Data Protection Data Protection Objectives of our Policy and Procedures MY Trust holds large amounts of confidential information and places special emphasis on information quality, security and management. It is our policy to make sure that people have no surprises about how information about them is collected, held, used and destroyed. It is also our policy that the information and intellectual property belonging to our organisation is treated with the respect it deserves. It is the responsibility of all our staff, volunteers and Trustees to protect confidential information from inappropriate disclosure and to take every measure to ensure that person identifiable information is not made available to unauthorised persons. This applies to manual and computer records and also conversations about support or interventions with young people and/or staff. We expect this policy and accompanying procedures to become part of the DNA of all our staff, volunteers and Trustees. As such individuals, our partners and our organisation itself should be reassured by our commitment and actions. Our policy and accompanying procedures have two core objectives: Objective 1: To ensure the information about service users, our staff and volunteers, and the intellectual property of our organisation is treated respectfully and within the law, regulation and stated expectations. Objective 2: To provide clear, transparent guidance and procedures for our staff and volunteers to manage their work practically in accordance with this policy. Policy Statement Confidentiality is a cornerstone of practice within MY Trust and the relationship between a member of our staff and a young person depends on it. Young people and families need to be able to tell the truth about deeply personal matters, knowing that this information will not be improperly managed or disclosed. Similarly the relationship between MY Trust as an employer and our staff and volunteers also is one based on trust and confidentiality. People using our services as well as our staff and volunteers deserve a lot more than just information security. Individuals need to know that those responsible for working with them and our organisation more generally collects, manages and shares information reliably and effectively. Confidential information about an individual must not leak but it may well need to be shared in order to provide a seamless integrated service to a young person/family or effective management and support for an employee. The General Data Protection Regulation (GDPR), 2018 protects individuals against the misuse of personal data and may cover both manual and electronic records. All records held on computer or in manual files fall within the GDPR, unless the data in anonymised. Through this policy, we ensure that personal data is: Processed with lawfulness, fairness and transparency Is only processed for specific, explicit and legitimate purposes (purpose limitations) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation) Accurate and where necessary kept up to date (accuracy) Kept in a form which permits identification of data subjects for no longer than necessary (storage limitations), and Is processed in a manner that ensures appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage (integrity and confidentiality) Through this policy, we ensure that data is processed lawfully under one of these conditions. Consent: the individual has given clear consent to process their data for a specific purpose Contract: the processing is necessary for a contract with the individual, or because they asked us to take specific steps before entering into a contract Legal Obligation: the processing is necessary for us to comply with the law. Vital Interests: the processing is necessary to protect someone’s life Public Task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law, or Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests Special Category Data Criminal Offence Data Through this policy, we ensure that data is only processed following these rights for individuals, depending on the lawful basis for processing. The right to be informed The right to access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object, and Rights in relation to automated decision making and profiling For employment purposes, the most important right is our employees’ right to know what personal data is held about them and to have access to it. It is our view that for too long, people have hidden behind the relative obscurity of Data Protection Acts or alleged rules of information governance in order to avoid taking decisions that would benefit service users. Through this policy and procedures we strike the balance between confidentiality, information security and information sharing to ensure effective support for service users and employment practice. At MY Trust we are equally committed to ensuring that service users’ wishes are respected in relation to how their information is used. While people are unlikely to object to sharing confidential information that enables better outcomes for them personally, there may be some who do not want it used for purposes such as research or reshaping services to achieve better services more generally. Our policy and procedures support the individual’s right to object and sets out how we will respect this. We will achieve our policy through Eleven Rules that provide the thread through all of our work and employment practice. For all Individuals including Service Users: Rule 1: Personal information will be treated confidentially and respectfully Rule 2: Our staff will share confidential information