R will satisfy itself as to the compliance of these providers with the data protection principles and their robustness.
Google Drive is where the bulk of our organisational documents are kept, including policies, organisational information, grant applications etc. This is password protected with access restricted to a few key members of staff and volunteers. At present (March 2020) this is not used to store personal information.
What to do if there is a breach?
If you discover, or suspect, a data protection breach you should report this to Senior Management, who will review our systems to prevent a recurrence. All Directors will be informed of the breach, action taken and outcome to determine whether it needs to be reported to the Information Commissioner. There is a time limit for reporting breaches to the ICO, so the Directors should be informed without delay. Any deliberate or reckless breach of this Data Protection Policy by an employee or volunteer may result in disciplinary action which may result in dismissal.
RR2R holds information on our service users, customers, clients and the community and other supporters, to whom we will from time to time send copies of our newsletters and details of other activities that may be of interest to them. Specific consent to contact will be sought from our staff, clients and other supporters before making any communications.
We recognise that those users, customers, members, clients, the community and supporters for whom we hold records have the right to unsubscribe from our mailing lists. This wish will be recorded on their records and they will be excluded from future contacts. The following statement is to be included on any forms used to obtain personal data:
We promise never to share or sell your information to other organisations or businesses and you can opt out of our communications at any time by telephoning 01278 431864, writing to Rusty Road 2 Recovery Unit 23f, Axe Road, Colley Lane, Ind Est, Bridgwater, Somerset, TA6 5LN
Any document which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:
Explain who we are
What we will do with their data
Who we will share it with
Consent for marketing notice
How long we will keep it for
That their data will be treated securely
How to opt out
Where they can find a copy of the full
The regulations apply equally to volunteer and staff records. RR2R may at times record special categories of personal data with the volunteer's consent or as part of a staff member's contract of employment. For staff and volunteers who are regularly involved with vulnerable people, it will be necessary for RR2R to apply to the Disclosure & Barring Service to request a disclosure of spent and unspent convictions, as well as cautions, reprimands and final warnings held on the police national computer. Any information obtained will be dealt with under the strict terms of the DBS Code. Access to the disclosure reports is limited to the Senior Management Team. If there is a positive disclosure the Directors will discuss this, anonymously, with our insurers to assess the risk of appointment. Other staff, volunteers and insurers should not see the report itself.
Further guidance regarding confidentiality issues can be found in our Confidentiality Policy. When working from home, or from some other off-site location, all data protection and confidentiality principles still apply. All computer data, e.g. documents and programmes related to work for RR2R, should not be stored on any external USB drive unless it is password protected.
Workstations in areas accessible to the public, e.g. office, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out on the desk where passers-by could see it.
Any paperwork kept away from the office (e.g. a client's contact details kept at home by a worker) should be treated as confidential and kept securely as if it were held in the office. Documents should not be kept in open view (e.g. on a desktop) but kept in a file drawer or filing cabinet, for example; a locked cabinet is the optimum, but safely out of sight is the minimum requirement.
Retention of records
Paper records should be retained for the following periods at the end of which they should be shredded:
Clients records - 3 years after ceasing to be a client.
Prospective client records - 3 years from initial meeting.
Staff records - 3 years after ceasing to be a member of staff.
Unsuccessful staff application forms - 2 months after vacancy closing date.
Volunteer records - 1 year after ceasing to be a volunteer.
Employer's liability insurance - 40 years
Archived records should clearly display the destruction date.
The rights of an individual
Under the Regulations an individual has the following rights with regard to those who are processing his/her data:
Personal and special categories of personal data cannot be held without the individual's consent (however, the consequences of not holding it can be explained and service withheld).
Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
Individuals have a right to have their data erased and to prevent processing in specific circumstances:
- Where data is no longer necessary in relation to the purpose for which it was originally collected.
- When an individual withdraws consent.
- When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- Where personal data was unlawfully processed.
An individual has a right to restrict processing - where processing is restricted, RR2R is permitted to store the personal data but not further process it. RR2R can retain just enough information about the individual to ensure that the restriction is respected in the future.
An individual has a 'right to be forgotten'.
RR2R will not undertake commercial telephone marketing activities under any circumstances.
Data Subjects can ask, in writing to the Directors, to see all personal data held on them, including emails and computer or paper files. The Data Processor (RR2R) must comply with such requests within 30 days of receipt of the written request.
Powers of the information commissioner
The following are criminal offences, which could give rise to a fine and/or prison sentence:
The unlawful obtaining of personal data.
The unlawful selling of personal data.
The unlawful disclosure of personal data to unauthorised persons.
