privacy policy

Concern for Health in East Kent (CHEK)

Data Protection Policy, including Key Procedures

 

 

Aims of this Policy

 

CHEK needs to keep certain information on its members, whether Executive, Committee, co-opted Members, Members or Volunteers, to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations.

 

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. 

 

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

 

This policy covers all Members of CHEK and all volunteers and interested parties acting in the name of CHEK.

Definitions

 

In line with the Data Protection Act 1998 principles, CHEK will ensure that personal data will:

  • Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
  • Be obtained for a specific and lawful purpose
  • Be adequate, relevant but not excessive
  • Be accurate and kept up to date
  • Not be held longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be subject to appropriate security measures
  • Not be transferred outside the European Economic Area (EEA)

 

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

 

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

  • Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  • Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

 

 

 

Responsibilities

 

Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of CHEK, this is the Officers of the Executive Committee.

 

All members of the Executive Committee Officers and sub-Committee members who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

 

Breach of this policy can result in disciplinary action being taken by whatever National Law Enforcement agents are deemed necessary under the Data Protection Act 1998.

Policy Implementation

 

To meet our responsibilities CHEK will:

  • Ensure any personal data is collected in a fair and lawful way;
  • Explain why it is needed at the start;
  • Ensure that only the minimum amount of information needed is collected and used;
  • Ensure the information used is up to date and accurate;
  • Review the length of time information is held;
  • Ensure it is kept safely;
  • Ensure the rights people have in relation to their personal data can be exercised

 

CHEK will ensure that:

  • Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or other interested party, knows what to do;
  • Any disclosure of personal data will be in line with our procedures.
  • Queries about handling personal information will be dealt with swiftly and politely.

Training

 

Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:

 

On induction: reference to this policy document and, if an Executive Officer, signed declaration of responsibility.

 

General training/awareness raising: This policy, and its availability to all members of CHEK, will be made an Agenda item at the next available AGM and at subsequent annual meetings.

Gathering and checking information

Before personal information is collected, CHEK will consider the individual contact details which are required, including name, address, telephone numbers and email addresses. Also, CHEK may require confirmation by means of a check-box of whether members are willing to participate in tasks such as distributing leaflets, leading events etc.

 

We will inform people whose information is gathered about the following:

  • why the information is being gathered
  • what the information will be used for
  • who will have access to their information (including third parties)

 

This is most likely to be stated as part of a general membership application form.

 

We will take the following measures to ensure that personal information kept is accurate: It will be possible for Members to update their details once a year when invited, by email or letter, to do so.

 

CHEK does not anticipate collecting Personal sensitive information such as:

ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, criminal convictions etc.

 

 

 

Data Security

 

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

  • Written, paper applications will be collected and held by Executive Committee Officials only, before being passed on to the Membership Secretary for inclusion in the computer database system.
  • The computerised database system will be available to the Membership Secretary and whosoever may provide IT support to that Officer.
  • The Membership Secretary will disclose information when required to Committee and sub-Committee members by way of specific queries to the database.  Lists of general details without a specific purpose will not be provided.
  • Data sent by email will be accompanied by a request to keep all data confidential and, when use has expired, for it to be destroyed.
  • Printed data will be destroyed as soon as its usefulness has passed.
  • The computerised database system will exist on the Membership Secretary’s computer and will be password protected.
  • Backups of the database will be held separately by the Membership Secretary by either external hard-drive or Cloud storage with password protection.

 

Regarding any unauthorised disclosure of personal data to a third party:

The Officers of the Executive Committee are accountable for compliance with this policy. An Officer could be personally liable for any penalty arising from a breach that they have made.

Any unauthorised disclosure made by a Member may result in the termination of the Membership agreement.

 

Subject Access Requests

 

Anyone whose personal information we process has the right to know:

  • What information we hold and process on them
  • How to gain access to this information
  • How to keep it up to date
  • What we are doing to comply with the Act.

 

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.  Any person wishing to exercise this right should apply in writing to:

Mrs Jennifer Cole, Membership Secretary, Concern for Health in East Kent, 73 South Road, Faversham, Kent, ME13 7LX

 

The following information will be required before access is granted:

  • Full name and contact details of the person making the request
  • Their relationship with CHEK: i.e. Officer, Committee Member, non-Committee Member, volunteer etc.
  • Any other relevant information - e.g. date joined, other names.

 

We may also require proof of identity before access is granted. The following forms of ID will be required:

1. A proof of address by recent utility bill AND

2. Copy of one of the following: driving licence, passport or Citizen Card.

All documents will be returned.

 

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request. 

 

Review

 

This policy will be reviewed every 2 years to ensure it remains up to date and compliant with the law. If an earlier review is required, this may take place at the AGM.  Other revisions, i.e. change of responsible personnel, or revisions to the Act can take place as part of any Executive Committee meeting as and when required.

 

Declaration

I confirm I have read and understood CHEK's Data Protection Policy and will act in accordance with it.

 

I am connected with this organisation in my capacity as a

☐ Officer of CHEK

☐ Member

☐ Volunteer

☐ Other

 

Signature:

 

Print name:

 

Date:

 

Please return this form to:

Mrs Jennifer Cole

Membership Secretary

Concern for Health in East Kent

73 South Road

Faversham

Kent

ME13 7LX

 
