Empowering you to live your best life today
Data Protection, Retention, Privacy & Confidentiality Policy 2024
Introduction
Confidentiality is central to the implementation of the core values which Impactful Governance - Community Interest Company requires all "staff" (staff, volunteers and contractors) to apply in all areas of their work. In maintaining these values it is essential that information about people is respected and contained, held and used appropriately. This policy has been developed in line with the Data Protection Act (1998) and in no way limits any rights under the Freedom of Information Act (2000).
All staff, Consultants and Volunteers are required to sign the confidentiality agreement (Appendix A) during induction and before commencing any work for or with Impactful Governance - Community Interest Company.
Aim
The aim of this policy is to ensure that employees are aware of their responsibilities in maintaining confidentiality in terms of updating and storing records, access to records and disclosure of information. The contents of this policy are in line with the requirements of the Data Protection Act (1998), the Care Standards Act (2000), Supporting People Frameworks and OFSTED or other accreditation requirements.
GDPR
Impactful Governance adheres to the guidance in the Statutory Code of Practice prepared under Section 125 of the Data Protection Act 2018 (DPA 2018) to meet our accountability obligations in relation to data sharing, and we comply with our legal obligations under the UK GDPR and the DPA 2018.
The General Data Protection Regulation (GDPR) came into force in May 2018 and its rules apply to this policy whether or not the policy has been updated to reference new legislation. The Data Controller is Andrew Waite (Chief Executive) and can be contacted at the Impactful Governance – Community Interest Company Office:
The Old Free School
George Street, Watford
Hertfordshire WD18 0BX
Security of Equipment and data
Impactful Governance subscribes to Kaspersky Internet Security, which checks all websites and documents before they are opened. It is installed on the Office Computer and on both Directors’ mobile phones. Consultants are advised to install security software on their own personal mobile phones and computers, especially when handling data received by email from Impactful Governance. To limit the number of documents at risk, we use HubSpot CRM to hold client data and documents. This is where documents should be exchanged, so that they remain held securely on a cloud-based system.
Cyber Security
We have invested in Cyber Essentials Security and have achieved accreditation. This is now managed by our I.T. Support service “Computask”. All data is only held on Impactful Governance computers, laptops and work mobile phones or cloud.
Direct Marketing & Communication
Postal mailing or electronic mailing may take place from time to time. Data is collected through physical registration of attendees at events or activities, or held in Client Relationship Management (CRM) software and stored on cloud-based storage for existing and opted-in clients. Data is not transferred to any other organisation or to anyone outside of the European Union (E.U.), although data may be held securely on cloud-based systems outside of the E.U.
We do not pass on information to third parties, and data may not be shared outside of Impactful Governance – Community Interest Company without the written consent of the individuals concerned. This includes names, addresses, telephone numbers, email addresses and other contact details, all of which remain confidential.
A CONFIDENTIALITY AGREEMENT IS SIGNED BY EVERY MEMBER WORKING FOR US, CONFIRMING THAT INFORMATION WILL NOT BE SHARED.
Responsibilities
1. Maintaining and storing files and records
1.1 All personal files and records relating to people who use a service must be securely stored away when not in use and this must be carried out in line with the appropriate procedures in place for storage of files.
1.2 Files and records should only contain information that is necessary for their purpose.
1.3 Files and records must be retained for seven years after the person has ceased to receive services from Impactful Governance - Community Interest Company. After this period of inactivity the file must be destroyed in a manner that ensures confidentiality. Historic employment data for staff must be held for 15 years.
1.4 Information kept in files and records must be accurate and up-to-date.
1.5 All Impactful Governance - Community Interest Company staff are entitled to expect that personal information kept about themselves remains confidential. All personnel files and records must be kept in locked cupboards or cabinets.
1.6 Files should not be removed from Impactful Governance - Community Interest Company premises other than in exceptional circumstances and only with the prior knowledge and agreement of the appropriate Line Manager.
1.7 All electronic files and other forms of confidential information must be saved on password-protected computer systems. If using iPads or laptops, a security code must be set on the device. If working in a public place or on public transport, be aware that someone could overlook screens or papers.