Further information is available at www.informationcommissioner.gov.uk
Details of the information commissioner
The information commissioner's office is at:
Water Lane, Wilmslow,
Cheshire, SK9 5AF
Switchboard: 01625 545 700
Email: firstname.lastname@example.org
Data Protection Help Line: 01625 545 745
Notification Line: 01625 545 740
At Rusty Road 2 Recovery (RR2R), we're committed to protecting and respecting your privacy. This Policy explains why we collect personal information about people, how we use it, the conditions under which we may disclose it to others and how we keep it secure. We may change this Policy from time to time so please check this policy occasionally to ensure that you're happy with any changes.
Any questions regarding this Policy and our privacy practices should be sent by email to email@example.com or by telephone on 01278 431864 or by writing to Rusty Road 2 Recovery Unit 23f, Axe Road, Colley Lane, Ind Est, Bridgwater, Somerset, TA6 5LN.
Who is Rusty Road 2 Recovery?
RR2R is a small Community Interest Company based in Bridgwater, Somerset. We are a Not-for-Profit Company that supports individuals with mental health problems, older people and young adults. RR2R also runs a discounted garage and several groups such as Restoration of Classic Cars, Spray Art Therapy, Metal Sculpturing and Woodworking. This helps individuals learn new skills and helps with their road to recovery.
How do we collect information from you?
We obtain information about you in various ways, e.g. social media, consultations, surveys, customer/client/volunteer forms, the website and emails.
What type of information is collected from you?
The personal information we collect will include your name, home address, email address, telephone number, any medical conditions you may have, emergency contact details, benefits, and any criminal convictions.
How is your information used?
We may use your information to:
Support you according to your needs;
Contact you regarding any work we may be contracted to do for you;
Reply to any queries you may have had;
If subscribed, send you a newsletter;
Invite you to join in with projects or events that you have previously expressed an interest in;
Seek your views or comments on the services we provide;
Notify you of changes to our services;
Process a job application.
In the event of an emergency any medical information will be given to the relevant people.
Keeping your information
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in our GDPR policy, which is available on request.
Who has access to your information?
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
Third party service providers working on our behalf:
We may pass your information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third-party service providers, we disclose only the personal information that is necessary to deliver the service. Please be reassured that we will not release your information to third parties beyond the RR2R network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example by a court order or for the purposes of prevention of fraud or other crime.
Third party product providers we work in association with:
We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by contacting us by email: firstname.lastname@example.org or by telephone on 01278 431864 or by writing to Rusty Road 2 Recovery Unit 23f, Axe Road, Colley Lane, Ind Est, Bridgwater, Somerset, TA6 5LN.
How you can access and update your information
The accuracy of your information is important. If you change email address, or any of the other information we hold is inaccurate or out of date, please email us at email@example.com, telephone us on 01278 431864, or write to Rusty Road 2 Recovery Unit 23f, Axe Road, Colley Lane, Ind Est, Bridgwater, Somerset, TA6 5LN.
You have the right to ask for a copy of the information RR2R hold about you.
Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it's treated securely. Any sensitive information (such as medical information) is only shared with senior staff and is locked away in a filing cabinet to which only senior staff have access.
Links to other websites
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
16 or Under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under, please get your parent/guardian's permission beforehand whenever you provide us with personal information.
Confidentiality Policy on the disclosure of personal information relating to service users
Reasons for this Policy Statement:
To protect the interests of our service users, customers, clients and the community.
To ensure all these parties have trust and confidence in the company.
To protect the company, its directors, staff and volunteers.
To comply with data protection law.
Staff and volunteers receiving personal information about clients, customers or community members, should treat this information as confidential.
Under no circumstances should staff and volunteers share personal information with their own partners, family or friends.
RR2R will seek to ensure that:
All personal information will be treated as confidential. Information will only be collected that is necessary and relevant to the work in hand. It will be stored securely, only accessible on a need to know basis to those members of staff and volunteers duly authorised. The retention section of the Data Protection Policy should be read in conjunction with this policy.
Where consent is not given for the company to record and store basic information about the service user it is unlikely that a service will be able to be provided.
All information stored on computers will be kept secure with password protection and treated as confidential.
Paper records will be kept in a locked cabinet with restricted access.
Any signed consent forms will be stored in the client's paper records in a locked cabinet.
All service users, clients, customers and volunteers, whose data we hold are made aware of their right of access to their records.
Reasonable efforts will be made to ensure that the physical environment in which face to face discussions and telephone conversations take place does not compromise confidentiality.
Service users, clients, customers and community members will be made aware of their right to complain if they feel confidentiality has been breached.
Breaches of confidentiality will be dealt with through the company's staff and volunteer disciplinary procedures.
Personal information: by personal information we mean:
The data protection definition, which is any information which enables a living person to be identified (e.g. name, address, phone number, email address, etc.).