when it is needed for the safe and effective support of an individual Rule 3: Data used to target prevention and intervention will be robust Rule 4: Information that is shared for the benefit of the community will be anonymised Rule 5: Personal Data will be processed lawfully, upholding everyone’s rights For our employees, volunteers and Trustees: Rule 6: Personal data relating to employees, volunteers and Trustees will be collected, held and shared only where there is a sound business reason Rule 7: Computer systems, email and internet including personal devices of employees will be used appropriately Rule 8: Our organisation owns all Intellectual Property and inventions produced by our employees Rule 9: We have robust practices for our storage, retention and destruction of information Rule 10: We have rigorous but proportionate accountabilities and monitoring to ensure our rules are followed Rule 11: Allegations of or actual breaches of data protection or confidentiality will be managed and investigated fairly and promptly Definitions GDPR Principles The Regulation requires that personal data: Shall be processed fairly and lawfully Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose Shall be accurate and where necessary kept up to date Shall not be kept longer than is necessary for that purpose Processed in accordance with the rights of the data subject Appropriate measures are undertaken against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data Shall not be transferred to a country or territory outside of the European Economic Area unless that country/territory assures standards of data processing Caldicott Principles We will apply the six general principles of good practice as follows: Justify the purpose Do not use person identifiable information unless absolutely necessary Use the minimum person identifiable information Access to person identifiable information should be on a strict need to know basis Everyone should be aware of their responsibilities Understand and comply with the law Confidential Information Confidential information can be anything that relates to young people, staff, (including volunteers, temporary and agency staff, student placements), their family or friends. It also includes any MY Trust business sensitive information. Information can take many forms including client records, assessments, letters, emails, texts, faxes, audits, forms, contracts and service agreements, employee records, occupational health records and the like. Information may be held on MY Trust servers, client databases, computer file or printout, CDs, portable devices such as laptops, tablets, mobile phones, photographs, video/digital cameras and even heard by word of mouth. Personal information Personal information is information which is about a living person and affects that person’s privacy (whether in his/her personal or family life, business or professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature. Person identifiable information is anything that contains the means to identify a person (eg, name, address, postcode, date of birth, NI number, IP address). Even a visual image (eg photo) is sufficient to identify an individual. Special Categories of Personal Data The GDPR refers to sensitive personal data as “special categories of personal data”. Special Categories of Personal Data is personal data consisting of information related to: Race Ethnicity Religious or other beliefs Political opinions Trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992 Genetics Biometrics (when used for ID purposes) Health Sexual life Sexual orientation Certain categories of information are legally defined as personally sensitive and should be most carefully protected by additional requirements stated in legislation (eg; information regarding sexually transmitted diseases, HIV, transgender procedures and termination of pregnancy). Processing The term ‘processing’ is used within the GDPR. It applies to a range of activities including the initial obtaining of personal information, the retention and use of it, access and disclosure and final disposal. Verification and Vetting ‘Verification’ covers the process of checking that details supplied by job applicants (eg qualifications) are accurate and complete. Verification therefore is limited to checking of information that is sought in a job application or provided by an applicant; this includes taking up references or use of verification through the Disclosure & Barring Service. Vetting covers any activity we undertake to make our own enquiries from a third party about a job applicant’s background and circumstances. It goes beyond the verification of details as per para (v) above. Legislative and Regulatory Basis Our policy fits with and is compliant with the following legislation and regulation: Common Law (Duty of Confidence) General Data Protection Regulation, 2018 Human Rights Act 1998 (Article 8) Freedom of Information Act 2000 Children Act 2004 Sections 10 & 11 Education and Inspections Act 2006 Criminal Justice Act 2003 (Section 325(4)) Crime and Disorder Act 1998 (Section 115) Professional Performance Act 1995 Mental Health Acts 1983 & 2007 Mental Capacity Act 2005 Regulation of Investigatory Powers Act 2000 Equality Act 2010 Working Together to Safeguard Children (2013) Kent & Medway Safeguarding Children Procedures MAPPA Guidance 2009 Civil Contingencies Act 2004 Learning and Skills Act 2000 (as amended) Computer Misuse act 1990 Justice and Coroner’s act Our policy fits with practice guidance from the Information Commissioner’s Office (ICO) and the Kent & Medway Information Governance Protocols.