Avon Valley Dementia Support
Data Protection Policy
Scope
of the policy
This
policy applies to the work of Avon Valley Dementia Support (AVDS). The policy
sets out the requirements that AVDS has to gather information. The policy
details how personal information will be gathered, stored and managed in line
with data protection principles and the General Data Protection Regulation. The
policy is reviewed on an ongoing basis by AVDS committee members to ensure that
we are compliant. This policy should be read in tandem with AVDS’s Privacy
Policy.
This
data protection policy ensures AVDS:
•
Complies with data protection law and follows good practice
•
Protects the rights of beneficiaries and volunteers
•
Is open about how it stores and processes data
•
Protects itself from the risks of a data breach
General
guidelines for committee members and group leaders
•
The only people able to access data covered by this policy should be those who
need to communicate with or provide a service to the beneficiaries and
volunteers of AVDS.
•
AVDS will provide induction training to committee members and group leaders to
help them understand their responsibilities when handling data.
•
Committee Members and group leaders should keep all data secure, by taking
sensible precautions and following the guidelines below.
•
Strong passwords must be used and they should never be shared.
•
Data should not be shared outside AVDS unless with prior consent and/or for
specific and agreed reasons. Examples where data could be shared would include
Gift Aid information provided to HMRC.
•
Personal data should be refreshed periodically to ensure accuracy.
The
General Data Protection Regulation identifies key data protection principles:
Principle
1 - Personal data shall be processed lawfully, fairly and in a transparent
manner
Principle
2 - Personal data must be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those
purposes; further processing for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes shall not be
considered to be incompatible with the initial purposes.
Principle
3 - The collection of personal data must be adequate, relevant and limited to
what is necessary in relation to the purposes for which they are processed;
Principle
4 – Personal data held should be accurate and, where necessary, kept up to
date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased
or rectified without delay;
Principle
5 – Personal data must kept in a form which permits identification of data
subjects for no longer than is necessary for the purposes for the which the
personal data are processed; personal data may be stored for longer periods
insofar as the personal data will be processed solely for archiving purposes in
the public interest, scientific or historical research purposes or statistical
purposes subject to implementation of the appropriate technical and
organisational measures required by the GDPR in order to safeguard the rights
and freedoms of individuals;
Principle
6 - Personal data must be processed in accordance a manner that ensures
appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational measures.
Lawful,
fair and transparent data processing
Forms
used to request personal information will contain a privacy statement with
reasons why the information is being requested and what the information will be
used for.
Avon
Valley Dementia Support will ensure that members' information is managed in
such a way as to not infringe an individual members rights which include:
•
The right to be informed
•
The right of access
•
The right to rectification
•
The right to erasure
•
The right to restrict processing
•
The right to data portability
•
The right to object
Adequate,
relevant and limited data processing
Avon
Valley Dementia Support will only ask for information that is relevant for the
provision of support and activities. This will include:
•
Name
•
Postal address
•
Email address
•
Telephone numbers
•
Health information
•
Emergency contact details
Photographs
Photographs
are classified as personal data. Where group photographs are being taken
members will be asked to step out of shot if they don’t wish to be in the
photograph. Otherwise, consent will be obtained in order for photographs to be
taken and those in the photographs will be informed as to where photographs
will be displayed. Should a member wish at any time to remove their consent and
to have their photograph removed then they should contact the AVDS committee to
advise them that they no longer wish their photograph to be displayed.
Accuracy
of data and keeping data up-to-date
Avon
Valley Dementia Support has a responsibility to ensure information is kept up
to date.
Accountability
and governance
The
AVDS Committee are responsible for ensuring that the AVDS remains compliant
with data protection requirements and can evidence that it has. Where consent
is required for specific purposes then evidence of this consent (either
electronic or paper) will be obtained and retained securely. The AVDS Committee
will ensure that new members joining the Committee receive an induction into
the requirements of GDPR and the implications for their role. AVDS will also
ensure that group leaders are made aware of their responsibilities in relation
to the data they hold and process. Committee Members shall also stay up to date
with guidance and practice. The Committee will review data protection and who
has access to information on a regular basis as well as reviewing what data is
held. When Committee Members and group leaders relinquish their roles, they
will be asked to either pass on data to those who need it and/or delete data.
Secure
Processing
AVDS
Committee Members have a responsibility to ensure that data is both securely
held and processed. This will include:
•
Committee members using strong passwords
•
Committee members not sharing passwords
•
Restricting access of sharing member information to those on the Committee who
need to communicate with beneficiaries and volunteers on a regular basis
•
Using password protection on laptops and PCs that contain personal information
•
Using password protection or secure cloud systems when sharing data between
committee members and/or group leaders
Subject
Access Request
Beneficiaries
and volunteers are entitled to request access to the information that is held
by AVDS. The request needs to be received in the form of a written request to
the Secretary of AVDS. On receipt of the request, the request will be formally
acknowledged and dealt with expediently (the legislation requires that
information should generally be provided within one month) unless there are
exceptional circumstances as to why the request cannot be granted. AVDS will
provide a written response detailing all information held on the member. A
record shall be kept of the date of the request and the date of the response.
Data
Breach Notification
Were
a data breach to occur action shall be taken to minimise the harm. This will
include ensuring that all AVDS Committee Members are made aware that a breach
has taken place and how the breach occurred. The Committee shall then seek to
rectify the cause of the breach as soon as possible to prevent any further
breaches. Where necessary, the Information Commissioner's Office would be
notified. The Committee shall also contact the relevant beneficiaries and
volunteers to inform them of the data breach and actions taken to resolve the
breach.