Data Protection Policy
Last Updated: March 2017
Review date: March 2019
ASE Assist Ltd needs to keep certain information on its service users, employees and contract workers to carry out its day to day operations, to meet its objectives and to comply with legal obligations. ASE Assist Ltd is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
In line with the Data Protection Act 1998 principles, ASE Assist Ltd will ensure that personal data will:
- Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
- Be obtained for a specific and lawful purpose
- Be adequate, relevant but not excessive
- Be accurate and kept up to date
- Not be held longer than necessary
- Be processed in accordance with the rights of data subjects
- Be subject to appropriate security measures
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes data kept on paper, on computer and on mobile phones.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
Accountability: Those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
Type of information processed
ASE Assist Ltd processes the following personal information:
- Clients and Service Users’ (defined as those who have signed up to our newsletter, agreed to be added to our database, attended a course, attended an event): name, email address, phone number and sometimes address
- Reports on Clients'/Service Users' progress, notes on conversations held and actions agreed with them*
- Employee, contract worker and volunteer information such as contact details, payroll or invoice details, supervision and appraisal notes
*Note: we do not store sensitive personal information (such as political opinions, religious beliefs, membership of a trade union, or financial details).
The people within the organisation who will process personal information are Employees (including contract workers and Directors). Everyone who processes personal information must ensure they not only understand but also act in line with this policy and the data protection principles.
The Directors are responsible for keeping this policy up to date, and for responding to any requests for information from individuals (Subject Access Requests).
To meet our responsibilities we will:
- Collect personal data in a fair and lawful way;
- Explain why it is needed at the start;
- Ensure that only the minimum amount of information needed is collected and used;
- Ensure the information used is up to date and accurate;
- Review the length of time information is held;
- Ensure it is kept safely;
- Ensure the rights people have in relation to their personal data can be exercised.
We will ensure that:
- Everyone managing and handling personal information is trained to do so
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do
- Any disclosure of personal data will be in line with our procedures
- Queries about handling personal information will be dealt with swiftly and politely
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
- On induction staff will be provided with this policy
- Team members will be given specific training when learning how to handle data
Gathering and checking information
Before personal information is collected, we will consider what details are necessary for our purpose and how long we are likely to need the information. We will inform people whose information is gathered about why we are gathering their information and what we will do with it.
We will do this through disclaimers on emails and forms, and on the website.
We will take the following measures to ensure that personal information kept is accurate:
- Keeping in regular contact with people to ensure they have an opportunity to notify us of any changes
- Providing a way for users to unsubscribe from newsletters in every newsletter email they receive
- Providing a generic email address ([email protected]) that is checked by more than one member of staff, and encouraging people to use it to give us feedback and get in touch
This website uses Google Analytics, a service which transmits website traffic data to Google servers. This instance of Google Analytics does not identify individual users or associate your IP address with any other data held by Google. Reports provided by Google Analytics are used to help us understand website traffic and webpage usage.
You may opt out of this tracking at any time by activating the “Do Not Track” setting in your browser.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
- Password protection on personal information files and online systems that store personal information
- Paper files destroyed once information has been added to online systems
- Staff understand they must not disclose passwords or personal data to a third party
Subject Access Requests
Anyone whose personal information we process has the right to know:
- What information we hold and process on them
- How to gain access to this information
- How to keep it up to date
- What we are doing to comply with the Act.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.
Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to:
Data Protection Request, 13 Clavering Road, London, E12 5EY.
We may make a charge of £10 on each occasion access is requested. The following information will be required before access is granted:
- Full name and contact details
- Relationship with the organisation (former / current member of staff, volunteer, service user)
- Any other relevant information, e.g. timescales involved
To release information we will need to see one of the following forms of ID: passport, birth certificate, utility bill.
Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request (and relevant fee).
This policy will be reviewed at intervals of 2 years to ensure it remains up to date and compliant with the law, or more frequently if there is a change in the law.