1.8 Staff members working from home must ensure that all confidential information is kept in a secure location that ensures confidentiality cannot be purposefully or inadvertently breached. This includes ensuring that personal computers used for work purposes are password protected and that no files with personal data are consequently printed as a hard copy at home.
1.9 Profiling of individuals within an organisation is based on organisation activity, roles, types and geographic location. This is for the purpose of identifying the appropriately skilled and located Consultant to work with organisations and individuals.
2. Access to files and records
2.1 The person to whom files and records refer must be supported, according to their individual need, to have access to them if they wish.
2.2 Only staff members who have full and up-to-date (i.e. within the last three years) enhanced DBS clearance can have access to personal details of Impactful Governance - Community Interest Company service users, members, volunteers or employees. Access to personal files and records by staff members should be on a need-to-know basis. The Managing Director may decide that some information about a person is confidential and should not be disclosed to the staff team, but information must be disclosed to the Designated Senior Person (DSP) for safeguarding concerns. If confidential information is being passed on to other staff, the individual passing it on must make clear that the information continues to remain confidential.
2.3 Relatives of people who use a service can have access to a person’s files and records with the written consent of the relevant service user. Documents with shared information on other service users must be removed before access is given. A £20 administration fee applies for disclosing personal information.
2.4 Where a person has given their consent for any personal information to be disclosed to someone else, it is important to establish that their consent is informed and that they have an understanding of the possible implications of such a disclosure. If in doubt, consult with the Managing Director.
2.5 Volunteers, visitors and people not employed to support the person concerned should not have access to personal files and records. Specific information may be shared e.g. dietary preferences, issues relating to individual risk taking etc. This disclosure should take place preferably in the presence of the person concerned and with their prior consent. (Please see Impactful Governance - Community Interest Company’s Volunteer Guidelines or speak with the Managing Director).
2.6 Certain people, such as the Care Quality Commission, OFSTED Inspectors, and Care Managers have legal rights to access personal information.
2.7 All Impactful Governance - Community Interest Company staff are entitled to have access to files and records kept about them by making a written request and allowing 7 days’ notice.
2.8 Where a person using a service has seen their file and feels that information is inaccurate in any way, they may request that the file be amended. This request should be made to a senior manager, stating the reasons why. People may ask team members to support them in making the request.
2.9 Where an employee has seen their file and feels that information is inaccurate in any way, they may request that the file be amended. This request should be made in writing to the Managing Director, stating the reasons why they feel the file should be amended.
2.10 If in doubt about a person’s right to access personal information, consult with a senior manager. Remember that access to confidential information will only be made on a ‘need to know’ basis.
2.11 Subjects are able to opt out of correspondence and request that their information be removed at any time by confirming their request in writing, by email or by post. Evidence of identity will be sought to confirm that the data belongs to the subject making the request.
3. Verbal Communication
3.1 Confidentiality applies equally to verbal information and to written information. In telephone conversations, limit the information you give unless you have categorical proof that the recipient is authorised to receive it. This also applies to anyone within hearing distance of a telephone conversation. In addition to the previous stipulations, the following guidance applies.
3.2 Confidentiality must be ensured when arranging meetings with people supported by Impactful Governance - Community Interest Company services. As such, meetings should only be arranged in public spaces at the explicit request of the person being supported.
3.3 Workers should avoid making work-related telephone calls outside of Impactful Governance - Community Interest Company venues or the home of the service user the telephone call relates to. If such telephone conversations must be undertaken in a public place, staff should move to the most private area available. They must also ensure that they do not use any identifying details during the course of the conversation. This includes names, addresses, dates of birth and any personal issues.
4. Disclosure of Information
4.1 Employees should be aware that there may be circumstances where they are not able to respect someone’s confidentiality – these will be situations where someone discloses that they have abused someone or are being abused, or when any breach of a disciplinary rule is alleged. In these circumstances the Managing Director or DSP must be contacted. In the event that someone is being abused, the Safeguarding Policy must be followed. Also, where there is a possible breach of Impactful Governance - Community Interest Company’s disciplinary rules, the Disciplinary Procedure will be instigated.
