DATA PROTECTION POLICY
This policy establishes the guidelines by which information is collected and stored by The Offshoot Foundation. The Offshoot Foundation needs to keep certain information about its staff, members and users of its services to enable it to monitor its effectiveness and to meet appropriate safeguarding guidance.
This policy is to be read in conjunction with the Confidentiality/Information sharing and DBS policies and procedures.
Staff of The Offshoot Foundation
Service users of The Offshoot Foundation
To comply with the law, General Data Protection Regulations 25/5/18, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. In summary, personal data must be:
Obtained and processed fairly and lawfully
Obtained for a specified and lawful purpose and not to be processed in a manner incompatible with that purpose
Adequate, relevant and not excessive for that purpose
Accurate and up to date
Not kept for longer than necessary
Processed in accordance with the data subject's rights
Kept safe from unauthorised access, accidental loss or destruction
Not transferred outside of the European Economic Area, unless the country concerned has equivalent levels of data protection
All staff who process any personal information must ensure that they adhere to these principles at all times.
Any member of staff who considers that this procedure has not been followed should raise it with the Chief Executive. If the matter is not resolved it should be raised as a grievance. Any user of the services should follow the complaints procedure.
All individuals have the right to:
Know what information The Offshoot Foundation holds and processes about them and its purpose
Know how to gain access to this information
Know how to keep the information up to date
Know what The Offshoot Foundation is doing to comply with data protection legislation
The Offshoot Foundation holds personal information in respect of its staff, members, users and other members of the public. The information held may include an individual's name, postal, e-mail and other addresses, and telephone number. This information is held, and we only contact people with their permission via the method they request, to enable us to meet the needs of our users and organisational business.
Unauthorised or inappropriate disclosure may be a disciplinary matter, and could be considered a matter of gross misconduct in some instances.
The Offshoot Foundation has taken measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
Adopting an information security policy (this document is our policy)
Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)
Putting in place controls on access to information (password protection on files and server access)
Establishing a business continuity/disaster recovery plan (The Offshoot Foundation takes regular back-ups of its computer data files and these are stored away from the office at a safe location)
Training all staff on security systems and procedures
Detecting and investigating breaches of security should they occur
Working from home
The Offshoot Foundation keeps note of which staff take work home with them.
If working on something at home and at work, try to keep both sets of information pretty much up to date
Home computers should have records removed once project/work records are no longer needed at home
Staff agree to try to keep work taken home relatively secure and to return all work-related material upon the completion/termination of their contract; the organisation should be informed if information has got into the wrong hands
Special funding tracking requirements and data protection
Try not to keep more than project/tracking requires
The more information kept the more secure it should be kept
If publishing volunteers’ details, tell them
Take extra care if records include sensitive data
Just keep personal data as long as necessary under funding rules
Don’t keep surplus information.
When communicating information electronically additional care must be taken to ensure that only the intended recipient(s) receive the information.
Personal and sensitive information will be discussed in suitably confidential environments. All staff must be aware of the difficulties of ensuring confidentiality in open spaces and must respect any confidential information inadvertently overheard.
Disposal of information
Personal and sensitive material will be shredded. Particular care will be taken to delete information from computer hard drives when disposing of the computer or passing it to another member of staff.
We can supply you with the following document:
Privacy Information Notice for Employees and other Workers
Personal information: any details relating to a living, identifiable individual. This applies to staff, members and users of The Offshoot Foundation. It also applies to various members of the public such as job applicants and visitors.
Sensitive information: this is defined by the Act as that relating to ethnicity, political opinions, religious beliefs, trade union membership, physical and mental health, sex life, criminal proceedings or convictions. The person about whom the data is being kept must give express consent to the processing of such data, except where the data processing is required by law for employment purposes or to protect the vital interests of a third party.