4.2 Disclosure of personal information should always be kept to an absolute minimum and on a ‘need to know’ basis only. When discussing matters with someone and a safeguarding issue arises, we must stop the discussion and inform the other party that a safeguarding issue will be reported to a DSP as part of a legal Duty to Report.
4.3 In deciding whether or not to disclose information, employees should consider the following points:
• Does the person to whom it is being disclosed need to know?
• Is the person aware that the information is confidential? People must be told the status of information so that they know how to treat the information.
• How can the information be conveyed in a way that is respectful, discreet and sensitive?
If in doubt, contact the Designated Senior Person.
4.4 In deciding whether or not someone needs to know the information, employees should consider the following points:
• We have a legal Duty to Report all Safeguarding issues.
• We will not be putting the person at risk if we disclose the information to a DSP.
• What harm might we do by not disclosing the information?
• Do Impactful Governance - Community Interest Company colleagues need to have the information to be able to support the person adequately?
• Consider the seven conditions of Data Protection if sharing with anyone other than Safeguarding officials:
1. What information needs to be shared.
2. The organisations that will be involved.
3. What you need to tell people about the data sharing and how you will communicate that information.
4. Measures to ensure adequate security is in place to protect the data.
5. What arrangements need to be in place to provide individuals with access to their personal data if they request it.
6. Agreed common retention periods for the data.
7. Processes to ensure secure deletion takes place.
If in doubt, contact the Chief Executive.
4.5 Where information regarding a service user needs to be passed on to a professional who works with that person (e.g. a Doctor, ambulance or Care provider), this will be discussed with the service user concerned beforehand.
4.6 Information about a person may be given to a relative or family member of a person living in a residential service following discussion with the person concerned and a senior manager.
4.7 Personal information about an Impactful Governance - Community Interest Company staff member should not be disclosed to another staff member without their consent.
4.8 Personal information about an Impactful Governance - Community Interest Company staff member may need to be passed on to a manager within the service or to a senior manager if it relates to the quality of service being provided. This should be on a ‘need to know’ basis only.
A failure to adhere to this policy which results in inappropriate disclosure of confidential information is a disciplinary offence and will be dealt with in accordance with Impactful Governance - Community Interest Company’s Disciplinary Procedure, which could result in dismissal.
Data Protection, Retention and Security of Information
Impactful Governance - Community Interest Company takes the concept of confidentiality very seriously and does all in its power to restrict personal information to those who genuinely need to know. Breach of confidentiality will result in disciplinary measures and removal from service, business or activity of any person found to be in breach of our Data Protection, Retention, Privacy & Confidentiality Policy.
To comply with the principles of the Data Protection Act, Impactful Governance - Community Interest Company will endeavour to ensure that strict confidentiality of clients’ personal data is maintained in all of its work, whether the information is stored on a computer or a manual filing system.
Impactful Governance - Community Interest Company will also ensure that:
Clients are defined as organisations and individuals we engage with or any individual or organisation who receive a service.
Freedom of Information
If a request is received for access to information under the Freedom of Information Act, staff should refer the matter to the Chief Executive. In deciding whether there is a duty to disclose the information requested, the Chief Executive should consider all individuals’ rights of protection under the Data Protection Act.
Staff, Consultants and Volunteers are to comply with all of the Principles of Data Protection and are aware of the consequences of non-compliance.
Breaches of Data Protection are disciplinary matters and currently carry a penalty of 1,000,000 Euro or 4% of the organisation’s annual turnover.
Any discovered data security breach will be notified to the Information Commissioner’s Office within 72 hours. We will report the nature of the breach, the number of data subjects affected, the categories of data involved and our proposed mitigation (see Appendix B).
For duration of keeping documents see Appendix C.
Passwords
The office internet router/firewall device was supplied with a default password. The password has been changed since installation and a hard copy of the new password is kept in a locked safe.
Default passwords have been changed on the router and firewalls.
All passwords are at least 11 characters long and are made up of uppercase, lowercase and special characters.